+

WO2002001522A1 - Clavier d'ordinateur pour transactions securisees dans un reseau de communications - Google Patents

Clavier d'ordinateur pour transactions securisees dans un reseau de communications Download PDF

Info

Publication number
WO2002001522A1
WO2002001522A1 PCT/IB2001/000896 IB0100896W WO0201522A1 WO 2002001522 A1 WO2002001522 A1 WO 2002001522A1 IB 0100896 W IB0100896 W IB 0100896W WO 0201522 A1 WO0201522 A1 WO 0201522A1
Authority
WO
WIPO (PCT)
Prior art keywords
keyboard unit
keyboard
software
icc
application
Prior art date
Application number
PCT/IB2001/000896
Other languages
English (en)
Inventor
Hervé Hillion
Original Assignee
Covadis S.A.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from EP00810556A external-priority patent/EP1168265A1/fr
Application filed by Covadis S.A. filed Critical Covadis S.A.
Priority to AU2001256591A priority Critical patent/AU2001256591A1/en
Priority to AU74394/01A priority patent/AU7439401A/en
Priority to PCT/IB2001/001120 priority patent/WO2002001520A1/fr
Publication of WO2002001522A1 publication Critical patent/WO2002001522A1/fr

Links

Classifications

    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1008Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82Protecting input, output or interconnection devices
    • G06F21/83Protecting input, output or interconnection devices input devices, e.g. keyboards, mice or controllers thereof
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/18Payment architectures involving self-service terminals [SST], vending machines, kiosks or multimedia terminals
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/341Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/0873Details of the card reader
    • G07F7/088Details of the card reader the card reader being part of the point of sale [POS] terminal or electronic cash register [ECR] itself
    • G07F7/0886Details of the card reader the card reader being part of the point of sale [POS] terminal or electronic cash register [ECR] itself the card reader being portable for interacting with a POS or ECR in realizing a payment transaction
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1025Identification of user by a PIN code
    • G07F7/1058PIN is checked locally
    • G07F7/1066PIN data being compared to data on card

Definitions

  • This invention relates to a computer keyboard for connection to a locally connected computer and which is also specially designed for user ID with or without a smartcard, in particular for carrying out secure transactions in a communications network, in particular in conjunction with operations like e-commerce, e-banking, e- tax and e-mail using the Internet.
  • the invention is applicable inter alia to secure transactions in a communications network like the Internet wherein encrypted data is communicated between a card issuer system, merchant site applications and a banking system using a protocol such as the Secure Electronic Transaction (SET) .
  • SET Secure Electronic Transaction
  • EP 0587375 describes a device, which is a security unit connected between a PC and its keyboard, the PC storing several programs which allow it to be operated in a transparent mode or a special handling mode, i.e. with encryption/decryption or computation of a message authentication code.
  • This device aims to avoid duplication of keyboards/displays . It is designed to act as an access- limiting key and is not adapted for carrying out transactions like purchases using merchant site applications using secure protocols like SET.
  • US patents 5,920,730 and 6,056,193 relate to computer keyboard units incorporating a card-reader interface, having control circuitry whereby key codes generated by actuating keys are either passed directly to a host computer, or to the card-reader interface so a PIN can be directed to an inserted smartcard without the PIN passing out of the keyboard unit.
  • US patent 6, 056, 193 ' s computer keyboard with integral card reader also aims is to retain the PIN in the keyboard for security purposes .
  • This keyboard is also not designed for and is not capable of carrying out secure transactions on the internet. Its purpose is the opposite, to keep the PIN within the keyboard.
  • No PIN encryption is contemplated, only the transmission of encryption keys and other types of personal data. Again, if the device were connected to the internet, security would be corrupted by accessing the PIN through the PC ' s Bios .
  • channel security schemes such as secure HTTP (S-HTTP) and the Secure Socket Layer (SSL) protocol are intended to create confidence between two communicating parties.
  • S-HTTP uses digitally signed messages with a heavy encryption key to ensure security and authentication.
  • SSL utilizes digitally signed certificates to provide authentication and security by heavily encrypting the messages .
  • This channel security technology makes confidential transmitted information, but it does not protect the merchant and the bank involved in a transaction against "true-false" card numbers, nor does it protect the customer against the abuse of their personal data, and it does not allow the bank to guarantee payments to merchants .
  • Multi-party protocols have also been proposed for credit transactions, like Secure Transport Technology
  • SEPP Payment Protocol
  • the SET protocol is designed on a hierarchy of trust for the management and verification of SET certificates by certificate authorities, notably between a Cardholder Certificate Authority (who issue cards to cardholders) , a Merchant Certificate Authority (who issue certificates to merchants) and a Payment Gateway Certificate Authority, controlling a SET Payment Gateway.
  • the SET protocol is based on the exchange of digital certificates to provide a banking guarantee. SET prevents fraudulent use of payment card numbers, and prevents the interception of confidential information by a third party.
  • Chip Card-SET Chip Card-SET
  • WO 98/4965 describes an Internet payment system using a stored-value card, which generally describes the encryption protocols for transactions with a merchant server and a payment server.
  • Card readers for accepting so-called smart cards are also known.
