Classifications

• • G—PHYSICS
  • G07—CHECKING-DEVICES
  • G07F—COIN-FREED OR LIKE APPARATUS
  • G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
  • G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
  • G07F7/10—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
  • G07F7/1008—Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q20/00—Payment architectures, schemes or protocols
  • G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
  • G06Q20/34—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
  • G06Q20/341—Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q20/00—Payment architectures, schemes or protocols
  • G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
  • G06Q20/36—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes
  • G06Q20/363—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes with the personal data of a user
• • G—PHYSICS
  • G07—CHECKING-DEVICES
  • G07F—COIN-FREED OR LIKE APPARATUS
  • G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
  • G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
  • G07F7/0866—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means by active credit-cards adapted therefor
• • G—PHYSICS
  • G07—CHECKING-DEVICES
  • G07F—COIN-FREED OR LIKE APPARATUS
  • G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
  • G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
  • G07F7/0873—Details of the card reader
  • G07F7/088—Details of the card reader the card reader being part of the point of sale [POS] terminal or electronic cash register [ECR] itself
  • G07F7/0886—Details of the card reader the card reader being part of the point of sale [POS] terminal or electronic cash register [ECR] itself the card reader being portable for interacting with a POS or ECR in realizing a payment transaction

Definitions

• This invention relates to a data transaction system for smart cards and, in particular, to a secured data transaction system where the transactions and the data related thereto are securely stored.
• Smart cards are becoming increasingly important and widespread for all manner of data transactions.
• a smart card user performs a transaction via a read/write station containing a user interface, a card interface and a processor with a memory.
• the user defines his request via the card interface, which feeds data to the processor for execution and storage in memory.
• the results of such a transaction are usually stored as data in the memory of the station for later use.
• data retrieval generally takes place either at a time convenient to the resources of the system, or on a periodic basis. Later on, the institution involved in the deal may retrieve the data and credit or debit the user's account, as appropriate.
• DES Data Encryption Standard dealing with passwords
• DES allows host and terminal applications to operate safely in environments wherein the threat of intrusion by unauthorized cards and terminals, eavesdropping, playback of captured passwords and data, or alteration or substitution of data is a risk.
• DES provides protection to comiTiunications, to data transactions and to data stored in memory.
• DES provides an effective protection against the danger that unauthorized circles will profit from stolen memories containing passwords and transaction monies, from communication being established between the wrong parties and from data transfer being intercepted.
• SAM Secured Application Module
• the necessary security measures for protecting communications, transactions and the consequent data are incorporated within the read/write units such that they are physically connected to the circuits of the read write station.
• the SAM uses the processor and the memory of the read/write station accordingly to run and store the software application constituting the SAM.
• the many elements of the read/write station including the SAM are kept closely together, packaged inside one hardware unit.
• the memory of known read/write stations thus contains not only the security means, including password and protocols, but also the record of the transactions performed and the money involved.
• a secured data transaction 5 system comprising: a Smart Card Interface (SCI) for interfacing with smart cards and a Remote Secure Application Module (RSAM) located remote from the SCI for processing data from smart cards and for providing security functions; the SCI comprising: 0 an SCI memory containing a predetermined instruction set, an SCI processor coupled to the memory for operating in accordance with said instruction set, a first SCI communication interface coupled to the SCI processor for allowing bi-directional communication between at least 5 one smart card and at least one device coupled to the SCI, and a second SCI communication interface coupled to the SCI processor for allowing bi-directional contactless communication between the SCI and the RSAM; and - 5 -
