CA2319773A1 - Simultaneous protection for several types of software of several software designers - Google Patents

Abstract

The invention concerns the protection of several types of software against unauthorised use, consisting in an apparatus (licence card reader LCR) for simultaneously protecting several types of software of several software designers and comprising at least one communication peripheral (network, I/S port), a microcontroller programmable only once which integrates on the same silicon chip two parts separated by an interface. The integrated circuit is logically and physically protected against all attempts of unauthorised intrusion. The invention also concerns a portable apparatus of relatively small size with respect to the chip card connected for its use with the LCR apparatus, comprising at least a detachable recording module with high storage capacity, a microcontroller made secure against all attempts at unauthorised intrusion into its internal circuits. Thus the invention provides protection for several types of software independently of their editors with a single apparatus.

Description

Simultaneous protection of several software from several designers software.
The present invention relates to the protection of software against their uses no allowed.
The software industry is arguably the industry where products are most easily copied.
The information recording media, which are generally media optical, magnets are more and more powerful in storage capacities. Moreover, the time taken for making a copy of these media is quick. In addition, the price for owning a powerful device of information storage (hard disks, CDROM burners) has been completely democratized from so the new versions of software that go on sale are very quickly faced with problems with illegal copying. In addition, there are countries where copying unlawful is practiced in a manner industrial and with impunity using CDROM. If such a practice were to occur to generalize is everyone who is falling apart. The programs are developed by the designers of software, also called developers. The licenses to use their software are then sold to customers. Software companies earn profits generally at 1 S through the direct sale of their software products and / or the sale of licenses.
Illegal use of software is defined in relation to authorization of use of these software. This authorization therefore results in the fact that the designer of software accepts give a user license which authorizes vis-à-vis the law, the use of its products, at the end a commercial agreement.
The software sale price is calculated with the number of users likely to buy. So the profits made by a software design company depend enough on the how their customers plan to use the software once purchased.
To the extent that after purchase the user is free to duplicate the content of the media containing these software, the survival of software designers depend enough on the honesty of their clients.
Thus, for software used on the network, this license obtained authorizes in general use given software only on one computer station. To be used on several stations, one number of licenses corresponding to the number of computer stations provided for the use of such software on its network, must be purchased. Of course for a personal computer that number is equal to 1. Compared to designers, nothing can guarantee them that indeed their customers respect the conditions linked to license sales contracts, because in the absence of a method and / or medium, nothing prevents the use of the software on a number of stations greater than number of licenses purchased.
In addition, for software used on an isolated computer (computer personal) or networked, if no means have been taken by the software designer, nothing prevents what a user pirate faces copies of this software on computer media for them install on a number unlimited computers and use them with impunity. It is created so black markets sales of “pirated” software. This uncontrolled market can cause great shame in the software industry.
. 9 ~~ r ~~ i ~ i ~ '1_. ~ <R ~~~~', "~~, ~~~. '~ 26) ~ = ~ é ~ 1; ~ 4 '~~, ï:;' ~ ..,>., ~ ...-

-2-Designers who wish to control this phenomenon of copies and / or unlawful use of their software, buy an electronic device to protect somehow these software. But this solution is only possible for certain software.
In addition, these designers are dependent on the supplier of these means of protection software. The low-budget software developers cannot afford to protect their digital products given the too high price of protection methods compared to sale price of their software.
In addition, the use of these electronic devices requires from the designer software, a purchase of these devices before the actual sale of its software.
This situation forces the constitution of a stock which can represent a disadvantage compared to its competitors who would have chosen not to use software protections.
To address all of these software usage issues, different solutions were brought so far. A software or network protection solution monopostes (personal computers) is proposed in the US Pat patent. No. 5,553,139.
However it does not not allow software to be protected by the same device system coming from to several different software designers.
Other methods are used for a given computer through of systems connected directly to an I / O port on the host computer. A
such system is proposed in US Pat. No. 5,343,524. This invention is based on the use of a circuit electronic based on a secure microcontroller, which cannot be reproduced.
The protection of software with respect to this invention relates to the fact that software protected can verify by through keys, the presence of this device and interact with that apparatus. However the devices according to this invention have the disadvantage of only protecting software large productions because of its cost, and on the other hand not being able protect that software from the same designer. An example of a similar product is distributed by Rainbow company.
On the other hand, fully software protection methods are also employed. These protections very often consist in requesting an access code to the user. This code is then checked using a very complicated calculation. However, it does not prevent some users of find the type of calculation that is used so that protected software in this way do offer no reliability compared to software protection.
More powerful systems are used through the use of coprocessor that can calculate some of the codes of a given and protected software according to this method. Generally, these software cannot be used directly as it stands have been delivered to the user, because part of it is encrypted using encryption keys stored so secure in access, in a coprocessor ROM type memory. This principle implies that a user having obtained a license to use software protected by this method either attached to the computer host on which the software was installed. In addition, the possibility of protect multiple software from multiple designer companies is difficult to implement. So a coprocessor with

-3 ~
Similar characteristics are proposed by the US Pat. No. 4,817,140.
: I coprocessor relating to this patent is launched on condition that the user has a key to justify his purchase of user licenses. Another disadvantage of such a system is its use dedicated to software protection from a single designer, can make the presence of a annoying coprocessor especially when other designers decide to provide a means of protection software similar. In some cases, adding a new device may be impossible. Furthermore, such coprocessor represents a possible investment only with software including the price is very high (expensive) compared to the price of this already expensive coprocessor. Moreover, the user is linked to the computer on which the coprocessor is installed.
Most systems used for software protection are dedicated to a category accurate software. The image of these systems towards the user can be troublesome in the to the extent that they are likened to some kind of electronic police of surveillance and not of protections. In addition, these systems are restrictive insofar as the use of software protected by these systems is linked to the host computer on which is installed The software. Moreover writing protected software is very dependent on the architecture of the means of protections, which can make software development complicated. In addition, as in the case "dongles", the user is bound in the use of the software to the means which serve to the protections of software. So, for example, if a dongle is lost, that loss very often results in loss the right to use the software attached to the lost dongle. On the other hand, protection systems of software does not take into account the fact that software attached to its electronic system protection can be stolen. In this case of theft, and illicit use by relation to the thief there is no way to prevent the use of stolen software. In addition, the user will have to get a new license with a new purchase.
In addition, certain protected software is characterized by its use limited in time.
Such a system is presented by the US Pat patent. No. 4,868,736. This patent to the disadvantage of not be able to realize that this functionality.
Thus, the present invention overcomes all the drawbacks which have just been cited.
The present invention relates to software protection against non-compliance conditions of uses of the software fixed by its designer. It relates to using only one device to protect multiple software independently of computer systems and from the designer of these software. It is based on the use of two electronic devices who cannot be duplicated without authorization. This protection against duplication of devices according to this invention is realized thanks to an authentication method integrated in these devices.
The first device is an electronic reader of the second. It is noted LCL
for reader license cards. This reader provides almost all of the functionality of software protections according to the present invention.

-4-The second device is an electronic card, marked CL (license card).
Each user who wishes to run protected software according to the present invention, must have a CL card on which the authorizations to use software protected according to the present invention are stored.
Thus, the present invention separates on three levels the protection of software. In one firstly, the present invention relates to a method allowing the software separation protected (recording media) of the means which achieves the protection of this software (the LCL reader).
Secondly, the LCL reader is distributed independently compared to the distribution of protected software according to the present invention. So the same LCL reader, can be used to protect multiple software regardless of the designers and the number of software. Use of software protected under this invention is possible only if the user has the CL card which is distributed regardless of reader LCL.
According to the present invention, the CL card is a portable device of small size compared to a smart card. It has a removable device for recording big capacity. She allows data to be stored securely against readings and / or changes no allowed. It is mainly used as an access device allowing the use of protected software according to the present invention. Conditions of use of software are fixed by software designers. User cannot run software that provided have an authorization provided to him on his CL card during a purchase transaction. The map CL allows to store a large number on removable recording media permissions protected software uses. Thus, the CL card allows the user to carry the authorizations to use software and to be able to use software correspondents on everything computer when the use of this software for which it is entitled is possible compared to the whether or not this protected software is present on this computer.
The present invention relates to the use of this CL card a way to fight against loss or theft of this CL card. In the event of loss or theft, the card can be returned unusable by the body that manages (administers) the devices according to the present invention. A
important part of the licenses to use this software can be recover in case of loss.
Thus, the user does not run the risk of losing his rights of use software during CL card losses, which can be the case with protective devices software in the state current art.
The present invention relates to software protection methods regardless of Informatic Systems. The present invention allows the protection of network software and / or on a personal computer. LCL reader has a large capacity modularity by different devices that can be added to his system internal electronics.
This makes it very easy to connect the LCL reader to any environment computer science. So the software protection according to the present invention is achievable with the same LCL reader in _5 ~
very heterogeneous IT systems where many different systems coexist. The operation of LCL readers is independent of these computer systems.
Therefore, LCL readers allow software protection regardless of systems computer systems intended to run this software.
The present invention allows the development of protected software regardless of technical characteristics of the apparatuses according to the present invention. The development of protected software according to the present invention, is independent of internal functioning of LCL.
The production of protected software according to the present invention is made possible by doing perform some of the functions that make up this software by resources internal LCL.
The writing of these functions is completely transparent since the designer software is not required to respect the LCL electronic architecture. The smooth operation of these functions can even be tested outside of the LCL reader, so that the work of software protections for the designer stops writing these functions. These functions are basically small computational functions compared to the standard software size and whose execution is very fast. Several protected software different can be used as part of a network with the same LCL reader. In addition, several software protected according to the present invention can therefore be used on a personal computer with a single LCL reader.
The operation of the LCL reader used with a personal computer by in relation to use in a network environment only differs at the peripheral level communication used in each case.
According to the present invention, the LCL reader performs software protection by performing measures on the use of all software running. The LCL reader is according to the present invention, capable of knowing the number of licenses used on a computer and / or on the entire network to which it is connected. He is able to know the duration use of software given by a given user. According to the present invention, it is capable of cannaitre every usage information for software given over time.
These means of measurement specific to the LCL reader allows the LCL reader to arbitrate the use of software protected according to the present invention. This arbitration is carried out against at the conditions of use of each protected software according to the present invention. These conditions are set by the designer of this software.
Thus, according to the present invention, the CL card is used to store permissions to use software and the user's profile in relation to their use of software protected according to the present invention. The LCL reader is responsible for checking whether the profile of the user in relation to his rights to use the software, corresponds well to the conditions of use fixed by the designer of this software. These conditions can be according to the realization of this invention, time-limited conditions of use, opening conditions simultaneous of a number of execution sessions limited by the number of user licenses owned by the owner of the CL card.

