[go: up one dir, main page]

EP1070302A1 - Secured data transaction system for smart cards - Google Patents

Secured data transaction system for smart cards

Info

Publication number
EP1070302A1
EP1070302A1 EP99913559A EP99913559A EP1070302A1 EP 1070302 A1 EP1070302 A1 EP 1070302A1 EP 99913559 A EP99913559 A EP 99913559A EP 99913559 A EP99913559 A EP 99913559A EP 1070302 A1 EP1070302 A1 EP 1070302A1
Authority
EP
European Patent Office
Prior art keywords
rsam
sci
data
memory
transaction system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP99913559A
Other languages
German (de)
French (fr)
Inventor
Ronnie Gilboa
Oded Bashan
Nehemya Itay
Moshe Aduk
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
On Track Innovations Ltd
Original Assignee
On Track Innovations Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by On Track Innovations Ltd filed Critical On Track Innovations Ltd
Publication of EP1070302A1 publication Critical patent/EP1070302A1/en
Withdrawn legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1008Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/341Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/36Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes
    • G06Q20/363Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes with the personal data of a user
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/0866Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means by active credit-cards adapted therefor
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/0873Details of the card reader
    • G07F7/088Details of the card reader the card reader being part of the point of sale [POS] terminal or electronic cash register [ECR] itself
    • G07F7/0886Details of the card reader the card reader being part of the point of sale [POS] terminal or electronic cash register [ECR] itself the card reader being portable for interacting with a POS or ECR in realizing a payment transaction

