EP0711441A1 - Device and method for chip cards - Google Patents

Device and method for chip cards

Info

Publication number: EP0711441A1
Authority: EP (European Patent Office)
Prior art keywords: card, interface, data, integrated circuit, program module
Legal status: Withdrawn
Application number: EP94922186A
Other languages: English (en), French (fr)
Inventors: Quentin Rees Oliver, Johannes Marinus George Bertina
Current Assignee: Intellect Australia Pty Ltd
Original Assignee: Intellect Australia Pty Ltd
Application filed by Intellect Australia Pty Ltd

Classifications

    • H04M 1/275: Devices whereby a plurality of signals may be stored simultaneously, with provision for storing more than one subscriber number at a time, using static electronic memories, implemented by means of portable electronic directories
    • G06K 7/0021: Methods or arrangements for sensing record carriers by galvanic contacts (e.g. card connectors for ISO 7816 compliant smart cards), for reading/sensing record carriers having surface contacts
    • G06Q 20/341: Payment architectures, schemes or protocols using cards; active cards, i.e. cards including their own processing means, e.g. an IC or chip
    • G06Q 20/3415: Cards acting autonomously as pay-media
    • G06Q 20/3576: Cards having a plurality of specified features; multiple memory zones on card
    • G07F 7/1008: Mechanisms actuated by a coded identity card or credit card together with a coded signal (e.g. PIN or biometric data); active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • H04M 1/505: Devices which can set up and transmit only one digit at a time by generating or selecting currents of predetermined frequencies; signals generated in digital form
    • H04M 1/72406: User interfaces specially adapted for cordless or mobile telephones, with means for local support of applications that increase the functionality by software upgrading or downloading
    • H04M 2250/14: Details of telephonic subscriber devices including a card reading device

Definitions

  • This invention relates to integrated circuit cards (IC cards) and more particularly to a portable hand held device and a method for communicating with an IC card.
  • Integrated circuit cards are becoming more popular in everyday use for enabling a user to perform some form of commercial transaction with a service provider.
  • IC cards as defined by international standard ISO 7816, in particular, are becoming fashionable due principally to the memory and processing power which has been able to be integrated into the design of the card with microelectronic circuit design techniques.
  • Readers and terminals for communicating with an IC card are permanently disposed and electrically interconnected at the site of the service provider or host computer connected thereto.
  • Although a smart card or the like can be carried on the person of a user, it is necessary for such user to actually attend the premises of the service provider or host computer in order to perform a transaction with the card by physically inserting the card into the card reader thereof and establishing the communication protocol.
  • A device for communicating with an integrated circuit card comprising:
  • an external interface including an IC card interface for connectedly receiving and communicating with an IC card;
  • microcomputer means having internal storage for storing data, said microcomputer means being connected to said user interface and said external interface;
  • an operating system for operating said microcomputer means to control said internal storage, said user interface and said external interface;
  • said data includes a program module loaded into said internal storage for execution upon activation via said user interface, said program module being loaded from a said IC card or from a host connected to the device.
  • The device includes an interpreter for executing a said program module, wherein said interpreter operates as a virtual machine on top of said microcomputer means and is adapted to prevent access to certain secured areas of said internal storage and said microcomputer means, and to prevent the direct execution of native program code of said microcomputer means.
  • Said interpreter comprises compiler means for converting high level program module language into program module object code in accordance with a prescribed instruction set.
  • Said compiler means comprises a compiler for converting said high level program module language into program module language assembler source code, and an assembler for converting said program module language assembler source code into said program module object code, in accordance with respective prescribed instruction sets.
  • Said external interface includes a serial communications interface for allowing full duplex serial communications between said microcomputer means and said host connected thereto.
  • Said operating system provides for one or more communication options when a said IC card is connected to said IC card interface, said IC card interface providing services with said serial interface or said user interface in conjunction with said microcomputer means to achieve said communication option.
  • One said communication option comprises loading a said program module directly from said IC card for execution.
  • Said program module is loaded into a temporary storage area and executed upon said activation.
  • Another said communication option comprises passing messages between said serial interface, when a host is connected thereto, and said IC card interface, when an IC card is connected thereto, under the control of said microcomputer means and said operating system upon activation via said user interface.
  • Said external interface includes a microphone for receiving tone signals remotely transmitted to the device, a speaker for generating tone signals to be transmitted from the device, and a tone signalling interface interconnecting said microphone, said speaker and said microcomputing means for decoding tone signals received by said microphone and for driving said speaker, whereby said operating system provides for a further communication option using said tone signalling interface with a telephone system upon activation via said user interface.
  • Said internal storage comprises a semi-permanent storage area for storing data loaded from a host connected to said serial communications interface.
  • The device includes a system loader to receive and execute prescribed commands via said serial communications interface for loading said data, wherein said system loader prevents the direct execution of native program code of said microcomputer means.
  • A said program module loaded from a said host connected to said serial communications interface is stored in said semi-permanent storage area, and said operating system is adapted to load a said program module stored in said semi-permanent area into said temporary area for execution upon said activation.
  • Said IC card interface includes a routine for determining the compatibility of said IC card with the device and configuring said IC card interface for communicating with a compatible IC card connected thereto.
  • Said routine defines different subroutines to enable the device to differentiate between different types and makes of IC cards.
  • Said operating system provides for an option of a personal identification number subroutine to be performed to enable said microcomputing means to validate the identity of a user of the device before allowing a predetermined communication option to be activated by a user.
  • Said internal storage comprises a core area for permanently storing firmware for said operating system, said user interface and said external interface, said firmware being generally divided into three layers: the first layer comprising system and driver firmware, including said operating system and said external interface, for direct hardware interfaces and firmware task management; the second layer comprising application firmware, including said user interface, for supporting the functional requirements of the device; and the third layer comprising program module interpreter firmware for supporting the operation of a said program module.
  • Said semi-permanent storage area also provides for storage of: system information data including a password for initialisation loading access and an internal personal identification number (IPIN) for user access; cipher keys for cryptographic processing; program module control data; and function parameters including configuration data for the device.
  • Said temporary storage area is partitioned into areas for running the firmware, program module volatile data areas and intermediate storage for cryptographic functions performed by the device.
  • A portable hand held device for communicating with an integrated circuit card comprising:
  • a keypad disposed on one portion of said housing;
  • microcomputing means disposed within said housing and connected to said keypad and said display for receiving input signals provided by said keypad and sending output signals for display by said display, said microcomputing means having a computer program for operating said microcomputing means in accordance with a prescribed routine to communicate with a user of the device;
  • a self-contained power source disposed within said housing for supplying power to said processing means;
  • an integrated circuit card receptor disposed on a further portion of said housing and connected to said processing means for receiving an integrated circuit card and communicating therewith in accordance with said prescribed routine and the input signals provided by said keypad;
  • said housing being of a size sufficiently small to be carried on one's person.
  • Testing the integrated circuit card to determine whether it is one of a predetermined range of integrated circuit card types.
  • Figure 1A is a side view of the hand held device opened in its operative position;
  • Figure 1B is a rear view of the hand held device of figure 1A;
  • Figure 1C is a front view of the hand held device of figures 1A and 1B;
  • Figure 2 is a block diagram showing the basic hardware architecture of the electronic circuitry of the hand held device;
  • Figure 3 is a block diagram showing the basic firmware architecture of the hand held device;
  • Figure 4 is a flowchart indicating the algorithm of the communication method invoked for the purpose of differentiating between different types and makes of IC cards.
  • The embodiment is directed towards a multi-functional, portable, self-contained hand held device.
  • The device is essentially a personal information terminal which can provide data security, user authentication and telephone dialling, and act as an intelligent terminal for integrated circuit (IC) cards of the form defined by ISO 7816, better known as Smartcards.
  • The device functions as part of a system for identification, data storage and processing of data stored internally or on a Smartcard.
  • The data stored internally can be in the form of special Program Modules (PMs) and/or user data, and may be for purposes such as identification, a telephone number book, etc.
  • Data stored on a Smartcard can be for many sorts of purposes, for example financial, medical, social security, club membership, company employee, season tickets, frequent user, etc.
  • The device generally includes features for:
  • The device operates in three main configurations:
  • The device 11 is a small (shirt-pocket size) electronic device which has a housing 12, a keypad 13, a liquid crystal display (LCD) 15, an audio beeper 17, a Smartcard reader/writer receptor 19, a serial port 21, a microphone 23 and a speaker 25.
  • The device is battery powered by a battery 26 disposed within a battery compartment 27, via an on/off switch 28, and operates via a microprocessor in the form of a microcomputer-on-a-chip 29 that provides secure storage and cryptographic facilities.
  • The device 11 is programmable, thereby enabling it to have many possible uses such as: a telephone list and dialler, remote user identification, an electronic purse, a low cost smart card terminal, an on-course betting facility, etc.
  • The housing 12 comprises two planar wings 12a and 12b which are hingedly joined along their respective proximal ends. Accordingly, the wings may be opened out in an operating position as shown in figure 1A of the drawings, or alternatively may be closed together like a book in an inoperative position (not shown).
  • The keypad 13 is of the 'rubber mat' type and is provided with 20 keys for data entry and selection of menu choices.
  • The liquid crystal display 15 has one line of 16 characters and presents prompts and information to the user.
  • The audio beeper 17 provides a tone at 1000, 1250, 1500 or 2000 Hz and indicates keypresses and other actions.
  • The Smartcard reader/writer receptor 19 is designed to receive one of a variety of different types and makes of Smartcard inserted therein so that the device can read from and/or write to the Smartcard.
  • The serial port 21 enables the device to be connected to a modem or host device.
  • The microphone 23 receives DTMF tones for data reception.
  • The speaker 25 generates DTMF tones for dialling and data transmission.
  • The internal battery enables self-containment of the device and an expected service life of two years with typical use.
  • The microcomputer 29 in the present embodiment is a microprocessor with memory, input/output ports, timer functions and a serial communications interface, all on a single integrated circuit.
  • The memory comprises internal non-volatile secure storage 31 for the operating program and sensitive data, divided into read only memory (ROM) 31a and electrically erasable programmable read only memory (EEPROM) 31b, and an amount of internal volatile storage in the form of random access memory (RAM) 32.
  • Although the device can run an internally stored program, its versatility is greatly increased by the fact that it can also run programs stored on a Smartcard.
  • Other service providers will be able to develop their own applications and provide them on Smartcards that plug into the device 11.
  • Other organisations will be able to load their own applications into the internal storage area, thus producing fully customised devices.
  • System software is common to all devices of the invention and comprises the operating system, interfaces to the various hardware components of the device and an interpreter for executing application program code.
  • The system software itself is in the ROM 31a; configuration options are stored in the EEPROM 31b so that they can be changed at loading time.
  • Basic user functions are incorporated in the system software and can be selected from a main menu presented at power up.
  • The main menu offers the following options:
  • Tone dialler - allowing the user to generate DTMF tones by pressing keys. This would be useful for sending tones to automatic services when only a rotary (pulse) dialling handset is available.
  • Card terminal - allowing operation as a smartcard terminal. In this case the device 11 connects to another external device via its serial port 21.
  • Internal PM - allowing execution of an internal PM (from a choice of up to three in the present embodiment).
  • Change PIN - allowing changing of a personal identification number (PIN) for the device.
  • Any of the above options can be configured for internal PIN (IPIN) protection. In that case the user will be prompted for an IPIN before the option is activated. Changing the IPIN always requires entry of the existing IPIN first.
  • PMs are applications for the hand held device 11 written in a special Program Module language (PML).
  • The PML is a programming language that provides the usual arithmetic, logical, flow control and data transfer facilities, plus access to in-built device functions such as:
  • The device 11 is required to store cipher keys and other sensitive data in a secure and non-volatile manner. Access controls of varying levels protect data stored internally and can optionally protect access to some modes of communication and execution of PMs.
  • Cipher processes are provided for data security and to support cryptographic operations.
  • The hardware provides security by the use of the single-chip microcomputer 29 with built-in features that monitor its mode of operation. If the mode is changed, the internal storage areas 31 of the microcomputer will be erased.
  • The operating system provides security by controlling which memory areas a Program Module (PM) can access, controlling both the use of I/O features and the execution of items from the main menu.
  • The loading system provides security by the use of a password to start initial loading and by securing the session to reload cipher keys.
  • The interpreter provides security by removing the need to use the processor's native code to write programs.
  • The interpreter limits PM access to only the memory areas allocated to it under the PML.
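The claim that the interpreter runs as a virtual machine above the microcomputer, confining a PM to the memory allocated to it and leaving no path to native code, can be made concrete with a toy interpreter. The following is an added example, not code from the patent or from Intellect Australia; its instruction set, the `DeviceMemory`/`PMInterpreter` names and the storage layout (a secured region for keys and IPIN, a 32-byte window for the PM) are assumptions chosen for illustration and are not the PML the patent describes. Every load and store is translated through the PM's window and rejected when it falls outside it; an opcode the interpreter does not recognise is refused rather than handed to the CPU.

```python
"""Toy model of a program-module (PM) interpreter that runs as a virtual machine
above the device's processor: every memory access is checked against the area
allocated to the PM, and the only instructions that exist are the interpreter's
own, so a PM has no way to reach native code or secured storage.
Assumed names and instruction set; not the patent's PML."""


class AccessViolation(Exception):
    """Raised when a PM leaves its allocated area or uses an unknown opcode."""


class DeviceMemory:
    """Constructed model of internal storage: a flat byte array in which the
    range `secured` (e.g. cipher keys, IPIN) must never be reachable from a PM."""

    def __init__(self, size, secured):
        self.cells = bytearray(size)
        self.secured = secured  # (start, end), end exclusive


class PMInterpreter:
    """Interprets a PM over a window (base, length) of DeviceMemory. PM addresses
    are relative to the window; the interpreter translates them and refuses any
    address outside the window, so the PM never sees physical addresses."""

    def __init__(self, memory, window):
        self.mem = memory
        self.base, self.length = window
        s0, s1 = memory.secured
        # The OS (not the PM) chooses the window; still refuse one that overlaps secured storage.
        if self.base < s1 and s0 < self.base + self.length:
            raise AccessViolation("PM window overlaps secured storage")
        if self.base + self.length > len(memory.cells):
            raise AccessViolation("PM window exceeds internal storage")
        self.regs = [0, 0, 0, 0]

    def _phys(self, addr):
        """Translate a PM-relative address, enforcing the window bounds."""
        if not 0 <= addr < self.length:
            raise AccessViolation(f"PM address {addr} is outside its allocated area")
        return self.base + addr

    def run(self, program, max_steps=10_000):
        """Execute a list of (opcode, *operands) tuples; returns the number of steps executed."""
        pc = 0
        for step in range(1, max_steps + 1):
            if not 0 <= pc < len(program):
                raise AccessViolation("program counter left the PM code area")
            op, *args = program[pc]
            pc += 1
            if op == "LOADI":    # r, imm: register <- 8-bit immediate
                self.regs[args[0]] = args[1] & 0xFF
            elif op == "LOAD":   # r, addr: register <- PM memory
                self.regs[args[0]] = self.mem.cells[self._phys(args[1])]
            elif op == "STORE":  # r, addr: PM memory <- register
                self.mem.cells[self._phys(args[1])] = self.regs[args[0]]
            elif op == "ADD":    # r1, r2: r1 <- r1 + r2 (mod 256)
                self.regs[args[0]] = (self.regs[args[0]] + self.regs[args[1]]) & 0xFF
            elif op == "SUB":    # r1, r2: r1 <- r1 - r2 (mod 256)
                self.regs[args[0]] = (self.regs[args[0]] - self.regs[args[1]]) & 0xFF
            elif op == "JNZ":    # r, target: jump within the program if r != 0
                if self.regs[args[0]] != 0:
                    pc = args[1]
            elif op == "HALT":
                return step
            else:
                # An unknown opcode is rejected, never handed to the native CPU.
                raise AccessViolation(f"unknown opcode {op!r}")
        raise AccessViolation("step budget exhausted")


def try_run(memory, window, program):
    """Run a PM and report 'ok' or the reason the interpreter denied it."""
    try:
        steps = PMInterpreter(memory, window).run(program)
        return f"ok after {steps} steps"
    except AccessViolation as exc:
        return f"denied: {exc}"


# Constructed layout: 256 bytes of storage, first 64 secured, PM window at 64..95.
SECURED = (0, 64)
PM_WINDOW = (64, 32)

# Well-behaved PM: sums 5+4+3+2+1 into its own cell 0.
SUM_PM = [
    ("LOADI", 0, 0), ("LOADI", 1, 5), ("LOADI", 2, 1),
    ("ADD", 0, 1), ("SUB", 1, 2), ("JNZ", 1, 3),
    ("STORE", 0, 0), ("HALT",),
]
# Misbehaving PM: tries to read cell 200, far outside its 32-byte window.
PEEK_PM = [("LOAD", 0, 200), ("HALT",)]


def demo():
    """Returns (result of SUM_PM, value it stored, result of PEEK_PM)."""
    mem = DeviceMemory(256, SECURED)
    return try_run(mem, PM_WINDOW, SUM_PM), mem.cells[64], try_run(mem, PM_WINDOW, PEEK_PM)


if __name__ == "__main__":
    print(demo())
```

The two enforcement points are the address translation in `_phys` and the `else` branch of the dispatch loop: a PM can only name offsets inside its window, and bytes it stores there are only ever data, never something the interpreter will execute as native code.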
  • The firmware component of the software will now be described in more detail.
  • The firmware is responsible for providing the user functionality of the device and control of the associated electronic hardware.
  • The firmware is masked in the microcomputer 29 of the device 11.
  • The firmware can be conceptually divided into three layers, namely:
  • System and Driver firmware - This is the core firmware and is responsible for direct hardware interfaces and firmware task management.
  • Application firmware - This layer is mainly concerned with supporting the functional requirements of the device.
  • PM Interpreter firmware - This layer provides the programmability of the device. It draws on the above two layers to provide all device services through a PM programmer instruction set.
  • The system and driver firmware comprises the main menu 51, operating system 53, system services 55 and driver firmware 57.
  • Drivers provide hardware control sequences for the microcomputer 29, such as setting up and servicing interrupts, I/O device control and CPU timer management.
  • The LCD display 15 allows alphanumeric data to be displayed to the user.
  • NULL-terminated string at a logical LCD cursor address.
  • Logical addresses have a range from zero to fifteen. The logical address allows the application to address the cursor without regard to the underlying device address, which is dependent on the LCD control hardware design.
  • The hardware uses a standard intelligent LCD controller 65 for dot matrix alphanumeric display.
  • The function of the DTMF module 35 is to allow remote service support through a public telephone network without the need for a modem.
  • The driver software 35 supports DTMF decoding using a decoder 67a and encoding using an encoder 67b. Only half-duplex communication is available, so transmission and reception cannot be enabled simultaneously.
  • GetDtmf - Requires the maximum number of digits and the maximum waiting timeout to be specified. A buffer is also required. Returns TRUE if all the digits have been received, FALSE if a timeout has occurred.
  • Tone duration and interdigit pause parameters are stored in the EEPROM 31b. This allows customisation for public switched telephone networks (PSTNs) that have highly varying requirements for these parameters.
  • The tone duration can be set to a maximum of 70 milliseconds and a minimum of 50 milliseconds.
  • The interdigit pause can be set from 50 milliseconds to approximately 10 seconds.
  • Encoding requires two sinusoidal signals to be generated at the required dual frequencies for each tone representing a digit. To achieve this, two square wave signals are generated by the encoder 67b under firmware control and then electrically filtered into the corresponding sinusoids to generate a DTMF tone.
  • The decoder 67a receives a DTMF tone and determines its corresponding digit. The result is presented as a binary number to the microcomputer 29.
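The encoder/decoder pair described above can be modelled in software to see what the decoder has to decide. This is an added example, not the patent's firmware or the DTMF hardware of Intellect Australia's device: the two sinusoids are summed directly instead of being filtered from square waves, the 8 kHz sample rate is an assumption, and the decoder uses the Goertzel algorithm, which is this example's choice and not something the patent names. The tone length (70 ms) and interdigit pause (50 ms) follow the limits given above; the standard DTMF row and column frequencies are used.

```python
"""DTMF encode/decode model. Added example (not the patent's firmware): the device builds each
tone from two filtered square waves; here the two sinusoids are summed directly, and the
decoder uses the Goertzel algorithm, an assumption of this example."""
import math

SAMPLE_RATE = 8000                       # Hz, assumed; covers the 697-1633 Hz DTMF band
LOW_FREQS = (697, 770, 852, 941)         # row tones of the standard DTMF keypad
HIGH_FREQS = (1209, 1336, 1477, 1633)    # column tones
KEYPAD = ("123A", "456B", "789C", "*0#D")


def dtmf_pair(digit):
    """Return the (low, high) frequency pair for a DTMF digit."""
    for row, keys in enumerate(KEYPAD):
        col = keys.find(digit)
        if col >= 0:
            return LOW_FREQS[row], HIGH_FREQS[col]
    raise ValueError(f"not a DTMF digit: {digit!r}")


def encode_digit(digit, duration_ms=70, amplitude=0.5):
    """Samples of one DTMF tone; 70 ms is the maximum tone duration the device allows."""
    f_lo, f_hi = dtmf_pair(digit)
    n = int(SAMPLE_RATE * duration_ms / 1000)
    return [amplitude * (math.sin(2 * math.pi * f_lo * i / SAMPLE_RATE)
                         + math.sin(2 * math.pi * f_hi * i / SAMPLE_RATE))
            for i in range(n)]


def encode_string(digits, duration_ms=70, pause_ms=50):
    """Dial string: tones separated by an interdigit pause (50 ms is the device's minimum)."""
    silence = [0.0] * int(SAMPLE_RATE * pause_ms / 1000)
    out = []
    for d in digits:
        out += encode_digit(d, duration_ms) + silence
    return out


def goertzel_power(samples, freq):
    """Signal power at the DFT bin nearest `freq`, computed without a full FFT."""
    n = len(samples)
    k = round(n * freq / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode_tone(samples, min_ratio=8.0, min_power=1e-6):
    """Return the digit a block of samples carries, or None if no clean tone pair is present.
    Each group must contain one clearly dominant tone; silence or noise is rejected, not guessed."""
    picks = []
    for freqs in (LOW_FREQS, HIGH_FREQS):
        powers = [goertzel_power(samples, f) for f in freqs]
        best = max(range(len(freqs)), key=powers.__getitem__)
        runner_up = sorted(powers)[-2]
        if powers[best] < min_power or powers[best] < min_ratio * max(runner_up, min_power):
            return None
        picks.append(best)
    row, col = picks
    return KEYPAD[row][col]


if __name__ == "__main__":
    for d in "5#":
        print(d, dtmf_pair(d), decode_tone(encode_digit(d)))
    print("silence ->", decode_tone([0.0] * 560))
```

With a 70 ms block at 8 kHz the Goertzel bins are about 14 Hz apart, so the row and column tones land in distinct bins and the dominance test separates a genuine digit from silence or a single stray tone; a real decoder would add the twist and amplitude checks a telephone network expects, which the patent does not discuss.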
  • Asynchronous serial data communication provides a general purpose gateway to a myriad of external devices such as modems and personal computers.
  • This module 37 supports two data transfer modes, namely:
  • A packet message is arranged as shown below.
  • VL1 - Very Length Indicator
  • CRC - Cyclic Redundancy Check
  • An inter-character timeout is set to a predefined value stored in the EEPROM 31b. Should the timeout occur, the receiver aborts.
  • A maximum of thirty two data bytes can be transmitted or received in one packet. If any more is sent, the data received up to that point is discarded and reception starts again.
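The packet-mode rules above (a length indicator, a CRC, at most thirty-two data bytes, abort on inter-character timeout) are enough to write a receiver that fails closed. The following is an added example, not the patent's serial driver or any Intellect Australia code; where the patent is silent this example assumes a one-byte length indicator and CRC-16/CCITT-FALSE (polynomial 0x1021, initial value 0xFFFF, sent big-endian). The `PacketReceiver`, `receive_stream` and `flip_bit` names are this example's own.

```python
"""Packet-mode framing model for the device's serial port. Added example, not the patent's
firmware. Assumptions: one-byte length indicator; CRC-16/CCITT-FALSE (poly 0x1021, init
0xFFFF) sent big-endian. The patent states neither the indicator width nor the polynomial."""

MAX_DATA = 32  # the patent's limit: at most thirty-two data bytes per packet


def crc16_ccitt(data, crc=0xFFFF):
    """CRC-16/CCITT-FALSE; the check value for b'123456789' is 0x29B1."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def build_packet(payload):
    """Frame layout: length | payload | CRC over length+payload."""
    payload = bytes(payload)
    if len(payload) > MAX_DATA:
        raise ValueError(f"payload exceeds {MAX_DATA} bytes")
    body = bytes([len(payload)]) + payload
    return body + crc16_ccitt(body).to_bytes(2, "big")


def flip_bit(packet, index, mask=0x01):
    """Constructed corruption helper: return the packet with one bit of byte `index` flipped."""
    damaged = bytearray(packet)
    damaged[index] ^= mask
    return bytes(damaged)


class PacketReceiver:
    """Byte-at-a-time receiver. An oversize length, a CRC failure or an inter-character
    timeout discards what was received so far and reception starts again."""

    def __init__(self):
        self.rejected = 0
        self._reset()

    def _reset(self):
        self._buf = bytearray()
        self._expected = None

    def timeout(self):
        """Called by the driver when the inter-character timer (value held in EEPROM) fires."""
        if self._buf:
            self.rejected += 1
        self._reset()

    def feed(self, byte):
        """Return the payload when a complete, valid packet has arrived, else None."""
        if self._expected is None:
            if byte > MAX_DATA:          # more than 32 data bytes announced: refuse up front
                self.rejected += 1
                return None
            self._expected = 1 + byte + 2  # length byte + payload + CRC
        self._buf.append(byte)
        if len(self._buf) < self._expected:
            return None
        frame = bytes(self._buf)
        self._reset()
        if crc16_ccitt(frame[:-2]) != int.from_bytes(frame[-2:], "big"):
            self.rejected += 1
            return None
        return frame[1:-2]


def receive_stream(data, gap_after=None):
    """Feed a byte string through a receiver; `gap_after` simulates a timeout after that index.
    Returns (accepted payloads, number of rejected or aborted packets)."""
    rx = PacketReceiver()
    accepted = []
    for i, byte in enumerate(data):
        payload = rx.feed(byte)
        if payload is not None:
            accepted.append(payload)
        if gap_after is not None and i == gap_after:
            rx.timeout()
    return accepted, rx.rejected


if __name__ == "__main__":
    good = build_packet(b"hello")
    print(receive_stream(good + build_packet(b"")))
    print(receive_stream(flip_bit(good, 2)))
    print(receive_stream(good[:3], gap_after=2))
```

The receiver never acts on a payload until the whole frame has arrived and the CRC has been checked, and every failure path goes through `_reset`, so a corrupted or abandoned frame cannot leave stale bytes in the buffer to be glued onto the next packet.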
  • The application interface 59 to this module 37 consists of:
  • The baud rate is required and can be set to 1200, 2400, 4800, 9600 or 19200 baud.
  • SetSerialMode - This allows the protocol mode to be changed. Changing a mode during a transmission or reception will result in unpredictable behaviour in this module.
  • The serial port on the microcomputer 29 is used for serial communication. It is initialised to a default baud rate, 8 data bits, 1 stop bit and no parity on power up.
  • The default baud rate is stored in the EEPROM 31b.
  • The keypad 13 allows the user to interact with the device.
  • The keys are arranged as a 4 by 5 matrix. Standard key scanning techniques with debouncing are used to reliably decode keypresses.
  • The keypad driver 39 is responsible for scanning the matrix keypad to ascertain the row and column position of a depressed key. A scan code is calculated from this position and returned. The scan code is the linear position of each key, scanning from the top left key (scan code zero) to the bottom right key (scan code nineteen).
  • Debouncing is achieved by a debounce delay between scans and requires a pressed key to be released before a new key can be accepted.
  • The application firmware 59 accesses the key buffer with two procedures, namely:
  • GetKeypad - Initiates the key scanning algorithm and returns the scan code and a TRUE flag if a key press is detected. Otherwise it will return immediately with a FALSE status.
  • This module 41 implements the hardware control sequence for card power on/off, data communications and session termination as specified by ISO 7816 part 3.
  • Typical Smartcards that can be supported in the present embodiment are:
  • Gemplus GPM 896-Y Bit Synchronous Card (trademark).
  • Gemplus MCOS16K Asynchronous Card (trademark).
  • Schlumberger ME2000 Asynchronous Card (trademark).
  • Schlumberger EEK2, EEK4, EEK16 Byte Synchronous Cards (trademark).
  • Application level firmware 59 has access to the following services:
  • System clock enable/disable - output to cards that may require a system clock input. This is also used in the reset sequence.
  • Card insertion/withdrawal detection.
  • Communication to or from a Smartcard is implemented using digital port lines 69 on the microcomputer 29. All the required signals are controlled by the microcomputer and are sequenced correctly by the firmware as per ISO 7816-3 when the card is activated or deactivated. Smartcard signals are automatically deactivated when the card is removed.
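The routine that differentiates between card types (the method step "testing the integrated circuit card to determine whether it is one of a predetermined range of integrated circuit card types" and the flowchart of Figure 4) has, for asynchronous cards, a well-defined input: the ISO 7816-3 answer-to-reset. The parser below is an added example, not the patent's Smartcard module or any Intellect Australia code. The sample ATRs are constructed and are not claimed to match the Gemplus or Schlumberger cards listed above; bit- and byte-synchronous cards do not send an ISO 7816-3 ATR at all, so an empty or malformed answer is reported as "not an asynchronous card" and would be passed to the synchronous-card subroutines, which this example does not model.

```python
"""Classifying an inserted card from its answer-to-reset (ATR) as ISO 7816-3 defines it for
asynchronous cards. Added example, not the patent's Smartcard module. Sample ATRs are
constructed for illustration and do not describe any card named in the patent."""


class AtrError(ValueError):
    """Malformed or truncated ATR."""


def parse_atr(atr):
    """Parse TS, T0, the TA/TB/TC/TD interface-byte chain, historical bytes and TCK.
    Returns a dict; raises AtrError on structural faults or a TCK mismatch."""
    atr = bytes(atr)
    if len(atr) < 2:
        raise AtrError("ATR too short")
    ts, t0 = atr[0], atr[1]
    if ts == 0x3B:
        convention = "direct"
    elif ts == 0x3F:
        convention = "inverse"
    else:
        raise AtrError(f"invalid TS byte 0x{ts:02X}")
    k = t0 & 0x0F          # number of historical bytes
    y = t0 >> 4            # presence bits for TA1..TD1
    interface, protocols = {}, set()
    i, level = 2, 1
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if i >= len(atr):
                    raise AtrError(f"truncated before {name}{level}")
                interface[f"{name}{level}"] = atr[i]
                i += 1
        if not y & 8:
            break
        td = interface[f"TD{level}"]
        protocols.add(td & 0x0F)   # low nibble: protocol type T
        y = td >> 4                # high nibble: presence bits for the next level
        level += 1
    if not protocols:
        protocols.add(0)           # no TD1 at all means T=0 only
    historical = atr[i:i + k]
    if len(historical) != k:
        raise AtrError("truncated historical bytes")
    i += k
    # TCK is present unless T=0 is the only protocol; T0 through TCK must XOR to zero.
    if protocols != {0}:
        if i >= len(atr):
            raise AtrError("missing TCK")
        i += 1
        check = 0
        for b in atr[1:i]:
            check ^= b
        if check != 0:
            raise AtrError("TCK check failed")
    if i != len(atr):
        raise AtrError(f"{len(atr) - i} trailing byte(s) after ATR")
    return {"convention": convention, "protocols": sorted(protocols),
            "interface": interface, "historical": historical}


def classify_card(answer):
    """The decision the card-differentiation routine makes before configuring the interface."""
    try:
        info = parse_atr(answer)
    except AtrError as exc:
        return f"not an asynchronous ISO 7816-3 card ({exc})"
    protos = ",".join(f"T={p}" for p in info["protocols"])
    return f"asynchronous card, {info['convention']} convention, {protos}"


# Constructed sample answers (illustrative only)
ATR_T0_ONLY = bytes.fromhex("3B 65 00 00 9C 11 01 01 03")  # TB1, TC1, 5 historical bytes, T=0
ATR_T0_T1 = bytes.fromhex("3B 80 80 01 01")                 # TD1, TD2 -> T=0 and T=1, TCK=01
ATR_BAD_TCK = bytes.fromhex("3B 80 80 01 00")               # same answer with a corrupted TCK
NO_ANSWER = b""                                             # e.g. a synchronous memory card

if __name__ == "__main__":
    for name, sample in (("T0 only", ATR_T0_ONLY), ("T0+T1", ATR_T0_T1),
                         ("bad TCK", ATR_BAD_TCK), ("no answer", NO_ANSWER)):
        print(f"{name:10s} {classify_card(sample)}")
```

The parser walks the interface-byte chain exactly as the presence nibbles dictate and refuses anything truncated, over-long or with a failed TCK, so a damaged or hostile answer-to-reset is rejected before any interface parameters (such as TA1 timing) are taken from it.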
  • the power up sequence requires firmware control to maintain power mmediately after the power is momentarily applied by the closing of the ON/OFF switch 28. Similarly, the power down sequence is performed under firmware control, once initiated by the closure of the ON/OFF switch 28.
  • this module 43 does not switch off the power immediately when the ON/OFF button 28 is pressed. Instead a power down message is provided to the Operating System 53 or Interpreter 61.
  • a power down timeout will be set to a preprogrammed value (100ms minimum, 25 seconds maximum). This means that if the Operating System 53 or the Interpreter 61 (depending on which one is in control) does not acknowledge within the timeout period, this module 43 will simply switch off the power. Otherwise the Operating System 53 or Interpreter 61 will request this module 43 to switch off power.
  • An inactivity timer is also required to ensure that the device 11 cannot be accidentally left switched on for long periods of time. This value is programmable in the range of 1 to 250 seconds.
  • The firmware interface for this module 43 consists of:-
  • Latching-on power supply control. When the device is unpowered, an ON/OFF switch closure causes this to set the power control line low.
  • The power control line is set high to switch off power.
  • Inactivity timer. Cleared when a key is pressed or a DTMF tone is transmitted or received.
  • PM commands can be used to:-
  • The beeper firmware 45 is primarily for keystroke echo but is available to the application level for other purposes.
  • The beeper 17 can be activated for a specified duration in multiples of 10 milliseconds.
  • The frequency can be selected from one of 1000, 1250, 1500 or 2000 hertz.
  • The application interface 59 to the beeper 17 is:
  • The beeper is controlled by an output on the microcomputer 29.
  • The main menu module 51 consists of a list of alphanumeric items presented to the user on power up of the device to allow selection of system utilities.
  • The PM to be executed is then selected with the F1, F2 or F3 keys, corresponding to
  • Each alphanumeric item is a string terminated by the NULL (hexadecimal zero) character. Items are displayed one at a time on the single line LCD 15. The displayed item is considered the current one; equivalently, an invisible cursor is considered to be pointing to this item.
  • The menu items must be stored consecutively in the ROM 31a, RAM 32 or EEPROM 31b.
  • the services provided by the operating system (OS) 53 are:-
  • Provision of timed interrupt driven system management tasks such as checking Smartcard insertion and power control. This is done to avoid continuous polling by the application level firmware. Flow control of multiple tasks.
  • This level of the firmware implements services that can be considered processor independent.
  • Smartcard Manager 71 High level management of Smartcard features is provided by a specific firmware module referred to as the Smartcard Manager 71.
  • The Smartcard Manager 71 provides for:
  • GetISO issues the ISO command header and waits for data to be read from the Smartcard.
  • SendISO issues the ISO command header with additional data if required.
  • The Smartcard Manager module 71 uses the services provided by the Smartcard Interface driver 41 and the Asynchronous Communication driver 37.
  • The Smartcard Manager 71 invokes a routine which selects one of the card specific subroutines for communicating with the particular Smartcard, using the command codes, data format and transfer protocol specific to that Smartcard. As these vary between different types and makes of Smartcard, the initial routine needs to identify the particular Smartcard before it can select the appropriate subroutine. This routine is described in more detail later.
  • An ISO pass through mode is supported. In this mode the device becomes a transparent serial link between an external terminal and a Smartcard.
  • the command message header is shown below.
  • Files of the same type are clustered under a directory.
  • A complex system of secret codes and access control management provides a high level of security for stored data and PMs.
  • The last three services are meant to be used by the Operating System 53 to load a PM from this Smartcard. Writing data and all other Smartcard functions can be accessed with the ISO Pass Through service. PM programmers are encouraged to use the ISO Pass Through service exclusively.
  • Data and PMs are stored in files.
  • Opening a file (specified by number 1-255).
  • The last two services are meant to be used by the Operating System 53 to load a PM from this Smartcard. Writing data and all other Smartcard functions can be accessed with the ISO Pass Through service. PM programmers are encouraged to use the ISO Pass Through service exclusively.
  • Dumb card consisting mainly of EEPROM with an I2C synchronous protocol.
  • A multi-byte read sequence starting at a specified byte address.
  • A multi-byte write sequence starting at a specified byte address.
  • The User Interface is provided by a specific firmware module 73 which uses the LCD and keypad drivers 32 and 39 respectively to provide an interface consisting of:-
  • The keypad driver 39 returns a key entry as a scan code, which is a representation of the row and column of that key. This needs to be converted to an output code for display. Conversions are performed through a look up table of scan codes against output codes. In CCITT mode (see Data Entry, Mode and Editing Control), output codes also depend on the number of times a scan code has been successively read by the driver. For example, pressing the same key twice causes the second layer of the output code table to be used for the scan code to key output code conversion. To select one of these multi-layered output codes, the period key 47 is pressed. This is known as the "current alphanumeric accept" key in CCITT mode.
  • The first layer of the key output code table is located in the EEPROM 31b so that customised key output codes can be loaded.
  • The next three layers required for a CCITT keypad are stored in the ROM 31a. These CCITT codes consist of the numerals zero to nine, the alphabetic characters and two control characters ('#' and '*'). The device does not support the two control characters.
  • PMs can be written to read these scan codes and/or output codes and take any arbitrary action based on them.
  • The user can enter data in one of three modes, namely:
  • PIN entry mode - this causes each (numeric) keypress to be echoed on the screen as an asterisk. Only numeric keys and the E(nter) key 48 are accepted, as indicated by a beep from the beeper 17. Other keys are ignored.
  • The prompt string appears on the left hand side of the display 15 and the input field is concatenated to the prompt string.
  • A blinking cursor is activated on the leftmost character position of the input field.
  • A blank space is automatically inserted between the prompt and the input field.
  • A maximum field width (in characters) needs to be specified. Numeric only, alphanumeric or PIN entry mode can be specified for the entry field.
  • Entering a character causes the character to be displayed at that position and the cursor to move one position to the right. In the last position the character is displayed without moving the cursor, and any further valid character entered replaces it.
  • The left arrow key 49a functions as a backspace key. This moves the cursor back one LCD location and deletes that character. However, if the cursor is at the last position in the entry field, it deletes the character at that position and remains there. For backspace to work, the cursor must be placed at the end of the input string entered up to that point. If the enter key 48 is pressed, the routine returns with a USER_DATA flag. The data entered by the user is contained in the buffer supplied to it: a string of zero or more ASCII characters terminated by the NULL (0h) character.
  • The data entry function can be modified by a NO_DISPLAY flag to display an asterisk for each character entered. No cursor control is available and the entry mode is strictly numeric only.
  • The menu routine is invoked to enable a user to operate the main menu 51.
  • The menu responds to the following keystrokes:-
  • The left arrow key 49a - this causes the menu item previous to the current one to be displayed. If the first (zero) item is displayed when the key is pressed, the selection rolls over to the last item.
  • The right arrow key 49b - this has the reverse effect of the left arrow key 49a. It causes a rollover to the first item when the current item is the last one.
  • The cancel key 50 - this causes the menu routine to terminate and return with a NO_KEY flag.
  • The enter key 48 - this causes the menu routine to return with the index of the current menu item.
  • The menu handling utilities are also accessible by a PM.
  • A PM can load items into the device for menu options, or use items held in permanent storage (i.e. in ROM).
  • The menu routine allows a high level method of handling menu interaction with the user.
  • A list handler is specified to provide a high level method of browsing through a list of items and the fields in a list item.
  • A field can be selected for editing.
  • The editing functions are identical to those for data entry.
  • The list handling routines are available to a PM. Each item can have up to four alphanumeric fields.
  • Enter key 48 - if the Enter key 48 is pressed at this point, the handler returns the current item number. Additionally, a FIELD_CHANGED code is returned if at least one field has been updated; otherwise a FIELD_OLD code is returned.
  • Cancel key 50 - if the Cancel key 50 is pressed, the handler returns a NO_ITEM code.
  • Edit key 47 (which takes over the function of the period key in list mode) - if this key is pressed, the current item is selected and its fields can be scanned. The right and left arrow keys cause the next or previous field to be displayed.
  • Pressing the Enter key 48 on a field causes the field to become editable.
  • A blinking cursor at the last character position of the field is displayed.
  • Pressing the Cancel key 50 exits field editing mode and allows the fields of the item to be scanned again.
  • Cryptographic utilities, an IPIN and a system password.
  • The EEPROM is divided into the following areas.
  • System Information area. This contains:- A one byte Retry Counter for IPIN locking/unlocking. The maximum count is four consecutive unsuccessful IPIN presentations.
  • A twelve byte allocation table as shown in Table 2. Each four byte entry contains control information for a PM stored in the EEPROM 31b.
  • The low nine bits of the first word encode the size of the PM data area in the EEPROM. Bit 9, when cleared (0), gives this PM access to the User Data area.
  • The low nine bits of the second word encode the size of the PM code area. A correct IPIN presentation is required to run this PM if bit 9 is cleared.
  • IPIN. Two byte storage for a four digit PIN. The first digit entered is stored at the lowest address (B60Dh).
  • IPIN toggle and Option byte. Starts at B60Fh.
  • The User Data area is defined to exist if bit 7 of this byte is cleared (0).
  • Bits 0 to 2, when cleared, specify IPIN protection for the "Tone Dialler", "Smartcard Terminal" and "Execute PM from Smartcard" items of the Main System Menu.
  • Cipher Key area. This contains four sets of cipher keys, namely key 0 to key 3. Each key is eight bytes long. Cipher key 0 is located at address B618h.
  • User Data area. This consists of 140 bytes of user defined data.
  • Function Parameters area Contains modifiable parameters that determine the behaviour of PM instructions.
  • Inter character timeout indicator for serial communication reception. This contains a multiplication factor for the shortest character time (at 19.2 kbaud). This minimum delay is arbitrarily set to 5/19.2 milliseconds (or a 5 character delay).
  • Inter byte timeout, in multiples of 10 milliseconds, for reception from an Asynchronous Smartcard. This is required when receiving the answer to reset and in the ISO pass through mode.
  • Power Down timer. Set in multiples of one second.
  • Inactivity timeout. Set in multiples of 100 milliseconds.
  • DTMF interdigit pause between transmission tones. Set in multiples of 50 milliseconds.
  • DTMF tone duration. Additional tone duration on top of the basic period of 50 milliseconds. The resolution is 5 milliseconds and the maximum duration is limited to 70 milliseconds.
  • Baud Rate This is the bit pattern for the BAUD register of the microcomputer. Baud rates supported are 1200, 2400, 4800, 9600 and 19200.
  • Issuer ID Four byte code that identifies the device EEPROM map issuer.
  • Device ID Four byte serial number for each unit. An eight digit number can be encoded.
  • EEPROM Map Checksum area Contains the 16 bit addition of the previous 510 bytes of EEPROM data. Read and verified by the OS before activating the interpreter and on power up. If an error is detected, no PM can be run. Only the loader can be activated.
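The system area layout and the checksum listed above, decoded in code. This is an added example and not firmware from the patent. It assumes a map base address of 0xB600 (so that B60Dh, B60Fh and B618h become offsets 0x0D, 0x0F and 0x18, with the retry counter at offset 0 and the allocation table immediately after it), big-endian word order, BCD packing of the IPIN, and one option-byte bit per menu item in the order the text lists them; the map bytes are constructed. It also shows a property of a 16-bit additive checksum worth keeping in mind when relying on the power-up check: two swapped bytes leave the sum unchanged, so the check catches corruption but is not evidence against deliberate modification.

```python
"""Decode the EEPROM system area and verify its 16-bit additive checksum.

Added example, not firmware from the patent. Layout offsets (base 0xB600),
big-endian words, BCD IPIN packing and the option-byte bit order are
assumptions; sizes, bit 9 semantics and the 510-byte checksum coverage
are from the text. The map bytes built below are constructed sample data.
"""
import struct

MAP_DATA_LEN = 510                  # bytes covered by the checksum
RETRY_OFF, TABLE_OFF, IPIN_OFF, OPTION_OFF, KEY_OFF = 0x00, 0x01, 0x0D, 0x0F, 0x18


def decode_alloc_entry(entry: bytes) -> dict:
    """Split one 4-byte allocation table entry into the fields the text defines."""
    data_word, code_word = struct.unpack(">HH", entry)
    return {
        "data_size": data_word & 0x1FF,                 # low nine bits
        "user_data_access": not (data_word & 0x200),    # bit 9 cleared => allowed
        "code_size": code_word & 0x1FF,
        "ipin_required": not (code_word & 0x200),       # bit 9 cleared => IPIN needed
    }


def decode_option_byte(opt: int) -> dict:
    """Bit 7 cleared => User Data area exists; bits 0..2 cleared => IPIN
    protection for the three main menu items (one bit per item, assumed order)."""
    items = ("Tone Dialler", "Smartcard Terminal", "Execute PM from Smartcard")
    return {
        "user_data_area": not (opt & 0x80),
        "ipin_protected": {name: not ((opt >> i) & 1) for i, name in enumerate(items)},
    }


def checksum16(data: bytes) -> int:
    """16-bit addition of the map bytes; carries beyond 16 bits are dropped."""
    return sum(data) & 0xFFFF


def verify_map(eeprom: bytes) -> bool:
    """What the OS does on power up: recompute the sum and compare with the stored one."""
    (stored,) = struct.unpack_from(">H", eeprom, MAP_DATA_LEN)
    return checksum16(eeprom[:MAP_DATA_LEN]) == stored


def build_sample_map() -> bytes:
    """Constructed 512-byte map: erased (0xFF) EEPROM with a few areas filled in."""
    m = bytearray(b"\xFF" * (MAP_DATA_LEN + 2))
    m[RETRY_OFF] = 0
    m[TABLE_OFF:TABLE_OFF + 12] = (
        struct.pack(">HH", 0x0080, 0x0100)    # PM1: 128 data bytes, user data ok, 256 code bytes, IPIN needed
        + struct.pack(">HH", 0x0240, 0x03FF)  # PM2: 64 data bytes, no user data, 511 code bytes, no IPIN
        + struct.pack(">HH", 0x0000, 0x0000)  # PM3: unused
    )
    m[IPIN_OFF:IPIN_OFF + 2] = bytes([0x12, 0x34])   # IPIN 1234, first digit at the lowest address
    m[OPTION_OFF] = 0x00                             # user data area present, all three items IPIN protected
    m[KEY_OFF:KEY_OFF + 32] = bytes(range(32))       # cipher keys 0..3 (sample values)
    struct.pack_into(">H", m, MAP_DATA_LEN, checksum16(m[:MAP_DATA_LEN]))
    return bytes(m)


def swap_bytes(eeprom: bytes, i: int, j: int) -> bytes:
    """Exchange two bytes: an additive checksum cannot see this."""
    m = bytearray(eeprom)
    m[i], m[j] = m[j], m[i]
    return bytes(m)


def flip_option_bit7(eeprom: bytes) -> bytes:
    """Single-bit change in the option byte: the checksum does catch this."""
    m = bytearray(eeprom)
    m[OPTION_OFF] ^= 0x80
    return bytes(m)
```

Run `build_sample_map()` and feed the result to `verify_map`, `decode_alloc_entry` and `decode_option_byte`; `swap_bytes` on two key bytes still verifies, which is the point of the last two helpers.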
  • The microcomputer RAM 32 is partitioned into areas for the firmware, PM volatile data areas and intermediate storage for cryptographic functions. These memory address partitions allow the interpreter to easily check for invalid access to the cryptographic processing area at runtime.
  • Configuration parameters can be set by specific commands:
  • IPIN protection for individual main menu items.
  • Power down timer. This determines the maximum delay from when the power off button is pressed to when the unit actually shuts down, allowing an active process time to conclude gracefully.
  • The rate can be changed by a PM.
  • the device can accept up to three PM programs, each with a separate data component. There can also be a common data area available to all PMs.
  • a System Loader is provided in the firmware to support these commands.
  • The System Loader is responsible for processing loading commands sent by an external device (usually a personal computer), and so avoids the need to use the native instructions of the microcomputer for loading purposes. Furthermore, it prevents program code written in native instructions from being executed, which would otherwise have the ability to access the entire memory range of the microcomputer.
  • In order to initiate loading, an Activate Loader command must be sent to the device after power has been applied and prior to any other action being performed.
  • The Activate Loader command puts the device into the System Loader state. In this state the unit is controlled by loader commands; access to the normal device functions is not possible until the unit is re-powered.
  • The initial Activate Loader command checks the integrity of the EEPROM and erases either all of the EEPROM, if the lower checksum verification failed, or the main area of the EEPROM (i.e. the area above the lower checksum), if the main checksum verification failed.
  • The Activate Loader command may be resent at any time to determine the current loader status.
  • A Sign-On with a correct password is required before the device will permit any loading operation, except for Cipher Key Reload (which requires a Terminal Sign-On).
  • The device self-secures, requiring an initialisation load to be performed.
  • A correct password presentation resets the password retry counter.
  • A successful Sign-On resets the IPIN retry counter, so it unlocks a locked device.
  • Performing a Sign-On starts a loader session.
  • The session is terminated with a Sign-Off command.
  • Initialisation clears all EEPROM contents and programs the entire EEPROM space. It is required on a virgin unit or one that has self-secured. All data stored in EEPROM can be set as required, including the password, cipher keys, ID values, configuration and PMs.
  • An update load clears and programs all EEPROM space except the system area, which contains the password, cipher keys, Device ID, User ID and key output table.
  • The load covers the configuration parameters and PMs and their associated data (if required). In practice, PM data would probably be left at all 0xFF for this load, with only the PMs being loaded.
  • the password can be changed during a loader session.
  • A Terminal Sign-On involves presentation of a random value sent both in the clear and encrypted under cipher key 0 (the Cipher Reload key). If this validates successfully, Key Load operations can be performed.
  • Cipher keys 0 to 3 can be loaded at any time after a successful Terminal Sign-On. However, the Cipher Reload key (0) can only be changed once from its erased (all 0xFF) value.
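The Terminal Sign-On and key reload rules of the two bullets above, as a two-party exchange. This is an added example, not the patent's code. From the text: the terminal presents a random value in the clear together with the same value encrypted under cipher key 0, the device validates it, key loads are then permitted, and key 0 can be changed only once from its erased all-0xFF value. One technique is swapped in and named as such: the 8-byte DES block is replaced by an HMAC-SHA256 tag from the Python standard library so the example runs without a DES implementation; the message shape and the check are otherwise the same. Because the terminal rather than the device chooses the random value, the device here additionally refuses a value it has already accepted; the text does not describe that check, and everything else below (class names, the sign-off behaviour) is an assumption.

```python
"""Terminal Sign-On challenge and cipher key reload rules.

Added example, not the patent's code. DES is replaced by HMAC-SHA256 (a
swapped-in stand-in); key length, key indices and the all-0xFF erased
value are from the text; the replay check and the class layout are added.
"""
import hashlib
import hmac
import os

KEY_LEN = 8                              # each cipher key is eight bytes
ERASED_KEY = b"\xFF" * KEY_LEN           # erased EEPROM reads as all 0xFF
NUM_KEYS = 4


def keyed_tag(key: bytes, value: bytes) -> bytes:
    """Stand-in for DES-encrypting the 8-byte random value under key."""
    return hmac.new(key, value, hashlib.sha256).digest()


class Device:
    def __init__(self) -> None:
        self.keys = [ERASED_KEY] * NUM_KEYS     # virgin unit: every key erased
        self.terminal_signed_on = False
        self._accepted = set()                  # random values already used (added check)

    def terminal_sign_on(self, clear: bytes, tagged: bytes) -> bool:
        """Validate (clear, tagged) against cipher key 0, the Cipher Reload key."""
        expected = keyed_tag(self.keys[0], clear)
        ok = hmac.compare_digest(expected, tagged) and clear not in self._accepted
        if ok:
            self._accepted.add(clear)
            self.terminal_signed_on = True
        return ok

    def load_key(self, index: int, key: bytes) -> bool:
        """Key Load: only after a Terminal Sign-On; key 0 only while still erased."""
        if not 0 <= index < NUM_KEYS or len(key) != KEY_LEN:
            raise ValueError("bad key index or length")
        if not self.terminal_signed_on:
            return False
        if index == 0 and self.keys[0] != ERASED_KEY:
            return False                        # Cipher Reload key changeable once only
        self.keys[index] = key
        return True

    def sign_off(self) -> None:
        self.terminal_signed_on = False


class Terminal:
    """The PC side: knows key 0 and builds the sign-on message."""

    def __init__(self, key0: bytes) -> None:
        self.key0 = key0

    def sign_on_message(self) -> tuple:
        r = os.urandom(KEY_LEN)                 # random value, sent in the clear
        return r, keyed_tag(self.key0, r)


def provision(device: Device, new_key0: bytes) -> bool:
    """First-time key load: sign on with the erased key 0, then set it once."""
    t = Terminal(ERASED_KEY)
    if not device.terminal_sign_on(*t.sign_on_message()):
        return False
    return device.load_key(0, new_key0)
```

Note what follows from the once-only rule: until `provision` has run, the sign-on succeeds with the erased key, so a virgin unit should be provisioned before it leaves a trusted environment.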
  • a separate PC program is used for Smartcard loading. This loader correctly formats a Smartcard, depending on its type, then loads one or more PMs to it in a defined format that can be read by the device.
  • a device can be set to Smartcard terminal mode and connected directly to a PC running the loading program.
  • the PC sends ISO commands to carry out the loading; these are passed through to the Smartcard.
  • the IPIN controls access to services provided on the main menu of the device. Certain items on the main menu can optionally be protected by the IPIN, meaning that the item will not be useable until a valid IPIN is entered. Additionally, the "Change IPIN" item is always protected by the current IPIN, meaning that the current IPIN must always be entered first, before the IPIN can be changed.
  • A retry counter is associated with the IPIN. It keeps a count of the number of consecutive incorrect IPIN presentations. When the count reaches four, IPIN protected services are locked out. To recover from this, the password needs to be correctly presented to the device and a "Reset PIN Retry Count" command issued. The retry counter is always cleared on a correct IPIN presentation.
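The IPIN retry logic of the preceding bullets, worked through in code. This is an added example, not the patent's firmware. The four-attempt limit, clearing on a correct presentation, the always-protected "Change IPIN" operation and unlocking through a password Sign-On followed by "Reset PIN Retry Count" are from the text; the EEPROM model (retry counter at offset 0x00, IPIN at 0x0D..0x0E under an assumed 0xB600 base, BCD packing), the password handling and the function names are assumptions. One added precaution the text does not mention: the counter is committed before the comparison, so removing power during the check still costs an attempt.

```python
"""IPIN presentation with a persistent retry counter.

Added example, not the patent's firmware. Offsets, BCD packing and the
LoaderSession class are assumptions; the limit of four, clearing on a
correct presentation and the reset command are from the text.
"""
import hmac

MAX_IPIN_RETRIES = 4
RETRY_OFF, IPIN_OFF = 0x00, 0x0D


class IPINLocked(Exception):
    """Raised once four consecutive incorrect presentations have been counted."""


def pack_ipin(digits: str) -> bytes:
    """Four decimal digits to two BCD bytes, first digit at the lowest address."""
    if len(digits) != 4 or not digits.isdigit():
        raise ValueError("IPIN must be exactly four digits")
    d = [int(c) for c in digits]
    return bytes([d[0] << 4 | d[1], d[2] << 4 | d[3]])


def read_ipin(eeprom: bytearray, entered: str) -> bool:
    """ReadIPIN: compare the entered digits with the stored IPIN."""
    if eeprom[RETRY_OFF] >= MAX_IPIN_RETRIES:
        raise IPINLocked("IPIN protected services are locked out")
    eeprom[RETRY_OFF] += 1                                   # count the attempt first
    stored = bytes(eeprom[IPIN_OFF:IPIN_OFF + 2])
    if hmac.compare_digest(pack_ipin(entered), stored):      # constant-time compare
        eeprom[RETRY_OFF] = 0                                # correct presentation clears the counter
        return True
    return False


def change_ipin(eeprom: bytearray, current: str, new: str) -> bool:
    """"Change IPIN" is always protected by the current IPIN."""
    if not read_ipin(eeprom, current):
        return False
    eeprom[IPIN_OFF:IPIN_OFF + 2] = pack_ipin(new)
    return True


class LoaderSession:
    """Password Sign-On from the loader; only a signed-on session may reset the counter."""

    def __init__(self, eeprom: bytearray, password: bytes) -> None:
        self.eeprom = eeprom
        self._password = password        # held in the system area on the real device
        self.password_retries = 0
        self.signed_on = False

    def sign_on(self, presented: bytes) -> bool:
        if hmac.compare_digest(presented, self._password):
            self.password_retries = 0    # a correct password resets its own retry counter
            self.signed_on = True
            return True
        self.password_retries += 1
        return False

    def reset_pin_retry_count(self) -> bool:
        """The "Reset PIN Retry Count" command; refused outside a session."""
        if not self.signed_on:
            return False
        self.eeprom[RETRY_OFF] = 0
        return True


def sample_eeprom(ipin: str = "1234") -> bytearray:
    """Constructed system area: counter cleared, IPIN stored at 0x0D..0x0E."""
    e = bytearray(b"\xFF" * 32)
    e[RETRY_OFF] = 0
    e[IPIN_OFF:IPIN_OFF + 2] = pack_ipin(ipin)
    return e
```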
  • The IPIN Toggle and Option byte is kept in the EEPROM image and can only be updated through an initialisation load as previously described.
  • The interpreter implements two main categories of PM instructions, namely:
  • General purpose - These are instructions that allow arithmetic and logical operations on unformatted one and two byte user defined data areas. In addition, some of these allow flow control of the PM, including jump and subroutine call instructions. General purpose instructions are similar in syntax and semantics to those provided by the microcomputer 29.
  • Special purpose - These are related to specific features of the device. Included are instructions to access hardware functions such as DTMF dialling and serial communications. Generally, these instructions are tied to corresponding firmware functions in both the application and device driver layers.
  • The interpreter is implemented as a virtual machine that resides on top of the microcomputer 29. It is similar to the microcomputer core in that it has its own registers and instruction set. The instruction set provided by the interpreter is described in detail later.
  • The security of the device is enhanced by executing a PM through the interpreter. The interpreter prohibits access to secure memory areas by PMs by observing the memory access control rules described in more detail later. It also prevents program code written in native instructions from being executed by the microcomputer, which would otherwise have the ability to access the entire memory range of the microcomputer.
  • The PML consists of an instruction set allowing a PM application to be tailored for individual cases. This is an interpreted instruction set.
  • This virtual machine consists of:
  • An instruction address counter, also known as the program counter (PC).
  • A return address register stack to implement pseudo functions (functions without inbuilt parameter passing or local (stack) variables).
  • A status register recording a zero, positive/negative or overflowed result of the latest arithmetic or logical operation.
  • A register set that is a subset of the microcomputer's.
  • PML instructions are executed sequentially until a function call is made or a new address is loaded, e.g. when a JMP instruction is executed. Parameter passing is via memory locations defined by the user in the global area.
  • the instruction set consists of special function instructions and general purpose instructions. These are listed in the following sections.
  • InitSerial(baud, type) Initialise serial UART with the specified baud rate.
  • Parameter type specifies if a byte by byte or message packet data encoding is used.
  • GetSerial(data, num) - Returns number of bytes read and stored in data. Parameter num specifies the maximum to be read. An inter character timeout is associated with this instruction so that it does not wait forever.
  • AddPhrase(address, index) - Adds a string in the phrase book (via index) to a string at address. If this address does not contain a string, it must at least hold the NULL character (0 hex)
  • SendDTMF(data,num) As for SendSerial but for DTMF port.
  • RunMenu(menuHeader) Controls menu interaction with the user. Returns with the menu item number if a valid selection has been made. Otherwise, a NO_KEY token is returned.
  • startFlag is zero.
  • GetISO(startFlag, Ins, P1, P2, length, data) - Read from Smartcard with ISO protocol. Ins defines the operation to be performed by the Smartcard. Data bytes of length zero or more can be attached.
  • Encrypt(data, result, cipherKey) - DES encrypt eight bytes of data and store in result.
  • cipherKey is an index to the selected key in the cipher key table.
  • Decrypt(data, result, cipherKey) - DES decrypt instruction.
  • EncryptCBC(data, result, cipherKey) - Cipher Block Chaining (CBC) encryption. Eight bytes of plain text pointed to by data are chain encrypted with cipherKey. Note that the result is returned on every completion of this routine.
  • The initial chaining vector is set by SetCV.
  • ReadIPIN - Reads a PIN of 4 digits from the keypad and compares it with the IPIN. Returns TRUE or FALSE.
  • SCBitRead(bitAddress, numBits, buffer) - Read a specified number of bits starting at the specified address. Only for the GPM 896-Y Smartcard (trade mark).
  • SCBitWrite(bitAddress, numBits) - Write a specified number of zero bits starting at the specified address. Only for the GPM 896-Y Smartcard (trade mark).
  • SCBitErase(bitAddress) - Writes a one at the specified bit address. The result depends on the area the one is written to. Only for the GPM 896-Y Smartcard (trade mark).
  • EraseAppl(esc, areaNum) - Erase the area specified by the Erase Secret Code and area number. Only for the GPM 896-Y Smartcard (trade mark).
  • ReadBytesEE(start, num, data) - Requires a start address, the number of bytes and a pointer to a data buffer.
  • ME2_OpenFile(name) - name is a byte value, excluding 0 and 255, which uniquely identifies a file on the ME2000. Only the "ordinary" file type is supported.
  • M16_ReadFile(fileNum, offsetInFile, numBytes, buffer) - Reads numBytes of data from file fileNum starting at offset offsetInFile into a buffer. This operation is defined only for files with plain access modes; it will not work for files requiring ciphered access.
  • label - defines a label at the address of an instruction.
  • Jsr label - gives control to the function code starting at the address indicated by label. The return address is saved on the stack.
  • A PM constant identifier defines the PM, i.e. PM1, PM2, PM3 or PM SMC for a PM in a Smartcard.
  • Add[A or B or D] mem - Adds two 8 bit values if the A or B register is specified; otherwise a 16 bit add is performed.
  • One operand is the implicitly specified register and the other is the "mem" memory location. The result is stored in the A, B or D register. Sets the overflow flag in the status register, seen as a carry.
  • Cmp[A or B] mem - compares the register with "mem". Sets the zero flag if the result is zero. Sets the positive flag if the register value is greater than mem; otherwise clears the positive flag.
  • A simple memory allocation is defined for PML application variables and non-volatile storage.
  • The RAM area is divided into a system area used for internal data manipulation and a user area which is directly available to PML applications.
  • A user EEPROM area is defined for each PM.
  • Memory address range checking is used at runtime to trap accesses outside these two areas whenever a memory location is written to or read from by a PM.
  • Data transfer uses immediate or extended addressing.
  • LDA[A or B] immd or address - Loads a value into the A or B register. Parameter immd is an immediate value, a number preceded by "#". Alternatively a sixteen bit address is specified, which loads the eight or sixteen bit value at that address into the referred register.
  • STA[A or B] address - Stores an eight or sixteen bit value from a register to the specified address.
  • LDD immd or address - Loads a value into the D register. Parameter immd is an immediate value, a number preceded by "#". Alternatively a sixteen bit address is specified, which loads the eight or sixteen bit value at that address into the referred register.
  • STD address - Stores an eight or sixteen bit value from the D register to the specified address.
  • LDX immd or address - Loads a value into the IX register. Parameter immd is an immediate value, a number preceded by "#". Alternatively a sixteen bit address is specified, which loads the eight or sixteen bit value at that address into the referred register.
  • STX address - Stores an eight or sixteen bit value from the IX register to the specified address.
  • LDY immd or address - Loads a value into the IY register. Parameter immd is an immediate value, a number preceded by "#". Alternatively a sixteen bit address is specified, which loads the eight or sixteen bit value at that address into the referred register.
  • STY address - Stores an eight or sixteen bit value from the IY register to the specified address.
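The memory range checking, the status flags of Add and Cmp, and the load/store, jump and subroutine instructions described above, put together as a small virtual machine. This is an added example, not the patent's interpreter. Assumptions, none of which the text fixes: the address layout (0x0000-0x00FF is the system and cryptographic area a PM may never touch, 0x0100-0x01FF is the PM's RAM, 0x0200-0x02FF its EEPROM data area), programs given as Python tuples instead of bytecode, a D register held independently of A and B, and a conditional jump named JEQ (taken when the zero flag is set) standing in for the unnamed conditional jumps of the general purpose group. The sample programs are constructed. The point to take from the check is that it is applied per byte of each access, so a 16-bit load whose second byte crosses out of the PM's areas is refused even though its first address is legal.

```python
"""A PML-style virtual machine with runtime address range checking.

Added example, not the patent's interpreter. Memory layout, tuple program
format, an independent D register and the JEQ instruction are assumptions.
"""
USER_RAM = range(0x0100, 0x0200)
USER_EEPROM = range(0x0200, 0x0300)
MEM_SIZE = 0x0300


class AccessViolation(Exception):
    """A PM touched an address outside its RAM and EEPROM areas."""


class PMLVM:
    def __init__(self, program):
        self.prog = program
        self.labels = {ins[1]: i for i, ins in enumerate(program) if ins[0] == "label"}
        self.mem = bytearray(MEM_SIZE)
        self.reg = {"A": 0, "B": 0, "D": 0, "X": 0}          # A, B 8-bit; D, IX 16-bit
        self.flags = {"Z": False, "P": False, "V": False}
        self.ret_stack = []                                   # return addresses for Jsr/RTS
        self.pc = 0

    def _check(self, addr, width):
        """Range check every byte of the access, not only its first address."""
        for a in range(addr, addr + width):
            if a not in USER_RAM and a not in USER_EEPROM:
                raise AccessViolation(f"PM access to {a:#06x} refused")

    def load(self, addr, width):
        self._check(addr, width)
        return int.from_bytes(self.mem[addr:addr + width], "big")

    def store(self, addr, value, width):
        self._check(addr, width)
        self.mem[addr:addr + width] = value.to_bytes(width, "big")

    def operand(self, op, width):
        """("#", n) is immediate data; a bare int is an extended 16-bit address."""
        if isinstance(op, tuple) and op[0] == "#":
            return op[1] & ((1 << (8 * width)) - 1)
        return self.load(op, width)

    def step(self):
        name, *args = self.prog[self.pc]
        self.pc += 1
        if name == "label":
            return True
        if name == "EXIT":
            return False
        if name == "JMP" or (name == "JEQ" and self.flags["Z"]):
            self.pc = self.labels[args[0]]
        elif name == "JEQ":
            pass                                              # zero flag clear: fall through
        elif name == "JSR":
            self.ret_stack.append(self.pc)
            self.pc = self.labels[args[0]]
        elif name == "RTS":
            self.pc = self.ret_stack.pop()
        else:
            r = name[-1]                                      # LDAA/ADDA -> A, LDD -> D, STX -> X
            w = 2 if r in ("D", "X") else 1
            mask = (1 << (8 * w)) - 1
            if name.startswith("LD"):
                self.reg[r] = self.operand(args[0], w)
            elif name.startswith("ST"):
                self.store(args[0], self.reg[r], w)
            elif name.startswith("ADD"):
                total = self.reg[r] + self.load(args[0], w)
                self.flags["V"] = total > mask                # overflow seen as a carry
                self.reg[r] = total & mask
                self.flags["Z"] = self.reg[r] == 0
            elif name.startswith("CMP"):
                m = self.load(args[0], w)
                self.flags["Z"] = self.reg[r] == m
                self.flags["P"] = self.reg[r] > m
            else:
                raise ValueError(f"unknown instruction {name}")
        return True

    def run(self, max_steps=10_000):
        for _ in range(max_steps):
            if not self.step():
                return self
        raise RuntimeError("step limit reached")


def run_program(program, data):
    """Place constructed data in the PM's EEPROM area (bypassing the PM check), then run."""
    vm = PMLVM(program)
    for addr, value in data.items():
        vm.mem[addr] = value
    return vm.run()


# Constructed sample: add two bytes from the PM's EEPROM area, store the 8-bit sum
# in PM RAM through a subroutine, then record whether it equals a third byte.
SUM_PROGRAM = [
    ("LDAA", 0x0200), ("ADDA", 0x0201), ("JSR", "store_result"),
    ("CMPA", 0x0202), ("JEQ", "same"),
    ("LDAB", ("#", 0)), ("JMP", "done"),
    ("label", "same"), ("LDAB", ("#", 1)),
    ("label", "done"), ("STAB", 0x0101), ("EXIT",),
    ("label", "store_result"), ("STAA", 0x0100), ("RTS",),
]

# Constructed rogue PM: a 16-bit load at the last EEPROM byte; its second byte
# (0x0300) lies outside the PM's areas, so the width-aware check refuses it.
ROGUE_PROGRAM = [("LDX", 0x02FF), ("EXIT",)]
```

`run_program(SUM_PROGRAM, {0x0200: 200, 0x0201: 100, 0x0202: 44})` leaves 44 at 0x0100 with the overflow flag set and 1 at 0x0101; `run_program(ROGUE_PROGRAM, {})` raises `AccessViolation`, as does any PM that names an address in the system area directly.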
  • The header identifier is arbitrarily chosen to be C4D7 hexadecimal.
  • The option byte specifies options such as whether an IPIN is required and whether the code has access rights to the User Data Area in the EEPROM 31b.
  • The CRC is CRC-CCITT and is calculated on the file area starting at the end of the header and extending to the end of the PM code.
  • A PM has to be loaded from its storage area into an execution buffer in the RAM 32 before it can be run. For internal PMs this is performed by the Operating System. External PMs on Smartcards require:-
  • This interface PM can call another PM. Usually this is done through a menu set up by the interface PM. It is important that when the last PM in the chain terminates, it calls the ExitPM command to return to the System Main Menu. To ensure that the interface PM is valid, a header preceding it is used for verification. Additionally, the CRC attached as the last two bytes of a PM "file" is used to verify its validity before it is run by the Operating System.
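The PM file check of the bullets above (header identifier, option byte, CRC over the code area) in code. This is an added example, not the patent's loader. From the text: the identifier C4D7h, an option byte carrying the IPIN and User Data access options, and a CRC-CCITT computed from the end of the header to the end of the PM code and stored in the last two bytes. Assumed: the header is exactly the two identifier bytes followed by the option byte, big-endian byte order, CRC-CCITT meaning the 0x1021 polynomial with initial value 0xFFFF and no bit reflection, and option bits 0 (IPIN required) and 1 (User Data access), since the text gives no bit positions. The sample code bytes are constructed. One consequence of the coverage as described is worth checking for: the CRC starts after the header, so a changed option byte passes the check; the test shows that, and a loader that cares would start the CRC at offset 0.

```python
"""Validate a PM "file": header identifier, option byte, trailing CRC-CCITT.

Added example, not the patent's loader. Header layout, CRC parameters and
option bit positions are assumptions; the identifier value and the CRC
coverage (end of header to end of code) are from the text.
"""
HEADER_ID = 0xC4D7
HEADER_LEN = 3
OPT_IPIN, OPT_USER_DATA = 0x01, 0x02


def crc_ccitt(data: bytes, crc: int = 0xFFFF) -> int:
    """Bitwise CRC-16, polynomial x^16 + x^12 + x^5 + 1, initial value 0xFFFF."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_pm_file(code: bytes, ipin_required: bool, user_data_access: bool) -> bytes:
    """What the PC loader would emit: header, code, then the CRC over the code area."""
    opt = (OPT_IPIN if ipin_required else 0) | (OPT_USER_DATA if user_data_access else 0)
    body = HEADER_ID.to_bytes(2, "big") + bytes([opt]) + code
    return body + crc_ccitt(body[HEADER_LEN:]).to_bytes(2, "big")


def verify_pm_file(blob: bytes) -> tuple:
    """Return (options, code) for a valid file; raise ValueError otherwise."""
    if len(blob) < HEADER_LEN + 2:
        raise ValueError("PM file too short")
    if int.from_bytes(blob[:2], "big") != HEADER_ID:
        raise ValueError("bad header identifier")
    stored = int.from_bytes(blob[-2:], "big")
    if crc_ccitt(blob[HEADER_LEN:-2]) != stored:
        raise ValueError("CRC mismatch: PM must not be run")
    opt = blob[2]
    options = {"ipin_required": bool(opt & OPT_IPIN),
               "user_data_access": bool(opt & OPT_USER_DATA)}
    return options, blob[HEADER_LEN:-2]


def corrupt(blob: bytes, offset: int) -> bytes:
    """Flip one bit at offset, to exercise the checks on a damaged file."""
    m = bytearray(blob)
    m[offset] ^= 0x01
    return bytes(m)


SAMPLE_CODE = b"\x01\x02\x03\x04 sample PM code bytes"   # constructed placeholder
```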
  • PMs will only be supported on the MCOS16K, ME2000 and the EEK series Smartcards.
  • The location of the boot up PM is not currently defined.
  • Synchronous Smartcards are basically serial memory devices which do not have commands as such. Normally they do not have read/write control attributes, and only some have access control. Hardware driver routines are needed to do the bit by bit accessing of these types of Smartcard.
  • All asynchronous Smartcards have a microprocessor which runs a program that supports storing and retrieving data, usually with some kind of read/write control attributes that are optional and reasonably flexible. Most of these cards have security features that control access to the card and/or specific data areas, and that enable the changing of passwords.
  • A universal asynchronous receiver transmitter (UART) is needed to communicate with the card.
  • Asynchronous cards issue what is known as the "answer to reset" message in response to resetting of the card. It contains basic information about the link level communications encoding and parameters, programming voltage and current, password retry limits, "MASK" number etc.
  • Asynchronous Smartcards have commands to Create, Open, Close, Read and Write storage areas, as well as to present a password or PIN code. Some even have DES (Data Encryption Standard) cryptographic facilities. Furthermore, one model of card has the ability to store a number of "user commands" written in the native code of the microprocessor.
  • The relevant subroutine for establishing communications between the hand held device 11 and the IC Smartcard needs to operate the microcomputer 29 so that it reads some "data" stored on the IC card received within the Smartcard receptor 19, which describes how to treat the Smartcard.
  • This step has to be used in conjunction with methods to identify a card's type and make. It is necessary to identify the make because although international standard ISO 7816-3 specifies the message format, command codes that perform similar functions are not the same between different makes of asynchronous Smartcard. Other differences between makes are the format and presentation of passwords and the protocols for transferring data. Indeed, at present it is believed that there are three different protocols adopted for transferring data between different makes of Smartcard.
  • The routine 81 for establishing communication involves finding out whether the Smartcard is asynchronous at block 83, synchronous at block 85 or mute at block 87.
  • The routine uses the services of the Smartcard Interface driver 41 to enable the Clock contact of the Smartcard and to release the Smartcard from Reset. If the card is asynchronous, the "answer to reset" message is sent out automatically by the card. If no answer is received after about one second, it is assumed that the card is not asynchronous and the program proceeds to test whether the card is synchronous at block 85.
  • The routine uses the Smartcard Interface driver 41 to attempt to read some data from the "configuration file" of the IC card. If recognisable data is read, the card is assumed to be synchronous and is then worked with by reading the entire configuration file, as shown at block 89.
  • For an asynchronous card, the routine needs to proceed with further testing in order to determine whether the make of card falls within the range of card makes supported by the device.
  • The reason for this is that the "answer to reset" message from an asynchronous IC card cannot be used to reliably determine the card make, since it does not include any information about the commands and their parameters for the Smartcard, which is what is needed to differentiate between different makes of Smartcard.
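What the routine actually receives at block 83, parsed. This is an added example, not the patent's firmware; it decodes an answer to reset according to the ISO 7816-3 structure (TS, T0 with the Y1 bit mask and historical byte count, the TA/TB/TC/TD interface byte chain, historical bytes, and a TCK check byte that is present whenever a protocol other than T=0 is offered and XORs the bytes from T0 onward to zero). The sample ATRs are constructed for the test, the longer one following the PC/SC contactless-card layout. Decoding stops at the raw historical bytes, which is the bullet's point: nothing in the ATR names the card's command set, so the make still has to be probed by trying each supported "open interface PM file" command.

```python
"""Parse an ISO 7816-3 answer to reset (ATR).

Added example, not the patent's firmware. Structure per ISO 7816-3;
sample ATRs are constructed test data.
"""


def parse_atr(atr: bytes) -> dict:
    if len(atr) < 2:
        raise ValueError("ATR too short")
    if atr[0] == 0x3B:
        convention = "direct"
    elif atr[0] == 0x3F:
        convention = "inverse"
    else:
        raise ValueError(f"bad TS byte {atr[0]:#04x}")
    t0 = atr[1]
    k, y = t0 & 0x0F, t0 >> 4                     # K historical bytes, Y1 presence bits
    pos, i = 2, 1
    interface, protocols = {}, []
    while True:                                   # walk the TA_i..TD_i groups
        for bit, name in ((0x1, "TA"), (0x2, "TB"), (0x4, "TC"), (0x8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError("ATR truncated in interface bytes")
                interface[f"{name}{i}"] = atr[pos]
                pos += 1
        td = interface.get(f"TD{i}")
        if td is None:
            break
        protocols.append(td & 0x0F)               # low nibble: protocol type T
        y, i = td >> 4, i + 1                     # high nibble: next group's presence bits
    historical = atr[pos:pos + k]
    if len(historical) != k:
        raise ValueError("ATR truncated in historical bytes")
    pos += k
    tck_present = any(p != 0 for p in protocols)  # absent when only T=0 is offered
    tck_ok = None
    if tck_present:
        if pos >= len(atr):
            raise ValueError("TCK missing")
        xor = 0
        for b in atr[1:pos + 1]:                  # T0 through TCK inclusive must XOR to 0
            xor ^= b
        tck_ok = xor == 0
        pos += 1
    return {
        "convention": convention,
        "interface": interface,
        "protocols": protocols or [0],            # no TD1 means T=0 only
        "historical": bytes(historical),          # vendor specific; does not name the make
        "tck_ok": tck_ok,
        "trailing": bytes(atr[pos:]),
    }


# Constructed samples: a T=0/T=1 ATR with 15 historical bytes and a TCK, and a
# minimal T=0 card with two historical bytes and no TCK.
ATR_WITH_TCK = bytes.fromhex("3B8F8001804F0CA000000306030001000000006A")
ATR_T0_ONLY = bytes.fromhex("3B021450")
```

The parser refuses truncated input rather than guessing, which matters at this point in the routine: a partial answer after the one-second window should be treated as a failed ATR, not as a synchronous card.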
  • the interface PM of the Smartcard needs to be accessed which has information about the card commands, access control attributes, storage format, data representation methods, and/or other PMs that will be executed by the device 11.
  • access control means passwords, PIN codes and methods of transferring, changing and reactivating them
  • storage format means file names, file sizes and structures, record sizes and structures and number of records
  • data representation means what each bit or byte or number of bytes represents for a specific application.
  • storage space on IC cards is limited to an average of 2 kilobytes or less, data will usually be stored in a packed, compressed or token like manner and so data is stored differently to how it is actually displayed.
  • Smartcard does not run an application program as such, but principally is a means of storing data. Consequently, the Smartcard itself acts under the control of an external device, in the present case being the hand held device 11, and is a physical half duplex device that takes commands and responds to them.
  • the PM(s) of the card will be interpreted by the device in a manner that allows data entry, storage and display to be performed, along with password entry, user and Smartcard authentication and authorisation of transactions.
  • a Smartcard is used for more than one application and by more than one service provider, then there may be a different storage format and/or data representation for the storage area for each application.
  • the Smartcard may have two levels of PM, the first giving information about the card commands and access control attributes of each data storage area, and the second, which will be inside a storage area, will give information on how to handle the data inside that storage area.
  • it is important that the device be able to differentiate not only between different card types but also between different makes, and have a way of allowing the device to handle different Smartcard applications.
  • the device is able to actively work with a selected range of Smartcards from different manufacturers that may all contain data for different and or multiple applications.
  • This method provides a way whereby the device requires no knowledge of the application-specific aspects of the structure, format, attributes and representation methods of the data stored on the Smartcard, so long as the particular make of Smartcard is supported by the device.
  • the routine uses the Smartcard Interface driver 41 to continue to test whether the card is of a make supported by the device, at block 91. This test involves the driver issuing an "open interface PM file" command to the Smartcard, which command corresponds to a specific make of card. If the status is good, the process goes to the next stage, which involves reading the interface PM file of the card, as represented at block 93. If the status is bad, an "open file" command for the next make of card supported by the device is tried, until a good status is returned or there are no more makes or brands of card supported by the device to try. If there are no more brands, the routine causes an unusable card message to be displayed on the LCD display 17, as represented at block 95.
  • a "read file" command is issued by the driver for the make of card determined.
  • the data in that file is then used to determine the parameters and the other PMs that need to be loaded and interpreted by the device, so as to access and work with the other data on the Smartcard, as represented at block 97.
  • the user operating the card will firstly open the card so that the wings 12a and 12b of the housing are divergingly disposed in a planar arrangement as shown in figures 1a to 1c of the drawings.
  • the on/off key 28 is pressed to power up the device if it is off and the operating system 53 executes the main menu 51 and invokes the menu system routine to enable the user to operate the menu. Viewing and selection of the menu items are as previously described using the arrow keys 49a and 49b, the cancel key 50 and the enter key 48.
  • the main menu items which may be selected and displayed are: tone dialler, card terminal, internal PM, card PM and change PIN.
  • any of the menu choices can be PIN protected. This option is set via configuration of the device at the time that the device is initialised.
  • the prompt "PIN:" appears when the item is selected. The user is then required to enter the current IPIN, each digit being echoed as an *, and then press the enter key 48. In the present invention the PIN is limited to four digits, whereby any entry after the fourth is ignored. If the IPIN is incorrect, the message "PIN CORRECT" is displayed for three seconds and the user is returned to the main menu.
  • the device becomes locked and will be unusable until an initialisation load is performed.
  • the following message is displayed: "PIN LOCKED". If the PIN is correct, the relevant action is performed as selected by the menu item previously displayed.
  • the user can key in a sequence of up to sixteen digits, which are echoed on the screen. Pressing the enter key 48 causes the device to generate the corresponding DTMF tone dialling segments. The user can enter another set of digits and repeat the operation as required. Pressing the cancel key 50 causes a return to the main menu.
  • the display changes to "READY.".
  • the device should be connected to the host device and the user should insert an ISO Smartcard.
  • the host device can then read from and write to the Smartcard.
  • the device operates in pass through mode, meaning that commands and responses are transmitted unchanged between the Smartcard and the host device.
  • Pressing the cancel key in the sub-menu causes a return to the PM menu, and pressing the cancel key at that menu causes a return to the main menu. If there are no PMs loaded, or if there is none for a particular sub-menu, the message "NO PM" is displayed. After three seconds, the main menu reappears.
  • when selecting the Smartcard PM item, a Smartcard containing a PM should be inserted into the Smartcard reader/writer receptor 19.
  • the PM stored upon the card will be loaded into the execution buffer in the device RAM 32 and executed.
  • the first (or only) PM on a Smartcard is called the interface PM and will always be run first.
  • the interface PM could then present the user with a menu that allows other PMs on the card to be run.
  • the prompt "OLD PIN:" appears. Accordingly, the old PIN must be input, as previously described, and if correct, the user is prompted for the new PIN by the message "NEW PIN:". The user is then required to enter the new IPIN (which is echoed on the screen for confirmation) and press the enter key. Consequently, the new IPIN replaces the old and the main menu returns.
  • PMs (program modules)
  • Developing PMs can be performed through a development platform, which can provide a menu based, mouse driven integrated environment for the development of PML applications, and includes a run time simulator.
  • the hand held device 11 of the present embodiment has many applications. Possible functions that the device can perform using customised PMs include:
  • a user enters the IPIN to activate the ID function, then enters a challenge value given over the telephone by a service provider.
  • the device performs cryptographic processing using a secret key also known to the service provider's computer and reads out the result. If the value matches that calculated by the service provider, the user and device are positively identified.
  • This function could also be carried out via a modem, in which case the challenge and response would be transmitted over the serial port, or via DTMF.
  • the Smartcard can function as an electronic purse or wallet, whereby a Smartcard could contain details of various on-line accounts (such as are available via EFTPOS) and the user could operate on an account via a telephone (modem or DTMF) connection.
  • the hand held device can perform many other kinds of transactions outlined above, depending upon the level of security required, either by telephone or modem, by terminal or as stand alone.
  • when connecting to a modem or using tone signalling via telephone, the device would be communicating with a host computer system and transactions would be performed on-line. When connecting to a terminal, transactions may be performed on-line or off-line from the host computer system, depending on the requirements.
  • This logical data element, if and when it is standardised, can also be utilised by the hand held device to enable it to attach information to a card or file to indicate the application specific parameters for the card and/or device. Accordingly, this is seen as a longer term use of the device for the future.
  • the housing is of monolithic form as opposed to comprising two hinged wings, whereby the IC card receptor is integral with one side of the housing and the keypad and liquid crystal display are integrated with the other side of the housing.
  • the housing may include a slide out IC card receptor for receiving the IC card at the rear of the device and incorporating either the microphone or loud speaker, the other of which is disposed at the other end of the card so that when the slide out IC card receptor is fully extended, the distance between the microphone and speaker is commensurate to the distance between the microphone and speaker of a telephone handset to facilitate DTMF communications, in the manner previously described.
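The make-probing routine of blocks 91 to 97, as an added Python simulation that is not code from the patent or its applicant: a mock half-duplex card only answers commands, the device issues each supported make's "open interface PM file" command in turn, and two cards with an identical answer-to-reset are told apart only by that probe. The command bytes, status words, make names and the interface PM file layout are assumptions.

```python
# Added simulation of the make-probing routine (blocks 91 to 97). Constructed
# example: command bytes, status words and the PM file layout are assumptions.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

STATUS_GOOD = 0x9000   # assumed "good status" word
STATUS_BAD = 0x6A82    # assumed "bad status" word (file not found)
READ_FILE_CMD = b"\xB0\x00\x00\x00"   # constructed "read file" command

# Each supported make answers only its own "open interface PM file" command.
SUPPORTED_MAKES: Dict[str, bytes] = {
    "make A": b"\xA4\x00\x00\x02\x1F\x01",
    "make B": b"\xA4\x04\x00\x02\x3F\x10",
}

@dataclass
class MockCard:  # half-duplex: never initiates, only answers commands
    atr: bytes             # answer to reset (identical for both makes below)
    open_cmd: bytes        # the one open command this make returns good status for
    interface_pm: bytes    # contents of the interface PM file
    opened: bool = False

    def send(self, cmd: bytes) -> Tuple[int, bytes]:
        if cmd == self.open_cmd:
            self.opened = True
            return STATUS_GOOD, b""
        if cmd == READ_FILE_CMD and self.opened:
            return STATUS_GOOD, self.interface_pm
        return STATUS_BAD, b""

def parse_interface_pm(data: bytes) -> Dict[str, str]:
    """Assumed interface PM layout: 'key=value' fields separated by ';'."""
    params: Dict[str, str] = {}
    for item in data.decode("ascii").split(";"):
        key, sep, value = item.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params

def identify_card(card: MockCard) -> Optional[Dict[str, str]]:
    """Block 91: try each make's open command until good status; blocks 93/97:
    read the interface PM and derive parameters; None = unusable card (block 95)."""
    for make, open_cmd in SUPPORTED_MAKES.items():
        status, _ = card.send(open_cmd)
        if status != STATUS_GOOD:
            continue                       # bad status: try the next make
        status, data = card.send(READ_FILE_CMD)
        if status != STATUS_GOOD:
            continue
        params = parse_interface_pm(data)
        params["make"] = make
        return params
    return None

# Constructed cards: same ATR, so only the open-command probe tells A and B apart.
SAME_ATR = b"\x3B\x2A\x00"
CARD_A = MockCard(SAME_ATR, SUPPORTED_MAKES["make A"], b"cmds=v1;pms=purse,id;pin_len=4")
CARD_B = MockCard(SAME_ATR, SUPPORTED_MAKES["make B"], b"cmds=v2;pms=phone;pin_len=4")
CARD_X = MockCard(SAME_ATR, b"\xA4\x08\x00\x00", b"")   # make not supported
```

The "pms" field stands in for the list of further PMs the device would load after the interface PM, as described for block 97.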

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Strategic Management (AREA)
  • Accounting & Taxation (AREA)
  • General Business, Economics & Management (AREA)
  • Signal Processing (AREA)
  • Human Computer Interaction (AREA)
  • Artificial Intelligence (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Calculators And Similar Devices (AREA)
  • Storage Device Security (AREA)
EP94922186A 1993-07-30 1994-08-01 Device and method for IC cards Withdrawn EP0711441A1 (de)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
AUPM029493 1993-07-30
AUPM0294/93 1993-07-30
PCT/AU1994/000437 WO1995004328A1 (en) 1993-07-30 1994-08-01 Device and method for ic cards

Publications (1)

Publication Number Publication Date
EP0711441A1 true EP0711441A1 (de) 1996-05-15

Family

ID=3777102

Family Applications (1)

Application Number Title Priority Date Filing Date
EP94922186A Withdrawn EP0711441A1 (de) 1993-07-30 1994-08-01 Device and method for IC cards

Country Status (3)

Country Link
EP (1) EP0711441A1 (de)
CA (1) CA2168434A1 (de)
WO (1) WO1995004328A1 (de)

Families Citing this family (37)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE4428068A1 (de) * 1994-08-09 1996-02-15 Sel Alcatel Ag Telecommunications terminal
DK0823174T3 (da) * 1995-04-28 2004-10-25 Koninkl Kpn Nv Arrangement for transparent interaction between an integrated circuit card and a remote terminal
WO1996038969A1 (de) * 1995-06-02 1996-12-05 Meiller Druck Und Verlag Gmbh Message transmission system with portable signal module
US6061664A (en) * 1995-10-10 2000-05-09 Koninklijke Ptt Nederland N.V. System for facilitating the ordering and paying of services by means of a communication network
SE515611C2 (sv) * 1995-12-18 2001-09-10 Combitech Traffic Syst Ab Device for data transmission by means of radio communication
JPH09212598A (ja) * 1996-01-31 1997-08-15 Toshiba Corp Portable terminal device for IC card
US6080064A (en) * 1996-04-26 2000-06-27 Koninklijke Ptt Nederland N.V. Device for playing games via a communications network, and a game system using a communications network
EP0807907A1 (de) * 1996-05-13 1997-11-19 Thomas De La Rue Limited System for secure access to chip card data
ES2145465T3 (es) * 1996-06-19 2000-07-01 Tresor Tv Produktions Gmbh Information transmission system.
ES2127688B1 (es) * 1996-07-26 1999-11-16 Bankinter Sa Portable device for processing purse cards.
AUPO201196A0 (en) 1996-08-29 1996-09-19 Xcellink Corporation Funds transfer system and method
WO1998009256A1 (de) * 1996-08-30 1998-03-05 Siemens Aktiengesellschaft Method for preparing the execution of a chip card application and devices for carrying out this method
TW357298B (en) * 1996-09-12 1999-05-01 Toshiba Corp IC card portable terminal
BR9713267A (pt) 1996-10-25 2004-06-15 Schlumberger Systems & Service Integrated circuit card for use with a terminal, process for use with the same, microcontroller and process for its programming
JPH10214314A (ja) * 1997-01-30 1998-08-11 Toshiba Corp Portable terminal device for IC card and control method therefor
JPH1115927A (ja) 1997-06-24 1999-01-22 Hitachi Ltd IC card system
FR2767012B1 (fr) * 1997-08-04 1999-10-15 Alsthom Cge Alcatel Method for graphic display by a mobile radio communication terminal controlled by a subscriber identification module, and corresponding subscriber identification module and mobile terminal
WO1999018538A1 (fr) * 1997-10-03 1999-04-15 Hitachi, Ltd. Portable terminal for IC card
NL1008466C2 (nl) * 1998-03-04 1999-09-07 Nedap Nv Access card system for ski areas and public transport.
FR2776448B1 (fr) * 1998-03-20 2000-04-28 Gemplus Card Int Telecommunication terminal with chip card reader
FR2779018B1 (fr) 1998-05-22 2000-08-18 Activcard Terminal and system for carrying out secure electronic transactions
GB9811446D0 (en) * 1998-05-29 1998-07-22 Int Computers Ltd Authentication device
US6424845B1 (en) 1998-06-19 2002-07-23 Ncr Corporation Portable communication device
US6250557B1 (en) * 1998-08-25 2001-06-26 Telefonaktiebolaget Lm Ericsson (Publ) Methods and arrangements for a smart card wallet and uses thereof
US7729986B1 (en) 1999-07-30 2010-06-01 Visa International Service Association Smart card transactions using wireless telecommunications network
FR2797700B1 (fr) * 1999-08-18 2001-09-14 St Microelectronics Sa Programmable chip card reader
US7013393B1 (en) * 1999-12-21 2006-03-14 Pierre Stevens Universal intelligent card for secure access to system functions
AU2001238519A1 (en) 2000-02-18 2001-08-27 Vasco Data Security, Inc. Field programmable smart card terminal and token device
DE10008308A1 (de) * 2000-02-23 2001-08-30 Orga Kartensysteme Gmbh Card terminal
JP3368886B2 (ja) * 2000-03-22 2003-01-20 日本電気株式会社 Portable terminal device
JP3997052B2 (ja) 2000-12-13 2007-10-24 株式会社エヌ・ティ・ティ・ドコモ IC card, IC card information protection method, and IC card issuing device
AUPR384601A0 (en) * 2001-03-20 2001-04-12 Department of Natural Resources and Environment for and on Behalf of the Crown in Right of the State of Victoria, The Secure data loading method
DE10355644A1 (de) * 2003-11-28 2005-06-23 Giesecke & Devrient Gmbh Method for executing an application by means of a payment card and a terminal
JP2005202914A (ja) * 2003-12-15 2005-07-28 Matsushita Electric Ind Co Ltd Secure device and information processing apparatus
DE102004054068A1 (de) * 2004-11-09 2006-05-11 Giesecke & Devrient Gmbh Method for querying the system configuration of a data carrier
US20060099991A1 (en) * 2004-11-10 2006-05-11 Intel Corporation Method and apparatus for detecting and protecting a credential card
US8812970B2 (en) 2008-02-27 2014-08-19 Microsoft Corporation Dynamic device state representation in a user interface

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2667171B1 (fr) * 1990-09-25 1994-08-26 Gemplus Card Int Portable medium with an easily programmable microcircuit and method for programming this microcircuit.
JPH04178791A (ja) * 1990-11-13 1992-06-25 Mitsubishi Electric Corp IC card
FR2669452B1 (fr) * 1990-11-16 1993-01-22 Thomson Csf Chip card reader/writer.
DE69127881T2 (de) * 1990-12-10 1998-02-05 Thomson Multimedia Sa Method and device for forming an interface between chip cards and terminals

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO9504328A1 *

Also Published As

Publication number Publication date
WO1995004328A1 (en) 1995-02-09
CA2168434A1 (en) 1995-09-02

Similar Documents

Publication Publication Date Title
WO1995004328A1 (en) Device and method for ic cards
US6091817A (en) Host and user transaction system
US6145739A (en) System and method for performing transactions and an intelligent device therefor
US9710635B2 (en) Field programmable smart card terminal and token device
US6094656A (en) Data exchange system comprising portable data processing units
AU681754B2 (en) Data exchange system comprising portable data processing units
US5923759A (en) System for securely exchanging data with smart cards
US7185110B2 (en) Data exchange system comprising portable data processing units
US20130304939A1 (en) Method and System for Integrated Circuit Card Device With Reprogrammability
EP0842503A1 (de) Remotely operated terminal connection for chip card
JP2003508856A (ja) Modem device for secure processing
JPH08101875A (ja) Financial transaction processing system and method for remote distribution of financial services
AU716558B2 (en) Portable, secure transaction system for programmable, intelligent devices
AU7341894A (en) Device and method for ic cards
AU687760B2 (en) A system and method for performing transactions and a portable intelligent device therefor
EP0807907A1 (de) System for secure access to chip card data
KR100710252B1 (ko) Mobile communication terminal with embedded bank security card information and method for processing bank security card information using the same
AU700628B2 (en) A system and method for performing transactions and an intelligent device therefor
JPH03268050A (ja) Access control system for terminal device using IC card
EP1208486A1 (de) A method and device for exchanging information
JPS63163686A (ja) IC card device

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 19960228

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE CH DE DK ES FR GB GR IE IT LI LU MC NL PT SE

RIN1 Information on inventor provided before grant (corrected)

Inventor name: BERTINA, JOHANNES, MARINUS, GEORGE

Inventor name: OLIVER, QUENTIN, REES

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20000301