|European Case Law Identifier:||ECLI:EP:BA:2006:T012601.20060314|
|Date of decision:||14 March 2006|
|Case number:||T 0126/01|
|IPC class:||G06K 19/07
|Language of proceedings:||EN|
|Download and more information:||
|Title of application:||IC card with hierarchical file structure|
|Applicant name:||MATSUSHITA ELECTRIC INDUSTRIAL CO., LTD.|
|Opponent name:||Gemplus SCA|
|Relevant legal provisions:||
|Keywords:||Novelty (yes - after amendment)
Amendments - added subject-matter (no)
Inventive step (yes)
Summary of Facts and Submissions
I. The appeal lies from the decision of the Opposition Division to revoke European patent EP-B1-0 583 006 (denoted "B1" hereinafter) for lack of novelty over
D1: FR-A-2 635 891.
II. The appellant proprietor requests that the decision under appeal be set aside and the patent be maintained on the basis of an amended claim 1 submitted at oral proceedings before the Board.
The respondent opponent requests that the appeal be dismissed.
III. Claim 1 reads:
"1. An integrated circuit card comprising:
- a processing controller (2);
- non-volatile memory means (4) having a plurality of key files (20) and data files (32) in a hierarchical structure, each key file having one or more key boxes with key box numbers for storing key data and each data file having an access conditions controller (80) for a key check in each level of said hierarchical structure, the data stored in the access conditions controller (80) of a certain data file determining certain levels of the hierarchical structure, such that keys valid at these levels may be used for controlling access to said data file;
- volatile memory means (3) including a key verification indication table (71) for storing data indicative of the verification of keys at the various levels in a plurality of data fields corresponding to the various levels, each data field having one or more areas corresponding to said one or more key boxes;
wherein the access conditions controller (80) comprises an access key box designation table (81) for designating key box numbers at which data indicative of the verification of keys must be checked, and a matching condition settings table (84) for designating one or more data fields of said key verification indication table (71) from which the data indicative of the verification of keys are collected and used for checking,
said processing controller (2) being adapted for controlling access to a certain data file based on a result of a check of the data indicative of the verification of keys stored in areas of said key verification indication table (71) designated by said access key box designation table (81) and said matching conditions settings table (84) comprised in the access conditions controller (80) of said certain data file."
IV. The respondent considers the amended claim to extend beyond the content of the application as filed and to lack clarity because the claim represents an overgeneralisation of an embodiment. Moreover, the respondent regards the subject-matter of the claim as anticipated or rendered obvious by the integrated circuit (IC) card described in D1 or its family member
D1': US-A-4 985 615,
because that IC card produces the same effect as the IC card of the opposed patent.
V. According to the appellant, the claim reflects a skilled person's understanding of the original disclosure and includes all the features essential to the operation of the IC card in the light of the objectives to be achieved (security, flexibility). The appellant considers the prior art document D1' as overinterpreted by the respondent; even if that interpretation was to be followed, the IC card according to the amended claim would still be novel over D1'; at any rate, the differences do not derive in an obvious manner from the prior art.
VI. The chairman pronounced the Board's decision at the end of the oral proceedings.
Reasons for the Decision
1. Late-filed request
The amended claim was submitted at a late stage of the appeal procedure, viz. at the oral proceedings before the Board. However, as the claim related to an embodiment (Figures 4 and 5 of B1) which had been thoroughly discussed in writing and orally, the Board admitted the amended request into the proceedings after having allowed extra time for the respondent to familiarise himself with the wording of the claim.
2. Article 123(2) EPC - Original disclosure
The Board is satisfied that the subject-matter of the amended claim does not extend beyond the content of the application as filed and published (= EP-A2-0 583 006, denoted "A2" hereinafter). The single claim is based on the embodiment described in relation to Figures 1 to 5. While some aspects of the embodiment have been generalised (as discussed below), the Board judges that the claimed teaching is within a skilled reader's understanding of the solution disclosed for enhancing the security and flexibility of an IC card so that access to data files on the IC card can be (dis)allowed selectively and user data on the IC card can be kept confidential even from the card issuer (A2, column 1, last paragraph; column 2, first paragraph; column 6, lines 18 to 21 and 53 to 56, for example).
According to the aforementioned embodiment, a hierarchical structure of data files (Figure 2: reference numerals 11; 21, 22; 31, 32) is stored in non-volatile memory (Figure 1: reference numeral 4). Each data file comprises an associated key file (10; 20; 30) and an associated access conditions controller (Figure 2: ACC; Figure 5: 80). A key may be exemplified by a PIN (A2, column 6, lines 22 to 28).