Definitions

  • This invention relates to a data transaction system for smart cards and, in particular, to a secured data transaction system where the transactions and the data related thereto are securely stored.
  • Smart cards are becoming increasingly important and widespread for all manner of data transactions.
  • a smart card user performs a transaction via a read/write station containing a user interface, a card interface and a processor with a memory.
  • the user defines his request via the card interface, which feeds data to the processor for execution and storage in memory.
  • the results of such a transaction are usually stored as data in the memory of the station for later use.
  • data retrieval generally takes place either at a time convenient to the resources of the system, or on a periodic basis. Later on, the institution involved in the deal may retrieve the data and credit or debit the user's account, as appropriate.
  • DES Data Encryption Standard dealing with passwords
  • DES allows host and terminal applications to operate safely in environments wherein the threat of intrusion by unauthorized cards and terminals, eavesdropping, playback of captured passwords and data, or alteration or substitution of data is a risk.
  • DES provides protection to comiTiunications, to data transactions and to data stored in memory.
  • DES provides an effective protection against the danger that unauthorized circles will profit from stolen memories containing passwords and transaction monies, from communication being established between the wrong parties and from data transfer being intercepted.
  • SAM Secured Application Module
  • the necessary security measures for protecting communications, transactions and the consequent data are incorporated within the read/write units such that they are physically connected to the circuits of the read write station.
  • the SAM uses the processor and the memory of the read/write station accordingly to run and store the software application constituting the SAM.
  • the many elements of the read/write station including the SAM are kept closely together, packaged inside one hardware unit.
  • the memory of known read/write stations thus contains not only the security means, including password and protocols, but also the record of the transactions performed and the money involved.
  • a secured data transaction 5 system comprising: a Smart Card Interface (SCI) for interfacing with smart cards and a Remote Secure Application Module (RSAM) located remote from the SCI for processing data from smart cards and for providing security functions; the SCI comprising: 0 an SCI memory containing a predetermined instruction set, an SCI processor coupled to the memory for operating in accordance with said instruction set, a first SCI communication interface coupled to the SCI processor for allowing bi-directional communication between at least 5 one smart card and at least one device coupled to the SCI, and a second SCI communication interface coupled to the SCI processor for allowing bi-directional contactless communication between the SCI and the RSAM; and - 5 -
  • the RSAM comprising: an RSAM memory containing a predetermined instruction set and comprising a secured area reserved for security applications and for secure storage of data related thereto, an RSAM processor coupled to the RSAM memory for operating in accordance with said instruction set, and an RSAM communication interface coupled to the RSAM processor for allowing bi-directional contactless communication between the RSAM and the SCI; whereby data associated with the smart card interface is stored in the
  • RSAM memory remote from the smart card so as to be inaccessible to or from the smart card.
  • the security measures and secured operations and their storage are assigned to a remote device separate from the read/write station accepting the smart cards.
  • a read/write station constituted by the Smart Card Interface or SCI, receives the smart card and forwards the data stored therein to the Remote Secured Application Module, (RSAM), for processing the security measures and the transactions and for storing the security measure software, the transactions and the data related thereto.
  • RRSAM Remote Secured Application Module
  • the memory device is best maintained separate from the read/write station.
  • the chances are high that the data will remain intact regardless of harm to the station.
  • Further security may be achieved by hiding the memory device containing the data, so as to render it less easily accessible.
  • security may be enhanced by preventing the physical removal of the memory from the system or, on the contrary, permitting removal of the memory from the system for safe consignment elsewhere. Removal of the memory is desirable, for example, at the end of a work session, when personnel abandon the premises thereby leaving a facility unattended. It will be appreciated that improved security is afforded by separating the read/write functions from the SAM functions.
  • the system is transparent to the user who, as in hitherto proposed systems, presents his smart card to the read/write station constituted by the Smart Card Interface, which accepts the smart card and transfers processing and storage operations to the Remote Secured Application Module (RSAM).
  • RRSAM Remote Secured Application Module
  • the system according to the invention allows for secure retrieval of the data stored in the memory of the RSAM via one or more SCI, while ensuring that impairment of one SCI does not impair other SCIs in the system. Further, impairment of the SCI does not either influence the functioning of the RSAM or alter the integrity of the data stored in the memory of the RSAM.
  • a host computer may be provided for communication with the smart card interface(s).
  • the host computer may be a PC comprising a host processor for operating functions of the host computer and of the SCI, for establishing bi-directional communication between the host and the SCI, and for retrieval of data contained in the RSAM.
  • a host memory coupled to the host processor within the host allows for secured storage of data received from the RSAM memory.
  • the SCI communication interface allows communication with the host communication means, whereby the host communicates with the SCI for control of SCI functions, and the host - 7 -
  • Fig. la is a block diagram showing functionally a detail of a secure data transaction system according to a first embodiment of the invention
  • Fig. lb shows schematically a modification to the system shown in
  • FIG. 2a and 2b show schematically further variations of the system illustrated in Figs, la and lb;
  • Fig. 3 is a flow diagram showing the principal operating steps associated with the system shown in Fig. la.
  • Fig. la shows a system designated generally as 10 comprising a Smart Card Interface (SCI) 12, and a Remote Secured Application Module (RSAM) 14.
  • the SCI 12 may be part of a station such as, for example, an Automatic Teller Machine (not shown in Fig. la), utilized for reading and for writing to secured contact/contactless smart cards for carrying out financial transactions.
  • the SCI 12 includes a processor 15 (constituting an SCI processor) coupled to a transceiver 16 having a coil antenna 17 for effective non-contact inductive coupling with a coil antenna 18 coupled to the RSAM 14.
  • the SCI 12 is energized by an external power supply whilst the RSAM 14 may or may not be self-powered, as will be explained in greater detail below.
  • - 8 -
  • the RSAM 14 comprises an antenna interface 19 coupled to the coil antenna 18 and to a microprocessor 20 (constituting an RSAM processor) which is itself coupled to an EEPROM 21.
  • the antenna interface 19 is not itself a feature of the present invention and so is not described in further detail. It is described more fully in WO 98/29830 published on July 9, 1998.
  • the RSAM 14 is in contactless communication with the SCI 12 and is remote from the SCI, and therefore remote from the station of which the SCI is a component. Transactions requested by the owner of a secured smart card are forwarded for execution, via the SCI 12, to the RSAM 14 where they are securely processed and stored.
  • the EEPROM 21 constitutes an RSAM memory for storing the data, an area in the EEPROM 21 being reserved for the secure storage of transactions and data so as to be inaccessible except via the SCI 12. If desired, the instruction set in accordance with which the microprocessor 20 operates may also be stored in the EEPROM 21.
