METHOD OF MUTUAL AUTHENTICATION BETWEEN A COMMUNICATION INTERFACE AND A HOST PROCESSOR OF AN NFC CHIPSET

Abstract

An authentication method between a secure host processor and a controller of an NFC system, the controller being equipped with an NFC interface circuit sending and receiving contactless data, includes connecting the host processor to the controller and checking that there is a predefined relation between a first secret data stored by the host processor and a second secret data stored by the controller. The method further includes transmitting the second secret data to the controller and storing of the second secret data by the controller. The host processor may be removably associated with a contactless component storing the second secret data which is contactlessly transmitted to the controller.

Description

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

The foregoing summary, as well as the following detailed description of the invention, will be better understood when read in conjunction with the appended drawings. For the purpose of illustration, there are shown in the drawings embodiments which are presently preferred. It should be understood, however, that the invention is not limited to the precise arrangements and instrumentalities shown.

In the drawings:

FIG. 1 shows in block form a classic architecture of NFC chipset, and contactless circuits with which the NFC chipset can communicate;

FIG. 2 shows various applications of an NFC chipset integrated into a mobile telephone;

FIG. 3 shows in block form the classic architecture of an NFC component present in the NFC chipset in FIG. 1;

FIG. 4A to 4C show an NFC chipset capable of receiving an interchangeable secure host processor removed from a card equipped with an NFC component, according to a preferred embodiment;

FIG. 5 shows an authentication sequence executed by an NFC component of the NFC chipset and a secure host processor according to a preferred embodiment;

FIG. 6 shows an example of hardware architecture of an NFC component present in the NFC chipset in FIG. 4A to 4C according to a preferred embodiment; and

FIG. 7 shows an example of software architecture of the NFC component in FIG. 6 according to a preferred embodiment.

DETAILED DESCRIPTION OF THE INVENTION

FIGS. 4A to 4C schematically show the implementation of an authentication method according to a preferred embodiment. The method is implemented in an NFC chipset comprising an NFC component referenced “NFCR2”, a first host processor HP1, and connecting means C1 for connecting the component NFCR2 to a second host processor HP2. The component NFCR2 is substantially similar to the component NFCR1 described above, particularly with respect to a controller NFCC and an interface circuit CLINT, for sending/receiving contactless data, equipped with an antenna circuit ACT.

The connecting means C1 may be, for example, contact pads provided to co-operate with contact pads formed on the host processor HP2. Alternatively, the host processor HP2 is coupled to a contactless communication interface circuit to communicate with the controller NFCC.

In FIG. 4A, the NFC chipset does not yet include a second host processor HP2, which is removably integrated into a smart card 1.

According to one preferred embodiment, the smart card 1 into which the host processor HP2 is integrated comprises a contactless component CLC with units similar to those of the component NFCR1 described above. Thus, the component CLC particularly includes a controller NFCC and an interface circuit CLINT, for sending/receiving contactless data, equipped with an antenna circuit ACT1, but no hard-wire communication interfaces INT1, INT2. The processor HP2 is removable from the smart card 1 for insertion into the chipset, where it is connected to the component NFCR2 by the connecting means C1.

The processor HP2 and the component CLC have previously been customized and thus each store a secret data K1, K2. The secret data K1, K2 stored respectively by the processor HP2 and the component NFCR2 are linked to each other by a relation that it is possible to check. This relation may simply be an equality relation or any other relation, such as an encryption function. Therefore, the data K1 stored by the host processor may be a private key and the data K2 stored by the component NFCR2 may be a public key of a pair of asymmetric enciphering keys.

The host processor HP1 is, for example, the main processor of the chipset into which the component NFCR2 is embedded. The component NFCR2 and the processor HP2 each may be a secure processor, i.e., comprising the classic encryption and authentication circuits of secure processors. The processor HP1 is not secure. The chipset may also comprise a third host processor HP3.

For example, the chipset may be a mobile telephone. The processor HP1 is the main processor of the telephone, the processor HP2 is a chip of a SIM card, and the processor HP3 is a bank card chip.

The processor HP2 is removed from the card 1 into which the component CLC is integrated, and inserted into the chipset, where it is connected to the component NFCR2 as shown by FIGS. 4A and 4B. In parallel, the component NFCR2 is in “reader” mode when the chipset is initialized, and seeks to read an NFC component in passive mode. When the component CLC is put near the chipset, the component NFCR2 activates the component CLC, which supplies the component NFCR2 with the secret data K2. The data K2 is stored by the component NFCR2 in a non-volatile memory of the EEPROM type, for example (FIG. 4C).

When the host processor HP2 is connected to the component NFCR2 and every time the chipset is initialized, an authentication sequence is triggered. FIG. 5 shows different steps of such an authentication sequence executed by the secure host processor HP2 and the controller NFCC of the component NFCR2.