Thus, a single LCL reader can arbitrate on one or more computers the use of one or several different software protected according to the present invention. The arbitration rules can be specific to each version of software, which allows the protection of several software by a single device according to criteria specific to the use of each protected software.
The present invention allows distribution of protected software regardless of means of protection so the software developer may not build up stocks protection devices. So software protection according to the present invention is interesting for small and large software distributions:
use of a single device for the protection of several software regardless of the designers may only decrease the cost of using the software protection system according to this invention. In addition, the present invention allows great flexibility with respect to administration softwares protected. The sale of authorizations to use given software may be centralized or decentralized.
In addition, according to the present invention, the creation of protected software can be perform of several ways. The permissions to create protected software according to the present invention, can be centralized or decentralized (situation described in the case of development of demo software or software whose use is limited).
In addition, the apparatuses according to the present invention can perform communications with remote systems. The administration of these devices is carried out by a remote system which is according to the embodiment of the present invention, a server noted aSVR. This server sets conditions of uses of the apparatuses according to the present invention. He arbitrates from generally use devices according to the present invention.
In addition, the authorizations to use software contained in a card CL can be either moved to the LCL reader or to another CL card. In the case where moving would take place to an LCL reader, access to protected software can be realized without the presence a CL card. In the case of travel to another CL card, this allows distributions software licenses by resellers. The current invention allows or not the centralized sales of software authorizations.
In addition, according to the present invention, the LCL card reader has one or more devices) which allows adding devices quickly and easily. According to particular modes of realization, the LCL reader has a radio receiver to receive information so secured or not thanks to a transmission device managed by said aSVR server.
This receiver is mainly used for authorization purchase operations of software usage outside line, update operations. It also allows you to manage security device usage according to the present invention.
The present invention allows by its means and methods of purchasing either by computer connections, either through a human reception system. Purchases can therefore be performed online or offline. These purchases consist of the acquisition of usage authorizations _7_ protected software according to the present invention. This concerns the use of a receiver digital radio allowing in particular the reception of these authorizations of uses.
To protect multiple software regardless of their designers, the The present invention relates to the use within the LCL reader, of a secure microcontroller against unauthorized readings and / or modifications of its memory internal and against computer virus attacks that may be encountered to the extent that this microcontroller runs programs of which it is unaware of the reliability, the use of the reader as a means of software protection is free outside of possible commercial agreements.
So this property allows that the use of the LCL reader and the CL card are completely free.
To allow the user to carry usage authorizations software protected, the CL card is small. It is based on a microcontroller to secure access to information that clears the rights of use of a given software. It can store a very large number of authorizations to use protected software according to the present invention.
Information is stored on strong recording media capabilities. They are 1 S protected against all unauthorized modifications and readings. Moreover, the internal sound system microcontroller is also protected against any physical and logical control.
In addition, the present invention relates to a software protection system.
evolving in the since it is possible to update all systems information contained in microcontrollers mentioned above. Given their ability to secure storing data and program execution, also taking into account the possibility of easily put on update the computer systems of the apparatuses according to the present invention, the present invention allows software protection devices to be used in other sectors of applications.
The accompanying drawings illustrate the invention Figure 1 illustrates all of the connection variants used in the current invention, and reflects the general operation of the invention. She allows to understand the different contexts of use of the devices according to the present invention.
Figure 2 illustrates the different layers of software necessary for a given LCL
can connect to a remote system.
FIG. 3 illustrates the block diagram of the architecture of the microcontroller used in the LCL device.
Figure 4 reflects the possible associations between two competing LCLs on the same network, to allow the sharing of software protection operations by the present invention.
FIG. 5 illustrates the block diagram of the various elements making up the menu CL electronics, in particular the architecture of the microcontroller associated with a CL card.
FIG. 6 represents a front view of the housing of the CL card.
Figure 7 shows a perspective view of the CL housing with the card CompactFlash output of its support.

_g_ FIG. 8 illustrates the sets of female male connectors between LCL and CL.
FIG. 9 illustrates the fact that the apparatuses according to the present invention have durations of use compared to the calendar.
Figure 10 illustrates the steps of an authentication procedure preventing machines hackers to work with devices (LCL readers and CL cards) certified.
Figure 11 illustrates the steps in a license purchase process software usage protected according to the present invention.
Figure 12 illustrates a simplified logic tree used by the system operating the microcontroller 100 to perform software protection.
With reference to FIG. 1, according to the embodiment of the present invention, the whole system which operates the electronic reader, can have centralized management by through a aSVR server which has a database 12 relating to the devices according to the current invention. All of the elements included in Box 10 are managed by a donated organism.
This organization is the distributor of the devices relating to this invention. The aSVR server can communicate with remote computer systems using a reader LCL. According to variants of the embodiment of the present invention, an LCL reader can have a way to connect either directly to a network 40, or siu ~ an I / O port of a personal computer (context represented by box 30) or have a digital radio receiver 22 (context represented by box 20).
According to the embodiment of the present invention, FIG. 2 illustrates the different layers crossed by LCL to reach a remote system. Communications between the remote system and LCL are managed by two programs running on a computer 50. The connection 54 between the computer and an LCL reader can, depending on the type of use, be a network connection in the case of box 40 or a direct connection to an I / O port of computer 50 within contexts 30 and 20. The port chosen for the realization of this invention, in contexts 30 and 20, is a USB (Universal Serial Bus) port for reasons of speed, in assuming that computers used have such a communication port. The description of the present invention retained for the context of use 40, the case of an Ethernet network with the TCP / IP protocol.
In this context, the LCL reader will have a network device adequate. The program PGM 52 allows interactive communication with a given LCL reader.
These communications are made using the DRV 51 driver program. With reference to the figure 2, this driver 51 performs all communication functions between an LCL reader and a computer 50 connected to this player. The different functionalities of these two programs management specific devices according to the present invention will be defined below. The PGM program allows to ensure the LCL reader communication with a remote system. For realize this communication, PGM uses the communications resources 53 of the computer host 50. The DRV program provides local communication between the LCL reader and the program PGM. In case 30, it can be modem 31 allowing a connection to the Internet WO 9913925b PCT / FR99 / 00182 to which is attached lc; aSVR server. According to the realization of this invention, for case 40, the communication resource 53 is that of 1 "computer 50 with respect to network resources local, allowing access to a remote system via the Internet.
The use of LCL readers is subject to a condition identification when

5 start-up, and by a condition of the effective connection of the card CL on a support of LCL reader. These two conditions will be described later.
Context 20 corresponding to situations where the LCL reader is connected on a computer not having; means of communication with a remote system. This operation will described later.
According to the present invention, software protection is made possible by having executed a small part of the functions of a given software, by said reader electronic, noted LCL. Said electronic card, marked CL, has the authorizations to use the software. Given its storage capacity; the CL card can store a large amount usage authorizations. Of this way the present invention allows by means of a single device electronic, the 15 protection of several software simultaneously and independently of their designers.
According to the embodiment of the present invention, the LCL reader and the CL card are respectively associated with two unique serial numbers. All information allowing the operation of the LCL reader and the CL card to protect the software, is managed by the aSVR server. using its database 12 which must be protected against unauthorized access 20 authorized in relation to the security of the system put in place for software protection.
The organization in which ~ ~ which manages aSVR allocates respectively to a CL card given and a reader LCL given, ID.c and ID.d serial numbers, and secret coding keys kT.c and kT.d. The ID.c and ID numbers. ~ i are unique. These two numbers and these two secret keys are stored in non-volatile memory found in the electronic system of CL and LCL. Of 25 details will be given later. The couples (ID.c, kT.c) and (ID.d, kT.d) are stored by elsewhere in the database 12 accessible only by aSVR for security reasons obvious. The keys lcT.c and kT.d are known only by aSVR, outside LCL devices and CL.
In addition, according to the embodiment of the present invention, the numbers ID.c and ID.d are public, 30 but cannot be modified. This means that they are stored in memory protected from the system integrated electronics in each device relating to the present invention, and they are communicated to their user in a clear form. According to realization of this invention, they are marked on the CL and LCL housing. In addition, the present invention does concerns the shape of the case used for the LCL reader.
According to the embodiment of the present invention, the encryption method adopted with keys coding secrets lcT.d and kT.c, concerns DES encryption (data encryption standard) developed by the company IBM. These two keys have a size of 128 bits sufficient against crackles of codes. According to particular embodiments, it will be possible to choose other type of encryption and WO 99/3925

6 PCT / FR99 / 00182 encoding key size.
According to the present invention, the LCL and CL devices can be configured in a certain measurement via a computer program, noted PGM, suitable for each type computer and computer operating systems. PGM allows a user to start procedures relating to operations requiring intervention by use. These procedures are described below. PGM is distributed by said organization who manages aSVR. AT
installing PGM on a host computer, a localization operation of an LCL reader is performed. If an LCL reader is connected directly to a computer communication host, a DRV software driver for communication through this port is installed in order to allow a program on this computer to send and receive data to LCL
LCL by following the diagram of Figure 2, without taking into account the technical characteristics of Communication between this computer and the connected LCL player. The DRV driver allows transparent use of the LCL reader.
In the case where protected software is used on the network (this is from context 40), a appropriate DRV driver program will be installed on each computer on the network, to allow the communication between these computers and the LCL connected on this local network. The DRV driver allows transparent use of LCL for each computer on the network which may have different computer systems between them.
When installed on the Ethernet network, the LCL reader receives an address IP versus TCP / IP protocol, which allows the driver installed on network computers to locate it.
In addition, each DRV driver allows each host computer where are used softwares protected by the present invention, to communicate with the LCL reader. The realization of the present invention also allows that several PGM programs can establish communications with a given LCL reader connected to the network in question.
In its use network 40, the LCL reader in case of intensive use, can share with other LCL reader, sa software protection function as seen in Figure 4 where a distribution of computers using two LCL readers is illustrated. The distribution of LCL readers on the network with computers is, according to the realization of this invention made by network administrator. The latter distributes the computers of the network compared to LCL readers present on the network, when DRV was installed on each computer's this network. It tells DRV the IP address of the LCL reader to use.
After installing PGM on a host computer, users of this computer can then perform on a given LCL reader, connected with a given CL card the different following operations: online purchase of software licenses protected by i present invention, relocation of a number of licenses to use CL card software to another CL card, lost license recovery operations with the loss of a CL card, updating the programs contained in the memories LCL reader electronics or the CL card.