  • the antenna interface 19 includes a bi-directional communication interface that allows for bi-directional contactless communication between the RSAM 14 and the SCI
  • the SCI processor 15 and the RSAM microprocessor 20 are responsive to their respective instruction sets for retrieving data from the RSAM memory.
  • the SCI processor 15 is coupled to a host computer 25 (constituting a local device) and may also be coupled to a smart card 26 having a contact field (not shown) and having a microprocessor 27 operating in accordance with an instruction set contained within a memory 28 coupled thereto.
  • the contact field of the smart card 26 engages corresponding contacts (also not shown) associated with the transceiver 16 in the SCI 12.
  • a contactless smart card 30 having a coil antenna 31 may effect bi-directional communication with a coil antenna 32 coupled to the transceiver 16 within the SCI 12.
  • the coil antenna 31 of contactless smart card 30 is connected to an antenna interface 33 coupled to a microprocessor 34 operating in accordance with an instruction set stored in a memory 35 coupled thereto.
  • memory 35 may be an EEPROM operating in similar manner to the EEPROM 21 in the RSAM 14 so as to allow customization of the antenna interface 33.
  • the transceiver 16 is a first SCI communication
  • the processor 15 constitutes a second SCI communication interface for allowing bi-directional contact communication with the contact smart card 26 and with the local device 25. If desired, a separate contactless interface may be coupled to the processor 15 for allowing
  • the 10 for contactless communication with the local device be it a host computer or another smart card.
  • the malfunctioning SCI 12 may be replaced by another functional SCI 12.
  • Fig. lb shows schematically such a system comprising two identical
  • the SCI 12' constitutes an auxiliary SCI which may be used temporarily for the purpose of data retrieval only or as a substitute for the malfunctioning
  • both the SCIs 12 and 12' may be permanently installed and configured for alternate operation, or the system may be configured so that the SCI 12 perform transactions while the SCI 12' retrieves data from the RSAM 14. Since both of the SCIs 12 and 12' are identical, their tasks may be interchanged.
  • FIG. 2a shows schematically yet another arrangement wherein the three elements SCI 12, SCI 12' and RSAM 14 form a group in which the elements are mutually remote from each other. Besides being separate, the communication between the RSAM 14 and either of the SCIs 12 or 12' is contactless. Both the remoteness and the contactless communication ensure that a failure - 10 -
  • SCI 12 SCI 12' and RSAM 14 will not propagate to any other of the remaining elements of the group. Thus, for example, damage to the SCI 12 will not derogate from the performance of the SCI 12' and vice versa. Furthermore, the collapse of any SCI, 12 or 12', or of both of them, will have no influence on the functioning of the RSAM 14 or on the integrity of the data stored in its memory.
  • Fig. 2b shows schematically another variation wherein the host 25 is connected by line to two SCIs 12 and 12', in a similar configuration to that depicted in Fig. lb.
  • Each of the SCIs 12 and 12' is coupled to a respective RSAM 14 and 14', the combination of SCI and RSAM constituting a cluster.
  • many clusters may be connected to the host 25 and each cluster may display a different mix of attached devices.
  • contactless communication allows for the SCI 12 to be maintained separate and remote from the RSAM 14 which performs the secure transactions and contains all the transaction data.
  • Contactless communication between the may be achieved by numerous methods, including: radio frequency, microwave, optical communication, infra red, fiber optic and inductive coupling. To keep manufacturing costs low inductive coupling communication is chosen which also allows transmission of energy from a transmitting antenna to a receiving antenna.
  • the transmitting side, here SCI 12 may operate with a matched coil antenna, and the receiving side, in this case the RSAM 14, may possess a tuned coil antenna.
  • inductive coupling communication renders possible to power the circuits of the RSAM 14 with the power received from the SCI 12, whereby the RSAM 14 will not need to be self-powered but will rely on the emissions radiated from the SCI 12. This feature is especially important as it allows implementation of DES secured functions that impose a constant power drain on the system. An SRAM powered by batteries is not practical. - 1 1 -
  • the matched coil antenna of the SCI may be connected by a length of SCI cable to the SCI 12 and the SCI cable may be deployed outside of the SCI so that it may be brought close to the tuned coil antenna of the RSAM 14.
  • the distance between the SCI 12 and the RSAM 14 may thereby be significantly increased.
  • the tuned RSAM coil antenna may also be connected to the RSAM 14 by a length of RSAM cable that may extend out of the housing of the RSAM.
  • both the SCI cable and the RSAM cable may be extended so that the maximum distance between the SCI 12 and the RSAM 14 is equal to the combined length of both cables.
  • either or both of the two coil antennas may be connected via respective cables of equal or unequal lengths.
  • the length of the coil antenna cable is preferably determined as multiples of half-wavelengths, starting from zero for up to eight half- wavelengths. The measured length of such a coil antenna cable depends therefore on the frequency of the carrier signal used.
  • one half- wavelength taking the influence of the cable into account, amounts to 8 m.
  • the length of the coil antenna cable will not reach more than 48 m and ideally it should be less than 32m.
  • the aforementioned U.S. Patent 5,241,160 lists the factors influencing the relative distance allowed between the two coil antennae and provides information about the distances obtainable. - 12 -
  • the RSAM 14 is prone to theft or to attempted intrusion, advantage may be taken from the fact that the RSAM 14 consists of a separate unit, packaged within an individual housing and remote from the SCI 12. Accordingly, the RSAM 14 may be physically protected, such as secreted behind a wall or embedded in concrete for purposes of concealment as well as for reasons of safekeeping and prevention of removal. With quality assurance and reliability as objectives, the housing of the RSAM 14 may be hermetically sealed against liquids or gases.
  • the RSAM 14 may thus reside within a housing appropriately reinforced to thwart off forceful intrusion and properly protect against physical destruction, like being clad in steel armor. To avoid shielding of the inductive ' coupling communication by the steel housing, the RSAM coil antenna, with or without a span of cable, protrudes out of the steel housing.
  • the housing may be removable for storage in a safe place. This may be realized in practice by providing the housing in the form of a data card.
  • DES applications are stored in the memory of the RSAM, in a secured area reserved for security applications.
  • the transactions and the data related thereto are also deposited in a secured area of the memory of the RSAM, in known manner.
  • the SAM may be realized in a remote housing.
  • a data transaction card is coupled to the SCI that receives a transaction request and prompts the card owner for entry of his secret code (PIN).
  • PIN his secret code
  • the transaction request is encrypted by the card so as to produce a secure Account Certificate. This is fed. via contact or non-contact communication to the SCI from where it is forwarded to the RSAM via non-contact communication.
  • the RSAM is decrypted by the RSAM so as to authenticate the card. If authentic, then the encrypted Account Certificate is also decrypted so as to produce an encrypted Transaction Certificate. This is fed. via non-contact communication to the SCI from where it is forwarded to the card via contact or non-contact communication. The card now decrypts the transaction data is so as to authenticate the RSAM. If authentic, the transaction is processed and an encrypted Settlement Certificate is prepared for feeding via contact or non-contact communication back to the SCI from where it is forwarded via non-contact communication to the RSAM wherein the transaction data is again decrypted so as to authenticate the card. If authentic, then the purse account is settled. In the event of an invalid card or RSAM, the transaction is aborted arid a suitable message relayed via the SCI.
  • a matched antenna is employed in the SCI
  • a conventional resonant circuit may be employed as is well known in the art.