  • These card readers typically consist of a discrete device that complements the usual computer keyboard and comprises a dedicated keypad, a display for displaying messages related to a secure transaction in progress, a microprocessor and a memory.
  • WO 98/07255 describes a transportable authentication communication device with a compact housing possibly serving as a card reader, having a key-pad for entering a PIN and a display.
  • the transportable device incorporates a cryptographic module containing all of the necessary circuitry for encryption and authentication as well as a modem.
  • UK-A-2274523 describes a portable electronic fund transfer device with keyboard and display, a magnetic swipe card reader and a DTMF circuit .
  • US 5,336,870 describes a payment terminal with a magnetic card reader, a display, a modem and encryption means, connected to a host computer for managing payments.
  • Such known ICC card readers intended for security transactions in a communications network like the Internet employ separate dedicated card readers.
  • the known security devices associated with computer keyboards are insufficient for secure transactions in a communications network like the Internet.
  • An object of the invention is to provide a computer keyboard for connection to a locally connected computer provided with an integrated security device for user ID with or without a smartcard, in particular for carrying out secure transactions over a communications network such as the Internet, providing full security for the user and which can be used with different applications and for many different secure transactions, for example in conjunction with operations like e-commerce, e-banking, e-tax, e-mail, telecommunications and restricted access systems .
  • the computer keyboard unit according to the invention comprises a set of keys forming a keyboard matrix associated with means for producing normalised key codes for communication with a basic input output system (Bios) of a locally connected computer.
  • Bios basic input output system
  • ICC integrated circuit card
  • the keyboard matrix is selectively connectable between a normal operation mode for communicating keycodes to the Bios of a locally connected computer, and a secure transaction mode for carrying out secure transactions with or without an ICC inserted in the ICC interface.
  • the keyboard matrix is connected to the microprocessor which performs data encryption including encryption of a keyed-in identification code, and transmits encrypted data including the encrypted identification code to a communications network.
  • the keyboard unit's microprocessor and ICC interface are inaccessible through the Bios of a connected computer, providing full security for internet transactions .
  • the inventive keyboard unit preferably further comprises a secure display incorporated in the keyboard unit for displaying details of a secure transaction in progress, this secure display also being inaccessible through the Bios of a connected computer. Additionally, the keyboard unit can comprises means, typically a LED, for indicating when the keyboard matrix is connected in the secure transaction mode.
  • the keyboard microprocessor authenticates and encrypts a keyed-in identification code.
  • the keyboard's microprocessor includes or is associated with a memory arranged to store downloadable software that manages applications for secure transactions .
  • the keyboard unit's memory (hereinafter exemplified as a non-volatile E PROM) is arranged to store software in three shells, a boot shell, a system shell and an application shell, wherein the boot shell contains non-downloadable ground software that manages boot operation and software download into the system shell and the application shell .
  • the keyboard unit is associated with software downloadable into or downloaded in a non-volatile memory, namely system shell software containing operating system software that manages the application shell, an ASN library and an encryption/decryption toolbox and optionally a card manager; and application shell software containing software that manages applications for secure transactions .
  • the downloadable application shell software comprises an application that, when the software is downloaded into the non-volatile memory and the keyboard unit is connected to the communications network, is arranged to perform a code encryption operation internally of the device when a user keys in an identification code to perform a secure transaction.
  • This identification code may for example be a PAN or PIN code whose entry constitutes a necessary step for transaction acceptance.
  • This application is so arranged that, when the software is downloaded into the non-volatile memory and the device is connected to the communications network, it encrypts within the keyboard unit's microprocessor a user identification code keyed in via the keyboard matrix and outputs the encrypted identification code, without the keyed-in code being accessible through the Bios of a connected computer.
  • the unencrypted identification code is firstly momentaneously stored in a non-readable part of the RAM, inaccessible from the network.
  • the momentaneously-stored keyed-in identification code is encrypted (the entire encryption usually being carried out by means of the downloaded encryption toolbox) then erased from the RAM soon after encryption.
  • the encrypted identification code is then output from within the device to the communications network, for example in response to the user entering an acceptance code. This enables acceptance of a secure transaction by the user keying in a PAN and/or a PAN or PIN code, without the unencrypted PAN and/or PIN code ever being accessible from the communications network.
  • the keyboard unit according to the invention is a veritable lock allowing a security check on a secret code (for example a PAN code associated with a magnetic card or a smart card, or a PIN code associated with a smart card) , without any transmission of the unencrypted secret code to the communication network, e.g. via the CPU of a personal computer connected to the Internet and to which the keyboard unit is connected.
  • a secret code for example a PAN code associated with a magnetic card or a smart card, or a PIN code associated with a smart card
  • the encryption signature is generated within the keyboard unit, and the PAN and/or PIN is/are encrypted within the keyboard unit.
  • the transaction on the network is protected by a protocol such as SET, the transaction can be signed also by the keyboard unit.
  • the SET issuer is able to authenticate the keyboard unit, and the issuer has insurance on the security level. It is possible but however not necessary to manage the SET certificates inside the keyboard unit.
  • a large amount of memory can be made available in the keyboard unit (say 8 Mbits) , so many applications can be installed.