Thus, the realization of the present invention considers a given software, noted LD. The The following descriptions are valid for all other software. Its designer (manufacturer) protects it according to the present invention, against illegal uses by separating all functions composing its software in two parts. The first part concerns procedures he desires leave the execution to a host computer. The second part concerns functions that should be run by LCL compute resources. These functions must be quick to execute. Their size is around 100 kilobytes.
From this second part of said LD software, he extracts a list of functions {Fo, F ~, ..., F ;, ... F "}. These functions are necessary for the operation of the LD software.
To perform this extraction, it must respect a fundamental rule: these functions must not not use resources characteristic of computers intended for the execution of LD.
This condition is enough easy to stick to. For example, said list of functions can be only functions of pure calculations.
According to the embodiment of the present invention, the writing of these functions and their good test operation can be performed regardless of the presence of the reader LCL. The way retained for the realization of the present invention, relates to the machine JAVA virtual. So these functions are written in JAVA. These functions are therefore compiled in “byte language code universal JAVA and stored in a file, noted LF.
Furthermore, according to the embodiment of the present invention, the protection of the LD software then begins by running the PGM program on a computer containing LF. According to realization of the present invention, PGM then asks the designer of LD the system operating system (WINDOWS NT, DOS, L11 ~ TIX, ...) and the type of computer (MACINTOSH, SPARC, PC, ...) which will execute LD. After these answers, PGM launches a procedure of reader connection LCL available to the aSVR server. Communication between LCL and aSVR is done according to the figure 2. The serial number of the LCL reader is given first to the aSVR server.
During this procedure for creating software protected by the present invention, LCL
ask aSVR in secure communication an S # serial number to associate with the software protect LD and a key to kX.S # encodings.
According to the embodiment of the present invention, S # is defined on 128 bits, and The key kX.S # is defined with respect to DES encryption with a size of 128 bits.
According to the embodiment of the present invention, to perform said secure communication with aSVR, LCL starts by sending aSVR its ID.d number in a non-form coded. Through association with the corresponding key, aSVR found in its database 12, the key kT.d to associate with ID.d.
Thus, aSVR returns to LCL, S # and kX.S # in a form coded with the key kT.d.
The reader LCL retrieves the clear form of S # and kX.S # by decoding with the key kT.d which is in his internal memory 111, compared to the DES encryption algorithm.
According to the present invention, the key kX.S # is known by aSVR alone, because after use, kX.S # will be deleted from the DRAM 109 secure memory of LCL. In addition, S # esv communicated to PGM which registers it in a binary file containing the boundary conditions software usage.
According to the embodiment of the present invention, this file can have the format next: S # of software associated (128 bits), permanent licenses (8 bits), duration of use (24 bits), (use expires end (16 bits), number of executions (32 bits). This (shit is therefore a size of 26 bytes. {Fo, F;, ..., F ;, ... F "} then undergo encryption operations. The Fo function is treated separately. According to carrying out the present invention, the so-called initialization procedure allowing on the one hand to count the number of licenses used on the network in the network context 40, and on the other hand measure usage characteristics of LD software compared to time. It is a function which is executed during the execution of the LD software by a user, and repetitively. Fo is in particular the first function which will be executed by LCL when opening of a session LD software executions.
Fo is coded with a different key from kX.S #. For this the PGM software generates a key of same type noted kEL.S # compared to DES encryption. The kEL.S # key is known only by the designer of LD. According to the embodiment of the present invention, kEL.S # is a 128-bit key. he is the responsibility of the designer to keep this key safe kEL.S #. To this function coded, it attaches other information coded also by the key kEL.S #. It's about of the file containing the conditions for using the LD software. This coded information then constitute a file named eFo according to the embodiment of the present invention.
In addition, according to the embodiment of the present invention, the other functions are then coded by the key kX.S #. For this step, PGM then sends F ,, ..., F ;, ... F "to LCL through of DRV. LCL computing resources then code these functions successively with the key kX.S #. At the end of the coding operations, LCL returns {eF ,, ...., eF "}
corresponding respectively to the coded forms of {F ,, ..., F "}.
According to the embodiment of the present invention, PGM then proceeds to software assembly.
For a given operating system, PGM creates a library file of functions that will be executed during the execution of the LD software on a user's computer given. The different library functions allow you to load an element from {eFo, ...., eF "} with parameters necessary to execute the corresponding function, to the LCL reader when using LD. eFO, ...., eFn will be respectively loaded by the functions FFo, ...., FF "created by PGM.
These functions are created in relation to the type of operating systems and the type of computers partners who will execute LD. PGM thus brings together {FFO, ..., FFn} and {eFO, ..., eFn} with the rest of the LD software thus protected, and numbered S #. Everything is then put on media registration, by example a CDROM. The software is thus protected and ready to be distributed freely, because he cannot not be used in the current state. So the distribution of the media recording can be completely free.
Thus, the software protection according to the present invention is based on the use of LCL reader calculation resources.

According to the present invention, the LCL reader is an electronic reader built around a microcontroller 100 physically and logically secure to prevent against attempts to hackers for unauthorized electronic checks. Given that that this microcontroller 100 is required to run programs of unknown origin, this invention relates to a means of preventing computer attacks of the microcontroller 100 by virus intermediary IT. This is done to prevent a virus from reading information confidential linked to the operations of the LCL reader. So this invention allows secure both the storage of information and the execution of everything outdoor program to the programs initially loaded into the microcontroller 100.
According to the embodiment of the present invention, the architecture chosen for the microcontroller is built around a system based on a set of two processors used in master slave. In reference to FIG. 3, the microcontroller 100 integrates on the same pad silicon two parts main 130 and 120. Integration methods ASIC (Application Specific Integrated Circuit) are used to make these silicon wafers. Part 130 includes a CPU1 processor which is the master processor. It is connected by an internal bus 101 to a module of FLASH memories 111, a DRAM memory module 109, a 1I2 random number generator, a doors RS232 151, a USB port 152, a smart card controller 153, a controller PCMCIA 154, a keyboard and LCD screen controller 155, a controller 113 of the slave processor CPU2 which is in part 120, an interface 106, a Bus interface external 105, a internal programmable real-time clock 104, a microfuse system internal 102 which allows to take out the internal bus 101 outside the microcontroller 100. The part 120 of the microcontroller 100 includes a watchdog 108. The CPU2 is connected by the internal bus 114 to a memory module DRAM 110, a DMA controller 107, and an interface 106. The slave CPU2 is ordered by through controller 113 and interface 106. The latter two electronic systems (113 and 106) are controlled only by the master processor CPU1. So, such architecture allows the execution of programs of unknown origin without damage integrity information contained in the microcontroller 100.
According to particular embodiments, the microcontroller 100 may not not integrate on the same silicon wafer all or part of the following: I / O port RS232 151, USB port 152, smart card controller 153, PCMCIA controller 154, keyboard controller and LCD screen 155.
According to particular embodiments not illustrated, and in order to accelerate processing speed information, the microcontroller 100 can comprise on the same chip of silicon one encryption coprocessor adapted to the DES encryption technique.
Of course this encryption coprocessor will be integrated into part 130 connected to the bus internal 101.
According to the present invention, the internal real time clock 104 is supplied by a pile electric 103 external with respect to the microcontroller 100. Its operation is autonomous. This clock is integrated on said silicon wafer in order to prevent control attempts distorting the time and date it provides to CPU1. Considering from the weak power consumption of this clock, the electric battery provides continuously on current required to operate this clock for the entire duration of use of microcontroller 100 as the central organ of the LCL reader. Optionally, a procedure setting the time of the clock 104 may be carried out by the aSVR server.
The clock 104 allows measure the time spent using protected software and perform operations dependent on the date and time.
The internal bus 101 is taken out of the microcontroller 100, by through the microfuse system 102. According to a variant not illustrated, the microfuse is avoided by using internal OTP EPROM memory. This variant allows same levels safety than using the microfuse system 102.
The microfuse system 102 makes it possible to produce a system of microcontroller programmable only once. The data necessary to put into service LCL readers (secret coding keys, serial numbers, identifiers, dates, times), and the operating system microcontroller 100 grouping programs allowing LCL readers to realise directly and / or indirectly all the functions relating to present invention are factory programmed in the non-volatile memory memory area (memory Flash 111). The operating system is executed in DRAM 109.
The embodiment of the present invention uses FLASH memory as support of permanent storage for the microcontroller 100. The choice of such a memory FLASH can allow a very easy update of the operating system initially factory programmed.
According to the embodiment of the present invention, the times and the dates are data, unless stated otherwise, compared to the origin meridian of GMT time zones (Greenwich Mean Time).
So when setting the time during the programming of the microcontroller 100 in the factory, this reference is taken for the internal clock 104 of the microcontroller 100 of the LCL readers.
After programming, the microfuse system is destroyed which prevents definitely a new programming of the microcontroller 100, there is then no more access direct inside of the microcontroller 100, because all the controllers and interfaces are completely under the control of master processor CPU1 (depending on the construction of the microcontroller 100). The operating system of the microcontroller 100 thus programmed is automatically loaded by the master processor CPU1 each time an LCL reader is started.
Thus all the information which is stored in the internal memory of microcontroller 100 are secured against all attempts at control electronic external to microcontroller 100. Given the physical properties of a pellet of silicon, its size and its housing, it offers in the current state of the art a very good physical and logical protection against all unauthorized intrusion attempts into circuits internal of the microcontroller 100. According to particular embodiments, protection techniques additional can however be added around the microcontroller 100. One of the possible techniques concerns the use of an external electrical protection device integrated circuits, presented in the patent of the company IBM in 1990 (US Patent 5,117,457).
The slave electronic system 120 is used to execute programs coming from outside of microcontroller, i.e. not belonging to the operating system which was loaded in the FLASH memory 111 when programming the microcontroller 100. It allows to execute programs safe from possible computer virus attacks. Security is completed by report to these attacks through physical protection characterized by a logical separation of the same silicon wafer in two parts 120 and 130 of which one 120 is slave of the other 130.
According to the embodiment of the present invention, the DRAM memory area 109 is strictly reserved for the execution of the operating system of the microcontroller 100 which been loaded at the factory, during the prograxnlnation procedure of the microcontroller 100. It is also used buffer to transfer programs and / or data from outside the microcontroller to the DRAM memory 110 via interface 106 controlled only by the processor master CPU1. The programs from outside are executed from DRAM memory 110, by the slave processor CPU2 controlled by the master processor CPU1 via the controller 113.
According to the embodiment of the present invention, compared to the uses of LCL readers with different types of computers and operating systems, and given of writing Fo functions previously described, the CPU2 is a Java processor (PicoJava) from Sun Microsystems. This characteristic makes the development of the functions {Fo, F1, ..., F ;, ... F "}
independent of computational resources of the computer running software protected according to the present invention, and internal resources of LCL. In addition, the designer protected software by the present invention, can test the operation of the functions {Fo, F ,, ..., F ;, ... F "}
independently of the LCL reader with a program simulating a virtual machine JAVA.
According to the embodiment of the present invention, CPU1 is a processor of the type 80386SX. he can so use directly via its internal bus 101 a large amount of edou internal memories external. Its calculation capacity allows us to envisage a high capacity for treatments multitasking information.
According to particular embodiments, the microcontroller may not use of JAVA processors, but an 80386SX type processor including the system operating would be the JAVA virtual machine from Sun Microsystems that the CPUl would load at every news execution of programs in DRAM 110 in order to avoid possible attacks virus IT.
In addition, according to the embodiment of the present invention, all of the any information of the DRAM memory 110 is erased by CPU1 before each new loading of programs which must be executed by CPU2. CPU1 pauses CPU2 via of the controller CPU2 113, and clears, for example by temporarily disabling the circuits that make up the DRAM 110 memory module, the content of this DR.AM 110 memory thanks to interface 106.
Then CPU1 loads the execution parameters and the new program to run in the DRAM 110 directly thanks to the DMA 107 controller. This direct loading allows to not use CPU2 and allow CPU1 to fully control DRAM 110.
So after loading of the program, CPU1 then gives the hand to CPU2 via of the controller CPU2 113. CPU2 then executes the new program. So given all of these measures, if this program is a computer virus voluntarily registered in one of the type F functions;
however, it cannot affect the functioning of the microcontroller 100, ni copy out of the data not erased concerning the old data functions that have been executed by CPU2 in DRAM memory 110. In addition, CPU1 keeps the access control to the data contained in its part 130. This procedure for loading program and / or data in DRAM 110, is repeated for each program which must be executed by the slave processor CPU2.
According to the embodiment of the present invention, the architecture presented by the Figure 3, allows prevent a program that does not belong to the operating system of the microcontroller 100 to perform readings and / or modification in the internal memory of the system 130 integrated in the rr ~ icrocontroller 100. It also makes it possible to prevent these programs from controlling interfaces and / or microcontroller 100 controllers, and therefore prevent hackers from reading the content of memories physically and logically secured from system 130, integrated into the microcontroller 100.
In addition, according to the present invention, the external bus interface 105 allows the microcontroller 100 to control external devices connected to external bus 114. This bus add to LCL of recording devices such as media type record Flash Disk (FLASH memory used a standard disk), a peripheral communication network.
The architecture of the microcontroller 100 pern ~ and a great modularity of operation.
According to the embodiment of the present invention, on this bus 114 is connected a access device Ethernet network for communication in TPC / IP protocol. Depending on the type of communication used between an LCL reader and a given computer, we can connect to this bus a device adequate for this communication. So we can add a radio device receiver 22, for use an LCL reader in the context 20 of figure 1. The use of this receiver will be defined by the after.
According to the embodiment of the present invention, taking into account the controller Integrated PCMCIA 154 in the microcontroller 100, the peripherals used can also be PCMCIA cards used by the microcontroller 100 for all operations relating to the present invention. These PCMCIA cards can be PCMCIA Ethernet cards, FLASH cards PCMCIA, a disk PCMCIA hard drive, a PCMCIA wireless digital reception module card. These different cards are not illustrated. The use of the PCMCIA controller makes it possible to add to an LCL reader given devices more easily compared to external bus 114. The USB 150 port used for a high speed transmission and reception connection between a computer, and a player LCL given. These are contexts 30 and 20.