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Finance (AREA)
  • Storage Device Security (AREA)

Abstract

A secured data transaction system (10) comprising a Smart Card Interface (SCI) (12) for interfacing between a local device (25, 26) and a Remote Secure Application Module (RSAM) (14) located remote from the SCI for processing data from smart cards. The SCI (12) comprises an SCI memory (28, 35) containing a predetermined instruction set, an SCI processor (15) coupled to the memory for operating in accordance with said instruction set, and a first SCI communication interface (16) coupled to the SCI processor for allowing bi-directional contactless communication between the SCI and the RSAM. The RSAM (14) comprises an RSAM memory (21) containing a predetermined instruction set and comprising a secured area reserved for security applications and for secure storage of data related thereto, an RSAM processor (20) coupled to the RSAM memory for operating in accordance with said instruction set, and an RSAM communication interface (19) coupled to the RSAM processor for allowing bi-directional contactless communication between the RSAM and the SCI. In such an arrangement data associated with the smart card interface (12) may thus be stored in the RSAM memory (21) remote from the smart card interface.

Description

Secured data transaction system for smart cards
FIELD OF THE INVENTION
This invention relates to a data transaction system for smart cards and, in particular, to a secured data transaction system where the transactions and the data related thereto are securely stored.
BACKGROUND OF THE INVENTION
Smart cards are becoming increasingly important and widespread for all manner of data transactions. Typically, a smart card user performs a transaction via a read/write station containing a user interface, a card interface and a processor with a memory. To perform a transaction with a smart card, the user defines his request via the card interface, which feeds data to the processor for execution and storage in memory. The results of such a transaction are usually stored as data in the memory of the station for later use. In practice, data retrieval generally takes place either at a time convenient to the resources of the system, or on a periodic basis. Later on, the institution involved in the deal may retrieve the data and credit or debit the user's account, as appropriate. - 2 -
Along with the growth in popularity of smart cards and so-called "super smart" cards, a rise in criminal activity has spurred the demand for the prevention of fraudulent transactions. The great amount of money involved in the smart card market has attracted, and continues to attract, a growing number of unscrupulous efforts to defeat the data transaction card's security. A partial response to this threat is provided by the protocols and algorithms which include security measures such as DES, an acronym for Data Encryption Standard dealing with passwords, encryption and decryption of communications and of data. DES allows host and terminal applications to operate safely in environments wherein the threat of intrusion by unauthorized cards and terminals, eavesdropping, playback of captured passwords and data, or alteration or substitution of data is a risk. DES provides protection to comiTiunications, to data transactions and to data stored in memory.
DES provides an effective protection against the danger that unauthorized circles will profit from stolen memories containing passwords and transaction monies, from communication being established between the wrong parties and from data transfer being intercepted. Various kinds of available security measures applied in systems are commonly referred to as SAM, an acronym for Secured Application Module. According to the prior art, the necessary security measures for protecting communications, transactions and the consequent data are incorporated within the read/write units such that they are physically connected to the circuits of the read write station. The SAM uses the processor and the memory of the read/write station accordingly to run and store the software application constituting the SAM. The many elements of the read/write station including the SAM, are kept closely together, packaged inside one hardware unit. The memory of known read/write stations thus contains not only the security means, including password and protocols, but also the record of the transactions performed and the money involved. - 3 -
Methods of practical implementation of security measures are taught, for example, in US Patent 5,664,017 in the name of Gressel et al. and in US Patent 5.694,472 for a Personal Management System, to Johnson et al.
Since relatively large sums of money may be involved, transaction information is of great value both to the user of the card and to the company concerned. Therefore, it is important to safeguard the data against possible loss, such as loss due to a power shortage. One known approach that provides a partial remedy is the use of non- volatile memories, able to retain data even without power. Nevertheless, even non-volatile memory cannot prevent physical damage incurred by the read/write station from the possible destruction of the stored data.
Another conventional measure for the prevention of potential loss of data in memory is immediately to transfer the data out of memory, for real-time processing. However, although feasible, this kind of response imposes a strain on the communication and processing resources by requiring attention without delay, thus increasing costs to the provider of the service and, ultimately, to the customer. It would thus be advantageous if data could be left in memory without fear of loss resulting from possible damage suffered by the card read/write station. Besides physical harm to the data card station, there is also the danger of an electrical malfunction, even as unintentional as a mistake by personnel performing routine maintenance. For example, an accidental short-circuit due to human error is enough to wipe out the contents of a memory device. Therefore, isolation of the memory from electrically conductive connections is desirable.
For mobile card reader systems, such as those to be installed for fare collection in vehicles of mass transportation services, there lingers the peril of an accident destroying the data transaction equipment, including memory and data. It would therefore be beneficial to provide for crash-proof protection to the memory containing the data, comparable to the araiored protection imparted to the "black box" installed in aircraft.
These drawbacks of prior art systems do not appear to have been even addressed, still less solved, notwithstanding the ongoing effort in recent years 5 to render smart card data transaction systems ever more secure. As noted, the bulk of this effort has been concentrated in the application of ever more secure cryptology algorithms for providing proper verification and signature authentication. However, this is just so much wasted effort if direct access to the memory containing the sensitive data is insufficiently restricted.
o SUMMARY OF THE INVENTION
It is therefore an object of the invention to provide a secured data transaction system for use with smart cards wherein the shortcomings associated with the prior art are significantly reduced or eliminated.
According to the invention there is provided a secured data transaction 5 system comprising: a Smart Card Interface (SCI) for interfacing with smart cards and a Remote Secure Application Module (RSAM) located remote from the SCI for processing data from smart cards and for providing security functions; the SCI comprising: 0 an SCI memory containing a predetermined instruction set, an SCI processor coupled to the memory for operating in accordance with said instruction set, a first SCI communication interface coupled to the SCI processor for allowing bi-directional communication between at least 5 one smart card and at least one device coupled to the SCI, and a second SCI communication interface coupled to the SCI processor for allowing bi-directional contactless communication between the SCI and the RSAM; and - 5 -