A volatile memory (Figures 1 and 4: reference numeral 3) of the IC card holds a table 71 of data bits indicating whether or not keys have been verified, i.e. whether or not keys entered by the user match the keys stored in the non-volatile memory of the IC card. Table 71 comprises a plurality of data fields corresponding to the levels of the hierarchical structure, and each data field comprises bits or areas corresponding to the boxes of a key file (A2, column 4, line 52 to column 5, line 7).
2.1 A key file (Figure 3, reference numeral 20) has eight key boxes numbered "1" to "8" for storing a "maximum" of eight different keys (A2, column 4, paragraph 1). The word "maximum" implies (and confirms the reader's understanding) that the exact number of keys within the memory space of a key file is not essential to the operation of the embodiment. In particular, it is normal for IC cards that access to a data file may be protected by a single key. Hence, use of the term "one or more key boxes" is appropriate in the claim because the central feature of the embodiment - interaction of tables 71, 81 and 84 (as discussed below) - does not depend on the number of key boxes and is not presented as depending thereon.
2.2 Tables 81 and 84 (access key box designation table; matching condition settings table) in the access conditions controller 80 of a data file 32 (Figure 5) designate which areas (e.g. bits) of which data fields (or levels) in table 71 (Figure 4) are taken into account before access to the data file 32 is granted (A2, column 4, lines 16 to 51; column 5, lines 55 to 58; column 6, lines 18 to 45). While the embodiment compares the required pattern (81, 84) of verified keys with the existing pattern (71) of verified keys in a specific sequence (determined by circuitry SW1...SW5, gate 70, table 72), it is evident that the comparison can be achieved using any other sequence as long as the values of both tables 81, 84 are respected. That two-dimensional access criterion is expressed in the last two paragraphs of the claim.
2.3 In summary, the application discloses the claimed concept of (i) holding a two-dimensional table (71) of key verification data and (ii) using selected rows and columns (i.e. fields and key boxes, or levels and key verification bits) of that table to grant access to a data file according to its two-dimensional access condition controller (81, 84).
The key levels accepted by a given data file can be chosen such that a particular user (e.g. even the card issuer) is excluded from accessing that data file (A2, column 6, lines 29 to 45).
3. Article 123(3) EPC - Scope of protection
The Board is also satisfied that the amended claim does not extend the scope of protection conferred by claim 1 as granted. The respondent has not raised any objection in this respect.
4. Article 84 EPC - Claim clarity and support by the description
4.1 The respondent has based a lack-of-clarity objection on an alleged overgeneralisation of the embodiment. However, the broadness of a claim is not to be equated with a lack of clarity, see "Case Law of the Boards of Appeal of the European Patent Office, 4th edition 2001", European Patent Office 2002, chapter II.B.1.1.3. The broadness of a claim cannot be contested on its own but only in conjunction with other criteria (T 523/91).
4.2 In the Board's judgment, the claim is supported by the description of B1 in the same way as it is based on the original disclosure of A2 referenced at point 2 supra. (The description of the opposed patent contains the description of the application as filed.)
The respondent considers essential features of the embodiment to be missing in the claim. However, the switches SW1 to SW5, the OR gate 70 (which may be an AND gate, see B1, column 4, lines 29/30), and the OR (or AND) table 72 are inessential to the check to be performed on selected areas of table 71 as long as the selection is controlled in two dimensions (tables 81, 84 as recited in the claim).
5. Article 54 EPC - Novelty over D1'
The Board concurs with the parties in considering D1' as the closest available prior art as acknowledged in the introductory portion of the description (B1, column 1, line 45 to column 2, line 2). D1' relates to an IC card having key data for limiting memory access (see title and abstract).
5.1 Figure 4 of D1' maps a non-volatile memory of a prior art IC card. One of the data clusters present in the right-hand column of the non-volatile memory is exemplified by Figure 7. The left-hand part (AREA) of Figure 7 represents protected data. The right-hand part of Figure 7 comprises two strings of bits. The upper bit string refers to key verification bits which are to be checked in the process of controlling read access to the protected data. The lower bit string refers to key verification bits which are to be checked in the process of controlling write (or delete) access to the protected data (D1', e.g. column 7, lines 7 to 20; column 8, lines 3 to 10).