• the RSAM comprising: an RSAM memory containing a predetermined instruction set and comprising a secured area reserved for security applications and for secure storage of data related thereto, an RSAM processor coupled to the RSAM memory for operating in accordance with said instruction set, and an RSAM communication interface coupled to the RSAM processor for allowing bi-directional contactless communication between the RSAM and the SCI; whereby data associated with the smart card interface is stored in the
• RSAM memory remote from the smart card so as to be inaccessible to or from the smart card.
• the security measures and secured operations and their storage are assigned to a remote device separate from the read/write station accepting the smart cards.
• a read/write station constituted by the Smart Card Interface or SCI, receives the smart card and forwards the data stored therein to the Remote Secured Application Module, (RSAM), for processing the security measures and the transactions and for storing the security measure software, the transactions and the data related thereto.
• RRSAM Remote Secured Application Module
• the memory device is best maintained separate from the read/write station.
• the chances are high that the data will remain intact regardless of harm to the station.
• Further security may be achieved by hiding the memory device containing the data, so as to render it less easily accessible.
• security may be enhanced by preventing the physical removal of the memory from the system or, on the contrary, permitting removal of the memory from the system for safe consignment elsewhere. Removal of the memory is desirable, for example, at the end of a work session, when personnel abandon the premises thereby leaving a facility unattended. It will be appreciated that improved security is afforded by separating the read/write functions from the SAM functions.
• the system is transparent to the user who, as in hitherto proposed systems, presents his smart card to the read/write station constituted by the Smart Card Interface, which accepts the smart card and transfers processing and storage operations to the Remote Secured Application Module (RSAM).
• RRSAM Remote Secured Application Module
• the system according to the invention allows for secure retrieval of the data stored in the memory of the RSAM via one or more SCI, while ensuring that impairment of one SCI does not impair other SCIs in the system. Further, impairment of the SCI does not either influence the functioning of the RSAM or alter the integrity of the data stored in the memory of the RSAM.
• a host computer may be provided for communication with the smart card interface(s).
• the host computer may be a PC comprising a host processor for operating functions of the host computer and of the SCI, for establishing bi-directional communication between the host and the SCI, and for retrieval of data contained in the RSAM.
• a host memory coupled to the host processor within the host allows for secured storage of data received from the RSAM memory.
• the SCI communication interface allows communication with the host communication means, whereby the host communicates with the SCI for control of SCI functions, and the host - 7 -
• Fig. la is a block diagram showing functionally a detail of a secure data transaction system according to a first embodiment of the invention
• Fig. lb shows schematically a modification to the system shown in
• FIG. 2a and 2b show schematically further variations of the system illustrated in Figs, la and lb;
• Fig. 3 is a flow diagram showing the principal operating steps associated with the system shown in Fig. la.
• Fig. la shows a system designated generally as 10 comprising a Smart Card Interface (SCI) 12, and a Remote Secured Application Module (RSAM) 14.
• the SCI 12 may be part of a station such as, for example, an Automatic Teller Machine (not shown in Fig. la), utilized for reading and for writing to secured contact/contactless smart cards for carrying out financial transactions.
• the SCI 12 includes a processor 15 (constituting an SCI processor) coupled to a transceiver 16 having a coil antenna 17 for effective non-contact inductive coupling with a coil antenna 18 coupled to the RSAM 14.
• the SCI 12 is energized by an external power supply whilst the RSAM 14 may or may not be self-powered, as will be explained in greater detail below.
• - 8 -
• the RSAM 14 comprises an antenna interface 19 coupled to the coil antenna 18 and to a microprocessor 20 (constituting an RSAM processor) which is itself coupled to an EEPROM 21.
• the antenna interface 19 is not itself a feature of the present invention and so is not described in further detail. It is described more fully in WO 98/29830 published on July 9, 1998.
• the RSAM 14 is in contactless communication with the SCI 12 and is remote from the SCI, and therefore remote from the station of which the SCI is a component. Transactions requested by the owner of a secured smart card are forwarded for execution, via the SCI 12, to the RSAM 14 where they are securely processed and stored.
