
WO2001029791A1 - Improved chip card and method for interacting with same - Google Patents


Info

Publication number
WO2001029791A1
Authority
WO
WIPO (PCT)
Prior art keywords
section
memory
chip card
mailbox
transaction
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/EP1999/007991
Other languages
French (fr)
Inventor
Siegfried E. Wilhelm
Jay Yun
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
TRESOR TV PRODUKTIONS GmbH
Original Assignee
TRESOR TV PRODUKTIONS GmbH
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by TRESOR TV PRODUKTIONS GmbH
Priority to PCT/EP1999/007991
Publication of WO2001029791A1
Anticipated expiration
Legal status: Ceased

Classifications

    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07F COIN-FREED OR LIKE APPARATUS
    • G07F7/00 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1008 Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/341 Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/355 Personalisation of cards for use
    • G06Q20/3552 Downloading or loading of personalisation data
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/357 Cards having a plurality of specified features
    • G06Q20/3576 Multiple memory zones on card

Definitions

  • the present invention is related to an improved chipcard for use with e-commerce or e-purse applications.
  • the increasing number of users and providers as well as the vastly growing volume of business carried out via the internet or other networks demands the provision of mechanisms that ascertain secure identification, authorisation, and payment on both the user's or customer's and the provider's side.
  • one or both parties' banks are also involved in the purchase of a certain product or service.
  • the security systems employed by existing chip cards are based on complicated security key schemes where an individual key of a chipcard works together with a master key at a host computer.
  • This scheme has a number of inherent problems.
  • the key system (keys plus de/encryption software) may be so complicated that it may require the main part of the memory and of the computing capacity of the chip card.
  • the main problem of these known chip cards is, however, that when the master key is no longer secret, the entire scheme is compromised. Also, when the individual key becomes known to unauthorized persons, transactions with the specific chip card may no longer be secure.
  • the object of the invention is to overcome the deficiencies and drawbacks of currently available chip card protection schemes described above and to provide a chip card protection scheme that provides for secure transactions and for a more versatile use of one chip card by different service providers.
  • a chip card for carrying out secure transactions e.g. between a computer of a service provider and a user terminal receiving the chip card
  • the chip card comprising a processor unit adapted to communicate with a memory provided in the chip card and containing software and data to carry out transactions between the chip card and an external computer via an input/output interface provided in the chip card, wherein the memory is divided into several sections, the size of each of the sections being defined and controlled by the software, the access via the input/output interface to each of the memory sections being controlled by the software, a first section of the memory being accessible via the input/output interface by the processor unit or the external source (e.g.
  • a second section of the memory being provided to write a software program or data from the first section to the second section of the memory upon a command entered by a user of the chip card
  • a third section of the memory being provided to write a software program or data from the first section or the second section to the third section of the memory upon a command entered via the input/output interface by an external source.
  • This unique design of a chip card provides for an enhanced versatility in the use of the chip card since different service providers can implement their own security system (de/encryption software and keys etc.) in the chip card of a user. Effectively, the user does not require several chip cards to carry out transactions with different service providers.
  • a user having a first bank account in a first bank and a second bank account in a second bank could effect a very fast money transfer from the first to the second bank account by carrying out a first secure transaction of a certain amount of money from the first bank account under the security scheme of the first bank into a mailbox in the chipcard and by carrying out a second secure transaction of this amount of money from the mailbox in the chipcard under the security scheme of the second bank into the second bank account.
  • the first section of memory is divided into a predefined number of mailboxes, the size of each mailbox being defined by the external source or by the software.
  • the size and structure (e.g. beginning, free space and end) of each mailbox
  • pointers under the control of the external source or the software of the processor unit. This allows for an efficient use of the mailboxes and the memory space allocated to each one of them.
  • the mailboxes are prepared for holding one or more de/encryption keys, transaction codes, immediately executable or encrypted software programs or data.
  • the encrypted software programs or data contained in a mailbox in the first section is transferred and decrypted into the second memory section under control of the external source.
  • a service provider can implement a security mechanism in the chip card that is unknown to other service providers and also not accessible to the user of the chip card.
  • the chip card can be a "universal chip card" instead of the user requiring a multitude of chip cards, one for each service provider.
  • the service provider's host computer must provide a software program that is executable by the microprocessor unit. Either this software program is actual (executable) machine code, or it is written in a meta language (Java® or the like) that can be interpreted by an interpreter program maintained in the microprocessor unit's memory.
  • encrypted software programs or data contained in a mailbox in the first memory section is transferred and decrypted into the second section under control of the user.
  • the invention teaches to transfer and decrypt same into the third section under control of the external source.
  • This third section is reserved for software programs or data that must not, under any circumstances, be accessed by the user (via the microprocessor unit). To accomplish this, the access to this memory area is only possible if a certain password or signal combination is present at the input/output interface. This password in combination with the transfer software present in the first section will provide the right address to reach this third section.
  • each mailbox is provided with one de/encryption key and a transaction code for being used in one de/encryption-transaction process by using a software program contained in the first, second or third memory section. It is also possible to carry out both functions of the de/encryption key and the transaction code with one and the same key/code. This reduces the memory space requirement in each mailbox.
  • In a typical chip card there are, e.g., in the order of 100 mailboxes.
  • the external host computer of the service provider uses the contents of one mailbox to establish the connection (i.e. the transaction code) and to de/encrypt data (i.e. the key) .
  • One or more of the mailboxes are provided with de/encryption keys and transaction codes being identical to de/encryption keys and transaction codes held in a memory device having the same mailbox structure provided in an external host computer.
  • the host computer randomly generates the de/encryption keys and transaction codes to be stored in each mailbox of the chip card as well as in the corresponding memory device (RAM, EEPROM, disk or the like) so that the contents of the mailbox of the chip card and the contents in the corresponding memory device in the host computer are exactly the same.
  • a de/encryption-transaction process between the external host computer and the chip card is only carried out after a comparison of transaction codes in a specific mailbox held in the memory device provided in the external host computer and in the corresponding mailbox in the first memory section carried out under control of a software program stored in the second or third memory section shows identity of the two transaction codes.
  • In order to e.g. access the user's own bank account via an internet connection (through a chip card terminal on the user's side), the bank's host computer requests that the user's chip card sends the transaction code of a certain mailbox in the chip card. If this transaction code matches the transaction code of the corresponding mailbox in the bank's host computer, the transaction may commence. Depending on the nature of the transaction (account information, money transfer to another account, etc.) the required information will be en/decrypted in a manner that the respective keys in the mutual mailboxes can be used to de/encrypt the transmitted information.
  • the de/encryption-transaction process between the external host computer and the chip card utilizing a de/encryption key and a transaction code stored in first respective mailboxes is only carried out after the external host computer has delivered a transaction code from a second of its mailboxes to the chip card for comparison with the transaction code in the corresponding second mailbox of the chip card, and the comparison process executed under control of a software program stored in the second or third memory section shows identity of the two transaction codes.
  • the actual transaction will thus only be carried out when the service provider's host will - in advance or after the chip card has done so - provide the (partial) contents of one mailbox that can be compared to the corresponding contents of the respective mailbox of the chip card.
  • the actual transaction will then be carried out using the de/encryption key and a transaction code of another mailbox.
  • the service provider's host computer can create a new set of de/encryption keys and transaction codes and transfer these into the mailboxes in the chip card (and its own memory device) via the network (in an encrypted format) or by a terminal provided in the service provider's premises.
  • the transfer of the de/encryption keys and transaction codes into the mailbox of the chip card may be secured by a separate (e.g. the last available) decryption key and a transaction code that will be used once all others have been used.
  • This last mailbox may also contain an automatic request command to be sent to the service provider's host computer to refill all the mailboxes with new de/encryption keys and transaction codes.
  • the service provider's host computer requests to be provided with the transaction code in a first mailbox of the chip card.
  • the chip card requests to see the transaction code in the second mailbox in the host computer's second memory in order to compare it with the transaction code in the second mailbox in its own memory. If these two transaction codes match, the chip card will send out the transaction code of the first mailbox as initially requested by the host computer.
  • the host computer will, at the end of or during the transaction, additionally submit new de/encryption keys and transaction codes.
  • the host computer can either use the same de/encryption key as the one used for the transaction or use the de/encryption key of the first mailbox.
  • the only drawing shows a schematic drawing of a chip card according to the invention mounted in an end user device (like a mobile telephone) communicating with one or more host computers of various service providers.
  • a chip card 10 for carrying out secure transactions is provided in a handheld mobile telephone or a so-called intelligent telephone connected to the fixed telephone network, e.g. the internet.
  • the telephone - as far as its structure is relevant for the present invention - is conventional and therefore not further described here.
  • the chip card 10 comprises a processor unit µP connected to a bus system.
  • a memory RAM/EEPROM provided in the chip card 10 is connected to the bus system and contains software and data to carry out transactions between the chip card and an external host computer (service provider 1 .. n) via an input/output interface (input/output) also connected to the processor unit µP (via the bus system).
  • the software in the memory RAM/EEPROM contains an operating system to perform the basic functions: reading/writing data from/to the memory sections in the chip card, de/encrypting data received/sent via the input/output interface (input/output) or between various sections of the memory as described in more detail hereinunder, etc.
  • Another part of the memory provided in the chip card 10 is divided into several sections (A, B, C). These three sections are EEPROMs to allow for versatile reading/permanent writing/overwriting of programs or data in these sections. The size of each of the sections is defined and controlled by the software.
  • a main distinction between the three memory sections is the way they can be accessed.
  • the access via the input/output interface to each of the memory sections (A, B, C) is controlled by the software. Therefore, a command to read or write a certain number of bytes into a certain memory section is implemented as follows: CommandType, Source, Destination, # Bytes; with CommandType {Read, Write}, Source {I/O, Section1, Section2, Section3}, Destination {I/O, Section1, Section2, Section3}, and # Bytes {1 ... FFFFh}.
  • Such a command received by the operating system of the processor unit via the input/output interface is then translated into the respective read/write commands to access the respective memory section with the correct physical address.
  • the operating system maintains tables of contents for each of the memory sections in order to allocate and identify the appropriate physical memory location (s) for the contents to be read or written.
  • the first section of the memory (A) is accessible via the input/output interface by the processor unit (µP) or the external source without any restrictions in order to read/write a software program or data from/to the first section of the memory.
  • the second section of the memory can only be accessed by a restricted set of transfer commands. More specifically, it is only possible to write a software program or data from the first section to the second section of the memory upon a command entered by a user of the chip card via the input/output interface. To achieve this, the operating system checks whether the Destination argument in the command described above is "B". If this is the case, Sources other than A or I/O are prohibited. This ascertains that e.g. a user can only directly enter simple commands rather than execute complex transfer procedures by which a program could be entered and executed. Hence, a user or an unauthorized person cannot write directly into the second memory section.
  • de/encryption software provided by a certain service provider in the first memory section can be stored under the control (by a simple transfer command) of the user.
  • the user can decide whether he/she wants to make use of the services provided by a certain service provider by transferring (or not) the software program provided by the service provider in the first memory section.
  • the third section of the memory C can only be accessed in an even more restricted manner. More precisely, it is only possible to write a software program or data from the first section A or the second section B to the third section of the memory C upon a command entered by an external source via the input/output interface (I/O). This allows for the software program provided by an external service provider to use memory space that cannot be monitored by others.
  • the first section of memory is divided into a predefined number of mailboxes.
  • the first section is divided into a matrix of n*m, the size of each mailbox being defined by the external source or by the software.
  • the size of each of the mailboxes and their total number can be changed dynamically by changing the pointers to the beginning or the end of the memory area defining a certain mailbox. This is carried out under control of the operating software.
  • the mailboxes in the first memory section are prepared for holding one or more de/encryption keys, transaction codes, immediately executable or encrypted software programs or data. To allow for this, the size of the mailboxes must be adapted accordingly by setting the pointers appropriately.
  • Encrypted software programs or data contained in a mailbox in the first section are decrypted and transferred into the second memory section under control of the host computer of the external service provider.
  • this key should not be stored as such in one of the mailboxes of the first memory section. Rather, this key should have been part of a software program transferred from a mailbox in the first memory section to the second memory section in a previous transfer step.
  • the encrypted software programs or data contained in a mailbox in the first memory section can also be transferred and decrypted into the second section under a control command entered by the user via the input/output interface.
  • each mailbox is provided with one de/encryption key and a transaction code, for being used in one de/encryption-transaction process by using a software program contained in the first, second or third memory section.
  • the mailboxes are provided with de/encryption keys (PINs) and transaction codes (TANs) being identical to de/encryption keys and transaction codes held in a memory device having the same mailbox structure provided in an external host computer of the respective service provider.
  • PINs: de/encryption keys
  • TANs: transaction codes
  • a de/encryption-transaction process between the external host computer of the service provider and the chip card is only carried out after a comparison of transaction codes in a specific mailbox held in the memory device provided in the external host computer and in the corresponding mailbox in the first memory section, carried out under control of a software program stored in the second or third memory section, shows identity of the two transaction codes.
  • a de/encryption-transaction process between the external host computer and the chip card utilizing a de/encryption key and a transaction code stored in first respective mailboxes is only carried out after the external host computer has delivered a transaction code from a second of its mailboxes to the chip card for comparison with the transaction code in the corresponding second mailbox of the chip card, and the comparison process executed under control of a software program stored in the second or third memory section shows identity of the two transaction codes.
  • Another application is a product or ware tag containing the chip card according to the invention in which all persons or entities that produce, wrap, pack, transport, handle, sell, buy, store, distribute, or resell the product can write information into certain areas of the mailboxes.
  • An important aspect, however is the fact that the writer of the information can decide which portions of the information can be accessed (read) and/or changed (deleted, over- written) by all or some subsequent persons or entities coming into contact with the respective product.
  • the following example shows the versatility and usefulness of the invention in this field:
  • a chip card according to the invention is attached to the cardboard box containing an electronic product like a video cassette recorder (VCR) at the end of the manufacturing process.
  • VCR: video cassette recorder
  • the manufacturer puts the product name, product number, production date, revision level etc. into a mailbox in the first memory section of the chip card in an unencrypted format. This data may be read by every person subsequently coming into contact with this product. Additionally, the manufacturer puts the name of the first person (dealer) and the price of this product charged by the manufacturer to this dealer into the first section of the memory in an unencrypted format.
  • a command is entered by the manufacturer via the input/output interface of the chip card to write this data (the name of the dealer and the price of this product charged by the manufacturer to this dealer) from the first section to the second section of the memory.
  • This portion of the data can be read by the dealer only, since the dealer has knowledge of the de/encryption key.
  • This first dealer writes - in the same way as the manufacturer - additional data (price charged by the first dealer to the retail dealer, next receiver, date of shipment etc.) into the memory that can only be read by the subsequent receiver (retail dealer).
  • this retail dealer as well as the first reader, can also read the contents of the mailbox in the first memory section of the chip card in unencrypted format.
  • This (vertical) chain of dealers can be longer, whereby each member in the chain can hide his predecessors to the subsequent members by sharing the key to this data only with his immediate successor.
  • the price for which a dealer at a certain level in the chain bought the product from his predecessor is not accessible by subsequent members of the chain.
  • the number of these products is also stored in the chip card.
  • the number is stored in a manner that it can be overwritten by a new number each time one or more items are taken out of the container by a person who is authorized - i.e. has the access key - to change the number.
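The section access rules described above (the CommandType, Source, Destination, # Bytes command; Destination B only from A or I/O on a user command; Destination C only from A or B on an external-source command with a password present at I/O) as an added Python model, not code from the patent or its assignee. The command origin field, the password value and the rule that contents of B and C never move outward are assumptions made for this example.

```python
"""Added example (not patent code): model of the command format and the
access rules for memory sections A, B and C as the page describes them.
CommandType, Source, Destination and #Bytes are from the page; the
'origin' of a command (user vs. external source), the password presented
at the I/O interface for section C, and the rule that B and C contents
never move outward are modelled assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Loc(Enum):
    IO = "I/O"
    A = "Section1"   # mailboxes, unrestricted read/write
    B = "Section2"   # written only from A or I/O, on a user command
    C = "Section3"   # written only from A or B, on an external-source command


class CmdType(Enum):
    READ = "Read"
    WRITE = "Write"


MAX_BYTES = 0xFFFF                        # '# Bytes {1 ... FFFFh}' on the page
SECTION_C_PASSWORD = b"demo-placeholder"  # constructed placeholder, not a real value


@dataclass(frozen=True)
class Command:
    ctype: CmdType
    source: Loc
    dest: Loc
    nbytes: int
    origin: str                       # "user" or "external" (assumption)
    password: Optional[bytes] = None  # value presented at I/O, if any (assumption)


def check(cmd: Command) -> Tuple[bool, str]:
    """Return (allowed, reason) for one command, as the card OS would decide
    before translating it into physical read/write operations."""
    if not 1 <= cmd.nbytes <= MAX_BYTES:
        return False, "#Bytes outside 1..FFFFh"
    if cmd.origin not in ("user", "external"):
        return False, "unknown command origin"
    # Assumption: Read moves data out to I/O, Write moves data into a section.
    if cmd.ctype == CmdType.READ and cmd.dest != Loc.IO:
        return False, "Read must target I/O"
    if cmd.ctype == CmdType.WRITE and cmd.dest == Loc.IO:
        return False, "Write cannot target I/O"
    # Section C is reachable only if the password is present at I/O.
    if Loc.C in (cmd.source, cmd.dest) and cmd.password != SECTION_C_PASSWORD:
        return False, "section C needs the password at the I/O interface"
    # Assumption: B and C hold provider secrets; the only transfer that may
    # read them is the inward move B -> C, never back to A or out to I/O.
    if cmd.source in (Loc.B, Loc.C) and cmd.dest != Loc.C:
        return False, "contents of B and C never move outward"
    if cmd.dest == Loc.B:
        if cmd.source not in (Loc.A, Loc.IO):
            return False, "Destination B: only sources A or I/O allowed"
        if cmd.origin != "user":
            return False, "Destination B: only on a command entered by the user"
    if cmd.dest == Loc.C:
        if cmd.source not in (Loc.A, Loc.B):
            return False, "Destination C: only sources A or B allowed"
        if cmd.origin != "external":
            return False, "Destination C: only on an external-source command"
    return True, "ok"


def demo() -> dict:
    """Constructed commands and the verdict the policy gives each one."""
    pw = SECTION_C_PASSWORD
    cases = {
        "provider drops program into a mailbox": Command(CmdType.WRITE, Loc.IO, Loc.A, 256, "external"),
        "anyone reads a mailbox": Command(CmdType.READ, Loc.A, Loc.IO, 64, "user"),
        "user installs program A->B": Command(CmdType.WRITE, Loc.A, Loc.B, 512, "user"),
        "provider tries to install A->B": Command(CmdType.WRITE, Loc.A, Loc.B, 512, "external"),
        "user pushes bytes I/O->B": Command(CmdType.WRITE, Loc.IO, Loc.B, 4, "user"),
        "user reads B out": Command(CmdType.READ, Loc.B, Loc.IO, 64, "user"),
        "provider moves B->C with password": Command(CmdType.WRITE, Loc.B, Loc.C, 128, "external", pw),
        "provider moves A->C without password": Command(CmdType.WRITE, Loc.A, Loc.C, 128, "external"),
        "user moves A->C with password": Command(CmdType.WRITE, Loc.A, Loc.C, 128, "user", pw),
        "provider writes I/O->C with password": Command(CmdType.WRITE, Loc.IO, Loc.C, 128, "external", pw),
        "oversized read": Command(CmdType.READ, Loc.A, Loc.IO, 0x10000, "user"),
    }
    return {name: check(c)[0] for name, c in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}")
```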

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Accounting & Taxation (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

A chip card for carrying out secure transactions, comprises a processor unit adapted to communicate with a memory provided in said chip card and containing software and data to carry out transactions between said chip card and an external computer via an input/output interface provided in said chip card, wherein said memory is divided into several sections, the size of each of said sections being defined and controlled by said software, the access via said input/output interface to each of said memory sections being controlled by said software, a first section of said memory being accessible via said input/output interface by said processor unit or said external source without any restrictions in order to read/write a software program or data from/to said first section of said memory, a second section of said memory being provided to write a software program or data from said first section to said second section of said memory upon a command entered by a user of said chip card via said input/output interface, a third section of said memory being provided to write a software program or data from said first section or said second section to said third section of said memory upon a command entered by an external source via said input/output interface.

Description

Improved Chip card and method for interacting with same
DESCRIPTION
Background of the Invention
The present invention is related to an improved chipcard for use with e-commerce or e-purse applications. The increasing number of users and providers as well as the vastly growing volume of business carried out via the internet or other networks demands the provision of mechanisms that ascertain secure identification, authorisation, and payment on both the user's or customer's and the provider's side. Often times, in addition to the user or customer on the one side and the provider (of goods or services) on the other side, one or both parties' banks are also involved in the purchase of a certain product or service.
In view of the fact that each of the entities involved in a certain purchase or transaction can be located virtually anywhere in the world, the need for tamper-resistant mechanisms is growing faster as the goods or services traded via the internet become more and more expensive.
Moreover, the community of providers for goods and services as well as the customers could be convinced more easily to use the internet to carry out business transactions if the internet provided a safer environment for such business transactions.
Prior Art
The security systems employed by existing chip cards are based on complicated security key schemes where an individual key of a chipcard works together with a master key at a host computer. This scheme has a number of inherent problems. The key system (keys plus de/encryption software) may be so complicated that it may require the main part of the memory and of the computing capacity of the chip card. The main problem of these known chip cards is, however, that when the master key is no longer secret, the entire scheme is compromised. Also, when the individual key becomes known to unauthorized persons, transactions with the specific chip card may no longer be secure.
In view of the increasing number of different service providers, the number of chip cards that will be held by each user is apt to increase accordingly. However, this is an undesirable situation since the risk of losing a card is also increasing. On the other hand, the service providers are very reluctant to share security mechanisms with other service providers in order to use common keys and/or de/encryption software programs. In order to de/encrypt data and/or software programs that are to be transmitted from one station to another via an unsecure medium (e.g. the telephone network), standard encryption algorithms (e.g. DES or RSA) are used. In addition, for each transaction there is used a transaction code valid only for one specific transaction in order to further increase security.
Problem underlying the invention
The object of the invention is to overcome the deficiencies and drawbacks of currently available chip card protection schemes described above and to provide a chip card protection scheme that provides for secure transactions and for a more versatile use of one chip card by different service providers.
Solution according to the invention
According to the invention, this problem is solved by a chip card for carrying out secure transactions e.g. between a computer of a service provider and a user terminal receiving the chip card, the chip card comprising a processor unit adapted to communicate with a memory provided in the chip card and containing software and data to carry out transactions between the chip card and an external computer via an input/output interface provided in the chip card, wherein the memory is divided into several sections, the size of each of the sections being defined and controlled by the software, the access via the input/output interface to each of the memory sections being controlled by the software, a first section of the memory being accessible via the input/output interface by the processor unit or the external source (e.g. the host computer of a service provider) without any restrictions in order to read/write a software program or data from/to the first section of the memory, a second section of the memory being provided to write a software program or data from the first section to the second section of the memory upon a command entered by a user of the chip card, a third section of the memory being provided to write a software program or data from the first section or the second section to the third section of the memory upon a command entered via the input/output interface by an external source.
Advantages of the invention
This unique design of a chip card provides for an enhanced versatility in the use of the chip card since different service providers can implement their own security system (de/encryption software and keys etc.) in the chip card of a user. Effectively, the user does not require several chip cards to carry out transactions with different service providers.
Additionally, different service providers, e.g. two banks that have not agreed upon a common or mutual security standard, could do business with a user holding such a chip card. For example, a user having a first bank account in a first bank and a second bank account in a second bank could effect a very fast money transfer from the first to the second bank account by carrying out a first secure transaction of a certain amount of money from the first bank account under the security scheme of the first bank into a mailbox in the chip card, and by carrying out a second secure transaction of this amount of money from the mailbox in the chip card under the security scheme of the second bank into the second bank account.
Preferred embodiments and enhancements of the invention
In order to allow a larger number of service providers to utilize or download programs or data into the chip card in an organised manner, the first section of memory is divided into a predefined number of mailboxes, the size of each mailbox being defined by the external source or by the software. Preferably, the size and structure (e.g. beginning, free space and end of each mailbox) is defined and dynamically changed by pointers under the control of the external source or the software of the processor unit. This allows for an efficient use of the mailboxes and the memory space allocated to each one of them.
The mailboxes are prepared for holding one or more de/encryption keys, transaction codes, immediately executable or encrypted software programs or data.
In one embodiment of the invention, the encrypted software programs or data contained in a mailbox in the first section are transferred and decrypted into the second memory section under control of the external source. Thereby, a service provider can implement a security mechanism in the chip card that is unknown to other service providers and also not accessible to the user of the chip card. Especially if several different service providers (their host computers being the external source, respectively) are accessing the chip card, the chip card can be a "universal chip card" instead of the user requiring a multitude of chip cards, one for each service provider. The service provider's host computer must provide a software program that is executable by the microprocessor unit. Either this software program is actual (executable) machine code, or it is written in a meta language (Java® or the like) that can be interpreted by an interpreter program maintained in the microprocessor unit's memory.
Similarly in another embodiment of the invention, encrypted software programs or data contained in a mailbox in the first memory section is transferred and decrypted into the second section under control of the user.
Especially for secret data, de/encryption keys, transaction codes, encrypted software programs or the like contained in a mailbox in the first section, the invention teaches to transfer and decrypt same into the third section under control of the external source. This third section is reserved for software programs or data that must not, under any circumstances, be accessed by the user (via the microprocessor unit). To accomplish this, access to this memory area is only possible if a certain password or signal combination is present at the input/output interface. This password, in combination with the transfer software present in the first section, will provide the right address to reach this third section.
In a preferred embodiment, each mailbox is provided with one de/encryption key and a transaction code for being used in one de/encryption-transaction process by using a software program contained in the first, second or third memory section. It is also possible to carry out both functions of the de/encryption key and the transaction code with one and the same key/code. This reduces the memory space requirement in each mailbox.
In a typical chip card according to the invention, there are e.g. in the order of 100 mailboxes. For each transaction, the external host computer of the service provider uses the contents of one mailbox to establish the connection (i.e. the transaction code) and to de/encrypt data (i.e. the key).
One or more of the mailboxes are provided with de/encryption keys and transaction codes identical to de/encryption keys and transaction codes held in a memory device having the same mailbox structure provided in an external host computer. The host computer randomly generates the de/encryption keys and transaction codes to be stored in each mailbox of the chip card as well as in the corresponding memory device (RAM, EEPROM, disk or the like), so that the contents of the mailbox of the chip card and the contents of the corresponding memory device in the host computer are exactly the same.
A de/encryption-transaction process between the external host computer and the chip card is only carried out after a comparison of transaction codes in a specific mailbox held in the memory device provided in the external host computer and in the corresponding mailbox in the first memory section carried out under control of a software program stored in the second or third memory section shows identity of the two transaction codes.
In order to e.g. access one's own bank account via an internet connection (through a chip card terminal on the user's side), the bank's host computer requests that the user's chip card send the transaction code of a certain mailbox in the chip card. If this transaction code matches the transaction code of the corresponding mailbox in the bank's host computer, the transaction may commence. Depending on the nature of the transaction (account information, money transfer to another account, etc.), the required information will be en/decrypted in such a manner that the respective keys in the mutual mailboxes can be used to de/encrypt the transmitted information.
In a preferred embodiment of the invention, the de/encryption-transaction process between the external host computer and the chip card utilizing a de/encryption key and a transaction code stored in first respective mailboxes is only carried out after the external host computer has delivered a transaction code from a second of its mailboxes to the chip card for comparison with the transaction code in the corresponding second mailbox of the chip card, and the comparison process executed under control of a software program stored in the second or third memory section shows identity of the two transaction codes.
In order to improve the security provided by the present invention even further, the actual transaction will thus only be carried out when the service provider's host - in advance or after the chip card has done so - provides the (partial) contents of one mailbox that can be compared to the corresponding contents of the respective mailbox of the chip card. The actual transaction will then be carried out using the de/encryption key and transaction code of another mailbox.
When all the mailboxes in the chip card have been used, the service provider's host computer can create a new set of de/encryption keys and transaction codes and transfer these into the mailboxes in the chip card (and its own memory device) via the network (in an encrypted format) or by a terminal provided in the service provider's premises. The transfer of the de/encryption keys and transaction codes into the mailbox of the chip card may be secured by a separate (e.g. the last available) decryption key and transaction code that will be used once all others have been used. This last mailbox may also contain an automatic request command to be sent to the service provider's host computer to refill all the mailboxes with new de/encryption keys and transaction codes.
In a preferred embodiment of the invention, there are only a very restricted number of mailboxes, e.g. 2 or 3. This approach is especially useful for low-cost chip cards or in a wireless transfer environment (like digital mobile telephony), where wire tapping is virtually impossible or at least very unlikely. Here, the service provider's host computer requests to be provided with the transaction code in a first mailbox of the chip card. In response thereto, the chip card requests to see the transaction code in the second mailbox in the host computer's second memory in order to compare it with the transaction code in the second mailbox in its own memory. If these two transaction codes match, the chip card will send out the transaction code of the first mailbox as initially requested by the host computer. If these two transaction codes also match, the transaction itself (money transfer to the chip card or the like) will take place by using the de/encryption key of the second mailbox. Now, all mailboxes are used. Therefore, the host computer will, at the end of or during the transaction, additionally submit new de/encryption keys and transaction codes.
To submit the "refill data" (de/encryption keys and transaction codes), the host computer can either use the same de/encryption key as the one used for the transaction or use the de/encryption key of the first mailbox.
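The two-mailbox exchange and the subsequent refill described in the preceding paragraphs, modelled on both sides as an added example (this is not code from the patent). Assumptions: keys and transaction codes are random byte strings generated by the host, the cipher is a SHA-256 keystream standing in for the DES/RSA the text mentions, and the wire format of the refill (key || transaction code per mailbox) is constructed here.

```python
"""Two-mailbox transaction-code exchange between host and chip card.

Protocol as described on this page: (1) the host asks for the card's
mailbox-1 transaction code; (2) the card first demands the host's mailbox-2
code and compares it with its own copy; (3) if equal, the card releases its
mailbox-1 code; (4) the host compares, then runs the transaction under the
mailbox-2 key; (5) the host refills both mailboxes with fresh material.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

KEY_LEN, TAN_LEN = 16, 8  # sizes are assumptions, not taken from the patent


@dataclass
class Mailbox:
    key: bytes  # de/encryption key
    tan: bytes  # transaction code


def new_mailboxes(n):
    """Host-side random generation of a fresh mailbox set."""
    return [Mailbox(secrets.token_bytes(KEY_LEN), secrets.token_bytes(TAN_LEN))
            for _ in range(n)]


def xor_stream(key, data):
    """Stand-in symmetric cipher: SHA-256(key || counter) keystream XORed
    with the data. Symmetric, so the same call decrypts. Not the patent's
    algorithm (which names DES or RSA); chosen only to keep the example
    self-contained."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def serialize(mailboxes):
    return b"".join(m.key + m.tan for m in mailboxes)


def deserialize(blob):
    step = KEY_LEN + TAN_LEN
    return [Mailbox(blob[i:i + KEY_LEN], blob[i + KEY_LEN:i + step])
            for i in range(0, len(blob), step)]


class Card:
    """Chip card holding a copy of the host's mailbox table."""

    def __init__(self, mailboxes):
        self.mailboxes = list(mailboxes)
        self.last_message = None

    def answer_tan_request(self, host_mailbox2_tan):
        """Step 2/3: release mailbox-1 code only after the host proved it
        holds the mailbox-2 code. Constant-time compare avoids leaking how
        many bytes matched."""
        if not hmac.compare_digest(host_mailbox2_tan, self.mailboxes[1].tan):
            return None
        return self.mailboxes[0].tan

    def receive(self, ciphertext):
        """Step 4: decrypt the transaction payload with the mailbox-2 key."""
        self.last_message = xor_stream(self.mailboxes[1].key, ciphertext)

    def refill(self, ciphertext):
        """Step 5: install fresh mailboxes sent under the transaction key."""
        self.mailboxes = deserialize(xor_stream(self.mailboxes[1].key, ciphertext))


class Host:
    """Service provider's host computer with its own mailbox memory device."""

    def __init__(self, n=2):
        self.mailboxes = new_mailboxes(n)

    def issue_card(self):
        """Personalise a card with an exact copy of the host's mailboxes."""
        return Card([Mailbox(m.key, m.tan) for m in self.mailboxes])

    def transact(self, card, message):
        """Run one complete transaction; returns True on success."""
        # Step 1 + 2: request mailbox-1 code, delivering our mailbox-2 code.
        card_tan = card.answer_tan_request(self.mailboxes[1].tan)
        if card_tan is None or not hmac.compare_digest(card_tan, self.mailboxes[0].tan):
            return False
        # Step 4: both mailboxes are now consumed; transaction under key 2.
        card.receive(xor_stream(self.mailboxes[1].key, message))
        # Step 5: refill card and host with identical fresh material.
        fresh = new_mailboxes(len(self.mailboxes))
        card.refill(xor_stream(self.mailboxes[1].key, serialize(fresh)))
        self.mailboxes = fresh
        return True


if __name__ == "__main__":
    host = Host()
    card = host.issue_card()
    print("transaction ok:", host.transact(card, b"CREDIT 100"))
    print("card received:", card.last_message)
    print("stranger ok:", host.transact(Host().issue_card(), b"CREDIT 1"))
```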
Short description of the drawing
The only drawing shows a schematic drawing of a chip card according to the invention mounted in an end user device (like a mobile telephone) communicating with one or more host computers of various service providers.
Detailed description of the embodiments of the invention
A chip card 10 for carrying out secure transactions is provided in a handheld mobile telephone or a so-called intelligent telephone connected to the fixed telephone network, e.g. the internet. The telephone - as far as its structure is relevant for the present invention - is conventional and therefore not further described here.
The chip card 10 comprises a processor unit μP connected to a bus system. A memory RAM/EEPROM provided in the chip card 10 is connected to the bus system and contains software and data to carry out transactions between the chip card and an external host computer (service provider 1 .. n) via an input/output interface (input/output) also connected to the processor unit μP (via the bus system).
The software in the memory RAM/EEPROM contains an operating system to perform the basic functions: reading/writing data from/to the memory sections in the chip card, de/encrypting data received/sent via the input/output interface (input/output) or between various sections of the memory as described in more detail hereinunder, etc. Another part of the memory provided in the chip card 10 is divided into several sections (A, B, C). These three sections are EEPROMs to allow for versatile reading/permanent writing/overwriting of programs or data in these sections. The size of each of the sections is defined and controlled by the software.
A main distinction between the three memory sections is the way they can be accessed. So that a user or external host computer need not know the actual physical memory structure of these three sections, the access via the input/output interface to each of the memory sections (A, B, C ...) is controlled by the software. Therefore, a command to read or write a certain number of bytes into a certain memory section is implemented as follows: CommandType, Source, Destination, # Bytes; with CommandType {Read, Write}, Source {I/O, Section1, Section2, Section3}, Destination {I/O, Section1, Section2, Section3}, and # Bytes {1 ... FFFFh}. Such a command received by the operating system of the processor unit via the input/output interface is then translated into the respective read/write commands to access the respective memory section with the correct physical address. Moreover, the operating system maintains tables of contents for each of the memory sections in order to allocate and identify the appropriate physical memory location(s) for the contents to be read or written.
The first section of the memory (A) is accessible via the input/output interface by the processor unit (μP) or the external source without any restrictions in order to read/write a software program or data from/to the first section of the memory.
In comparison to the first section, the data in the second section of the memory can only be accessed by a restricted set of transfer commands. More specifically, it is only possible to write a software program or data from the first section to the second section of the memory upon a command entered by a user of the chip card via the input/output interface. To achieve this, the operating system checks whether the Destination argument in the command described above is "B". If this is the case, Sources other than A or I/O are prohibited. This ensures that e.g. a user can only directly enter simple commands rather than execute complex transfer procedures by which a program could be entered and executed. Hence, a user or an unauthorized person cannot write directly into the second memory section. In this second memory section, however, de/encryption software provided by a certain service provider in the first memory section can be stored under the control (by a simple transfer command) of the user. Thus, the user can decide whether he/she wants to make use of the services provided by a certain service provider by transferring (or not) the software program provided by the service provider in the first memory section.
The third section of the memory C can only be accessed in an even more restricted manner. More precisely, it is only possible to write a software program or data from the first section A or the second section B to the third section of the memory C upon a command entered by an external source via the input/output interface (I/O). This allows the software program provided by an external service provider to use memory space that cannot be monitored by others.
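The command format and the per-section access rules just described, modelled as an added example (not the patent's own software). Assumptions: the operating system knows whether a command was entered by the user or by the external source (the text distinguishes the two but does not say how), the password path into section C is left out, and copying section B or C back into A is refused because it would undo the partitioning (the text does not address this case).

```python
"""Toy model of the three-section memory behind the command
(CommandType, Source, Destination, # Bytes) described on this page."""
from enum import Enum


class Cmd(Enum):
    READ = "Read"
    WRITE = "Write"


class Loc(Enum):
    IO = "I/O"
    A = "Section1"  # first section: unrestricted read/write via I/O
    B = "Section2"  # second section: filled from A (or I/O) on a user command
    C = "Section3"  # third section: filled from A or B on an external-source command


USER, HOST = "user", "host"  # who entered the command (assumed known to the OS)


def authorized(cmd, source, dest, principal):
    """Decide whether the operating system carries out a transfer command.

    Destination B accepts only A or I/O as source and only on a user command;
    destination C accepts only A or B as source and only on an external-source
    command; section A is open to everyone via I/O. Reading B or C out to I/O
    is refused (the password path into C is not modelled), as is moving B or C
    into A (assumption: that would defeat the partitioning).
    """
    if cmd is Cmd.WRITE:
        if dest is Loc.A:
            return source is Loc.IO
        if dest is Loc.B:
            return source in (Loc.A, Loc.IO) and principal == USER
        if dest is Loc.C:
            return source in (Loc.A, Loc.B) and principal == HOST
        return False
    if cmd is Cmd.READ:
        return dest is Loc.IO and source is Loc.A
    return False


class ChipCard:
    """Three EEPROM sections reachable only through one command interface."""

    def __init__(self):
        self.sections = {Loc.A: b"", Loc.B: b"", Loc.C: b""}
        self.denied = []  # audit trail of refused commands

    def execute(self, cmd, source, dest, n_bytes, principal, payload=b""):
        """Run one command. Returns the bytes read (READ to I/O), the number
        of bytes written (WRITE into a section) or None when refused."""
        if not 1 <= n_bytes <= 0xFFFF:
            raise ValueError("# Bytes must lie in 1 ... FFFFh")
        if not authorized(cmd, source, dest, principal):
            self.denied.append((cmd.value, source.value, dest.value, principal))
            return None
        data = payload if source is Loc.IO else self.sections[source]
        data = data[:n_bytes]
        if dest is Loc.IO:
            return data
        self.sections[dest] = data  # the OS resolves the physical address
        return len(data)


def demo():
    """Walk a provider's program from A to B (user opts in) and on to C (host)."""
    card = ChipCard()
    program = b"ENCRYPTED-PROVIDER-PROGRAM"  # constructed sample payload
    card.execute(Cmd.WRITE, Loc.IO, Loc.A, len(program), HOST, program)   # host fills A
    host_to_b = card.execute(Cmd.WRITE, Loc.A, Loc.B, len(program), HOST)  # refused
    user_to_b = card.execute(Cmd.WRITE, Loc.A, Loc.B, len(program), USER)  # user opts in
    user_to_c = card.execute(Cmd.WRITE, Loc.B, Loc.C, len(program), USER)  # refused
    host_to_c = card.execute(Cmd.WRITE, Loc.B, Loc.C, len(program), HOST)  # host locks it in C
    user_read_c = card.execute(Cmd.READ, Loc.C, Loc.IO, 8, USER)           # refused
    return {
        "host_to_b": host_to_b, "user_to_b": user_to_b, "user_to_c": user_to_c,
        "host_to_c": host_to_c, "user_read_c": user_read_c,
        "section_c": card.sections[Loc.C], "denied": len(card.denied),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```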
For one application, the first section of memory is divided into a predefined number of mailboxes. In this embodiment, the first section is divided into a matrix of n*m, the size of each mailbox being defined by the external source or by the software. Although it is convenient to have all of the mailboxes of the same size, this is not a prerequisite. Rather, the size of each of the mailboxes and their total number can be changed dynamically by changing the pointers to the beginning or the end of the memory area defining a certain mailbox. This is carried out under control of the operating software.
The mailboxes in the first memory section are prepared for holding one or more de/encryption keys, transaction codes, immediately executable or encrypted software programs or data. To allow for this, the size of the mailboxes must be adapted accordingly by setting the pointers appropriately.
Encrypted software programs or data contained in a mailbox in the first section are decrypted and transferred into the second memory section under control of the host computer of the external service provider. To prevent any unauthorized person from learning the de/encryption key used to perform this step, this key should not be stored as such in one of the mailboxes of the first memory section. Rather, this key should have been part of a software program transferred from a mailbox in the first memory section to the second memory section in a previous transfer step.
Alternatively, the encrypted software programs or data contained in a mailbox in the first memory section can also be transferred and decrypted into the second section under a control command entered by the user via the input/output interface.
However, encrypted software programs or data contained in a mailbox in the first memory section are transferred and decrypted into the third memory section only under control of the external source.
In the embodiment shown, each mailbox is provided with one de/encryption key and a transaction code, for being used in one de/encryption-transaction process by using a software program contained in the first, second or third memory section.
The mailboxes are provided with de/encryption keys (PINs) and transaction codes (TANs) being identical to de/encryption keys and transaction codes held in a memory device having the same mailbox structure provided in an external host computer of the respective service provider.
According to the invention, a de/encryption-transaction process between the external host computer of the service provider and the chip card is only carried out after a comparison of transaction codes in a specific mailbox held in the memory device provided in the external host computer and in the corresponding mailbox in the first memory section, carried out under control of a software program stored in the second or third memory section, shows identity of the two transaction codes. Similarly, a de/encryption-transaction process between the external host computer and the chip card utilizing a de/encryption key and a transaction code stored in first respective mailboxes is only carried out after the external host computer has delivered a transaction code from a second of its mailboxes to the chip card for comparison with the transaction code in the corresponding second mailbox of the chip card, and the comparison process executed under control of a software program stored in the second or third memory section shows identity of the two transaction codes.
Another application is a product or ware tag containing the chip card according to the invention, in which all persons or entities that produce, wrap, pack, transport, handle, sell, buy, store, distribute, or resell the product can write information into certain areas of the mailboxes. An important aspect, however, is the fact that the writer of the information can decide which portions of the information can be accessed (read) and/or changed (deleted, overwritten) by all or some subsequent persons or entities coming into contact with the respective product. The following example shows the versatility and usefulness of the invention in this field:
A chip card according to the invention is attached to the cardboard box containing an electronic product like a video cassette recorder (VCR) at the end of the manufacturing process. The manufacturer puts the product name, product number, production date, revision level etc. into a mailbox in the first memory section of the chip card in an unencrypted format. This data may be read by every person subsequently coming into contact with this product. Additionally, the manufacturer puts the name of the first person (dealer) and the price of this product charged by the manufacturer to this dealer into the first section of the memory in an unencrypted format. Subsequently, a command is entered by the manufacturer via the input/output interface of the chip card to write this data (the name of the dealer and the price of this product charged by the manufacturer to this dealer) from the first section to the second section of the memory. This portion of the data can be read by the dealer only, since only the dealer has knowledge of the de/encryption key.
This first dealer writes - in the same way as the manufacturer - additional data (price charged by the first dealer to the retail dealer, next receiver, date of shipment etc.) into the memory that can only be read by the subsequent receiver (retail dealer). However, this retail dealer, as well as the first dealer, can also read the contents of the mailbox in the first memory section of the chip card in unencrypted format.
This (vertical) chain of dealers can be longer, whereby each member in the chain can hide his predecessors from the subsequent members by sharing the key to this data only with his immediate successor. In the same way, the price for which a dealer at a certain level in the chain bought the product from his predecessor is not accessible to subsequent members of the chain.
In case the cardboard box does not contain only one but several products, the number of these products is also stored in the chip card. The number is stored in such a manner that it can be overwritten by a new number each time one or more items are taken out of the container by a person who is authorized - i.e. has the access key - to change the number.

Claims

1. A chip card for carrying out secure transactions, comprising
- a processor unit adapted to communicate with a memory provided in said chip card and containing software and data to carry out transactions between said chip card and an external computer via an input/output interface provided in said chip card, wherein
- said memory is divided into several sections, the size of each of said sections being defined and controlled by said software,
- the access via said input/output interface to each of said memory sections being controlled by said software,
- a first section of said memory being accessible via said input/output interface by said processor unit or said external source without any restrictions in order to read/write a software program or data from/to said first section of said memory,
- a second section of said memory being provided to write a software program or data from said first section to said second section of said memory upon a command entered by a user of said chip card via said input/output interface,
- a third section of said memory being provided to write a software program or data from said first section or said second section to said third section of said memory upon a command entered by an external source via said input/output interface.
2. The chip card for carrying out secure transactions, according to claim 1, wherein
- the first section of memory is divided into a predefined number of mailboxes, the size of each mailbox being defined by the external source or by said software.
3. The chip card for carrying out secure transactions, according to claim 2, wherein
- said mailboxes are prepared for holding one or more de/encryption keys, transaction codes, immediately executable or encrypted software programs or data.
4. The chip card for carrying out secure transactions, according to claim 3, wherein
- encrypted software programs or data contained in a mailbox in said first section is transferred and decrypted into said second memory section under control of said external source.
5. The chip card for carrying out secure transactions, according to claim 3, wherein
- encrypted software programs or data contained in a mailbox in said first memory section is transferred and decrypted into said second section under control of said user.
6. The chip card for carrying out secure transactions, according to claim 3, wherein
- encrypted software programs or data contained in a mailbox in said first section are transferred and decrypted into said third section under control of said external source.
7. The chip card for carrying out secure transactions, according to claim 3, wherein
- each mailbox is provided with one de/encryption key and a transaction code, for being used in one de/encryption-transaction process by using a software program contained in said first, second or third memory section.
8. The chip card for carrying out secure transactions, according to claim 7, wherein
- one or more of said mailboxes are provided with de/encryption keys and transaction codes being identical to de/encryption keys and transaction codes held in a memory device having the same mailbox structure provided in an external host computer.
9. The chip card for carrying out secure transactions, according to claims 7 and 8, wherein
- a de/encryption-transaction process between the external host computer and the chip card is only carried out after a comparison of transaction codes in a specific mailbox held in the memory device provided in the external host computer and in the corresponding mailbox in said first memory section carried out under control of a software program stored in said second or third memory section shows identity of the two transaction codes.
10. The chip card for carrying out secure transactions, according to claim 9, wherein
- a de/encryption-transaction process between the external host computer and the chip card utilizing a de/encryption key and a transaction code stored in first respective mailboxes, is only carried out after the external host computer has delivered a transaction code from a second of its mailboxes to the chip card for comparison with the transaction code in the corresponding second mailbox of the chip card, and the comparison process executed under control of a software program stored in said second or third memory section shows identity of the two transaction codes.
PCT/EP1999/007991 1999-10-21 1999-10-21 Improved chip card and method for interacting with same Ceased WO2001029791A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP1999/007991 WO2001029791A1 (en) 1999-10-21 1999-10-21 Improved chip card and method for interacting with same

Publications (1)

Publication Number Publication Date
WO2001029791A1 true WO2001029791A1 (en) 2001-04-26

Family

ID=8167471

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP1999/007991 Ceased WO2001029791A1 (en) 1999-10-21 1999-10-21 Improved chip card and method for interacting with same

Country Status (1)

Country Link
WO (1) WO2001029791A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4211919A (en) * 1977-08-26 1980-07-08 Compagnie Internationale Pour L'informatique Portable data carrier including a microprocessor
EP0193635A1 (en) * 1985-03-07 1986-09-10 Omron Tateisi Electronics Co. IC card system
US5682027A (en) * 1992-10-26 1997-10-28 Intellect Australia Pty Ltd. System and method for performing transactions and a portable intelligent device therefore
US5963980A (en) * 1993-12-07 1999-10-05 Gemplus Card International Microprocessor-based memory card that limits memory accesses by application programs and method of operation

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3387882B2 (en) 2000-03-01 2003-03-17 荒川化学工業株式会社 Silane-modified polyamideimide resin, resin composition thereof and production method thereof.
JP2003140972A (en) * 2001-11-08 2003-05-16 Nec Corp Program execute device, program executing method, portable terminal using it and information providing system
EP1311134A3 (en) * 2001-11-08 2003-11-05 Nec Corporation Program executing method in service system and program executing apparatus for the same
US7228435B2 (en) 2001-11-08 2007-06-05 Nec Corporation Program executing method in service system and program executing apparatus for the same
EP1744251A4 (en) * 2004-04-01 2010-04-14 Toshiba Kk Log in system and method
WO2006038103A1 (en) * 2004-10-09 2006-04-13 Axalto S.A System and method for post-issuance code update employing embedded native code.
WO2006066604A1 (en) * 2004-12-22 2006-06-29 Telecom Italia S.P.A. Method and system for access control and data protection in digital memories, related digital memory and computer program product therefor
US8789195B2 (en) 2004-12-22 2014-07-22 Telecom Italia S.P.A. Method and system for access control and data protection in digital memories, related digital memory and computer program product therefor
CN101896885B (en) * 2007-12-13 2013-05-29 汤姆森许可贸易公司 Copy Protection Software Cartridge
WO2009074686A3 (en) * 2007-12-13 2009-12-10 Thomson Licensing Copy-protected software cartridge
CN101896885A (en) * 2007-12-13 2010-11-24 汤姆森许可贸易公司 Copy-protected software cartridge
EP2083355A1 (en) * 2008-01-25 2009-07-29 THOMSON Licensing Copy-protected software cartridge
DE102008051869B4 (en) * 2008-10-16 2014-05-15 Vodafone Holding Gmbh Chip card with implemented instruction set
DE102008051869A1 (en) * 2008-10-16 2010-04-29 Vodafone Holding Gmbh Chip card e.g. subscriber identity module card, for portable radio telephone in cellular digital mobile radio network, has access restriction module restricting access to instruction set that is stored in memory

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): JP KR US

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
122 Ep: pct application non-entry in european phase