the RSAM comprising: an RSAM memory containing a predetermined instruction set and comprising a secured area reserved for security applications and for secure storage of data related thereto, an RSAM processor coupled to the RSAM memory for operating in accordance with said instruction set, and an RSAM communication interface coupled to the RSAM processor for allowing bi-directional contactless communication between the RSAM and the SCI; whereby data associated with the smart card interface is stored in the
RSAM memory remote from the smart card so as to be inaccessible to or from the smart card.
Thus in accordance with the invention, the security measures and secured operations and their storage are assigned to a remote device separate from the read/write station accepting the smart cards. A read/write station, constituted by the Smart Card Interface or SCI, receives the smart card and forwards the data stored therein to the Remote Secured Application Module, (RSAM), for processing the security measures and the transactions and for storing the security measure software, the transactions and the data related thereto.
It follows that to prevent the loss of data stored in memory in case of complete or partial damage to the station, the memory device is best maintained separate from the read/write station. Thus, by confining the data memory as a separate entity in its own housing, detached from the read write station, the chances are high that the data will remain intact regardless of harm to the station.
Further security may be achieved by hiding the memory device containing the data, so as to render it less easily accessible. Alternatively, security may be enhanced by preventing the physical removal of the memory from the system or, on the contrary, permitting removal of the memory from the system for safe consignment elsewhere. Removal of the memory is desirable, for example, at the end of a work session, when personnel abandon the premises thereby leaving a facility unattended. It will be appreciated that improved security is afforded by separating the read/write functions from the SAM functions. Therefore, it is beneficial to maintain physical separation between those functions in the read/write station which handle the user's requests and allow for reading of the card data and which are in contactless communication with each other, from the independent and remote device which implements the secure treatment of data processing, of the security measures and of the secure storage.
The system is transparent to the user who, as in hitherto proposed systems, presents his smart card to the read/write station constituted by the Smart Card Interface, which accepts the smart card and transfers processing and storage operations to the Remote Secured Application Module (RSAM).
The system according to the invention allows for secure retrieval of the data stored in the memory of the RSAM via one or more SCI, while ensuring that impairment of one SCI does not impair other SCIs in the system. Further, impairment of the SCI does not either influence the functioning of the RSAM or alter the integrity of the data stored in the memory of the RSAM.
If desired, a host computer may be provided for communication with the smart card interface(s). The host computer may be a PC comprising a host processor for operating functions of the host computer and of the SCI, for establishing bi-directional communication between the host and the SCI, and for retrieval of data contained in the RSAM. A host memory coupled to the host processor within the host allows for secured storage of data received from the RSAM memory. The SCI communication interface allows communication with the host communication means, whereby the host communicates with the SCI for control of SCI functions, and the host - 7 -
authorizes data retrieval from the RSAM and commands secure storage of data received from the RSAM memory into the host memory.
BRIEF DESCRIPTION OF THE DRAWINGS
In order to understand the invention and to see how it may be carried out in practice, a preferred embodiment will now be described, by way of non-limiting example only, with reference to the accompanying drawings, in which:
Fig. la is a block diagram showing functionally a detail of a secure data transaction system according to a first embodiment of the invention; Fig. lb shows schematically a modification to the system shown in
Fig. la;
Fig. 2a and 2b show schematically further variations of the system illustrated in Figs, la and lb; and
Fig. 3 is a flow diagram showing the principal operating steps associated with the system shown in Fig. la.
DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT
Fig. la shows a system designated generally as 10 comprising a Smart Card Interface (SCI) 12, and a Remote Secured Application Module (RSAM) 14. The SCI 12 may be part of a station such as, for example, an Automatic Teller Machine (not shown in Fig. la), utilized for reading and for writing to secured contact/contactless smart cards for carrying out financial transactions. The SCI 12 includes a processor 15 (constituting an SCI processor) coupled to a transceiver 16 having a coil antenna 17 for effective non-contact inductive coupling with a coil antenna 18 coupled to the RSAM 14. The SCI 12 is energized by an external power supply whilst the RSAM 14 may or may not be self-powered, as will be explained in greater detail below. - 8 -
The RSAM 14 comprises an antenna interface 19 coupled to the coil antenna 18 and to a microprocessor 20 (constituting an RSAM processor) which is itself coupled to an EEPROM 21. The antenna interface 19 is not itself a feature of the present invention and so is not described in further detail. It is described more fully in WO 98/29830 published on July 9, 1998.
The RSAM 14 is in contactless communication with the SCI 12 and is remote from the SCI, and therefore remote from the station of which the SCI is a component. Transactions requested by the owner of a secured smart card are forwarded for execution, via the SCI 12, to the RSAM 14 where they are securely processed and stored. The EEPROM 21 constitutes an RSAM memory for storing the data, an area in the EEPROM 21 being reserved for the secure storage of transactions and data so as to be inaccessible except via the SCI 12. If desired, the instruction set in accordance with which the microprocessor 20 operates may also be stored in the EEPROM 21. The antenna interface 19 includes a bi-directional communication interface that allows for bi-directional contactless communication between the RSAM 14 and the SCI
12. The SCI processor 15 and the RSAM microprocessor 20 are responsive to their respective instruction sets for retrieving data from the RSAM memory.
The SCI processor 15 is coupled to a host computer 25 (constituting a local device) and may also be coupled to a smart card 26 having a contact field (not shown) and having a microprocessor 27 operating in accordance with an instruction set contained within a memory 28 coupled thereto. The contact field of the smart card 26 engages corresponding contacts (also not shown) associated with the transceiver 16 in the SCI 12. Alternatively, a contactless smart card 30 having a coil antenna 31 may effect bi-directional communication with a coil antenna 32 coupled to the transceiver 16 within the SCI 12. The coil antenna 31 of contactless smart card 30 is connected to an antenna interface 33 coupled to a microprocessor 34 operating in accordance with an instruction set stored in a memory 35 coupled thereto. The - 9 -
memory 35 may be an EEPROM operating in similar manner to the EEPROM 21 in the RSAM 14 so as to allow customization of the antenna interface 33.
In such an arrangement the transceiver 16 is a first SCI communication
5 interface for allowing bi-directional contactless communication with the contactless smart card 30, whilst the processor 15 constitutes a second SCI communication interface for allowing bi-directional contact communication with the contact smart card 26 and with the local device 25. If desired, a separate contactless interface may be coupled to the processor 15 for allowing
10 for contactless communication with the local device, be it a host computer or another smart card.
Although data is stored securely in the RSAM 14, authorized parties may retrieve stored data from the RSAM by means of the SCI 12. In the event of a malfunction of the SCI 12 preventing retrieval of data from the RSAM
15 14, the malfunctioning SCI 12 may be replaced by another functional SCI 12.