  • the keyboard unit is the speed of the transaction due to the DSP processor used. This performance allows a high level of protection of data transferred from or to the network (typically via a connected PC) by undertaking huge calculations for data encryption or decryption.
  • the keyboard unit is able to encrypt data by using an RSA public key of 1024 bits with its full exponent in less than 5 s.
  • the DSP processor is able to provide virtual emulation, in real time, of functions such as that of a modem or more generally of networks interface functions, making use of the downloaded software. Consequently, the keyboard unit according to the invention dispenses with the need to incorporate a modem or other interface hardware to perform such functions .
  • the keyboard unit is advantageously used in connection with an ICC to perform secure transactions on a communications network, the unit enabling on-line card authentication.
  • the keyboard unit is arranged to enable card identification and acceptance on an ICC inserted in the ICC interface followed, if the card is accepted, by the above-described operations to establish transaction acceptance. At least a part of these card identification and acceptance operations and/or of said transaction acceptance operations can advantageously be performed using a processor incorporated in an ICC inserted in the device, as will be more fully described below.
  • the merchant is certified whereas the keyboard unit according to the invention operates in a closed security environment in which the keyboard unit provides certitude of authentication of the purchaser by electronic signature.
  • On-line authorization of the transaction provides a guarantee for the payment or other transaction. Control of the card signature takes place on line, not off line.
  • Bogus merchants/bogus cardholders are eliminated. There is no possibility of fraud, therefore no repudiation, no litigation with the cardholder and no chargebacks to be managed.
  • An important feature of the preferred keyboard unit is its ability to download system and application software and to use the downloaded software for performing the operations involved in establishing a secure transaction with the communications network. Particularly in the banking sector, there are frequent modifications liable to make software become obsolete rapidly.
  • the keyboard unit's downloading capability enables constant updating according to software developments, in particular new or upgraded applications can be downloaded into the device from a server or from a local computer application connectable to the communications network.
  • the keyboard unit's memory can comprise a buffer zone serving as a buffer memory for temporarily storing previously-loaded system and/or application software during a download operation, the memory being associated with means, responsive to a signal indicating interruption or failure of a download operation, for reloading system and/or application software stored in the buffer memory.
  • the keyboard unit of the invention is connectable to a personal computer via an USB connector.
  • the main set of keys of the keyboard unit may be used also during the secure transaction mode, or the keyboard unit can have a dedicated keypad (such as a standard numeric keypad) located alongside the keyboard unit's usual keys.
  • the keyboard unit advantageously incorporates its own display for the messages related to secure transactions, or the computer screen can be used for display. It will also have a slot for receiving an ICC, the keyboard thus also serving as a card reader.
  • the keyboard unit according to the invention is to be contrasted with the security unit of EP-A-0587375 which is connectable between the PC's CPU and its keyboard for selectively using or not using an encryption mode, also with the keyboard units of US patents 5,920,730 and 6,056,193 which are designed so a PIN does not pass out of the keyboard unit, and not for secure transactions in a communications network.
  • the invention's keyboard unit operates in two modes, a normal mode where generated key codes pass to the computer interace in the normal way (without encryption) and a PIN mode where the generated key codes are subjected to a PIN entry protocol and encryption.
  • Another aspect of the invention is a communications network in which encrypted data is exchanged between a card issuer system, merchant site applications, a payment gateway and a keyboard unit connected to a local computer, wherein the keyboard unit is connected to the communications network to form a terminal for carrying out secure transactions in the network, in particular transactions in which the card issuer system, merchant site applications, and payment gateway exchange electronic certificates according to a protocol such as SET.
  • the keyboard unit can provide particularly high security by combining security based on the ICC with the certificate principle embodied by SET and other protocols. Using the keyboard unit, there is no circulation of banking secrets or personal secrets on the Internet, only enciphered data.
  • the keyboard unit ' s downloading capability makes it particularly versatile in the context of security protocols like SET, because the unit can be constantly upgraded relative to a particular protocol, and can be upgraded by simple software download if a new specification like EMV or the "Bluetooth" standard comes into use.
  • the keyboard unit of the invention is advantageously used with an ICC insertable in the device for effecting a secure transaction in a communications network, but it can also be used for effecting secure transactions in a communications network without the insertion of an ICC in the keyboard unit. Examples of transactions without using an ICC are e-mail encryption, and operations where credit card data such as the credit card number and expiry data are keyed in by the user, possibly associated with providing other means of identification, as required. Even though the keyboard unit is provided with a card reader, it is possible to use the keyboard unit for secure transactions without inserting a card therein.
  • a keyboard unit and LCA combination which is configured to produce an encrypted digital signature derived from a private key associated with the keyboard unit, a user identification code, a private key associated with the keyboard unit's manufacturer, and a public key of the keyboard unit, and in particular is arranged to encrypt the public key of the keyboard unit before transmission to produce a transmittable digital signature containing no public key.
  • the keyboard unit and LCA combination can also be configured to receive and authenticate such digital signature.
