SYSTEM AND METHOD FOR UPDATING ACCESS CONTROL

MECHANISMS

[01] Background of the Invention

[02] 1.0 Field of the Invention

[03] The present invention relates generally to access control

mechanisms for controlling the access to smart cards and more

particularly to the secure update of the access control mechanisms for

smart cards during the smart card life cycle.

[04] 2.0 Description of the related art

[05] Smart cards are small personal computing devices that are used to

protect very sensitive information. Smart cards may be used to perform

banking functions, provide access to health records, personalization of computer network access, secure building access, and many more

functions. Smart cards are also used as subscriber identity modules (SIM)

in certain mobile telephony networks.

[06] A crucial selling point of smart cards is the security of the data

stored thereon or accessed through the use of smart cards. In many

circumstances smart cards provide heightened levels of security than other security mechanisms because smart cards include a combination of

security features. For example, to gain access to some data you need to

know a password stored on the smart card and you must be in possession of the smart card. Other access control mechanisms include challenge-

response schemes and biometric tests such as finger print verification.

[07] A recent trend in smart card technology is so called multi- application smart cards. These cards may be programmed with multiple

disjointed application programs. For example, the same card may be used

to access both banking records as well as provide health care information.

Examples of such cards include the Cyberflex family of cards from Axalto

Inc.

[08] A common feature of multi-application smart cards is that the

application programs may be loaded onto the smart card after the card has

been issued by the manufacturer or even after an end-user has taken

possession of the card. Each such application program in a multi-

application smart card is stored in some form of programmable memory on the smart card. Such post-manufacture programmability of smart cards

provides increased flexibility and power of use of the smart cards.

[09] Thus, because of the nature of smart cards, they have a product life

cycle that includes several distinct phases. A first phase or series of steps

is the manufacturing phase in which the integrated circuit is fabricated

and mounted on the smart card as well as the system software loaded or

stored on the smart card. A second phase is personalization phase in

which the smart card is personalized to contain information unique to one person, the intended end-user of the smart card, such as cardholder name

and cryptography keys for that cardholder. A third phase is the issuance phase in which the smart card is deployed. Finally, a fourth phase is

usage phase in which the cardholder uses the smart card for one or more

purposes, such as for banking or as a Subscriber Identity Module (SIM) in

a GSM mobile telephone system.

[10] Each phase in the smart card life cycle may have unique needs in

terms of access control. For example, at the manufacturing phase there

may not be a need for as high a level of security because at that phase

neither personal information nor other sensitive application programs have been loaded onto the smart card and smart cards are manufactured

in a controlled environment. Thus, to gain access to the smart card during

manufacturing may only require a very simple access control mechanism.

However, once personal information has been loaded onto the smart card,

a higher level of access control may be required. Furthermore, in a multi- application smart card, the smart cards usage may change even during the

usage phase. For example, a card that was originally issued for some

banking purpose, e.g., an electronic purse for small value transactions,

could be re-programmed to also include a health care information

application containing very sensitive and personal information about the card holders health history. The former of these applications would not

merit a particularly sophisticated access control scheme, perhaps PIN

would suffice, whereas the health care information application may

require a very secure access control mechanism, e.g., a biometric scheme

such as fingerprint verification.

[11] Co-pending patent application 10/285,654 to Apostol Vassilev, et al.,

entitled "Authentication Framework for Smart Cards", filed on 10/31/2002

and co-assigned with the present invention, describes an authentication

framework in which authentication technology applications are separated from functional card applications, thereby allowing the authentication

technology applications to be modified or replaced independently from the

card applications. The co-pending patent application '654 allows the

application level to select or update the authentication policy without

requiring updates to the applications themselves.

[12] A problem with the known prior art access control mechanisms is that these schemes do not allow for controlled update of the access control

mechanisms during the smart card life cycle. Accordingly, from the

foregoing it is apparent that there is a hitherto unresolved need for a

system and methodology for permitting the secure update of the access

control mechanism of a smart card during the smart card life cycle.

[13] BRIEF DESCRIPTION OF THE DRAWINGS

[14] Figure 1 is a schematic illustration of the operating environment in

which a smart card according to the invention may be used to provide

secure computing services.

[15] Figure 2 is a schematic illustration of an exemplary architecture of

a resource-constrained device.

[16] Figure 3 is a schematic illustration of a software architecture for a

resource-constrained device.

[17] Figure 4 is a schematic illustration of a software architecture

according to the invention in which one application program as illustrated in Figure 3 is an access control manager according to the invention.

[18] DETAILED DESCRIPTION OF THE INVENTION

[19] In the following detailed description and in the several figures of

the drawings, like elements are identified with like reference numerals.