• the EEPROM 21 constitutes an RSAM memory for storing the data, an area in the EEPROM 21 being reserved for the secure storage of transactions and data so as to be inaccessible except via the SCI 12. If desired, the instruction set in accordance with which the microprocessor 20 operates may also be stored in the EEPROM 21.
• the antenna interface 19 includes a bi-directional communication interface that allows for bi-directional contactless communication between the RSAM 14 and the SCI
• the SCI processor 15 and the RSAM microprocessor 20 are responsive to their respective instruction sets for retrieving data from the RSAM memory.
• the SCI processor 15 is coupled to a host computer 25 (constituting a local device) and may also be coupled to a smart card 26 having a contact field (not shown) and having a microprocessor 27 operating in accordance with an instruction set contained within a memory 28 coupled thereto.
• the contact field of the smart card 26 engages corresponding contacts (also not shown) associated with the transceiver 16 in the SCI 12.
• a contactless smart card 30 having a coil antenna 31 may effect bi-directional communication with a coil antenna 32 coupled to the transceiver 16 within the SCI 12.
• the coil antenna 31 of contactless smart card 30 is connected to an antenna interface 33 coupled to a microprocessor 34 operating in accordance with an instruction set stored in a memory 35 coupled thereto.
• memory 35 may be an EEPROM operating in similar manner to the EEPROM 21 in the RSAM 14 so as to allow customization of the antenna interface 33.
• the transceiver 16 is a first SCI communication
• the processor 15 constitutes a second SCI communication interface for allowing bi-directional contact communication with the contact smart card 26 and with the local device 25. If desired, a separate contactless interface may be coupled to the processor 15 for allowing
• the 10 for contactless communication with the local device be it a host computer or another smart card.
• the malfunctioning SCI 12 may be replaced by another functional SCI 12.
• Fig. lb shows schematically such a system comprising two identical
• the SCI 12' constitutes an auxiliary SCI which may be used temporarily for the purpose of data retrieval only or as a substitute for the malfunctioning
• both the SCIs 12 and 12' may be permanently installed and configured for alternate operation, or the system may be configured so that the SCI 12 perform transactions while the SCI 12' retrieves data from the RSAM 14. Since both of the SCIs 12 and 12' are identical, their tasks may be interchanged.
• FIG. 2a shows schematically yet another arrangement wherein the three elements SCI 12, SCI 12' and RSAM 14 form a group in which the elements are mutually remote from each other. Besides being separate, the communication between the RSAM 14 and either of the SCIs 12 or 12' is contactless. Both the remoteness and the contactless communication ensure that a failure - 10 -
• SCI 12 SCI 12' and RSAM 14 will not propagate to any other of the remaining elements of the group. Thus, for example, damage to the SCI 12 will not derogate from the performance of the SCI 12' and vice versa. Furthermore, the collapse of any SCI, 12 or 12', or of both of them, will have no influence on the functioning of the RSAM 14 or on the integrity of the data stored in its memory.
• Fig. 2b shows schematically another variation wherein the host 25 is connected by line to two SCIs 12 and 12', in a similar configuration to that depicted in Fig. lb.
• Each of the SCIs 12 and 12' is coupled to a respective RSAM 14 and 14', the combination of SCI and RSAM constituting a cluster.
• many clusters may be connected to the host 25 and each cluster may display a different mix of attached devices.
• contactless communication allows for the SCI 12 to be maintained separate and remote from the RSAM 14 which performs the secure transactions and contains all the transaction data.
• Contactless communication between the may be achieved by numerous methods, including: radio frequency, microwave, optical communication, infra red, fiber optic and inductive coupling. To keep manufacturing costs low inductive coupling communication is chosen which also allows transmission of energy from a transmitting antenna to a receiving antenna.
• the transmitting side, here SCI 12 may operate with a matched coil antenna, and the receiving side, in this case the RSAM 14, may possess a tuned coil antenna.
• inductive coupling communication renders possible to power the circuits of the RSAM 14 with the power received from the SCI 12, whereby the RSAM 14 will not need to be self-powered but will rely on the emissions radiated from the SCI 12. This feature is especially important as it allows implementation of DES secured functions that impose a constant power drain on the system. An SRAM powered by batteries is not practical. - 1 1 -
• the matched coil antenna of the SCI may be connected by a length of SCI cable to the SCI 12 and the SCI cable may be deployed outside of the SCI so that it may be brought close to the tuned coil antenna of the RSAM 14.