_ 17-The I / O port 151 allows, according to the embodiment of the present invention, to communicate with a CL card.
Referring to Figure 5, the CL 60 electronic card is built around of a microcontroller 400 integrating a processor on the same silicon wafer CPU 405 connected by an internal bus 406 to a Flash memory module 401, a memory module OTP EPROM
407, a DRAM memory module 404, a RS232 403 I / O serial port, a controller CompactFlash 402 from SanDisk.
According to a variant not illustrated, the microcontroller integrates on the same pad surface silicon a DES encryption coprocessor to allow the CPU to perform operations encryption faster.
According to the embodiment of the present invention, the read accesses in the memory module OTPEPROM directly from outside the microcontroller 400 are deleted, in order to leave all access to internal circuits of microcontroller 400 under single control CPU processor 405. The present invention does not require the use of a large computing power at the level of the processor CPU 405 integrated in the microcontroller 400.
This microcontroller 400 includes a means of securing the reading and / or the modification illicit information that is contained in its internal memory. A
security method access to memories is proposed in the US Pat. 5,293,424 dated March 8, 1994.
According to the present invention, the internal OTP EPROM memory 407 is used to store keys to encryption, identification serial numbers, dates, system operating the microcontroller 400 performing functions directly and / or indirectly relating to his use according to the present invention.
According to the embodiment of the present invention, the internal FLASH memory 401 used to store permanently additional data after leaving the factory CL card. She serves also to store additional programs that allow the microcontroller 400 to realize directly or indirectly additional functions relating to its use according to present invention after leaving the CL card factory.
According to the embodiment of the present invention, and in general, the CL card is powered electrically by LCL when connected to LCL. This connection electric is not illustrated.
According to the present invention, the microcontroller 400 is protected against any modification of information it contains. It is a microcontroller similar to those smart cards. It is connected to a female connector 63 which makes it possible to communicate by contact with a LCL reader given.
According to the present invention, the CL card is a portable device of small size with a high capacity removable storage unit.
According to the embodiment of the present invention, the microcontroller 400 is connected to the sound output CompactFlash controller to a 64 connection support for modules type memories CompactFlash.

According to particular embodiments, the CompactFlash controller may not be integrated on the same silicon wafer as the microcontroller 400. It can also use another recording media such as DiskOnChip modules from the company M-Systems or any other proprietary and removable system of non-volatile memories.
In the current state of the art, microcontrollers having the characteristics of microcontroller 400 are very numerous. According to the realization of this invention, a 32-bit RISC microcontroller with the characteristics of microcontroller 400 has been integrated on the same silicon wafer with the CompactFlash card controller.
This integration uses ASIC (Application Speciflc Integrated) integration technologies Circuit).
So all of the information that is stored in memory internal of microcontroller 400 is secured against all attempts at checks external electronics.
According to the present invention, the CL card is a portable device of small cut. It allows to transport information concerning the use of protected software, regardless of LCL electronic reader. It is used as an access key to the use of software protected according to the present invention. Its portability allows a user to use software whose use rights (licenses) it has purchased on any computer that would own this software.
According to the embodiment of the present invention, the geometric format of CL is between that of the CompactFlash card is that of a PCMCIA card.
Referring to Figure 6, a hole 62 has been placed in a corner of the housing 60 representing CL.
Thus, the CL card can be attached to a mechanical keychain. According to realization of this invention, the serial number ID.c not illustrated of a given CL card is printed on case 60 from CL.
In addition, according to the present invention, with reference to Figure 7, the module memories CompactFlash 61 is detachable from housing 60 via the support system connection 64 for card CompactFlash.
With reference to FIG. 8 and according to the embodiment of the present invention, the CL card is connects by contact with an LCL reader via a set of two male connectors female. A map CL has a female connector 63 which it connects to the male connector 210 correspondent of LCL reader. These connector sets allow RS232 serial communication between LCL and CL
by contact. In addition, it provides electrical energy to electronic circuits of the CL card. According to the embodiment of the present invention, the LCI reader. East powered by mains.
According to particular embodiments not illustrated, CL can have its own food electric to allow autonomous operation. According to these modes private individuals, you can integrate in CL a radio or infrared communication module to allow contactless communications with LCL. An example of such a device is brought by Hough in US Pat. No. 5,412,253. Of course, the LCL reader has in these conditions the ports of adequate communications.
According to the embodiment of the present invention, all the coding keys written in the factory when programming of LCL and CL type devices are 128-bit keys definite compared to the DES algorithm. Thus, given this description of the invention, a module of 256 kilobyte OTP EPROM memories, a 64 Flash memory module kilobytes, one 512 kilobyte DRAM memory module has been integrated with the CPU 405 (RISC processor), the RS232 403 I / O serial port and the CompactFlash card controller on a same tablet silicon. Of course, other larger memory sizes can be used according availability of ASIC integration macros and their cost. These quantities are given by in relation to this achievement.
Furthermore, according to the embodiment of the present invention, the size retained for the module Flash memory 111 is 1 megabytes. The size chosen for the DRAM memory 109, is 2 megabytes. The size used for the DRAM 110 memory module is 1 megabyte.
These quantities are given relative to the present embodiment.
All the programs relating to the functionalities of the LCL reader constitutes the system internal operating system of microcontroller 100. This operating system is recorded in the Flash memory 111 of microcontroller 100 when programmed in the factory.
All the programs relating to the functionality of the CL card constitutes the system internal operating system of microcontroller 400. This operating system is recorded in the OTP EPROM 407 memory of microcontroller 400 when programmed in factory.
According to the present invention, communications between LCL and CL are secure. The current The invention relates to the use of an authentication method allowing a group of any device to recognize themselves using this method. This authentication allows that only the devices relating to the present invention, certified by the organization that manages the server aSVR, can work together. This method according to the present invention, allows prevent devices which are not recognized by the body which manages them devices related to present invention, can not work with those recognized. This method thus prevents hacked devices to read data from memories secure electronic apparatus relating to the present invention.
The present invention relates to apparatus which can only be used during a duration to be determined over time. For the realization, LCL and CL devices are all characterized by a date of commissioning DB and a date DE which indicates that the use of these devices relating to the present invention, expires end OF. DB and DE constitutes a public information no editable.
Thus, according to the embodiment of the present invention, the date DB of the reader LCL, denoted DB.d, is written during the factory programming of the microcontroller 100, in a zone free from Flash memory 111. In addition, the date DE of an LCL reader, noted DE.d, is written during the factory programming of microcontroller 100, in a free area of the Flash memory 111.
In addition, according to the embodiment of the present invention, the date DB of CL, denoted DB.c, is written when programming the microcontroller 400 in the factory, in a free zone from memory Flash 401. In addition, the date DE of a CL card, noted DE.c, is written during programming in factory of microcontroller 400, in a free area of memory OTPEPROM 407.
Thus, according to the embodiment of the present invention, the organization which manages aSVR generates for each week of the international calendar which begins on Monday and which ends late sunday a kLi key. The kLl key is the first key that was generated for the first week when first devices relating to the present invention have been put into service.
The key kLi indicates the key of week i compared to this first week. All of these keys are fully created and kept secretly by the organization that manages the aSVR server in order to guarantee Security of use of the devices relating to the present invention.
According to the embodiment of the present invention, for a CL card considered, when programming procedure for its microcontroller 400, the secret key to kLj coding is written in a free area of the OTPEPROM 407 memory. This secret key kLj corresponds to the week j compared to the first week when the first devices relating to the present invention have been commissioning. The key kLj was chosen so that week d contains the date DB of the commissioning of this CL card. This secret key will never be revealed to the user. Through moreover, it is known only by the organization which manages the aSVR service.
In addition, according to the embodiment of the present invention, for an LCL reader considered, during the programming procedure for its microcontroller 100, the list of keys coding secrets {kL; +], kL; + 2 ~~ -i + 3 ~ ~ ~ ~ ~~ + mi corresponding to all the keys associated with weeks between the date DB.d reduced by 1460 days and the date DE.d, are stored in the Flash memory 111 of microcontroller 100. Of course, their memory addresses follow a convention adopted for allow them to be found in memory 111. These secret keys are by elsewhere known only by the organization that manages the aSVR server. All these secret keys who have just been cited, are generated in relation to the DES encryption algorithm. Each of these secret keys has a size of 128 bits.
According to the embodiment of the present invention, the duration which separates a date from commissioning DB and an end date DE of the devices relating to this invention, is from 1461 days (4 years). Thus {kL; + ;, ld.; + Z ~ l ~ .a + 3, ..., kL; + ",} occupies no more than 7 000 bytes (approximation voluntarily excessive) in the Flash memory of the microcontroller 100 of a LCL given. The figure 4 allows to understand the choice of the number of keys in the list {kL; + ;, kL; + z, ~ .a + 3, ..., kL; + m}.
This number is due to the existence of the oldest devices, still in service on date DB.d from commissioning of the LCL in question. Given the capacity of the memories Flash built into within a microcontroller 100, all of the keys {kL; + t ~~ ..i + 2W-i + 3 ~~~~~ l ~ i + mi can therefore be stored with the microcontroller operating system 100.
Thus, the realization of said authentication procedure is based on judicious use of all these keys. The number of keys used allows that if a key were to be broken, the operation linked to authentication with respect to this key, does not set in check the entire system relating to the present invention.