During a first step S1, the processor HP2 sends an authentication request to the controller NFCC. In the next step S2, the controller NFCC answers the request by supplying a random number “Rnd Nb” and information “NFC Info.” relating to the NFC component (for example a serial number, a manufacturing date, a software version number, or the like). In the next step S3, the processor HP2 uses the secret data K1 as an enciphering key to cipher the random number received, and possibly any other information received, and transmits the ciphered data to the controller NFCC.

In the next step S4, the controller NFCC deciphers the data received using the secret data K2 as an enciphering key. If the deciphered data corresponds to the data sent in step S2, the secret data K1, K2 are indeed linked by a predefined relation, and the controller NFCC considers the processor HP2 to be authenticated. If so, the controller NFCC transmits a message to the processor HP2 notifying it that it has been authenticated and containing a session key SK. The session key SK is, for example, a random number.

If the deciphering of the ciphered information does not supply the information it transmitted to the processor HP2, the controller NFCC considers the processor HP2 as not authenticated, and refuses any other communication with the processor HP2.

If the processor HP2 has been authenticated, the controller NFCC and the processor HP2 may exchange information, such as configuration and management information, in a ciphered form using the session key SK as a symmetric enciphering key (steps S5 and S6). For example, a routing table stored in the non-volatile memory of the controller NFCC can thus be transferred into the processor HP2 in order to be used in another NFC chipset (for example, another mobile telephone). Alternatively, the information stored in the non-volatile memory of the controller NFCC can also be transferred into the component CLC in order to be used in another NFC chipset.

The information transmitted in step S2 can also be ciphered by the controller NFCC using the secret data K2, the result of the enciphering being transmitted with the non-ciphered information. The processor HP2 may then decipher the result of the enciphering using the secret data K1 and check the identity between the information received and the result of the deciphering. In this way, the processor HP2 can check whether the controller NFCC has the secret data K2 corresponding to the secret data K1, and thus authenticate the controller NFCC. If the host processor HP2 does not authenticate the controller NFC, it refuses to communicate with the controller NFC.

If the processor HP2 installed in the NFC chipset is replaced with a new host processor, the new host processor will not have the session key SK and will not therefore be able to communicate with the controller NFCC, unless the component CLC corresponding to the new host processor is available and unless the execution of the authentication procedure described above with reference to FIG. 5 is launched, by triggering the initialization of the NFC chipset.

FIG. 6 shows an example of hardware architecture of the component NFCR2 shown in FIGS. 4A to 4C. The component NFCR2 includes the controller NFCC and the interface CLINT already described, and a memory array comprising a ROM-type (read-only memory) program memory MEM1, a RAM-type (random access memory) data memory MEM2, and an EEPROM-type electrically erasable and programmable memory MEM3 enabling the secret data K2 and the session key SK to be recorded. The component NFCR2 also includes an authentication and error correction circuit AUTHCT having Data Encryption Standard (EFS) and Elliptic Curve Cryptography (ECC) algorithms, or other encryption algorithms. A connection port INT1 of UART (Universal Asynchronous Receiving Transmitting) type connects to the host processor HP1. An ISO7816-type connection port INT2 connects to the host processor HP2 (the processor HP2 here being assumed to be a SIM card). An SWP-type (Single Wire Protocol) connection port INT3 enables the host processor HP3 to be connected. A data bus DTB and an address bus ADB link the memory array, the controller NFCC, the interface CLINT and the ports INT1, INT2, INT3. A control bus CTB enables the controller NFCC to read- and/or write-control and access these various elements.

The interface CLINT and the ports INT1, INT2, INT3 each have a parallel-input input buffer BUF1 and a parallel-output output buffer BUF2 that is write-accessible and respectively read-accessible via the data bus and the address bus. The exchange of data forming the routing commands or the data frames between the host processors HP1, HP2, HP3 and the controller NFCC or the interface CLINT is thus performed by data blocks of the size of the buffers BUF1, BUF2, and is paced by the controller NFCC.

FIG. 7 represents an example of software architecture of the component NFCR2 and of the host processors HP1, HP2. This software architecture comprises, for the NFC component NFCR2 and the host processors HP1, HP2 of the system, several software layers going from the lowest level (data link layer) to the highest level (application layer). The representation of these software layers in FIG. 9 is simplified compared to the real software architecture of an NFC system according to one embodiment, but is sufficient for those skilled in the art wishing to implement the embodiment in the manner proposed here.