[20] As shown in the drawings for purposes of illustration, the invention

is embodied in a system and method for providing an access control

mechanism for smart cards in which the access control mechanism may be

updated securely during the smart card life cycle such that different access control schemes may be used during different phases of the life

cycle according to what level of access control is appropriate for a particular phase or use of the smart card.

[21] Figure 1 is a schematic illustration of the operating environment in

which a resource-constrained device according to the invention may be

used to provide secure communication with a remote entity. A resource-

constrained device 101, for example, a smart card, is connected to a computer network 109, for example, the Internet. The resource-

constrained device 101 may be connected to the computer network 109 via

a personal computer 105 that has attached thereto a card reader 103 for

accepting a smart card. However, the resource-constrained device 101 may be connected in a myriad of other ways to the computer network 104,

for example, via wireless communication networks, smart card hubs, or

directly to the computer network 109. The remote node 105 is a computer

system of some sort capable to implement some functionality that may either seek access to information on the smart card 101 or to which the

smart card user may seek access. For example, the remote node 107 may

be executing banking software that a user of the smart card 101 is seeking

to obtain access to. The smart card 101 may then provide some access control functionality or may even be an electronic purse to which funds are

downloaded from the remote computer.

[22] The scenario of Figure 1 is presented here merely for the purpose of

providing an example and must not be taken to limit the scope of the

invention whatsoever. Only the imagination of designers limits the

myriad of possible deployment scenarios and uses for smart cards.

[23] Figure 2 is a schematic illustration of an exemplary architecture of

a resource-constrained device 101. The resource-constrained device 101,

e.g., a smart card has a central processing unit 203, a read-only memory

(ROM) 205, a random access memory (RAM) 207, a non-volatile memory

(NVM) 209, and a communications interface 211 for receiving input and

placing output to a device, e.g., the card reader 102, to which the resource-

constrained device 101 is connected. These various components are

connected to one another, for example, by bus 213. In one embodiment of

the invention, the SSL/TLS module 103, as well as other software modules

shown in Figure 1, would be stored on the resource-constrained device 101

in the ROM 206. During operation, the CPU 203 operates according to

instructions in the various software modules stored in the ROM 205.

[24] Figure 3 is a block diagram of an exemplary software architecture

300 that one may find implemented on a smart card 101. The software architecture 300 includes several application programs 301. These are

loaded onto the smart card by a loader 303. The application programs 301

would typically be loaded into the non-volatile memory 209. However, in

other scenarios an application program may be permanently written onto

the smart card at manufacture by having it stored in the ROM 205. If the smart card 101 were called upon to execute a program for only one session,

it would be possible to have the program loaded in the RAM 207.

However, that would be a rare circumstance. On the other hand, during

execution of an application program, it is indeed possible that certain

portions of the application program are loaded into the RAM 207.

[25] In this example, several application programs 301 are executed by the CPU 203 under the control of instructions of an interpreter 305. The

interpreter 303 may, for example, be a Javacard Virtual Machine as found

on the Cyberflex smart card family from Axalto Inc. of Austin, Texas. In alternative embodiments, the application programs 301 are compiled into

executable code and do not require further interpretation by the

interpreter 305. However, in such embodiments, the job control would be

managed by some operating system program that would take the place of the interpreter 303.

[26] The interpreter 303 is usually a static component of a smart card

101 and would therefore be loaded into the ROM 205. The interpreter 303

may also be burned into some form of firmware. In another alternative the interpreter 303 may be stored in the non-volatile memory 209.

[27] In most embodiments of the invention, the smart card software

architecture 300 also includes some system functions 307. System

functions 307 may include security functionality, cryptography

functionality, and utility libraries that may be called by application

programs 301.

[28] The application programs 301 may access functions provided by the

smart card system software 307 by issuing calls through an application

program interface 309.

[29] According to the invention, access control for a smart card 101 according to the invention is provided by an access control manager that

implements an access control manager interface (described in greater

detail herein below). Figure 4 is an alternative software architecture for a

smart card. In this architecture the software for the smart card are

divided into application programs 401 and system functions 403.

Generally, application programs may be loaded onto the smart card at any

time during the life cycle, e.g., during issuance or even during the usage

phase. The system functions 403 contain programs that control system functionality of the smart card. For example, the system functions include

a loader 405 that operates to load new application programs onto the

smart card, a file system 407 for managing data files stored on the smart

card, and a virtual machine 409 for executing the application programs

403. Of course, the various application programs 401 and system

programs 403 are interconnected, e.g., so that an application program 401

may call upon the file system 407 to access data and so on, however, those connections are not shown in the Figure 4 except where useful to illustrate

the present invention.