WO 99! 39256 PCT / FR99 / 00182 With reference to FIG. 10, for the use of LCL, firstly, an LCL reader can only work if the current date indicated by the real time clock internal 104 of LCL microcontroller 100 is between the dates DB.d and DE.d of the same LCL. Other the continuation cannot succeed 551. This condition is illustrated in FIG. 10 by element 501 $ Secondly, with reference to step 502, to highlight operation one LCL reader, user must perform an identification operation detailed later.
Thirdly, to put a CL card into operation, user must first connect its CL card (step 503) to the male type support of connection 210 owned by the LCL reader, to allow communication by contact between the LCL reader and card CL. The male type 210 support of the LCL reader is connected to the RS232 I / O port 151 of microcontroller 100. The CL card therefore has a female connector 63 connected to the RS232 I / O port 403 of its microcontroller 400. The user must then perform a identification operation described below.
According to the embodiment of the present invention, in a fourth step 504, the microcontroller 400 of the CL card sends in an unencrypted form its date of commissioning DB.c au LCL microcontroller via said RS232 link. If a hacker modify the DB.c value transmitted, the following this description cannot be successfully completed.
On the other side and after reception of DB.c, in a fifth step 505, the processor CPU1 of the LCL microcontroller 100 makes a correspondence between DB.c and a noted secret key kLj.d elements of the list {kL; + t, ~ .i + 2, ~ ..i + 3, ~~~ W-i + mi so that the week d associated with kLj.d according to the present invention contains DB.c.
In a sixth step 506, the processor CPU1 generates a 128-bit kCS key compared to DES encryption, using its random number generator 112. kCS is preserved secretly in the internal DRAM memory 109 of the microcontroller 100.
According to the present invention, kCS is then coded by kLj.d then sent under its shape coded, noted ekCS, towards the microcontroller of CL.
In a seventh step 507, on receipt of ekCS, the CL card attempts to decode ekCS with its secret key kLj. According to the present invention, if the decoding succeeds, said procedure authentication was successful. The CL microcontroller will then use the key kCS for sending coded information to LCL, and for decoded information coming through the sequel to LCL. The microcontroller 400 of the CL card stores in its secure internal memory DRAM 404 this key secret kCS.
Thus, according to the embodiment of the present invention, in an eighth step 508, the CL microcontroller then sends the expiration date DE.c associated with CL
in a form coded by the key kCS to the microcontroller of the LCL reader.
On reception, in a ninth step 509, CPU1 checks whether DE.c is not exceeded compared on the current date given by the internal clock of the LCL microcontroller 100.
If this date is exceeded, LCL will refuse to continue communication with the CL 552 card.
Otherwise, a secure communication between LCL and CL can take place 559.
Thus, each communication session between LCL and CL which begins with their connection by contact and which ends when one of the following conditions is filled: CL is disconnected of LCL, the current date indicated by the clock 104 has exceeded the date DE.c, the current date indicated by the clock 104 has passed the date DE.d. Disconnecting the card LCL reader CL
is marked by the absence of charge at the output of the power supply used to power the electronic circuits of the CL card.
In addition, according to the present invention, all communications between the LCL reader and card CL are secured by the use of a symmetric encryption method using a secret key, noted kCS.
According to the embodiment of the present invention, the user who wishes to make operate a device relating to the present invention, must enter on the keyboard its LCL reader controlled by the microcontroller 100 via the keyboard and screen controller LCD 155, a PIN code.
At the time of its entry, the numbers typed will be written on the LCD screen not illustrated and controlled by the controller 155. This code was supplied to him during the first acquisition (purchase) of the device in question. The PIN code is a 5-digit numeric code associated with each apparatus. He must be kept secretly by the owner of the corresponding device.
The use of such a code is similar to that used with identification methods present in the world of cards to chips (SmartCard) in the current state of the art. The steps to check the correct entry of the PIN code associated with each device according to the present invention, are obvious and are not detailed in the present description of the invention. However, add that the PIN code of a CL card is entered on the LCL keyboard, then transmitted in its non-form coded, towards microcontroller 400 of the CL card, via the RS232 serial link between a given CL card and a given LCL reader. It is therefore understood, unless otherwise stated, in a work correct of an apparatus relating to the present invention, that entering the code PIN was conducted with success.
The present invention relates to the use of a CL card as a medium recording portable, secure containing authorization files for use by all protected software according to the present invention, and acquired legally by the user and separately from the acquisition of software (the recording media). These files have been saved in the CL card following a software acquisition procedure described below.
According to the embodiment of the present invention, an authorization file of use of a given software with serial number S #, marked Fich.S #, is defined as binary file of which the data bits are ordered as follows: S # of the software (128 bits), B7.c (128 bits), number of licenses (L # .S #: 16 bits), last use (DR.S #: Day 5 bits, month 4 bits, year 12 bits, 5-bit hour, 6-bit minutes, 6-bit seconds), first use (DP.S #: date and time 38 büs), current usage time (DU.S # in minutes: 24 bits), number of software executions (28 bits), miscellaneous data (Misc: 1024 bits), kEL.S key (128 bits), kX.S # key (128 bits). The total is WO 99/39256 PC'T / FR99 / 00182 i 680 bits, a 210 byte file.

According to the embodiment of the present invention, a CompactFlash type card 61 distributed by the company SanDisk with a storage capacity of 4 megabytes is inserted as shown on the FIG. 7 on a suitable connection support 64 present on the CL card, to allow the connection of this CompactFlash card to the card controller CompactFlash 402 from 400 microcontroller. CompactFlash cards are compatible with the standard ATA cards PCMCIA in the current state of the art. These CompactFlash memory modules are used as information storage disks. The necessary instructions concerning the writing of the driver which allows the microcontroller 400 to use the CompactFlash module of 4 megabytes are given by the ATA standard. This driver not shown, allows depending on the realization of the present invention, at microcontroller to perform the following operations on the CompactFlash card : readings of files, file modifications, file creations.
Thus, according to the embodiment of the present invention, the CL card makes it possible to store more than 10,000 authorization files for the use of software protected according to the present invention. This number is more than enough for all software protected by present invention, that a user can legally acquire. However, the user can change CompactFlash cards for greater storage capacity. Given the ATA standard, this change does requires neither updating the microcontroller 400 system programs, nor change of case 60 and support for CompactFlash 64 card.
According to the present invention, the information stored on the card CL, about the authorizations to use protected software according to the present invention, do not depend on recording media but from the electronic card entity CL. So a CL card user can use several CompactFlash cards to store files type.Sheet #. The data that is stored on a first CompactFlash card associated with a CL card given can be transferred to a second CompactFlash card. This operation is performed at using the aforementioned PGM program.
According to the present invention, the Fich.S # authorization files are stored.
in a form coded, denoted eFich.S #, with a 128-bit kS.c secret key compared to the encryption technique DES, in the CompactFlash card used as a storage disk. The key secret kS.ca summer written in the OTPEPROM 407 memory during the factory programming of the microcontroller 400.
Thus, eFich.S # can only be used by the CL card that created it, because the secret key kS.c is different for each CL card put into service.
In addition, the present invention relates to a method for separating the acquisition of recording media containing software) protected by the present invention, from right to use this or these software (s).
According to the embodiment of the present invention, the recording media of protected software according to the present invention are freely distributed. However, software protected according to the present invention, can only be executed after an operation legal acquisition a file File.S # authorizing the use of this software numbered S #.
So, with reference to the figure 2, when a user wishes to obtain one or more licenses of use, it must connect everything first its LCL reader with the aSVR server, using the PGM program. According to the achievement of the present invention, this connection is established via the Internet.
To start acquiring an authorization (license (s)) of software uses numbered S # and protected according to the present invention, the user begins by connecting his card CL on said given LCL reader. The user must maintain his CL card connected at least until the end of this online purchase procedure (with connection). We suppose that the user wants to acquire NL number (s) of licenses to use this software numbered S #. he then enter the PIN code of their CL card on the keyboard of the LCL reader.
The operation authentication method mentioned above must be successfully completed in order to continue.
Thus, with reference to FIG. 11, according to the embodiment of the present invention, at the beginning of the connection with aSVR, said LCL reader communicates to aSVR its ID number.d (step 601}. In this communication context, aSVR is the remote system represented on the figure 2. Of course, the commercial transactions which implies that aSVR accepts a communication with said reader LCL are implied. The PGM program then sends the number to aSVR
S series of said software, entered by the user (buyer), and the NL number. These two information are sent in a form encoded by the secret key kT.d of the LCL reader of the user.
In addition, the embodiment of the present invention considers that the designer said software to S # serial number also has a server noted dSVR, not illustrated and connected by network Internet at aSVR. The dSVR server is connected on its side with the LCL reader said designer.
Of course, this assumes that the operating system of an LCL player is programmed such so that it can respond to certain requests relating to this server purchase procedure dSVR. Thus (step 602), dSVR then communicates to aSVR the number ID.d of its LCL reader which was used to create the protected S # software according to the present invention. The communication between dSVR
and the LCL reader goes as in figure 2 where the computer 50 is represented here by the server dSVR.
To allow communication on two levels, the LCL reader of the user communicates to aSVR (step 603) in coded form a public key, denoted kP.
The key kP is encoded with the secret key kT.d of the user's LCL. kP is a key public, relating to RSA encryption technique (Rivest, Shamir and Adleman). The kP key is created with his private key kV
for the occasion (dynamically) and deleted at the end of this procedure acquisition of licenses.
The form coded by said kT.d key of kP is denoted ekP.kT. In addition, it is necessary note that aSVR does not does not know the value of the private key kV associated with kP. Coding systematic information during communication avoids possible data modifications exchanged during their transfer.
On reception, aSVR decodes ekP.kT using the information it has concentrating the User LCL reader. According to the embodiment of the present invention, aSVR is alone outside of this LCL reader, to know the correspondence of the number) Dd with the key kT.d compared to a given LCL reader. The kP key is then coded with the secret key kT.d relating to the LCL reader of designer of the protected S # software according to the present invention. The new coded form of kP is noted ekP.kT2. ASVR then communicates ekP.kT2 604 to the LCL reader of the designer via the dSVR server. In this way, the use of protection techniques software according to the present invention, creates dependency between software designer protected according to this invention, and the organization that manages aSVR. Thus, the software designer has not to constitute stocks other than a stock of recording media containing the software protected according to this invention.
On receipt, the LCL reader of said designer decodes ekP.kT2 with its key kT.d.
With the key public kP, LCL relating to the designer then codes kEL.S # generated during the creation procedure S # software protected according to the present invention with the kP key. The form coded from kEL.S # by kP
is noted ekEL. According to variants not illustrated, after decoding ekP.kT2, said may communicate kP to the dSVR server in order to let it code the kEL.S # key with the kP key. But these variants do not change anything with regard to the fundamental principle of present invention.
According to the embodiment of the present invention, dSVR then receives from aSVR the value of NL.
NL allows the designer of protected software according to the present invention, to perform a accounting with the organization that manages aSVR. According to a variant of this procedure of acquisition of authorization of uses, dSVR sends after reception of the kP key, a public key kPUB relating to RSA encryption to the LCL of the user (buyer) via aSVR.
This variant allows the PGM program connected with the user's LCL reader to return to dSVR by via aSVR, the value coded with kPUB from NL. This variant allows dSVR
does not trust the good sincerity of aSVR. So this variant allows dSVR to control exactly the number of licenses sold.
According to the embodiment of the present invention, dSVR then sends (step 605) ekEL to aSVR.
This aSVR server then sends (step 606) kX.S # in a form coded with the kT.d key (that of user's LCL reader) to the user's LCL reader. The key kX.S # is a key created and stored by aSVR during the previously described protection procedure of the LD software numbered S #. The aSVR server then sends to the LCL reader of the user, eKEL. AT
reception, the user's LCL reader decodes eKEL by kV. So he gets kEL.S #. This reader LCL also decodes the coded form of kX.S # by its key kT.d.
According to the embodiment of the present invention, said LCL reader sends then to said CL card, in coded form with the kCS key obtained during the procedure authentication previously described, the following data: S #, NL which corresponds to the number of licenses requested by the user from aSVR, kX.S #, kEL.S #, date and time common indicated by the clock 104.
Thus, the microcontroller 400 of the CL card decodes the different data received with kCS.