Fig. lb shows schematically such a system comprising two identical
SCIs. 12 and 12', each in close contactless communication with the RSAM
14. The SCI 12' constitutes an auxiliary SCI which may be used temporarily for the purpose of data retrieval only or as a substitute for the malfunctioning
20 SCI 12 until a replacement is installed. Alternatively, both the SCIs 12 and 12' may be permanently installed and configured for alternate operation, or the system may be configured so that the SCI 12 perform transactions while the SCI 12' retrieves data from the RSAM 14. Since both of the SCIs 12 and 12' are identical, their tasks may be interchanged.
25 Fig. 2a shows schematically yet another arrangement wherein the three elements SCI 12, SCI 12' and RSAM 14 form a group in which the elements are mutually remote from each other. Besides being separate, the communication between the RSAM 14 and either of the SCIs 12 or 12' is contactless. Both the remoteness and the contactless communication ensure that a failure - 10 -
of any of the elements of the group, namely SCI 12. SCI 12' and RSAM 14, will not propagate to any other of the remaining elements of the group. Thus, for example, damage to the SCI 12 will not derogate from the performance of the SCI 12' and vice versa. Furthermore, the collapse of any SCI, 12 or 12', or of both of them, will have no influence on the functioning of the RSAM 14 or on the integrity of the data stored in its memory.
Fig. 2b shows schematically another variation wherein the host 25 is connected by line to two SCIs 12 and 12', in a similar configuration to that depicted in Fig. lb. Each of the SCIs 12 and 12' is coupled to a respective RSAM 14 and 14', the combination of SCI and RSAM constituting a cluster. In practice, many clusters may be connected to the host 25 and each cluster may display a different mix of attached devices.
In all embodiments, the use of contactless communication allows for the SCI 12 to be maintained separate and remote from the RSAM 14 which performs the secure transactions and contains all the transaction data. Contactless communication between the may be achieved by numerous methods, including: radio frequency, microwave, optical communication, infra red, fiber optic and inductive coupling. To keep manufacturing costs low inductive coupling communication is chosen which also allows transmission of energy from a transmitting antenna to a receiving antenna. The transmitting side, here SCI 12, may operate with a matched coil antenna, and the receiving side, in this case the RSAM 14, may possess a tuned coil antenna. Another reason for selecting inductive coupling communication is that it renders possible to power the circuits of the RSAM 14 with the power received from the SCI 12, whereby the RSAM 14 will not need to be self-powered but will rely on the emissions radiated from the SCI 12. This feature is especially important as it allows implementation of DES secured functions that impose a constant power drain on the system. An SRAM powered by batteries is not practical. - 1 1 -
Communication and energy transfer between the SCI 12 and the RSAM 14 is via inductive coupling in accordance with the teachings of US Patent 5,241, 160 entitled "A System and Method for the Non-Contact Transmission of Data", in the name of Bashan et al.. incorporated herein by reference. This patent also explains how the impedance of a cable connecting a coil antenna to a transmitter may be varied without requiring re-tuning of the card resonant frequency.
Using these techniques, the matched coil antenna of the SCI may be connected by a length of SCI cable to the SCI 12 and the SCI cable may be deployed outside of the SCI so that it may be brought close to the tuned coil antenna of the RSAM 14. The distance between the SCI 12 and the RSAM 14 may thereby be significantly increased.
In like manner, the tuned RSAM coil antenna may also be connected to the RSAM 14 by a length of RSAM cable that may extend out of the housing of the RSAM. Moreover, both the SCI cable and the RSAM cable may be extended so that the maximum distance between the SCI 12 and the RSAM 14 is equal to the combined length of both cables. It will be appreciated that either or both of the two coil antennas may be connected via respective cables of equal or unequal lengths. The length of the coil antenna cable is preferably determined as multiples of half-wavelengths, starting from zero for up to eight half- wavelengths. The measured length of such a coil antenna cable depends therefore on the frequency of the carrier signal used. Thus, assuming a carrier frequency equal to 13.56 MHz, one half- wavelength, taking the influence of the cable into account, amounts to 8 m. Preferably the length of the coil antenna cable will not reach more than 48 m and ideally it should be less than 32m. The aforementioned U.S. Patent 5,241,160 lists the factors influencing the relative distance allowed between the two coil antennae and provides information about the distances obtainable. - 12 -
Because the RSAM 14 is prone to theft or to attempted intrusion, advantage may be taken from the fact that the RSAM 14 consists of a separate unit, packaged within an individual housing and remote from the SCI 12. Accordingly, the RSAM 14 may be physically protected, such as secreted behind a wall or embedded in concrete for purposes of concealment as well as for reasons of safekeeping and prevention of removal. With quality assurance and reliability as objectives, the housing of the RSAM 14 may be hermetically sealed against liquids or gases.
The RSAM 14 may thus reside within a housing appropriately reinforced to thwart off forceful intrusion and properly protect against physical destruction, like being clad in steel armor. To avoid shielding of the inductive ' coupling communication by the steel housing, the RSAM coil antenna, with or without a span of cable, protrudes out of the steel housing.
In contrast to this approach, but with the same goal of avoiding theft and intrusion, the housing may be removable for storage in a safe place. This may be realized in practice by providing the housing in the form of a data card.
DES applications are stored in the memory of the RSAM, in a secured area reserved for security applications. The transactions and the data related thereto are also deposited in a secured area of the memory of the RSAM, in known manner. By such means the SAM may be realized in a remote housing.
Referring now to Fig. 3, there will be described a protocol for use with the system described above with particular reference to Fig. 1 of the drawings. Thus, initially a data transaction card is coupled to the SCI that receives a transaction request and prompts the card owner for entry of his secret code (PIN). On entry of a valid PIN, the transaction request is encrypted by the card so as to produce a secure Account Certificate. This is fed. via contact or non-contact communication to the SCI from where it is forwarded to the RSAM via non-contact communication. The transaction data - 13 -
is decrypted by the RSAM so as to authenticate the card. If authentic, then the encrypted Account Certificate is also decrypted so as to produce an encrypted Transaction Certificate. This is fed. via non-contact communication to the SCI from where it is forwarded to the card via contact or non-contact communication. The card now decrypts the transaction data is so as to authenticate the RSAM. If authentic, the transaction is processed and an encrypted Settlement Certificate is prepared for feeding via contact or non-contact communication back to the SCI from where it is forwarded via non-contact communication to the RSAM wherein the transaction data is again decrypted so as to authenticate the card. If authentic, then the purse account is settled. In the event of an invalid card or RSAM, the transaction is aborted arid a suitable message relayed via the SCI.
Whilst preferred embodiments of the invention have been described in detail, it is apparent that many modifications and variations thereto are possible, all of which fall within the scope of the invention as defined in the appended claims.
Thus, for example, whilst in the preferred embodiment a matched antenna is employed in the SCI, it will be understood that a conventional resonant circuit may be employed as is well known in the art.