Each bit string in the right-hand part of Figure 7 in D1' constitutes a table in the sense of an access key box designation table 81 of B1, i.e. a value "1" stored at the n-th bit position means that verification data relating to the n-th key is to be involved in the process of allowing or disallowing access to the associated data (D1', column 7, line 61 to column 8, line 10). In addition, each bit string in the right-hand part of Figure 7 is accompanied by logical data "A" or "O" to indicate whether all the designated key positions are to be taken into account (AND condition) or whether it is sufficient for one of the designated key positions to be verified (OR condition, D1', column 4, lines 57 to 59 and 61 to 66), thus anticipating the logic function of bit 83 in Figure 5 of B1.
5.2 The Board is convinced that the first three bits in each bit string of Figure 7 in D1' refer to keys named KID01, KID02, KID03 to be used for controlling access to data areas in a common file 21 and in application files (221, 222) (Figure 4).
The second bit triplet in each bit string of Figure 7 refers to keys named KID04, KID05, KID06 to be used for controlling access to data in a first application file 221 whose data file name (DFN) is XXX (Figure 4). Technically speaking, the keys KID04, KID05, KID06 could be used to control access also to a data area in the common file 21, even though the example shown in D1' does not make use of such a possibility.
Alternatively, the second bit triplet in each bit string of Figure 7 refers to keys which are also named KID04, KID05, KID06 but will be used for controlling access to data in a second application file 222 whose data file name (DFN) is YYY (Figure 4).
5.3 The common file 21 on the one hand and the application files 22 (i.e. 221, 222) on the other hand can be considered as two levels of a data file hierarchy. In other words, the bit position within a bit string of Figure 7 implies information about the level of a key to be considered. By setting selected bits in a bit string of Figure 7, the power of a key to allow access to a data file of the same level and/or a different level can be defined. In particular, the first three bits in a bit string of an application data cluster can be set to zero such that even a key of the common file (e.g. a card issuer's key) does not grant access to that application data area (D1', Figure 4, area C; area E, lower bit string; column 8, lines 3 to 10).
5.4 Figure 6 of D1' represents a 2-line table (stored in a RAM) corresponding to a key verification indication table 71 of B1 (number of levels = 2), for use in the decision making process allowing or disallowing access to protected data. A first line (D1', Figure 6, storage location 231) contains a bit string indicating the verification status of the three keys assigned to the common file 21, and a second line (storage location 232) contains a bit string indicating the verification status of the three keys assigned to an application file 221 or 222 (D1', column 4, lines 26 to 36; column 6, lines 1 to 41). The bit string in section 231 (= level 1) consists of three verification bits ("collation status") and five trailing zeros (D1', Figure 4, left-hand column, one of rows 1 to 3: 100/000/00, 010/000/00, or 001/000/00). The bit string in section 232 (= level 2) consists of three leading zeros, three verification bits ("collation status") and two trailing zeros (D1', Figure 4, left-hand column, one of rows 4 to 6: 000/100/00, 000/010/00, or 000/001/00).
Column by column, the two bit strings 231, 232 are combined by a logical OR function (D1', column 7, lines 3 to 6) to create a 1-line verification table ("result 1", not shown in the Figures) which corresponds functionally to the 1-line logical OR table 72 of B1. The "result 1" table of D1' will be compared to one of the bit strings of Figure 7 which designate the key verification bits required for accessing a data file (D1', column 7, lines 21 to 60). If the comparison shows that verification data exists for all the keys required for accessing a data file, access will be granted.
5.5 Regarding differences of the claimed IC card over the IC card of D1', the Board first notes that it does not follow the appellant's construction that claim 1 requires the tables 81 and 84 to be physically separate. The appellant's claim and description do not rule out that those tables might be merged into one table, in a similar manner as each bit string in Figure 7 of D1' does not only determine the columns to be checked in result 1 but also entails information about the level of each key verification indicator bit to be checked (since the first bit triplet of result 1 originates from level 1 and the second bit triplet of result 1 originates from level 2). What matters is that the data can be assigned correctly to the intended separate functions of the tables.
5.6 At the same time, the Board does not concur with the respondent in equating the interaction of Figures 6 and 7 of D1' with the interaction of Figures 4 and 5 of B1. The only similarity resides in the effect that in both cases access to a specific data area can be controlled with respect to the different levels of the hierarchical file structure. As the levels of the key verification indicator bits included in result 1 of D1' can be identified (from their bit positions), masking a bit triplet in result 1 (by providing three zeros at corresponding positions of a bit string according to Figure 7) effectively excludes an associated level of key verification indicator bits (231 or 232) from the process of controlling access to the data area concerned (i.e. the data area allocated to the bit string of Figure 7).
However, the Board recognises the following differences over D1'.