The microcontroller 400 then proceeds to the update procedure (step 607) following. The microcontroller 400 checks whether an encoded file eFich.S # authorization of use already exists for the software in question numbered S #. In this case, it proceeds to its modification by increasing the value of the L # .S # field in the corresponding Fich.S # file, of the value of NL. In the case where the user would have acquired a time-dependent authorization, of course updates on the corresponding fields are carried out in the file Fich.S #. For the understanding of the present invention, certain obvious point are implied.
If there is no corresponding Fich.S # file, a new Fich.S # file is created. So, according to the embodiment of the present invention, the microcontroller 400 of the CL card creates the file Fich.S # by filling in the following fields of the new file: S #, L # .S #, ID.c serial number of the CL card in question, kEL.S #, kX.S #. The values of DR.S # and DP.S # are initialized by the value of the current time and date. The DU.S # and “number” fields software execution »
obviously take the value zero. The Misc field is used to store values linked to needs possible to define additional information fields. Misc is initially zero.
L # .S # takes the value of NL.
According to particular embodiments not described, a user can directly connect to the dSVR server to purchase licenses when aSVR has communicated the value of kX.S # of software numbered S # protected according to the present invention. This variant allows to decentralize the sale of licenses.
Given the format of the Fich.S # files and its coded form eFich.S #, only a CL card given and numbered ID.c can use the Fich.S # files corresponding to ID.c According to the embodiment of the present invention, we consider software, denoted LD, having undergone protection procedure according to the present invention. Of course, explanations that follow are valid for any software protected according to the present invention. For allow an explanation, we consider its use in case the host computer is connected to a LCL reader via a Ethernet type network, in TCP / IP. This is the case for context 40. The DRV driver previously cited allows communication with LCL in relation to the TCP / IP protocol. According to realization of the present invention, the TCP / IP layer is understood in the proposals of communication between the DRV driver program and the LCL reader in question.
According to particular embodiments not described, but illustrated by the figure 4, several LCL may be present on the network. However, these organizations do not don't change them features of the present invention.
According to the embodiment of the present invention, on obtaining one or multiple authorizations) use of LD software (user licenses), LD can then be executed.
Thus, when launching the LD software on a host computer, the FFo function is executed in first. In general, according to the embodiment of the present invention, all FF functions;
all perform a common procedure: loading eF; to LCL.
__ ~ _ ~

According to the embodiment of the present invention, when the LD software calls a function FF data; it transmits it by passing parameters using for example the system stack the host computer, parameter information, noted PARAM, used directly and / or indirectly during the possible execution of the function F; corresponding to FF ;. Then FF;
loads the content of the eF file into memory; previously described. Then, FF;
calls (in the sense of a call of computer programs) the DRV driver in order to communicate the information PARAM and the memory address where eF is located. This information is then sent to LCL at through the network considered. Additional parameters can be added by a function FF; in the PARAM parameters. PARAM therefore contains in particular information related to the current time in the computer executing said FF function ;. II
also contains an identifier unique representing this host computer (for example the IP address of this computer on the network which is provided by the operating system of this computer) and the S # series of software corresponding to said FF function ;. Of course, in the case of a reader directly connected to a computer (context 30 and 20), there are no problems unique identifiers. So, we note the unique identifier of the IDIP computer. This variable is used by the microcontroller 100 the LCL reader to manage the use of software according to workstations computers. Good of course, choosing an IP address for the possible values of the variable IDIP only concerns the present achievement. In other embodiments, IDIP may be otherwise defined.
Thus, according to the embodiment of the present invention, when the reader 100 microcontroller LCL will have finished processing the information received and in particular the execution of the function F; corresponding, the results obtained are then transported again to said host computer to through the network considered. Upon receipt, DRV returns the results to FF; who returns them to LD software. If the CL card that is connected to the LCL reader does not have of licenses of use for LD software, then LCL will not return results but a message telling FF; to close the execution of the LD software. A closing execution may be given to FF; in other situation described later. Thus, the execution of functions F; by LCL reader creates physical dependence on LD software with LCL.
Thus, according to the embodiment of the present invention, at the start of the launch of the LD software, the FFo function associated with LD is executed. During the execution of associated FFo LD software audit none other FF type function; associated with LD should not be executed. Of Additional Information will be given later. FFo sends eFo, the current time indicated by the computer running FFo, execution parameters PAR.AM of the function Fo, the value S #
associated with LD software.
On arrival of the results calculated by the microcontroller 100 of LCL, FFo consider two types of results. The first type concerns the results linked to the execution of Fo (Fo must be a function complicated so that LD software is very dependent on it) in the microcontroller 100.
Since these results are not error messages, these results returned to LD software to continue running LD. The second type concerns a hour Htop by _28_ report to the clock of said computer running LD software. This time indication matches at the next moment when FFo must be launched by the LD software.
In addition, the order in which the other FF functions; are called, is not predictable because it depends on the use of LD.
According to the embodiment of the present invention, the execution of FFa is voluntarily Long, from about 1 second.
In addition, at Htop time, if FFo is not executed, then LCL considers that La session of execution associated with said LD software which is to launch FFo is closed. This condition allows LCL to decrease its counter of licenses used on the network compared to LD.
Of course, exceeding the number of licenses does not concern software which are used with an isolated computer and connected directly by an I / O port to an LCL
suitable for this port.
In addition, when performing other FF functions; for i different from 0 by LD software, FF; first check if the FFo function associated with LD is not in progress of execution. Without an ongoing execution of FFo, FF; for i different from 0, send eF ;, S #, the settings execution of F; to LCL via DRV. When the LCL reader has finished treatment of eF;
accompanied by its parameters, the results are returned to FF ;. FF; return then these results at LD software. If an error message is received, running the LD software stop. Contrary to software protection systems that use checks from codes, software protected according to the present invention, have essential protection compared to the difficulty in being able to find a function equivalent to the functions of F;
used.
According to the embodiment of the present invention, taking into account the processor CPUl, the system operating system of microcontroller 100 is a multitasking system in order to ability to process multiple use of protected software according to the present invention at the same time.
The realization of this operating system refers to multitasking system standards existing regarding 80386 processors from Intel. In addition, the security of the software protection according to the present invention, is based in particular on the execution of a single main program at the times by processor CPU2.
According to the embodiment of the present invention, upon complete reception of a package of information, CPU1 loads them into the DRAM memory 109. In the case of data (corresponding to a given software numbered S #) of the eF type; and parameters associated with eF ;, the The following test list is carried out: i is equal to 0 701, eF; corresponds to a numbered software S # which has already successfully executed FFo once 702, the time indicated by the clock 104 is equal to the hour Htop (previously defined value corresponding to the software numbered S # which has in this condition already executed once FFo successfully) expressed in relation to clock time 104 with an error of more or less two seconds (test 703 or 705), the number (noted NL.S #) current of licenses used (corresponding to software numbered S #) increased by 1 is strictly greater than the value L # .S # of the file Fich.S # (corresponding to the software numbered S #) supplied by the CL card (test 704). The elements of this list of tests are noted respectively testl, test2, testa, _._ _.__ _. T_.

WO 99I39Z56! 'CT / FR99 / 00182 test4. The number associated with these tests indicates the order of these tests in the conditions of their achievements. With reference to FIG. 12, the test test 701 corresponds to the start of the analysis tree which is done therefore by considering a given software numbered S #, and a unique identifier IDIP
which is the IP address number of each computer on the network in question. This number so allows associate each software execution session with a computer given from said network.
According to variants of this embodiment, other unique identifier can be directly associated to a session of execution of a software given by the use of an identifier of combined process with the network address of the computer where this process is located. So the present achievement considers the unique identifier associated with an IP address as an example of possible means for identify a computer on said network. So at the start of the tree Figure 12 analysis, the S # and IP information (IDIP) are assumed to be provided by the FF function; with the DRV driver. These two pieces of information are sent to said LCL reader in the packet PARAM information previously described.
According to the embodiment of the present invention, compared to test test4 704, if the result is a false value in the boolean sense, then the new value of NL.S # 709 is that from the old increased by 1, provided that the test2 702 is false and that the testl 701 is true.
Relative to a true value of testa 703, and provided a value true testl tests 701 and test2 702, CPU1 reads the current time from the clock internal 104, for calculate the new value of Htop expressed with respect to the time of the clock associated with the computer running the S # software under the conditions of these tests and the context of these conditions.
The new value of Htop is equal to the old one increased by 5 minutes (by example), depending on the realization of the present invention. This value of 5 minutes is adjusted by so that two or several software having the same S # number and running on computers different, cannot not execute the corresponding FFo function at the same time (keep account of said error of more or less two seconds). This value of S minutes can therefore be replaced by any other value based on the previous sentence. At the end of the testa, a 706 execution of the function Fo takes place.
Compared to a false value of testa 703, and provided a value true tests testl 701 and test2 702, an error message 70? then returned to the execution session of software corresponding to the execution of the FFo function under the conditions of these tests and the context of these conditions. In addition, CPU1 decreases the NL.S # counter by 1 point associated with software with serial number S #. The microcontroller operating system 100 as part of protection of several software at the same time, manages a list of objects referenced by different IDIP identifiers corresponding to all computers on the network who run software protected according to the present invention. This list of objects is established from information from PARAM. The fields of each of these objects are used to record the numbers of S # series of S # numbered software which is executed on the computer whose identifier IDIP corresponds to said IDIP reference of these objects. This object list allows the management of the use of software . T __.