Each host processor HP1, HP2 includes at least four software layers, in an ascending order of level. A lowest level layer Hardware Management Layer (HWML) manages the operation of the hardware elements enabling the host processors HP1, P2 to exchange data with the controller NFCC. This is, for example, the management layer of the UART interface for the processor HP1 and the management layer of the ISO7816 interface for the processor HP2. An Interface Protocol Layer (INTPL) layer manages the protocol of the communication ports INT1, INT2, INT3. This is, for example, the management layer of the UART protocol for the processor HP1 and the management layer of the ISO7816 protocol for the processor HP2. An HCIL layer manages the HCI protocol according to one embodiment, i.e., manages the creation of a communication channel. The HCIL layer rests on the INTPL and HWML layers that are practically transparent to the HCIL layer. A high level Application layer APL manages the RFID applications such as those represented in FIG. 2 (reading a chip card or an electronic tag, emulation of a chip card, dialogue in “device-to-device” mode with an external processor to exchange files, or the like). The APL layer may include several application programs, each being secure or not (according to the internal resources of the processor) and each using a type of protocol and an operating mode of the interface CLINT. Thus, the high level APL layer rests on the HWML, INTPL layers and the HCIL layer, which are practically transparent to the APL layer.

In a substantially similar manner, the controller NFCC includes the following software layers. Two HWML1 and INTPL layers are included and are of the same type as the HWML and INTPL layers present in the host processors HP1, HP2. For the sake of simplicity of the diagram, these layers are represented in the processor NFCC, but in reality are located in the ports INT1 and INT2, which are considered to be part of the controller, as well as the buses ADB, DTB, CTB. Indeed, the processing of the UART and 7816 protocols is performed here in the ports INT1, INT2, which make their input and output buffers BUF1, BUF2 available to the controller via the buses ADB, DTB, CTB. Another low level layer HWML2 enables the controller to write to the buffers BUF1 and to read the buffers BUF2, via the buses ADB, DTB, CTB, by breaking down the data frames or the commands into data blocks of the same size as the buffers. An HCI-ADMIN-L layer or HCI protocol administration layer communicates with the HCIL layers of the host processors HP1, HP2 as routing administrator. A CLINTCL (Contactless Interface Control Layer) layer manages the interface CLINT and indicates thereto the mode into which the interface CLINT must put itself and the protocol to be used to send data in a contactless communication channel. The CLINTCL layer also controls the interface CLINT in contactless data receipt mode and cyclically asks the interface CLINT to perform a scan of the modes (“reader” mode, “emulation” mode and “device” mode) and to search for incoming data in each mode. The interface CLINT thus emits a magnetic field at regular intervals to poll any contactless cards or tags (or other portable objects operating in a contactless manner) that could be present within its polling range. The interface CLINT also puts itself at regular intervals into a listening mode (“emulation” mode) to detect whether a reader in active mode is sending polling messages. An optional APL layer can itself manage applications, just like the host processors HP1, HP2. Indeed, although it has not been described until now, applications can also be managed by the NFC component itself.

Finally, the interface CLINT includes the following software layers. On the controller NFCC side, a HWML low level layer equivalent to the HWML2 layer of the controller NFCC manages the data buffers BUF1, BUF2 via the buses ADB, DTB, CTB. An HCIL layer (as indicated above) makes the interface CLINT compatible with the HCI protocol. On the antenna circuit ACT side, Contactless Protocol Layer (CLPTL) and Mode Control Layer (MCL) layers control or process the electric signals applied to the antenna circuit ACT or received thereby.

It will be understood by those skilled in the art that various alternative embodiments are possible. Thus, an NFC chipset may comprise a single host processor and an NFC component, where execution of applications are controlled.

Furthermore, other authentication procedures than the one described with reference to FIG. 5 may be employed. Other procedures may be implemented to check that the host processor HP2 and the component NFCR2 have secret data linked to each other by a predefined relation.

Moreover, the secret data K2 may be transmitted to the component NFCR2 in other manners than by a contactless link. Thus, the secret data K2 can be transmitted by optically reading an optical code (e.g., a bar code) or by keyboarding the secret data K2 captured appearing on the card from which the SIM card (host processor HP2) is removed. The host processor HP1, which is connected to the image sensor or to the keyboard and to the controller NFCC, then transmits the secret data K2 captured to the controller NFC. In the case of the optical code, the processor HP1 also translates the optical code to obtain the secret data K2. These alternative embodiments are perfectly suited to the current architecture of mobile telephones, which have a keyboard and generally an image sensor.

It will be appreciated by those skilled in the art that changes could be made to the embodiments described above without departing from the broad inventive concept thereof. It is understood, therefore, that this invention is not limited to the particular embodiments disclosed, but it is intended to cover modifications within the spirit and scope of the present invention as defined by the appended claims.

