HK1089540A - Secure method for modifying data recorded in a memory card - Google Patents
Description
Technical Field
The present invention relates to a system for modifying a portion of a data record stored in a smart card when a transaction is conducted via a card reader, and more particularly to a method for securely modifying data recorded in a smart card during a transaction utilizing a reader.
Background
Smart cards, also known as chip cards, are increasingly used as carriers of data associated with the card holder. They include contactless cards, in which information is exchanged by contactless electromagnetic coupling between an antenna in the card and an associated reader; such cards have been developed as access cards for controlled-access areas or as electronic purses.
Smart cards typically employ a non-volatile, erasable and rewritable memory of the EEPROM or flash EPROM type, so that the recorded data persists even when the card is no longer powered. Such memories also allow recorded data to be updated by erasing one or several memory cells and writing new data.
The power supply may be accidentally interrupted during a transaction, typically by "popping" the card, i.e. moving it away before the end of the processing operation. This corrupts the memory: the earlier data is lost while no new data has been recorded. The risk is particularly great for contactless cards, where the constraints on the position of the card for correct operation are not strict.
In the case of EEPROM-type non-volatile memories there is an additional risk: if the write operation is interrupted before its normal end, the data may still be written in such a way that it can be read correctly for a short time after the write, but a later re-read is not guaranteed to succeed, because the retention of the information in the memory cell may be insufficient as a result of the premature interruption of the write.
To ensure data integrity, it is desirable to protect the card against these risks by ensuring that the data is either in its modified state or in its state before modification, but never in an indeterminate intermediate state caused by "popping".
For transaction security reasons, if power is lost during a transaction the entire transaction must be restarted from the beginning, with the risk that sensitive data (e.g. the balance of an electronic purse) is irretrievably lost.
To address the problems detailed above, it has been proposed to save the data records in a buffer memory before modifying them. Once all modifications have been made to the records to be modified, the old records are erased from the buffer memory.
Unfortunately, this method requires, for each record, one save-to-buffer operation, one erase operation of the record to be modified, one overwrite operation and one erase operation of the old record in the buffer, i.e. four operations in total. It therefore has the drawback of being time-consuming, which is a major disadvantage for contactless cards.
In addition, saving the data to another location in memory before erasing the old data requires a "flag" whose value indicates whether the modification operation was carried out correctly. The flag may be a single bit taking the value 0 or 1 depending on whether the modification is correct. For obvious reasons, recording the check bit in the same location as the data has not been contemplated so far; the only solution has been to record the flags (check bits or groups of bits) in memory cells reserved for this purpose, which consist of whole words of 16 or 32 bits even though a single bit or a few bits would suffice.
The drawbacks mentioned above are even more significant when smart cards are used in applications requiring only a low-capacity memory, where wasted memory space cannot be tolerated and where the data value modified in each transaction is a monotonic function of time. In these applications the memory record is either an up-counter, incremented each time it is used, for example for a photocopier, or a down-counter, as in a public transport card, where the recorded value is decremented by one unit each ride, or an electronic purse card, where the value of the card is only ever decremented.
Disclosure of Invention
It is therefore an object of the present invention to provide a method for modifying data during a smart card transaction, in which the modification is carried out within a minimum time compatible with the restricted access time available during the card transaction.
Another object of the invention is to provide a method for modifying data in a contactless smart card without having to store a check bit or set of check bits (flag) in a memory cell.
The invention thus provides a method for modifying data in a card transaction system comprising a smart card or the like and a reader capable of reading the card when the card is in a determined position with respect to the reader, the card comprising a non-volatile, erasable and rewritable memory including at least one cell for recording data values relating to transactions carried out with the card, each transaction causing a modification of the data values, the data values being a monotonic function of time. In each transaction, the operation of writing the data value writes a new data value into a first one of two predefined cells of the memory forming a counter, and erases the old data value recorded in the second cell, so that upon correct completion of the write operation the first cell contains the new data value and the second cell contains the value zero.
Drawings
The objects and advantages of the present invention will become more apparent on reading the following description with reference to the accompanying drawings, in which:
Figure 1 schematically shows a memory of a smart card in which the method according to the invention is implemented,
Figure 2 schematically shows the contents of a two-level counter of the memory in each phase of a write operation,
Figure 3 schematically shows the two-level counter in each phase of the rewrite operation of the smart card in a first case following a sudden extraction,
Figure 4 schematically shows the two-level counter in each phase of the rewrite operation of the smart card in a second case following a sudden extraction,
Figure 5 schematically shows the two-level counter in each phase of the rewrite operation of the smart card in a third case following a sudden extraction,
Figure 6 schematically shows the two-level counter in each phase of the rewrite operation of the smart card in a fourth case following a sudden extraction, and
Figure 7 schematically shows the two-level counter in each phase of the rewrite operation of the smart card in a fifth case following a sudden extraction.
Detailed Description
In wired-logic chip cards used in applications requiring little memory, the number of memory cells is limited. The memory of such a chip card, shown in Fig. 1, is thus an EEPROM-type memory with a capacity of 32 words of 16 bits. The invention described below makes it possible to omit from the memory the check area that would otherwise occupy an entire word. To this end, two memory cells forming a two-level counter (level A, level B) are reserved for recording the new data value each time a transaction takes place between the reader and the smart card.
The principles of the present invention can be used to advantage in all applications where the data value modified in each transaction is a monotonic function of time. In some applications (e.g. photocopy cards) the recorded value is incremented, while in others, e.g. entry to a controlled-access area or an electronic purse, the data value is decremented. It is preferable, however, to increment the counter rather than decrement it. When the card is pulled out suddenly, there is a risk that individual bits written to the memory are left in an incorrect state; since each bit at 1 may revert to 0, the recorded value can only decrease. If decrementing were used, such an incorrectly written value would also appear as a decrease, and the card holder could not tell whether the value in memory results from a normal decrement or from an abnormal decrease of the memory contents. With incrementing, by contrast, a decrease of the incorrectly recorded value after a sudden pull presents no risk, since the value retained is the previous value before the increment.
In the case of decrements, it is convenient to work with the two's complement of the data value, so that the data value is incremented on each transaction regardless of the application concerned.
The method according to the invention consists in recording the new data value resulting from the modification in the counter level that contains the value 0, and erasing the other level of the counter to set its value to 0. These two steps, which cannot be reversed, are triggered at transaction time by a single instruction from the reader to write the new value.
Fig. 2 shows the normal course of such an operation. Initially, reading the counter shows a value X in level A and a value 0 in level B. The write instruction then writes the new value Y into level B, and then erases the value X from level A. The counter is thus incremented under a single instruction.
Unfortunately, a sudden withdrawal of the card may occur during a transaction, especially when the chip card is a contactless card. In that case the write operation is carried out incorrectly: either the write of the new value is not completed correctly, or the old value is not erased. The transaction is then unsuccessful or invalid; as a consequence, the door to the controlled-access area is not authorized to open or, in the case of an electronic purse, the purchase at the retail terminal is not authorized.
The card holder therefore repeats the operation of passing his/her card in or in front of the reader. The reader first reads the counter and finds that neither of the two levels has the value 0; from this it immediately concludes that a sudden extraction occurred, and it then repairs the counter as explained below.
Figs. 3 to 7 show the counter repair operation after a sudden pull-out, depending on whether the pull-out occurred during the write phase, between the write and erase phases, or during the erase phase.
Fig. 3 shows a first case, in which the sudden pull occurs during the write phase after the value Y has been written but before the value X has been erased. Although the value Y is correct, its retention in level B cannot be guaranteed. The value Y is therefore rewritten before the value X in level A is erased to 0. Note that a write to a memory location is an OR function between the value already in the location and the new value, so the new value can only be written correctly if the old value is equal to 0 or equal to the new value (as is the case in this example).
The second case, shown in Fig. 4, occurs when the pull happens during the write phase and a value Y' between X and Y has been written in level B without the value X being erased from level A. In this case a first rewrite operation rewrites Y' in level B and erases X from level A, followed by a write operation that writes Y into level A and erases Y' from level B, so that the counter returns to a normal state in which one level contains the new value and the other level is 0.
A third case is shown in Fig. 5, where the sudden extraction occurs during the write phase, a value Y' smaller than X has been written in level B and the value X has not been erased. In this case a first rewrite operation rewrites the value X into level A and erases Y' from level B, because the repair of the counter is always made in favour of the highest value (here the value X). A write operation then writes the value Y into level B and erases X from level A.
A fourth case is shown in Fig. 6, where the sudden extraction occurs between the write phase and the erase phase: the value Y has been recorded in level B but the value X has not yet been erased from level A. Since retention of the value Y cannot be guaranteed, the value Y is rewritten into level B and the value X is erased from level A.
Fig. 7 shows a fifth case, in which the sudden extraction occurs during the erase phase: the value Y has been written in level B but the value X has not been properly erased, and a value X' is found in level A. An overwrite of the value Y in level B must therefore be performed, together with erasure of the value X' from level A.
In all the cases described above, the counter is repaired because neither of the two levels contains the value 0, and after repair one of the two levels contains the new data value and the other contains the value 0. Note that in no case can the counter end up in a state where the maximum of the values found in levels A and B is less than the old value X.
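The following Python simulation is an added example, not code from the patent: it models the two-level counter with OR-write EEPROM cells and the reader-side repair of Figs. 3 to 7, assuming (as the description does) that the reader knows the intended new value Y when the card is re-presented; the faults it injects are constructed.

```python
# Simulation of the two-level (A, B) monotonic counter and the repair
# procedure of Figs. 3 to 7. Cells are 16-bit EEPROM words: a write can
# only set bits (OR), an erase clears a cell to 0. Faults are constructed.
WORD = 0xFFFF


class TwoLevelCounter:
    def __init__(self, a=0, b=0):
        self.levels = [a, b]          # levels[0] = level A, levels[1] = level B

    def _write(self, idx, value, mask=WORD):
        # EEPROM write is an OR; `mask` models bits lost to an interrupted write
        self.levels[idx] |= value & mask & WORD

    def _erase(self, idx, residue=0):
        # erase to 0; `residue` models bits left behind by an interrupted erase
        self.levels[idx] &= residue

    def is_consistent(self):
        return 0 in self.levels       # normal state: one level holds 0

    def value(self):
        return max(self.levels)       # repair always favours the highest value

    def write_new(self, new, fault=None):
        """One transaction: write `new` into the level holding 0, then erase
        the other level. `fault` simulates a sudden extraction:
        ("write", mask), "between", or ("erase", residue)."""
        if not self.is_consistent():
            raise ValueError("counter must be repaired before writing")
        target = self.levels.index(0)
        other = 1 - target
        if isinstance(fault, tuple) and fault[0] == "write":
            self._write(target, new, fault[1])   # partial write leaves Y'
            return
        self._write(target, new)
        if fault == "between":
            return                               # Y written, X not erased
        if isinstance(fault, tuple) and fault[0] == "erase":
            self._erase(other, fault[1])         # partial erase leaves X'
            return
        self._erase(other)

    def repair(self, new):
        """Reader-side recovery when neither level is 0: rewrite the highest
        value (refreshing its retention), erase the other level, then, if the
        surviving value is not yet the intended `new` (cases 2 and 3), redo
        the transaction."""
        if self.is_consistent():
            return
        hi = self.levels.index(self.value())
        self._write(hi, self.levels[hi])
        self._erase(1 - hi)
        if self.levels[hi] != new:
            self.write_new(new)
```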
Claims (10)
1. A method for modifying data in a card transaction system comprising a smart card or the like and a reader capable of reading said card when the card is in a determined position relative to said reader, said card comprising a non-volatile, erasable and rewritable memory including at least one cell for recording data values relating to transactions carried out through said card, each transaction causing a modification of said data values, said data values being a monotonic function of time,
said method being characterized in that, in each transaction, the operation of writing said data value writes a new data value (Y) into a first (B) of two predefined cells forming a counter in said memory, and erases an old data value (X) recorded in a second (A) of said two cells, so that upon correct completion of the write operation said first cell contains said new data value and said second cell contains the value zero.
2. A method according to claim 1, wherein the data value recorded in one of the two cells (A or B) is incremented on each write operation.
3. A method according to claim 2, wherein, when said write operation cannot be carried out correctly because of a sudden extraction of said card during the transaction, neither of the two cells of said counter has a value equal to zero and the transaction is invalid.
4. A method according to claim 2, further comprising repairing said counter, when a sudden pull occurs during the write phase of said new value, by performing a rewrite operation which rewrites said new value (Y) in said first cell (B) and erases said old value (X) from said second cell (A).
5. A method according to claim 2, further comprising repairing said counter, when said first cell (B) contains an incorrect value (Y') between said old data value (X) and said new data value (Y), by performing an overwrite operation which overwrites said incorrect value in said first cell and erases said old value from said second cell, and then performing a write operation which writes said new value in said second cell (A) and erases said incorrect value from said first cell.
6. A method according to claim 2, further comprising, when the first cell (B) contains an incorrect data value (Y') which is less than the old value (X), repairing the counter by performing a rewrite operation which rewrites the old data value (X) in the second cell (A) and erases the incorrect data value from the first cell (B), and then performing a write operation which writes the new data value (Y) in the first cell and erases the old data value from the second cell.
7. A method according to claim 2, further comprising, when a sudden pull occurs between the write phase of the new data value and the erase phase of the old data value, repairing the counter by performing a rewrite operation which rewrites the new data value (Y) in the first cell (B) and erases the old data value (X) from the second cell (A).
8. A method according to claim 2, further comprising, when a sudden extraction occurs during the erase phase of the old data value (X) and an incorrect data value (X') is recorded in the second cell (A), repairing the counter by overwriting the new data value (Y) in the first cell (B) and erasing the incorrect data value from the second cell.
9. A card transaction system comprising a smart card or the like and a reader capable of reading said card when the card is located in a determined position relative to said reader, said card comprising a non-volatile, erasable and rewritable memory including at least one cell for recording data values relating to transactions performed by said card, each transaction causing a modification of said data values, said data values being a monotonic function of time,
said system being characterized in that said memory comprises a first predefined cell and a second predefined cell forming a counter, each transaction generating a write command for writing a new data value (Y) in said first cell (B) and erasing an old data value (X) from said second cell (A), so that at the end of the write operation said first cell contains said new data value and said second cell contains the value zero.
10. The system of claim 9, wherein the smart card is a contactless card.
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| FR0215740 | 2002-12-12 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| HK1089540A (en) | 2006-12-01 |