  • the keyboard unit can be used in general for all secure transactions with a communications network, including credit card and debit card applications, virtual card transactions, as an e-purse (in particular for reloading e-purses at home), for health cards, e-trade, e- banking including home banking, e-mail security, secure access to personal data, secure dealings with public authorities including e-tax, e-voting including voting as company shareholder, telecommunications systems with fixed telephone sets and mobile telephones, restricted access systems including defense-related and private access systems, etc .
  • a communications network including credit card and debit card applications, virtual card transactions, as an e-purse (in particular for reloading e-purses at home), for health cards, e-trade, e- banking including home banking, e-mail security, secure access to personal data, secure dealings with public authorities including e-tax, e-voting including voting as company shareholder, telecommunications systems with fixed telephone sets and mobile telephones, restricted access systems including defense-related and private access systems
  • Fig. 1 is a diagram illustrating a keyboard unit according to the invention
  • Fig. 2 is an overview of a system for secure transactions over the Internet;
  • Fig. 3 illustrates the software architecture.
  • Fig. 4 is a diagram illustrating a sequence of operations involved in a secure transaction
  • Fig. 5 is a similar diagram illustrating a sequence of operations involved in a download operation
  • Fig. 6 is a block diagram showing sender functions using a keyboard unit to perfom a secure transaction with a digital signature
  • Fig. 7 is a block diagram showing receiver functions to authenticate the digital signature.
  • the device shown schematically in Fig. 1 is a computer keyboard unit 34 that has been designed to perform all card operations and the application processes that must be protected from the external world of the computer keyboard unit.
  • the computer keyboard unit 34 comprises a secure transactions module 30 comprising a card interface 32, a secure display 36 for displaying messages related to a secure transaction in progress, a DSP microprocessor 38 and a memory 40 comprising an E 2 PR0M and a RAM.
  • the keyboard unit 34 with display 36 constitutes a user interface.
  • the keyboard unit 34 further includes an USB interface 42 for connection of the module 30 to a personal computer 44 via an USB connector 46, see Fig. 2.
  • the reader hardware connects to the PC 44 as a high-speed bus-powered device on the USB bus.
  • the keyboard unit includes a wireless interface for connection to a network using for instance Bluetooth wireless technology, details of which are available at http://www.bluetooth.com.
  • the keyboard unit 34 includes standard keyboard matrix 33 and optionally a set of function keys 35 and ten digit keys 37 for keying in the digits 0 to 9 (see Fig. 2) .
  • the function keys 35 can for example include: a language key for switching the language of the displayed message; a conversion key for displaying currency conversions (e.g. FF and Euro) ; a cancellation key for interrupting the current transaction; a correction key for erasing the last pressed key (correction of the introduced PAN and/or PIN code) ; and a validation key for accepting the entered PAN and/or PIN code and to continue the payment process . Further functions can be included, as required.
  • the keys of the keyboard matrix 33 and optional keys 35,37 are associated with a standard keyboard control 39 for producing normalised key codes for communication with a basic input output system (Bios) 43 of a locally connected computer 44 which has its own PC display screen 47.
  • Bios basic input output system
  • a switch 41 is provided whereby the keyboard matrix 33 is selectively connectable between a normal operation mode for communicating keycodes via a keycode connection 42 to the Bios 43 of locally connected computer 44, and a secure transaction mode for carrying out secure transactions by means of the module 30, with or without an ICC inserted in the ICC interface 32.
  • the keyboard matrix 33 is connected to the microprocessor 38 which performs data encryption including encryption of a keyed-in user identification code, and transmits encrypted data including the encrypted identification code to the internet via the USB connection 46.
  • the secure transaction module 30 is entirely separated from the local computer's Bios 43 by means of the switch 41.
  • a LED 36' signals when the keyboard unit is in the secure transaction mode.
  • Secure display 36 displays details of a secure transaction being performed, entirely independently of the computer's main (unsecured) display 47.
  • the switch 41 For normal operation (no secure transaction) , the switch 41 connects the keyboard matrix 33 to the local computer's Bios 43, so the normalized keycodes output by keyboard control 39 control the computer's functions. During this phase, the keycodes entered in the Bios 43 are not secured from "attack”; however, this is of no consequence.
  • the module 30 with an inserted ICC 31 is connected to a computer 44 that uses an Internet browser application.
  • the computer 44 user can open a session on a merchant site 50 that offers a service or product, the purchase of which will be controlled using an exchange of electronic certificates with a merchant bank 52 and an issuer bank 54, using for example the SET protocol, as described in greater detail later.
  • the user By activating a service at the merchant site 50, the user starts a merchant site application MSA, also designated by reference 50. This operation can connect other Internet sites and start corresponding applications on many sites. One of these applications will send back to the user computer 44 a so-called “Wake-Up" request that will activate a specific application on the local computer
  • This application activates the module 30 and manages the transaction between module 30 and the remote Internet site.
  • the local application cancels the link to the module 30 and stops.
  • the remote site receives a positive or negative acknowledgment after the operation.
  • the module 30 and the local computer 44 represent the cardholder system, as defined in the SET standard.
  • ICC 31 and the issuer bank 54 are the issuer system.
  • the merchant site 50, its bank 52 and the associated payment gateway represent the acquirer system.
  • the module 30 has been designed to be used by any computer application, typically a personal computer 44.