5.6.1 By providing independent criteria for selecting from the two-dimensional key verification indication table, the claimed IC card masks one or more levels of the key verification indicator bits at an earlier stage than D1' does: Key verification indicator bits are collected only from those data fields (i.e. levels) of the key verification indication table (71) which are designated by the matching condition settings table (84). Thus, not all data fields of the key verification indication table (71) have to be combined for the ensuing comparison, in contrast to Figure 6 of D1' where both data fields (231, 232) are always combined into result 1 before any masking of verification bits can take place.
5.6.2 The width of table 71 of B1 corresponds to the number of keys (e.g. eight) in a key file. Hence, if a table of this type was derived from Figure 4 of D1' (having three keys in each file 21, 22), the table would be only three bits wide, whereas each data field (231, 232) in Figure 6 of D1' comprises eight bits. An 8-bit wide table 71 according to B1 allows eight keys to be managed at each level, with each level being selectable. Conversely, each 8-bit wide data field 231, 232 in Figure 6 of D1' allows only three keys to be managed at the respective level. If the data fields 231, 232 in Figure 6 of D1' were only three bits wide, it would be impossible to tell which bit of result 1 originates from which level. Consequently, it would be impossible to mask levels selectively from result 1.
5.7 The Board concludes that the claimed IC card is novel over D1'. In particular, no matching condition settings table is provided in D1'.
6. Article 56 EPC - Inventive step
6.1 Effects achieved over D1'
6.1.1 As mentioned above (point 5.3, last sentence), a data area "C" or "E" of the IC card according to Figure 4 of D1' can be protected such that keys of a first level (KID01, KID02, KID03, e.g. owned by the card issuer) do not allow access to the data area, whereas keys of a second level (KID04, KID05, KID06, e.g. owned by the card holder) allow the data to be accessed. Hence, level-dependent protection is not a contribution by the invention.
6.1.2 However, the distinguishing features provide a more flexible and efficient way of considering a selected sub-set of key verification indicator bits of a table 71. A two-dimensional access criterion is created in the form of tables 81 and 84.
Moreover, the tables 81, 84 achieve that additional degree of freedom at low cost: In the embodiment according to Figures 4 and 5 of B1, the 5 x 8 = 40 key verification indicator bits of table 71 can be handled using only thirteen control bits (five bits of table 84, eight bits of table 81). To handle the same number and hierarchy of key verification indicator bits in D1', each control bit string according to Figure 7 of D1' would have to comprise 40 bits. The difference is significant in terms of storage space because each data file comprises an access conditions controller (80, 81, 84) and the surface of an IC card chip is limited.
6.2 Problem solved
Setting out from document D1' and its key verification indication table (D1', Figure 6; corresponding to B1, Figure 4), the problem solved by the distinguishing features can be formulated as how to enable a more powerful and efficient utilisation of the key verification indication table.
The Board notes that this task does not readily derive from a simple key verification indication table consisting of two lines as presented by D1'.
6.3 Assessment of the solution
6.3.1 The respondent has not raised any doubt about the aforementioned effects of the claimed access control mechanism but has argued that a skilled person seeking to enhance the access control scheme of D1' would obviously modify the interaction of Figures 6 and 7 of D1' with a view to obtaining additional control selectivity.
In the Board's judgment, D1' contains no pointer to the skilled person that he should modify the interaction of Figures 6 and 7 to improve access control or selectivity, nor any pointer to the specific access conditions controller 80 according to claim 1 which notably comprises a table 84 for designating selected levels of the key verification indication table 71.
6.3.2 Other prior art documents mentioned by the respondent in the course of the proceedings only show that IC cards having three or more hierarchical data levels were available before the priority date claimed by the opposed patent. However, the recognition of an inventive step does not depend on whether the IC card has two or three or more data levels as long as different levels of key verification indicator data can be designated selectively by table 84. These other documents contain no pointer which would lead the skilled person to such a level-selection table as claimed.
Hence, wherever such a pointer is incorporated in the respondent's argumentation, it does not establish an obvious link from D1' to the claimed access control mechanism.
6.3.3 Therefore, the respondent's argumentation does not convince the Board that an IC card having the claimed access control mechanism derives in an obvious manner from the prior art.
The grounds put forward by the respondent opponent do not prejudice the maintenance of the patent in amended form.
For these reasons it is decided that:
1. The decision under appeal is set aside.
2. The case is remitted to the department of first instance with the order to maintain the patent on the basis of
- claim 1 submitted at the oral proceedings on 14 March 2006,
- the description and drawings as granted.