protected according to computers. When NL.S # is decreased by 1 point by report one computer identified by IDIP and which runs the software numbered S # which has caused this decrease, the corresponding IDIP object field that contains the value of S # is deleted. This management allows that a new execution of a software numbered S #
can take place. It is necessary also note that the value of NL.S # is the total of said objects having a field identical to the value of S # in NL.S # notation. So, in return when a 1 point increase of the value of NL.S # takes place, a new field in the IDIP object of said object list is created.
The IDIP object corresponds to the numbered computer mIP which performs the function FF; of S # software.
Said new field then takes the value of S #.
Compared to a true value of test test4 704 and a false value of test test2 702 and a true value of testl 701, an error message 708 is then returned to the execution session software corresponding to the execution of the FFo function under the conditions of these tests and the context of these conditions.
Relative to a true value of testa 705, and provided a value false testl testl 701, CPU1 decreases the NL.S # counter associated with numbered software by 1 point S #. Said list IDIP objects are updated accordingly. An error message 710 is then returned to the software execution session corresponding to the execution of the FFo function in the conditions of these tests and the context of these conditions.
Referring to Figure 12, for a true value of the product (testl 701 and test2 702 and testa 703) in the order of their realization, for a false value of the product (testl 701 and test2 702 and test4 704) in the order of their realization, and for a false value of product (testl 701 and testa 705) in the order of their realization, the result leads to a processing of eF; by CPU1.
Of course, all of these tests are defined in relation to carrying out of this invention to enable the protection functionality of several software at the same time by a single LCL reader. The analysis tree in Figure 12 is simplified at maximum for the sake of clarity of understanding. According to particular embodiments, the test conditions and the context of these tests may vary.
In case of intensive use, a queue is created to make run one at a time functions F; by the processor CPU2. In order to reduce the waiting time, a duration condition authorized for the execution of an F function; data can be set, by example 1/100 of seconds value defined in relation to the calculation speed of the processor CPU2. This duration condition shall be respected by the developer of software protected according to this invention.
According to the embodiment of the present invention, the usage information of a given software numbered S # are provided by the CL card. So when it is needed by relation to the tree analysis, in particular in step 704, the microcontroller 100 performs a request from the card CL. Thus, CPU1 performs in order to execute F ;, a request about numbered software S #, with the CL card connected in the context of this request. In the conditions for success the authentication procedure previously defined between LCL and CL, and under the conditions of Possession of the Fich.S # files associated with the numbered software S # of the context of this request, the microcontroller 400 of the CL card returns to the LCL in a form coded by the kCS key, the file File #. The microcontroller 100 then updates the following fields: DR.S #
(last use) replaced by the current date, DU.S # recalculated, Number of times the software. DR.S # is set up to date with the date and time of the first execution of the FFo function compared to last launch of an execution of the S # software associated with this function.
DU.S # is recalculated with the dynamic value of Htop and the current time indicated by the clock 104 by the time execution of an FF function; corresponding takes place. The "Number" field software execution »
is calculated with respect to the last execution of the software associated with the context of this calculation. It is therefore increased by one point for each new execution. All of these tests is optimized in function of the flow of requests from the various FF functions; executed by software correspondents on the different computers connected on the network with the LCL reader considered in the context of these information updates.
According to the embodiment of the present invention, the values of L # .S #, kEL.S # and kX.S # (others fields of the file concerned can be retained by CPU1 as needed) are memorized in DRAM 109. Modified Fich.S # is then returned to CL in a form coded by kCS. To to prevent acts of piracy, if the CL card is removed while the LCL reader uses the CL card to perform operations relating to the present invention, the LCL reader ends all software execution sessions protected under this invention, by returning them Error message. According to particular embodiments, the devices according to this invention, may not return a message from others, insofar as where files File.S # can be permanently stored in the LCL reader of the same way that that used with the CL card.
Thus, according to the embodiment of the present invention, the value L # .S # prevents to exceed the number of licenses to use protected software according to this invention.
According to the embodiment of the present invention, for the case i = 0, the key kEL.S #
provided by the Fich.S # file is used to decode eFo. CPU1 thus obtains said conditions file of use of the software associated with this eFo. CPU1 compares the value of these different information compared to the associated Fich.S # file. By way of explanation, if the use is fixed relative to a expiration date, said file of conditions of use informs this limit value by sound corresponding field. According to particular embodiments, said conditions file of use may not include all or part of the following fields:
permanent licenses, duration of use, use expires end, number of executions.
According to the embodiment of the present invention, after the success of the data comparison provided by the Fich.S # file with the conditions file (limits) of use decoded by the key kEL.S # and associated with eFo, and always for i = 0, CPU1 also recovers with the key kEL.S # les "byte code »JAVA (JAVA instruction code) of the Fo function.
_ _- _ _._ T__ According to the embodiment of the present invention, for i other than 0, the eF coded data; are decoded using the IcX.S # key filled in by the corresponding Fich.S #.
CPU1 then retrieves the JAVA byte code (instruction code corresponding to the virtual machine JAVA) of the function F ;.
S These instruction codes are then loaded via interface 106 directly in the DRAM 110 using the DMA 107 controller. Via the CPU2 controller, CPUl gives control to CPU2 (PicoJava processor) for the execution of F; whose the settings have been charged beforehand. The watchdog 108 monitors the right operation of CPU2. At the end of the execution of F; by CPU2, the results are retrieved by CPU1 and returned to the computer that sent the eF data ;.
In contexts of use 30 and 20, an LCL reader can be used with a computer personal thanks to a direct connection between their respective USB I / O port.
For these two contexts software protection by the LCL reader is a simplified version of features in network. Consequently, the present description will not bring any Additional Information.
According to particular embodiments, the “duration of use” field of the file terms of use can be used to characterize the use of software demonstrations. Thus, the file of conditions of use fixes in particular conditions of limited use. The file of authorization of uses informs the “
quantity »of use in Classes. The two files combined allow according to the realization of the present invention, of protect software against non-compliance with its conditions of use.
In addition, the format of the conditions of use file is mainly interesting to develop demonstration applications whose use is limited. In this context, a procedure of special protection can be used so that the creation of software protected according to the present invention, can be carried out without passing through the aSVR server, This functionality is interesting to allow in particular to decentralize the software protection according to the present invention. In addition, to initiate such a procedure protection, the choice will be performed using the PGM program.
Compared to the previously described software protection procedure, the F functions;
are now coded with a secret key kLi from said list {lcL; + 1 ~~ + 2 ~ 1 ~ -i + 3 ~~~~~~ + m} ~ which corresponds to the current week during which this special procedure of protection of software is launched. The use of these keys is interesting only for software including the use is limited in time because of the definition of these keys kLi. Of course, the reader LCL performing this procedure will not communicate the value of kLi by compared to his definition. To be distributed, the software thus protected must be accompanied by indications on the week during which this particular protection procedure was performed. So when user wishes to run software protected in this way (by the key kLi), it will not need to contact the aSVR server, because all the information is there on the media registration. However, the use of the software remains dependent on a LCL reader account required encryption. Thus, the user will have immediate access to the software but will not be able to exceed the conditions of use set in the conditions file of use. The realization of the present invention prevents re-use of software including use is limited in the time. Explanations will be given later.
In addition, the present invention relates to a method making the use devices according to the present invention, transparent from a computer point of view by through a program noted PGM which has already been discussed. The PGM program is developed from such that he can allow a user of the devices according to this to perform operations requiring interactivity with these devices. Its use is generally implied in this description. Its role is also to allow a given LCL to connect to a remote computer system using the communication resources of the host computer and of the computer system of this computer.
The PGM program is used in parallel with a DRV driver program. This DRV driver constitutes a communication layer between PGM and a given LCL reader. he ensures the transparency in the use of the LCL reader. The addition of these two items in a computer given is illustrated in figure 2. These two programs fulfill all the features described previously and later. A convention is adopted on procedures interrogation of a given LCL in order to allow this LCL reader to recognize and execute commands that are integrated into the operating system of its microcontroller These commands are defined when building LCL readers.
In return, according to the present invention, PGM can also interpret the information from orders sent by LCL. These commands are essentially, depending on the realization of the present invention, instructions for allowing an LCL to access a remote system.
Thus, according to the convention adopted to communicate with a given LCL reader, of commands are defined in relation to the possibility for LCL readers to connect to aSVR
through available network communication resources for allow by example an update of the internal computer system of the devices according to the present invention or setting the time of the internal clock 104 in the event of malfunction (püe 103 is sold out).
According to the context of use 20 indicated in FIG. 1, a receiver digital radio 22 is connected to the external bus 114 of the microcontroller 100, to allow a given LCL reader receive information directly from the organization that manages the server aSVR. Of course, this receiver will be integrated in the box selected for the use of the reader LCL. It is thus possible send information to all LCL readers in service so that general and / or specific.
In addition, the low consumption of this type of receiver compared to a operation with electric batteries, allows to leave them in permanent operation, even if the LCL reader is off. According to a variant of use of power supply, batteries rechargeable can be used with the radio receiver 22 independently of the power supply LCL
_ __ __...____. ~ ._ (possibly supplied by the local electrical network). Of course, the receiver: has its own memory to store the data received from the transmitter 13 when the reader LCL is off. So the aSVR server can send information like by example the setting the operating system of the LCL reader and / or the CL card by through a transmitter 13.
According to a variant of the operation of LCL readers, a duration condition may be add in addition information concerning the dates of commissioning and end of use (DB.d and DE.D). This condition relates to the use of LCL with the radio receiver 22. So, an LCL reader who would not have received any information from the transmitter 20, will refuse to operate when it is started by a user. A procedure connection on aSVR through the PGM program should be performed in order to recover them information that this LCL reader could have missed due to bad radio reception. This recovery is of course done using the kT.d key to secure communication between aSVF ~ and the LCL player in question.
In addition, in order to send information from the transmitter 13 so that secure, keys previously described kLi secrets are used to encode this information to send by radio to LCL readers. This information is noted MR. In addition, kLi is chosen from so that she corresponds to the week when the information leaves from the transmitter 13. We note eMR the form coded from MR by kLi. By choosing to send the MR information from the Monday following week (starting Monday and ending late Sunday) where this information MR were defined, the same information is sent in repetition following a interval given during the whole week. This ensures that they have been received, and avoid too much connection from LCL to aSVR.
This variant of the present invention has many advantages, because it allows in a first time to securely return the Fich.S # files to the LCL reader corresponding to the purchaser of the software associated with Fich.S #. Of course, transmitter 13 can send specifically information to a given radio receiver 22. This variant allows a purchase without computer connection, but by the user directly at telephone with a welcome human. This variant allows complete separation of the distribution of media of registration containing a given software, of the sale of licenses to use this software given.
In a second step, this variant makes it possible to send information about the loss of a device. Given the storage capacities of the modules of "
Flash disk ", a DiskOnChip circuit not illustrated from the company Msystems is connected with a possible controller on the external bus 114 of the microcontroller 100 to allow the microcontroller 100 to have a storage drive. A 12 megabyte DiskOnChip is chosen according to the realization of the present variant of the invention. According to other variants, a Disc card Flash PCMCIA can be used in place of DiskOnChip. So, upon receipt of the information eMR, the microcontroller 100 decodes eMR using the kLi key for the current week.
Thus, to deactivate a given CL and / or LCL device in relation to their use, a information corresponding to its serial number can be attached. This issue of series is then saved on the DiskOnChip circuit in a file marked ANNUL which is used to store all serial numbers of the devices according to the present invention, which should not no longer be used. According to particular embodiments, with respect to the necessary security against modifications, said number may not be coded when transmitted from transmitter 13.
According to the present invention, a computerized method of authentication and signature by LCL is performed on the ANNUL file. Electronic signature and information from authentication are stored in internal memory 111 of the microcontroller 100. So the microcontroller 100 at each start-up checks if the ANNUL file has not been replaced by a another file in the same format or modified by an unauthorized operation.
This ANNUL file is then used during the authentication procedure between a CL card given and a given LCL reader compared to the procedure previously described. If CL is present a) Dc which is referenced in the ANNUL file, LCL rejects the CL card in question. Of more, at the start of LCL and / or upon receipt of MR information, the 100 microcontroller LCL, checks if its own ID.d is not referenced in the content of MR
and / or CANCEL. If the case presents itself, the microcontroller 100 goes out of service by destroying the content of his memory internal.
Thus, taking into account the implementation of this variant, a CL device or LCL can be taken out of service within a maximum of 1 week.
In addition, according to the embodiment of the present invention, the devices have a use of at maximum 4 years. This duration can be reduced to 2 years. In the context of this duration, in considering a possibility of loss of devices according to this invention, with a volume of 1 million device losses in 2 two years (voluntary losses would be prevented by the price purchase of a new device in case of loss). This volume may seem overdo it. take in account the capabilities of compression methods (50% false), and taking into account the 128 bit size an ID serial number, so it would take approximately and without compression 1 S
megabytes, 8 megabytes with compression of data storage space. Over a period of use two years old devices according to the present invention, the capacity of the DiskOnChip according to the this variant suffices.
For longer service life, more storage capacity large can be taken into account the capacity of the DiskOnChip modules in the current state of art.
In addition, said digital radio receiver, given its capacity to receive information which concerns him only, when purchasing a license software the user can receive by radio the file File.S # (described above) corresponding to buying licenses of software numbered S #. This feature can have a big impact on commercial level (software can be purchased anywhere on the planet without connection). Of course, Fich.S # is __._ .. ~ __._._ ___. _ __ sent in coded form with the kLi key for the current week. According to d ~; s variations of realizations, we can use a kT.d type key for operations of purchase.
The possibility of rejecting the use of a device according to this invention by the rest devices according to the present invention, allows users to be given the possibility of recover part of the contents of their lost CL card.
So, taking into account the file format Fich.S #, the size of this file can be reduced to 66 bytes in a file named rFich.S #, keeping only the fields following: S # of software, mc, L # .S #, kEL.S #, kX.S #. Considering only software whose user has a permanent use license, rFich.S # is sufficient to define the use of these protected software according to the present invention. So with a module of 64 kilobytes memory, you can store at least 990 different software licenses including use can be defined by rFile.S #. According to this new variant, the organization which manages aSVR, provides when buying a CL card a chip card (SmartCard) denoted SC, which can secure data in read and modification. SC is not illustrated. SC has an integrated microcontroller on one silicon wafer, processor, 64-kilobyte Flash memory module, from memory DRAM and OTPEPROM. The memory accesses are controlled by the processor of the microcontroller from SC. This card is a secure chip card. This smart card is used whenever the user legally acquires a new license for one or more uses) permanent {s) protected software according to the present invention. During this acquisition, this card is inserted in the smart card reader which communicates with the reader 100 microcontroller LCL by means of the smart card controller 153. The file rFich.S # will be then copied to the 64-kilobyte Flash memory module of the microcontroller of the card fleas. Of course, the SC smart card internally has a secret key kLi in the same way as the CL card. This key is used during an identification procedure similar to that which has place between LCL reader and the CL card. Changes to the contents of the SC card cannot be performed only by an LCL reader connected to an associated CL card. So for this variant of the realization of the invention, rFich.S # is stored in coded form, denoted erFich.S #, by the kS.c key on the card CL. In addition, given the security properties of smart cards (SmartCard), erFich.S # and thus protected against unauthorized modification or reading. All way this information is protected. In addition, by using the key kS for coded rFich.S #, this card cannot be used than with the CL card where the rFich.S # files come from. Of course, if user bought S # software licenses in addition to those already in its possession CL card, LCL then copies erFich.S # and sends it to the corresponding CL card. The fields of rFich.S #
are updated by relative to the number of newly acquired licenses. The new file erFich.S # obtained then replaces the old one in the internal memory of the microcontroller of the SC card.
So in case of loss, the backup made on the SC smart card can be recover in two steps: purchase of a new CL card, connection to the aSVR server via PGM program.