  • the module 30 is activated using a dynamic-link library (DLL) stored in the computer 44 's hard disk, and calling the specified interface functions . As soon as these operations are done in a correct way, the module 30 performs the requested applications.
  • DLL dynamic-link library
  • Each application is independent and its software can be downloaded separately into memory 40 's E 2 PROM. This modular implementation allows the module software to be updated or even upgraded.
  • the module 30 is connected to the computer 44 through the USB cable 46.
  • the module 30 is identified by the local computer 44. If not, the operating system of the computer automatically starts an installation procedure, after which the module 30 is identified by the host.
  • the user by activating a merchant site 50 will download a Wake-Up request.
  • This input file activates a local application, called the Local Computer Application LCA that will manage the module 30 on the local computer 44 (the reference 44 is hereinafter used also for the LCA) .
  • This LCA 44 is linked to the module 30 by a Dynamic-Link Library (DLL) that will transmit the LCA requests to the module.
  • DLL Dynamic-Link Library
  • the LCA 44 also formalizes the reader responses and sends them to the payment gateway through the MSA 50.
  • the payment gateway (of Merchant Bank 52) sends to the MSA 50 and to the LCA 44 a positive or negative acknowledge message.
  • the LCA 44 stops the module 30 and exits. In case this message does not come, a timeout is activated in the LCA 44 which stops the module 30 and the local application after having displayed an error message.
  • the merchant site 50 corresponds to a web address that is usually described by a URL address, whereat a set of products can be bought.
  • the products to be purchased can be selected by adding them to a basket.
  • the purchaser can prepare a purchase command and select the payment support (SSL credit card operation, card operation with a virtual wallet, etc.) .
  • the module 30 is protected from being attacked from external entities by the following features .
  • a specific application can be provided for transparent commands from the local computer 44 to " the ICC 31 based on the PC/SC specifications.
  • no transparent command for the ICC 31 is allowed between the computer 44 and the module 30 once a secure transaction has been initiated.
  • Confidential information like the PAN and/or PIN code is always encrypted before being sent to the computer 44 and vice-versa.
  • the sensitive code lines are scrambled before being written in the module 30 's E 2 PROM.
  • Security is based on cryptogram algorithms: the higher the calculation performance, the higher the security level. However, a practical restriction on the cryptogram calculations comes from the real time operations. A calculation duration over a dozen seconds is unacceptable for the user. With the described module, encryption calculations can be performed in under 5 seconds .
  • the SET protocol is advantageously chosen for the data management in order to match security requirements.
  • Management of the SET protocol requires hardware and software with the following capabilities.
  • a large memory space for the I/O buffers larger than 4 kBytes in standard use, and extendible to say 64 kBytes for special cases.
  • a flexible management of the I/O buffers is necessary, because all data could have various lengths.
  • the I/O structure of the data should be managed in the heap of the module's RAM, which should be larger than 4 kBytes.
  • a DSP of type TMS320UVC5402 available from Texas Instruments can be used.
  • Message Authentication Code can use up to 2048 bits of RSA coding (Rivest-Shamir-Adleman algorithm) with generation of private keys.
  • RSA coding Raster-Shamir-Adleman algorithm
  • a hash coding process of the signature can be provided.
  • the module 30 is relatively low-cost, by using a low-cost DSP and E 2 PROM, and is robust and easy to install. It is not possible for the user to erase essential data by performing a wrong manipulation. Moreover, as mentioned previously there is no need for the module 30 to include a modem or other interface hardware, because the interface operations can all be carried out in real time by virtual emulation, using the DSP 38 and downloaded software.
  • the module 30 is accordingly designed with a download capability. Only basic essential software remains in the module 30. The drivers (for card 31, keyboard matrix 33, etc.), the libraries (ASN.l messages, etc.) the system shell and all the applications are downloadable. This requires the following capabilities. A large reserve of E 2 PROM memory is provided for allowing the old version of the downloaded software to be buffered. In case of an interruption of the download operation, a restart will reinstall the old version. The download function should be triggered by an external application through the LCA 44 or by a user request. Moreover, the software must be controlled before being written in the memory.
  • the module 30 is associated with a DLL to provide an API to the user application, and a USB driver for the DLL to communicate with the system's driver stack. It also has an executable that manages the firmware download to the module, and a test program that performs factory tests.
  • This PC software is supplied with the computer keyboard unit for example for Windows 9872000 platforms. At the end of testing the keyboard unit receives a signature that cannot be removed.
  • the DLL is copied from an installation CD to the PC hard disc during the computer keyboard unit installation when the system recognizes a new USB device, and is loaded as required by the user application.
  • the API to the user application consists of three functions to open, read/write and close the module 30. There are additional (non API) functions implemented in the DLL to assist the keyboard unit's module 30 in its operation.
  • a block-oriented asynchronous half duplex transmission protocol has been defined to transfer data between the DLL and module 30.
  • the USB driver (supplied with module 30) is copied from an installation CD to the computer hard disc during keyboard unit's installation when the system recognizes a new USB device, and is loaded as required by the system when module 30 is connected to the USB bus.
  • the DLL communicates with module 30 through this USB driver.