[30] One application program 401 is the current access control manager

411. When another application program or a system function requires access to a resource of the smart card, that application program calls upon

the access manager 401 to determine whether the application program or

system function should allow or deny access to the resource. For example,

an application program 415 may wish to access a particular file in the file

system 407. Upon receiving that request, the file system 407 calls the

current access control manager 411 to determine whether access to the

particular file should be allowed or denied.

[31] Being an application program 401 the access control manager 411

may be loaded onto the smart card using the loader 405. In a re¬ programmable multi-application smart card, application programs 401

may be added, modified or deleted at any time during the smart card life

cycle. Thus, by providing access control through an application program

401, e.g., access control manager 411, the access control for the smart card

may be modified at any phase during the life cycle of the smart card.

[32] However, there would be obvious risks with allowing unrestricted

replacement of the access control mechanism for a smart card. According

to the invention the replacement of the access control mechanism is

controlled by having the current access control manager define the

subsequent access control manager. Thus, any access manager according to the invention implements at least two functions, namely, the access

control function and a function to allow or disallow its own replacement.

[33] In one embodiment of the invention, an interface called the

IaccessManager interface is defined as follows:

1 namespace netCard.CardLibrary

2 { 3 public interface IAccessManager

4 {

5 / / GrantAccess : System resource access request to 5 / / the active access manager

/ / param path is the resource path name 6 / / param accessmode is the type of access desired

7 void GrantAccess ( string path, int accessMode) ;

8 / / RegisterAccessManager : System request to the / / current active access manager in order to / / activate a new access manager server .

/ / param URI : Universal Resource Identifier for the

/ / access manager server proposed to replace

/ / the current access manager server / / param accessMode : path of the assembly of the

/ / access manager server proposed to replace

/ / the current access manager server void RegisterAccessManager ( string uri , string application Path) ;

[34] Table 1: IAccessManager Interface

[35] In this embodiment of the invention, each access control manager

411, i.e., any application that seeks to become an access manager on the

smart card, implements the IAccessManager Interface, specifically, the

application implements the two methods specified by the IAccessManager

Interface: GrantAccess and RegisterAccessManager.

[36] Consider the following example. As discussed above, two phases of

the smart card life cycle include personalized ion and usage. Let's suppose,

for the purpose of providing an example, the personalization phase access

manager may be implemented as shown in Table 2:

1 public class Per soAcces sManager : IAccessManager {

2 public void DoLogin (...) { / / challenge-response }

3 public void GrantAccess ( string resource , int accessMode ) {

4 i f ( resource == app && accessMode == app_download) {

5 if (authenticated)

6 allow

7 else

8 deny 9 }

10 else if (resource == fileA && accessMode == delete) {

11 if (username = "Jack Crouch" && authenticated) 12 allow

13 else

14 deny

15 } 16 ***

17 else

18 allow 19 }

20 public void RegisterAccessManager(string uri, string

21 appPath)

22 { 23 if (authenticated) {

24 if (uri == "VENDOR_A_ACCESSMANAGER_APP")

25 allow

26 else

27 deny

28 }

29 }

Table 2 . Example Perso Access Manager [37] In the code of Table 2, the Per soAcces sManager class is defined as

an implementation of the IAccessManager interface, Line 1. The

PersoAccessManager implements the two methods defined by the

IAccessManager interface, namely, GrantAccess ( ) (Lines 3-19) and

RegisterAccessManager ( ) (Lines 20-29). While not specifically

required as part of the implementation of the IAccessManager interface,

usually a card would require some method for authenticating a user. This could be achieved by a login procedure defined in the Access Manager

implementation. In the case of the PersoAccessManager, thee

authentication is performed by the DoLogin () method (Line 2), the details

of which are unimportant to the present invention.

[38] The PersoAccessManager implementation of GrantAccessO provides

for access control to two specific resources and types of access sought for

each of these resources. Specifically, the PersoAccessManger specifies an

access control for application download (Lines 4 through 9) and for the

deletion of a particular file (Lines 10-15). The GrantAccess method

receives as argument the resource that is being accessed and the access

mode. In this particular implementation of GrantAccess, a sequence of if

... else if ... else statements (Lines 4, 10, and 17) are used to determine if

access is attempted to any of the resources under access control by the

GrantAccess routine. If so, the particular access control for that

resource/accessmode is checked, e.g., Lines 5-8 and Lines 11-14,

respectively. In this particular case, for all other access, access is allowed, Line 18. In an alternative, the default would be to deny access.