Claims

1. An authentication method between a secure host processor and a controller of an NFC system, the controller being connected to an NFC interface circuit sending and receiving contactless data, the method comprising: connecting the host processor to the controller; checking that there is a predefined relation between a first secret data stored by the host processor and a second secret data stored by the controller; transmitting the second secret data to the controller; and storing the second secret data by the controller.

2. The method of claim 1, wherein the controller authenticates the host processor by checking the relation between the first and second secret data.

3. The method of claim 1, wherein the host processor authenticates the controller by checking the relation between the first and second secret data.

4. The method of claim 1, further comprising transmitting by the controller a session key to the host processor if the authentication of the host processor by the controller was successful, the session key being used to cipher data exchanged between the host processor and the controller.

5. The method of claim 1, further comprising: sending an authentication request by the host processor to the controller,answering the request by the controller by supplying a random number,ciphering by the host processor the random number received using of an encryption function using the first secret data as an enciphering key, and transmitting the result of the enciphering to the controller, and checking by the controller the result of the enciphering received by means of an encryption function using the second secret data as an enciphering key, the authentication of the host processor being successful if the check was successfully performed.

6. The method of claim 1, wherein the first and second secret data are identical.

7. The method of claim 1, wherein the first secret data is a public enciphering key and the second secret data is a private enciphering key linked to the first secret datum by an asymmetric encryption relation.

8. The method of to claim 1, further comprising supplying the host processor, the host processor being removably associated with a contactless component storing the second secret data for transmitting to the controller; and connecting the host processor to the controller, the second secret data being transmitted to the controller by the contactless component.

9. The method of claim 8, wherein the host processor is an integrated circuit of a SIM card removable from a card integrating a contactless component storing the second secret data for contactlessly transmitting to the controller, and the NFC system is a mobile telephone comprising another host processor connected to the controller.

10. The method of claim 1, wherein the second secret data is transmitted to the controller by at least one of optically reading an optical code, which is translated and transmitted to the controller, and keyboarding the value of the secret data, which is transmitted to the controller.

11. A system comprising: a controller connected to an interface circuit for sending/receiving contactless data of NFC type; and a connector for connecting the controller to a host processor, the controller being configured to check that there is a predefined relation between a first secret data stored by the host processor and a second secret data stored by the controller, and to receive and store the second secret data when the system is initialized.

12. The system of claim 11, wherein the controller is configured to authenticate the host processor by checking the relation between the first and second secret data.

13. The system of claim 11, wherein the host processor is configured to authenticate the controller by checking the relation between the first and second secret data.

14. The system of claim 11, wherein the controller is configured to transmit a session key to the host processor if the authentication of the host processor by the controller was successful, the session key being used to cipher the data exchanged between the host processor and the controller.

15. The system of claim 11, wherein: the host processor is configured to send an authentication request to the controller;the controller is configured to answer the request by supplying a random number;the host processor is configured to cipher the random number received using an encryption function using the first secret data as an enciphering key, and to transmit the result of the enciphering to the controller; andthe controller is configured to check the result of the enciphering received using an encryption function using the second secret data it stores as an enciphering key, the authentication of the host processor being successful if the check was successfully performed.

16. The system of claim 11, wherein the first and second secret data are identical.

17. The system of claim 11, wherein the first secret data is a public key and the second secret data is a private key linked to the first secret data by an asymmetric encryption relation.

18. The system claim 11, wherein the host processor is removably associated with a contactless component storing the second secret data for contactlessly transmitting to the controller.

19. The system of claim 18, wherein the host processor is an integrated circuit of a SIM card removable from a smart card integrating a contactless component storing the second secret data for contactlessly transmitting to the controller, and the NFC system is a mobile telephone comprising another host processor connected to the controller.

20. The system of claim 11, wherein the second secret data is transmitted to the controller by at least one of optically reading an optical code, which is translated and transmitted to the controller, and keyboarding the value of the second secret data, which is transmitted to the controller.

21. A smart card comprising: an integrated circuit card removable from the smart card and integrating a secure processor saving a first secret data; anda contactless component coupled to an NFC interface circuit sending and receiving contactless data, and saving a second secret data for contactlessly transmitting, the second secret data being linked to the first secret data by a predefined relation.

22. The smart card according to claim 21, wherein the secure processor is configured to authenticate a controller by checking the relation between the first and second secret data.

23. The smart card of claim 21, wherein the secure processor is configured to receive a session key if the secure processor has been authenticated by a controller, the session key being used to cipher data exchanged between a host processor and the controller.

24. The smart card of claim 21, the secure processor being configured to: send an authentication request to the controller;receive a random number;cipher the random number received using an encryption function using the first secret data as an enciphering key; and transmit the result of the enciphering.

25. The smart card of claim 21, wherein the first secret data is a public key and the second secret data is a private key linked to the first secret data by an asymmetric encryption relation.