  • E 2 PROM in conjunction with a USB connection has the advantage that the module 30 can operate from the mains supply without need for a battery.
  • the download executable (supplied with computer keyboard unit 34) is copied from the installation CD to the
  • a factory test program is supplied for testing the module 30 after assembly. This program does basic functionality checks of the keyboard unit (USB, display, keypad, card insertion) and writes into its flash memory (E 2 PROM) a coded serial number from a barcode label on the reader 30.
  • This program does basic functionality checks of the keyboard unit (USB, display, keypad, card insertion) and writes into its flash memory (E 2 PROM) a coded serial number from a barcode label on the reader 30.
  • the sof tware installed in the module 30 is essentially written in an obj ect oriented programming language such as C and C++ .
  • the processor 38 which is a DSP, only interprets assembler commands . For this reason the source files are firstly interpreted in assembler using a C/C++ compiler . Some functions that are critical in slowing the performance are optimized in assembler, for example functions that are called during the RSA calculations .
  • the software architecture is shown in Fig. 3.
  • the secure transaction software 60 has been built in three main shells, boot shell 62, system shell 64 and application shell 66 .
  • the boot shell 62 corresponds to the ground software that manages the software download; this shell can never be downloaded.
  • the system shell 64 which is downloadable, corresponds to the rest of the operating system that manages the application shell .
  • the application shell 66 also downloadable, contains the code that manages applications like the payment application.
  • the boot shell 62 contains the USB manager, and all software for managing downloading, including an RSA/DES manager used for download.
  • the downloadable system shell 64 contains an ASN.l library which serves as I/O interpreter, the RSA and DES encryption/decryption tools and the drivers, like the card, keyboard and display manager.
  • the downloadable application shell 62 contains administrative applications like a terminal identification application and a download application. It also contains ICC applications, i.e. a set of applications for each chip card, for example controlling different types of payment, for example payments using EMV parameters, or prepaid card payments or so-called Mondeo payments .
  • the DSP 38 is powered when the USB cable 46 is connected to computer 44. It starts to run and enters the boot shell 62 where all the basic start-up procedure is performed. This procedure essentially checks the validity of the system and activates the USB bus connection. Then the reader 30 waits for an open request from the LCA 44.
  • the DLL sends a message to reader 30.
  • the message will be managed in the boot shell 62 or transferred to the system shell 64 and managed by the system shell, or transferred to the application shell 66.
  • the boot shell software 62 can never be upgraded. In one embodiment, the system and the application can only be upgraded together. In another embodiment, the system and the application can be upgraded separately.
  • the boot shell 62, system shell 64 and the application shell 66 each has its own version number.
  • a hardware version number is written on the electronic plate of the reader 30. Because this number is known during the manufacturing process, it is reported in the boot software that is installed at the end of the manufacturing process. So a new hardware version (n ⁇ +1) corresponds to a new boot version (n ⁇ +1) . If the modifications in the boot shell 62 are sufficiently minor that the new boot version is compatible to the previous system version, the new boot version will keep the same model number. So a new boot version does not always result in a new model number.
  • the hardware, the boot and the system version are respectively numbers (n ⁇ +1) , (n ⁇ +1) and (ng) at the end of the upgrade.
  • the actual hardware is kept but the installed boot shell is modified. This modification alters the system, that is able to take into account the two different boot versions, by implementation of a switch that executes a specific function depending on the boot version.
  • (njj) , (n ⁇ +1) and (ng+1) for the hardware, the boot and the system versions respectively at the end of this upgrade.
  • the new system version is still compatible with the old boot shells, the new system will be integrated as a new software version by the download server. The previous model number is kept.
  • the new system version will correspond to a new model number.
  • the new system version will not be downloaded as a new version to the previous system shell. In this case, the new model number is maintained separately.
  • the system and application shells 64,66 are no longer compatible and must be selected by the download server. It is understood that creating a new model has the drawback that a separate and independent release support is needed for each model . This is fully transparent for the user but has drawbacks for the producer.
  • the upgrade of the applications is still independent from the other shells and the other applications .
  • the applications are always independent from one another.
  • An application upgrade always gives a new application version number. If the application modifications correspond to a specification upgrade, a new application identifier main version number is given. If they correspond to an internal (manufacturer) upgrade, only the identifier sub-version number sub-version number of the issuing Organization is incremented.
  • the code contained in the boot shell 62 essentially initializes the DSP 38 and checks if a valid system is present. If yes, it starts the display, keyboard matrix 33 and card processes (with the switch 41 connecting to the module 30 in the secure transaction mode) . If not, the reader 30 waits about 5 seconds, then restores the previous system by re-installing its back-up copy. Then this procedure activates the USB connection 46, and indicates "Reader ready" when the USB checking is finished.
  • the module 30 's program enters into an infinite loop that corresponds to a state machine, wherein the following events can produce a change of state: an incoming message from the DLL (via USB 42); pressing of a key by the user (keyboard matrix 33) ; insertion of a card 31 (Card I/O 32) . All these events are managed by interruption vectors.
  • the card I/O is used only for the detection of the card insertion or removal .