[39] If an entity wishes to replace the access manager on a smart card

101, the entity would first load the alternative access manager onto the

smart card using loader 405. The entity would then call upon the RegisterAccessManager () method of the current access manager 411 with

the Universal Resource Identifier (URI) of the proposed new access manager, e.g., InactiveAccessManager 411'. The RegisterAccessManager

determines if the entity attempting to replace the access manager has

been authenticated (Line 14). If the entity has been authenticated, the

RegisterAccessManager method determines if the proposed new access

manager (as identified by its URI) corresponds to the expected next access manager. If so the replacement is allowed (Line 16), otherwise, the

replacement is denied (Line 18).

[40] Thus, the PersoAccessManager defines both the access control for

allowing applications to be updated (GrantAccess - Lines 1-19) and defines or controls which application may replace it

(RegisterAccessManager — Lines 20-29).

[41] To continue with this example, consider the possibility that after

the card has concluded the personalization phase in which the

PersoAccessManager (Table 2) has been registered as the access manager

401, the card moves on to being issued, i.e., the issuance phase, by a vendor. That vendor may require a different access control for permitting

additional applications to be added to the smart card. The vendor may

then attempt to replace the access manager 401 with a new access manager that provides the required access control protocol. Table 3

provides an example of such an alternative access manager:

[42]

1 public class VendorAccessManager : IAccessManager{

2 public void DoLogin(...){ // username-password & role }

3 public void GrantAccess (string resource, int accessMode) {

4 if (resource == app && accessMode == app_download) {

5 if (username=="jbrist" is authenticated)

6 allow

7 else

8 deny 9 }

10 }

11 public void RegisterAccessManager (string uri, string appPath)

12 {

13 if ( admin is authenticated) {

14 i f (uri == "VENDOR_B_ACCESSMANAGER_APP"

15 allow

16 else

17 deny

18 }

19 }

[43] Table 3: Vendor Access Manager

[44] When the vendor wishes to replace the access manager of Table 2

with the access manager of Table 3, VendorAccessManager, the loader

calls upon the RegisterAccessManager () method of the

PersoAccessManager (Table 2) to register the VendorAccessManager. The

RegisterAccessManagerO function knows the URI to expect for the next access manager, "VENDQR_A_ACCESSMANAGER_APP" Table 2, Line

24. Thus, if the URI of VendorAccessManager corresponds to the URI that

is expected (Line 24), the RegisterAccessManager () allows the new access

manager to be registered as the current access manager, otherwise, the

registration attempt is denied.

[45] As illustrated in Figure 4, more than one access manager may be

loaded on a smart card 101 at any one time. For example, both inactive

access manager 411' and current access manager 411 are loaded onto the

smart card in the example of Figure 4. Other than space limitations, there is no limit on how many access managers may be loaded at any one time. The RegisterAccessManager () method of the current access manager 411'

is used to activate an inactive access manager and make it into an active

access manager. In the preferred embodiment, registering an access

manager causes the access manager being activated to replace the current

access manager. In the example of Figure 4, if the current access manager 411 is called upon to register the Inactive Access Manager 411', upon

success of that operation the Inactive Access Manager 411' is activated

and replaced the current access manager 411 as the current access manager.

[46] Furthermore, while the preferred embodiment contemplates having

only one access manager active at one time, that is not a required

limitation of the present invention. In alternative embodiments, multiple

access managers are con-currently active. These con-currently active access managers may serve to provide access control for different sets of

resources or for differing sets of conditions. For example, there may be

one access manager that manages all file system access control and

another access manager that manages loading of new applications.

Alternatively, the con-currently active access managers may be triggered depending on which actor is seeking to access a resource.

[47] Smart cards are often employed in a context of a framework.

Examples of frameworks include Globalplatform (GlobalPlatform, Open

Platform, Card Specification Version 2.1 (June 2001),

www.globalplatform.org) and the Global System for Mobile Communications (GSM). In each such framework the smart cards fill

some role in a larger system. One aspect of a framework in which

programmable smart cards are employed is how applications are loaded

onto the smart card and how applications are modified on the smart card.

By employing the present invention in which the access control mechanism that controls the loading of applications onto a smart card it is

possible to alter in which framework a particular smart card is employed.

For example, if a particular smart card has been loaded with an access

control manager that follows the access control specified by GSM and

which implements the IAccessManager interface, that access control

manager may be replaced with an access control manager that adheres to

the access control mechanism specified by the GlobalPlatform framework,

thereby making it possible to make the smart card that was previously

employed as a GSM SIM card available for use as a GlobalPlatform smart

card.

[48] Although specific embodiments of the invention has been described

and illustrated, the invention is not to be limited to the specific forms or

arrangements of parts so described and illustrated. For example, the

invention, while described in the context of smart cards for illustrative purposes, is applicable to other computing devices. The invention is

limited only by the claims.