When connecting to the server, the user communicates by the sound intermediary PGM program, the serial number ID.c of its old CL card (lD.c is a public data cannot be modified: it is displayed in plain text on box 60 of each CL).
Then the user give the serial number of their new CL card. In exchange, aSVR
returns a data which is the coded form of the secret key kS of the lost CL card. This key is coded by the key kT.d the LCL reader on which the new CL card is connected. The acquisition of kS card key CL lost allows you to recover the content of rFich.S # files.
According to the variant of the invention using the radio receiver, the number ID.c CL card lost can be communicated orally by phone. LCL then receives by through her digital radio receiver in a form coded by the kLi key of the week current, the kS key of the lost CL card and corresponding to said ID.c number of the lost card.
The acquisition of the key kS of the lost CL card allows to recover the contents of the files rFile.S #.
On the other hand, aSVR launches a procedure to deactivate the use of the card lost in sending according to the variant of the invention described above, the number ID.c of the lost card to all LCL readers.
According to another variant of the invention, the storage of Fich.S # files can be done by the LCL reader following security conditions similar to CL card operation storage of these files. The Fich.S # files will then be stored on media external recording planned for this storage. We can use for example a DiskOnChip.
The files stored on this medium are protected by the kS.d key of the player LCL matches. In this variant, the key kS.d is a secret key written in the memory internal 111 during the factory programming of the microcontroller 100. Thus when one or more software licenses are moved to the LCL reader, access to protected software according to the present invention, and associated with this LCL reader can be performed regardless of the presence a CL card. This allows use by anyone who can access the computer on which said LCL player is connected. Of course, when moving licenses from card software CL, the information will be updated in the SC smart card by forcing the connection of the SC chip card corresponding to this CL card on the appropriate reader of the LCL reader. for example when two licenses of software numbered S # are moved from the CL card to an LCL reader, the content of the eFich.S # file on the CL card and the content of the file erFich.S # of smart cards SC will be modified accordingly in order to write a file of uses of software at the LCL reader. In this new feature of the LCL reader, a card chips of the same type that SC must be associated with each LCL reader to allow a backup files Fich.S # relating to licenses for the permanent use of software.
So this smart card should be inserted immediately after moving the licenses uses of the CL card to the LCL reader to validate the transfer. In view of the fact that the user authorizations software copied to the LCL player can be transferred by a reverse operation to that which has just been described to a new CL card, it is therefore possible to move permission use of software protected according to the present invention with a CL card to another card CL. The respective SC chip cards of these two CL cards will be fine heard updates automatically.
In addition, compared to said possibility to change the CompactFlash card on a CL card, and S in relation to authorizations to use software in relation to limited use, a eTPS file is present on each CompactFlash card that is used by a given CL card and numbered ID.c. This file must be present on all CompactFlash cards used by said CL card. Otherwise, the CL card does not work. Of plus, eTPS is the form coded from the TPS file which contains the ID.c number on the first line, then all serial numbers of S # software acquired according to the present invention, by the user of this CL card. So a user will not be able to circumvent the limits of use of a software limited use by report for example to the time or the number of executions, by changing the card CompactFlash.
This restriction applies according to the embodiment of the present invention, for example on free software.
Thus according to obvious variant embodiments which will not be described (this description contributes nothing to the understanding and realization of this invention), in relation to its information protection capacity against any modifications, the CL card can be used for non-modifiable public information storage such as the identity of a person. These informations can be viewed through the user interface represented by the program PGM. The CL card can, in fact given its large storage capacity allows to store programs and / or counters relating to a given value, secure way against unauthorized modifications and / or readings according to a given criterion.
On the other side, LCL
provides a secure way to allow these programs to run and / or the processing of these counters relative to a given value. The microcontroller 100 is physically protected against so-called computer virus programs. We can thus consider defining Ie Misc field of Fich.S # files by program codes executable by the CPU2 processor microcontroller 100 or by loyalty counters representing the number of software purchased by the user from a given software designer, so to allow corresponding commercial operations. Program codes possibly added in the Misc field can be used to modify the behavior of said functions F; during their execution by the LCL reader, in order to make pirating almost impossible software corresponds while trying to go back to function F; by monitoring inputs and outputs of data at the level of calls to FF functions ;. It should be remembered that only the coded form eF; of functions F; are accessible by the user.
According to the present invention, the use of an integrated circuit (the microcontroller 100) physically and logically protected against computer virus attacks and against readings and / or modifications of data contained in the circuit, allows a very high level of software protection security. Given the peripherals of communications that can .._ _____- 7_ _ WO 99 / 3925b PCT / FR99 / 00182 use such a circuit, the devices according to the present invention, no longer appears as a device prohibitive surveillance, but a real tool actively participating in the use of software in particular by the fact that the present invention makes it possible to recover in license security lost. Indeed, the present invention makes it possible to make a tool for software protection, S often decorative in appearance due to the time it is actually used, into a tool that the user can use in his daily life by his ability to secure data storage and program execution. So the present invention is a new tool protective software that allows software distribution on the one hand independently of selling their right of use, and on the other hand a free development of protected software according to this invention. According to the present invention, this separation has a large cost consequence necessary to protect software. Indeed, the use of a single device according to this invention, for the protection of several software regardless of software designers, allows to distribute the cost of a device according to the present invention on all the designers of software, so that the price of a single appweil according to the present invention, become weak and affordable for the user.
In addition, said separation allows according to the present invention, the sale of means of software protections regardless of software using these means for protection.
The power of the present invention in terms of the security used, allows given its separate sale of the software product, a commercial operation related to other operations. These operations can be operations which involves presenting confidential information that the user cannot modify or falsify. It can therefore be used as a tool allowing access to a given system. Thus, the present invention is a means of protecting software that allows functionality parallel to its use. These features will consequence the decline of the cost of the devices according to the present invention and the drop in the cost of software protection given. The software protection according to the present invention becomes by therefore a system interesting for small and large software productions. The devices according to this invention are susceptible to industrialization compared to the world of software industry and their protection.
Of course, the invention is not limited to the embodiments which to be described and represented. We can make many modifications in detail without going outside for that part of the invention.

Claims (9)

Claim 1. System for simultaneous protection of multiple software from different software developers against non-compliance with the terms of use fixed by these software designers, characterized in that it comprises in combination - a reader (LCL) comprising at least one communication peripheral (network, port I/O) creating an upper communication layer allowing the exchange of data with protected software, a one-time programmable microcontroller (100) who integrates on a single electronic entity two parts (130, 120) separated by an interface (106) - a portable device (CL) of the card type intended for the storage of a large number authorizations to use protected software comprising a module recording removable high storage capacity, and a secure microcontroller (400) against all unauthorized intrusions into its internal circuits. 2. System according to claim 1 characterized in that the part (130) of the microcontroller (100) comprises at least one non-volatile memory module (111), a module of memories volatiles (109), a serial I/O port (151), an internal real-time clock (104) and a processor master (CPU1). 3. System according to any one of the preceding claims characterized in that the part (120) of the microcontroller (100) includes at least one memory module volatile (110) and a slave processor (CPU2). 4. System according to any one of the preceding claims characterized in that the microcontroller (100) physically and logically secures on the one hand its memory space internal against unauthorized reading and/or modification, and on the other hand the execution of programs within the memory (110) with respect to the possibility for a given program, executed in this memory space to extract data from the microcontroller (100) present before running this program. 5. System according to any one of the preceding claims, characterized in that the microcontroller (400) comprises at least one OTPEPROM memory module (407) Where equivalent, a DRAM dynamic memory module (107) or equivalent, and a processor (CPU). 6. System according to any one of the preceding claims characterized in that the reader includes an over-the-air receiver to enable purchase operations out of line rights use of protected software, update of microcontrollers (100, 440), or administration of the reader (LCL) and the portable device (CL). 7. Systems according to any one of the preceding claims characterized in that the reader includes a communication device for connection and a central system remote to allow purchase operations of rights of use of protected software, updating update of microcontrollers (100, 400), or reader administration (LCL) and of the portable device (CL). 8. System according to any one of the preceding claims, characterized in that the microcontroller is secured against any physical and/or logical attack and remember at least one series of codes and digital keys, used to effect a transmission secure information for the transfer of a right to use protected software of the device portable (CL) to another reader (LCL) or other portable devices (CL). 9. System according to any one of the preceding claims, characterized in that he includes an external read-safe backup device and/or changes unauthorized.