  • Code enters the system shell 64 when the following functions are called by the boot shell 62 : StartMainSystem Starts and initializes the system shell 64.
  • DisplaySystewManager Manages the display of the messages in the boot shell 62. MainSystem Transfers an incoming message to the system shell 64.
  • the first and last functions control the execution of the system shell 64.
  • the second function provides to the boot 62 the message library that can be upgraded.
  • the MainSystem function controls all the access to the system, which operates according to the input message type. Messages that can enter the system shell can be split in four categories, the ASN (Abstract Syntax Notation) frame; Test requests; Download application requests; and Complementary Requests.
  • ASN Abstract Syntax Notation
  • the input message encoded according to the ASN specifications, is decoded and, depending on its command header, is treated by the application shell 66.
  • the available applications are described below. There are three entry point functions for each application that allow to initialize, to perform and to close the application. All of the data that are transferred inside the ASN structure of the I/O messages are managed by the system shell 64. These data are allocated and deallocated in the system shell 64, but managed in the application shell 66. The data that are specific to the application are allocated and deallocated inside the application shell 66.
  • Test requests concern manufacturing tests to ascertain that the reader 30 performs properly.
  • Download application requests are managed by the boot shell 62, but the request for triggering the download application and its error management must be downloadable. For this reason, this part of the application is implemented in the system and in the application shells 64,66.
  • Some specific application requests are managed by the system shell 64, notably to manage problems associated with management of huge I/O frames.
  • Applications are called by the system shell 64. By definition, the applications should be independent from one another; they can depend from the boot and system shells; and they are called by three generic functions that are used for:
  • Ini tialization Allocation of the data structure that is required during the process, initialization of the data and set up of the variable that controls the application process .
  • Non-blocking or blocking processing of the application steps Non-blocking or blocking processing of the application steps .
  • Termination Deallocation of the application data structure and final processing, like clearing of the display or request for card removal .
  • an administrative application that manages the reader identification and the software download request; and a payment application that performs payment operations for a specific type of smart card.
  • the previous system or/and application zone is copied in a backup or buffer zone of the E 2 PROM and is erased.
  • the keyboard matrix 33 and the card I/O 32 are deactivated and reader 30 displays at 36 the message "Downloading. Please Wait".
  • the reader 30 prepares its ASN.l answers. This is done in two functions called in the system shell 64.
  • a first function prepares the correct answer that is expected by the LCA 44, which contains the path of the DLL file when this library must be downloaded by the LCA 44 at the end of the reader download process .
  • a second function contains error messages that must be returned in case of an error.
  • Fig. 4 illustrates a secure transaction such as a payment carried out with an ICC 31 in a keyboard unit acting as interface device (IFD) , namely module 30 using a local computer 44 as an LCA Wallet communicating via the IFD.
  • IFD interface device
  • Fig. 4 Internet with a merchant at a merchant site MCA 50 and a Payment Gateway 55, using for example the SET protocol.
  • the numbers 1 to 21 are used to designate successive steps of the transaction, as follows.
  • Steps 1-3 Reader Identification
  • the user by activating a merchant site 50 will download a Wakeup request as step 1, providing an input file that causes the LCA 44 to send a request for reader identification RIDReq to the reader 30 in step 2.
  • Each computer keyboard unit 34 is identified by its coded serial number contained in its boot shell 62. If a recognized keyboard unit 34 is connected, an acknowledgment/response RIDRsp is returned to the LCA 44 in step 3.
  • step 4 the LCA 44 sends a Card identification request CIDReq to the module 30 which transmits this request in step 5 to the ICC 31.
  • Identification of an ICC 31 inserted in the module 30 takes place using the ICC ' s internal processor, i.e. without using the encryption/ decryption toolbox downloaded in the module 30.
  • an acceptance message CIDRsp is returned in steps 6 and 7 to the LCA 44.
  • the module 30 acts as a "window": all necessary encryption/decryption operations take place in the ICC 31 and in the LCA 44.
  • the CIDReq asks for the ICC identification and also retrieves the initial payment parameters . This command is used by the LCA 44 to obtain the payment parameters required for building the payment request initiation message.
  • Steps 8-17 Payment Transaction
  • a payment initiation request Pini tReq is then transmitted in step 8 from the LCA 44 to the Merchant Site 50 and returned, accompanied by the necessary certificate, to LCA 44 in step 9.
  • This payment initiation request Pini tReq is normally followed by a payment request PayReq, so no message requesting card removal is displayed when it is completed. An error during the treatment of this request will interrupt the payment procedure, and display at 36 a message inviting card removal .
  • the LCA 44 sends a payment request PayReq to module 30.
  • the PayReq asks the module 30 to perform the payment process. When the module 30 receives such a request, it cannot perform another operation until the payment application has been completed.
  • the PayReq asks the module 30 to perform a transaction that is secured with a card signature.
  • the computer 44 receives data and information that can be displayed and returns the encrypted sensitive data to the gateway 55.
  • Payment operations are carried out between the module 30 and card 31 in steps 11 and 12.
  • the module 30 checks if a card 31 has been inserted. If not, it requires card insertion. Then it checks if the inserted card corresponds to the one that has previously been identified during the CIDReq operation. If not, an error message is displayed saying that the card is invalid and the payment procedure is interrupted.