Claims

- 14 -CLAIMS:
1. A secured data transaction system (10) comprising: a Smart Card Interface (SCI) (12) for interfacing between a local device (25, 26) and a Remote Secure Application Module (RSAM) (14) located remote from the SCI for processing data from smart cards: the SCI (12) comprising: an SCI memory (28, 35) containing a predetermined instruction set, an SCI processor (15) coupled to the memory for operating in accordance with said instruction set, a first SCI communication interface (16) coupled to the SCI processor for allowing bi-directional contactless communication between the SCI and the RSAM; and the RSAM (14) comprising: an RSAM memory (21) containing a predetermined instruction set and comprising a secured area reserved for security applications and for secure storage of data related thereto, an RSAM processor (20) coupled to the RSAM memory for operating in accordance with said instruction set, and an RSAM communication interface (19) coupled to the RSAM processor for allowing bi-directional contactless communication between the RSAM and the SCI; whereby data associated with the smart card interface (12) may be stored in the RSAM memory (21) remote from the smart card interface.
2. The secured data transaction system according to Claim 1, wherein data is retrieved from the RSAM memory via the SCI. - 15 -
3. The secured data transaction system according to Claim 1 or 2, further including an auxiliary SCI (12') for allowing parallel or backup data retrieval from the RSAM memory.
4. The secured data transaction system according to any one of the preceding Claims, wherein the Smart Card Interface includes a second SCI coiΗmunication interface (15) for allowing bi-directional communication with the local device.
5. The data transaction system according to any one of the preceding Claims, wherein: the RSAM contains security means for prevention of unauthorized transactions and unauthorized access to RSAM functions and RSAM memory.
6. The data transaction system according to any one of the preceding Claims, wherein: the SCI communication interface (16) communicates with a smart card and the RSAM by contactless inductive coupling communication.
7. The data transaction system according to Claim 6, wherein: the first SCI communication interface (16) is coupled to an SCI coil antenna (17) operating at a predetermined frequency, and the RSAM communication interface (19) is coupled to an RSAM coil antenna (18) tuned to said predetermined frequency.
8. The data transaction system according to Claim 7, wherein the first SCI communication interface is coupled to the SCI coil antenna (17) by an SCI cable having a length which may be varied without requiring the first SCI communication interface to be re-tuned to said predetermined frequency.
9. The data transaction system according to Claims 7 or 8, wherein the RSAM communication interface (19) is coupled to the RSAM coil antenna (18) by a cable. - 16 -
10. The data transaction system according to Claim 9, wherein the SCI coil antenna (17) and the RSAM coil antenna (18) are in mutual proximity.
11. The data transaction system according to any one of the preceding Claims, wherein the RSAM (14) is displaced from the SCI (12) and is in contactless communication therewith.
12. The data transaction system according to any one of the preceding Claims, wherein the RSAM is housed in a reinforced casing for protection against physical intrusion.
13. The data transaction system according to any one of the preceding Claims, wherein the RSAM is housed in a hermetically sealed casing.
14. The data transaction system according to any one of the preceding Claims, wherein the RSAM is housed in a concealed casing.
15. A secured data transaction system (10) comprising: an SCI (12) for interfacing with smart cards and an RSAM (14) for processing data from smart cards and for providing security functions, the SCI (12) comprising: a processor (15) for operating functions of the SCI, an SCI memory (28) connected to the SCI processor, and an SCI communication interface (16) for bi-directional inductive coupling communication with smart cards and for bi-directional communication with a host device (25); the RSAM (14) comprising: an RSAM processor (20) for operating functions of the RSAM, an RSAM memory (21) connected to the RSAM processor, the RSAM memory comprising a secured area reserved for security applications and for secure storage of transactions and data related thereto, - 17 -
an RSAM communication interface (19) connected to the RSAM processorfor bi-directional inductive coupling communication with at least one SCI, and a data card for containing the RSAM therein, the data card being remote from the SCI; whereby the SCI transfers data exchanges between secured smart cards and the RSAM, the RSAM providing for the secured processing of transactions and the RSAM also providing a secured repository for the transactions and for data related thereto.
16. The data transaction system according to any one of the preceding claims, wherein the SCI also provides energy for functions of the RSAM thereby obviating the need for the RSAM to be self-powered.
EP99913559A 1998-04-08 1999-04-06 Secured data transaction system for smart cards Withdrawn EP1070302A1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
IL12400898 1998-04-08
IL12400898 1998-04-08
PCT/IL1999/000192 WO1999053449A1 (en) 1998-04-08 1999-04-06 Secured data transaction system for smart cards