• the distance between the SCI 12 and the RSAM 14 may thereby be significantly increased.
• the tuned RSAM coil antenna may also be connected to the RSAM 14 by a length of RSAM cable that may extend out of the housing of the RSAM.
• both the SCI cable and the RSAM cable may be extended so that the maximum distance between the SCI 12 and the RSAM 14 is equal to the combined length of both cables.
• either or both of the two coil antennas may be connected via respective cables of equal or unequal lengths.
• the length of the coil antenna cable is preferably determined as multiples of half-wavelengths, starting from zero for up to eight half- wavelengths. The measured length of such a coil antenna cable depends therefore on the frequency of the carrier signal used.
• one half- wavelength taking the influence of the cable into account, amounts to 8 m.
• the length of the coil antenna cable will not reach more than 48 m and ideally it should be less than 32m.
• the aforementioned U.S. Patent 5,241,160 lists the factors influencing the relative distance allowed between the two coil antennae and provides information about the distances obtainable. - 12 -
• the RSAM 14 is prone to theft or to attempted intrusion, advantage may be taken from the fact that the RSAM 14 consists of a separate unit, packaged within an individual housing and remote from the SCI 12. Accordingly, the RSAM 14 may be physically protected, such as secreted behind a wall or embedded in concrete for purposes of concealment as well as for reasons of safekeeping and prevention of removal. With quality assurance and reliability as objectives, the housing of the RSAM 14 may be hermetically sealed against liquids or gases.
• the RSAM 14 may thus reside within a housing appropriately reinforced to thwart off forceful intrusion and properly protect against physical destruction, like being clad in steel armor. To avoid shielding of the inductive ' coupling communication by the steel housing, the RSAM coil antenna, with or without a span of cable, protrudes out of the steel housing.
• the housing may be removable for storage in a safe place. This may be realized in practice by providing the housing in the form of a data card.
• DES applications are stored in the memory of the RSAM, in a secured area reserved for security applications.
• the transactions and the data related thereto are also deposited in a secured area of the memory of the RSAM, in known manner.
• the SAM may be realized in a remote housing.
• a data transaction card is coupled to the SCI that receives a transaction request and prompts the card owner for entry of his secret code (PIN).
• PIN his secret code
• the transaction request is encrypted by the card so as to produce a secure Account Certificate. This is fed. via contact or non-contact communication to the SCI from where it is forwarded to the RSAM via non-contact communication.
• the RSAM is decrypted by the RSAM so as to authenticate the card. If authentic, then the encrypted Account Certificate is also decrypted so as to produce an encrypted Transaction Certificate. This is fed. via non-contact communication to the SCI from where it is forwarded to the card via contact or non-contact communication. The card now decrypts the transaction data is so as to authenticate the RSAM. If authentic, the transaction is processed and an encrypted Settlement Certificate is prepared for feeding via contact or non-contact communication back to the SCI from where it is forwarded via non-contact communication to the RSAM wherein the transaction data is again decrypted so as to authenticate the card. If authentic, then the purse account is settled. In the event of an invalid card or RSAM, the transaction is aborted arid a suitable message relayed via the SCI.
• a matched antenna is employed in the SCI
• a conventional resonant circuit may be employed as is well known in the art.

Landscapes

• Physics & Mathematics (AREA)
• General Physics & Mathematics (AREA)
• Engineering & Computer Science (AREA)
• Business, Economics & Management (AREA)
• Accounting & Taxation (AREA)
• Computer Networks & Wireless Communication (AREA)
• Strategic Management (AREA)
• General Business, Economics & Management (AREA)
• Theoretical Computer Science (AREA)
• Microelectronics & Electronic Packaging (AREA)
• Finance (AREA)
• Storage Device Security (AREA)

Applications Claiming Priority (3)

Publications (1)

Family

ID=11071407

Family Applications (1)

Country Status (4)

Families Citing this family (7)

Family Cites Families (6)

• 1999
  • 1999-04-06 EP EP99913559A patent/EP1070302A1/de not_active Withdrawn
  • 1999-04-06 WO PCT/IL1999/000192 patent/WO1999053449A1/en not_active Ceased
  • 1999-04-06 AU AU31657/99A patent/AU3165799A/en not_active Abandoned
  • 1999-04-06 CA CA002327728A patent/CA2327728A1/en not_active Abandoned

Non-Patent Citations (1)

Also Published As

Similar Documents

Legal Events