Publications (1)

Publication Number Publication Date
EP1070302A1 true EP1070302A1 (en) 2001-01-24

Family

ID=11071407

Family Applications (1)

Application Number Title Priority Date Filing Date
EP99913559A Withdrawn EP1070302A1 (en) 1998-04-08 1999-04-06 Secured data transaction system for smart cards

Country Status (4)

Country Link
EP (1) EP1070302A1 (en)
AU (1) AU3165799A (en)
CA (1) CA2327728A1 (en)
WO (1) WO1999053449A1 (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
NL1014956C2 (en) * 2000-04-14 2001-10-16 Jelle Ossenwaarde Method is for secret storage of valuable software and/or personal data in first memory of device connectable to telephone network and comprises identification part with identification code
WO2001086599A2 (en) * 2000-04-14 2001-11-15 Supercom Ltd. Smart communications
JP4501241B2 (en) 2000-07-10 2010-07-14 ソニー株式会社 IC card and IC card data communication method
US7716082B1 (en) * 2000-08-24 2010-05-11 Gilbarco, Inc. Wireless payment mat device and method for retail environments
CN1659566B (en) 2002-06-10 2010-10-20 坂村健 Electronic money transfer device equipped with non-contact IC interface
US7883420B2 (en) 2005-09-12 2011-02-08 Mattel, Inc. Video game systems
US8014755B2 (en) 2007-01-05 2011-09-06 Macronix International Co., Ltd. System and method of managing contactless payment transactions using a mobile communication device as a stored value device

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2079504B (en) * 1980-07-01 1984-03-07 Interbank Card Ass Security system for electronic funds transfer system
GB2205667B (en) * 1987-06-12 1991-11-06 Ncr Co Method of controlling the operation of security modules
US5241160A (en) * 1990-12-28 1993-08-31 On Track Innovations Ltd. System and method for the non-contact transmission of data
NL9101608A (en) * 1991-09-24 1993-04-16 Nedap Nv CHIP CARD WITH REMOTE IDENTIFICATION.
EP0600170B1 (en) * 1992-12-01 1997-12-17 Landis & Gyr Technology Innovation AG Method for the payment of services and/or articles and device for implementing this method
FR2740291B1 (en) * 1995-10-20 1997-12-12 Sagem DUAL FUNCTION RADIOTELEPHONE, PARTICULARLY FINANCIAL TRANSACTION AND METHOD FOR ESTABLISHING A COMMUNICATION BETWEEN THE RADIOTELEPHONE AND THE RADIOTELEPHONE NETWORK

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO9953449A1 *

Also Published As

Publication number Publication date
AU3165799A (en) 1999-11-01
WO1999053449A1 (en) 1999-10-21
CA2327728A1 (en) 1999-10-21

Similar Documents

Publication Publication Date Title
US6021494A (en) Electronic micro identification circuit that is inherently bonded to someone or something
JP3790032B2 (en) Authentication settlement method using portable terminal device and portable terminal device
CA2182464C (en) Radio frequency transponder stored value system employing a secure encryption protocol
AU615832B2 (en) Multilevel security apparatus and method with personal key
US6078888A (en) Cryptography security for remote dispenser transactions
EP1132800B1 (en) Non-wire contact device application for cryptographic module interfaces
US20020077992A1 (en) Personal transaction device with secure storage on a removable memory device
KR0125095B1 (en) Electronic asset data transfer method
EA001415B1 (en) Conditional access method and device
WO2001086599A2 (en) Smart communications
US6371376B1 (en) PCMCIA card with secure smart card reader
US7416114B2 (en) Electronic value transfer device equipped with non-contact IC interface
WO2010043974A1 (en) System for secure contactless payment transactions
AU2007224797B2 (en) Method and apparatus for the secure processing of sensitive information
WO2000074007A1 (en) Network authentication with smart chip and magnetic stripe
EP1070302A1 (en) Secured data transaction system for smart cards
US11783152B1 (en) Chip card with on/off mechanisms
JP2000156718A (en) Protocol conversion adaptor and method for controlling the protocol conversion adaptor
JP2000268137A (en) Recording medium backup method and device for implementing the method
JP2899464B2 (en) Electronic asset data transfer method
KR20020051543A (en) IC Card and System and Method for Effective and Secure Function of Internet Access
JP2000507380A (en) Safety module
JP4101561B2 (en) IC card and service information display system
KR101140640B1 (en) Terminal device and recording medium for card applet post-issuance
CA2390239C (en) Centralised cryptographic system and method with high cryptographic rate

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20001106

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN WITHDRAWN

18W Application withdrawn

Withdrawal date: 20020801

REG Reference to a national code

Ref country code: HK

Ref legal event code: WD

Ref document number: 1031941

Country of ref document: HK