  • the module 30 displays the amount to be debited and asks the user to enter his/her PIN code. By entering and confirming a valid PIN code, the user accepts the payment transaction conditions. The module 30 confirms the correct PIN code introduction and performs the protection calculations . Then module 30 sends a payment response PRsp to the LCA 44 in step 13. At the end of this command, the LCA 44 receives all the sensitive data encrypted in a protected frame that is included in a payment request message PReq sent to the MCA 50 in step 14. In this way, no sensitive data will be readable on the local computer 44 nor transferred into the Internet.
  • the MCA 50 provides the necessary certificate and includes this in an authorization request AuthReq sent to the Payment Gateway 55 as step 15.
  • the Payment Gateway 55 possesses the necessary key to decrypt the encrypted card- identification data provided in step 6, and provide a payment authorization request AuthRes to the MCA 50 in step 16, the MCA 50 then transmitting a payment request PRes to the LCA 44 in step 17 so the payment request can be performed on the LCA.
  • the card 31 can be removed at the end of the payment process. If a complementary request ComplReq (see below) is sent after the PReq, the module 30 does not ask for card removal. Different messages are displayed on display 36 during further payment processing, even when an error occurs . An error interrupts the payment transaction and the reader 30 asks for card removal .
  • the user can set the keyboard unit 34 in its normal operation mode by manual actuation of switch 41. It is possible to provide for automatic switching between the two modes, for example trigerred by card insertion/removal, or a combination of manual and automatic switching.
  • Steps 18-21 Further processing After a payment transaction, the reader 30 can be asked to perform further processing by a ComplReq through this command.
  • the Payment Gateway 55 can request for example an upgrade of the module 30 's software by initiating a download request and/or the display of a given message on the local computer screen.
  • Fig. 5 illustrates a software download sequence.
  • the numbers 1' to 8 ' are used to designate successive steps of the download sequence.
  • Step 2' of Fig. 5 can be considered to be equivalent to step 22 of Fig. 4, in the case where the ComplReq is for software download.
  • the WakeUp corresponds to the complete message contained in the PRes 17 response.
  • the LCA 44 exchanges a download request DownloadReq with the MCA 50 in steps 2 ' and 3 ' , leading to downloading of software to the LCA 44.
  • steps 5 ' to 8 ' a DWNReq is exchanged between the LCA 44 and module 30 leading to downloading of the software to the module 30.
  • the software download application is protected by an RSA signature calculated using a private key generated by the controlling Organization who attests with this key that the software inside the module 30 is qualified for performing the payment transactions according to the selected security protocol.
  • the memory 40 can allow for the application and system to be downloaded together, or separately.
  • the files to be downloaded are grouped in a single file whose file name corresponds to the design of the module 30.
  • a buffer zone of the module 30 's E PR0M serves as a buffer memory for temporarily storing system and/or application software transferred from the active E 2 PROM during a download operation.
  • a signal initiates reloading the software.
  • the installation procedure is in two steps, driver installation and LCA installation, using for example a CD-ROM containing the software that is loaded into the computer.
  • LCA local computer application
  • the software is automatically upgraded at the end of a standard transaction, like a payment.
  • the system uses the fact that the module 30 is connected to a management server for checking the actual software version that is installed in module 30. If this version is lower than the current one on the server, it sends a download request to the module 30, as described above. The user can also request independently a software download.
  • the module 30 is designed to be attached to a PC through a USB connection 42/46. However, it not only offers smart card operations, but is also a powerful tool for cryptogram calculations. Because the card 31 and module 30 are separate from the PC 44, the module 30 provides a useful tool for securing any transaction that is undertaken on the PC.
  • the module 30 ' s system and application software being downloadable, any application can be developed and downloaded into the keyboard unit's module 30. These applications can use the tool library that is available in the module's downloaded system software.
  • the evolution of a module 30 is linked to its software architecture which, as described before, is built according to a three shells model.
  • the first shell, the boot shell 62 is fixed inside a given module 30. After the manufacturing process, this boot shell 62 is never modified inside the module 30.
  • the system shell 64 Over this boot shell 62 is the system shell 64 that contains the tool box including encryption/decryption functions .
  • the functions of this systems library are compatible to all of the boot functions, regardless of the boot versions, inside a same model number. Most of the time an upgrade of this shell 64 will raise an upgrade of all of the applications. In other words, the module 30 will be entirely upgraded (system and application shells 64, 66).
  • the applications are developed in such a way that they are independent from each other, but only dependent from the system shell 64 and/or possibly from the boot shell 62. This last dependence should be avoided, where possible.
  • a new application always requires a system upgrade. But it should never require a significant boot upgrade, because this means that a new keyboard unit model would have to be created, compatible with this new application.
  • the system shell upgrade is linked to the introduction of the entry points to the new application.
  • the module 30 When a payment application from a given Organization is integrated into the current software, the module 30 must be qualified by this Organization. Its software is signed by the Organization; the private key that controls the download operation is the property of the Organization. This procedure will be chosen for any application that requires a particular qualification for the reader integrity. Because there is a single public key that controls the software download, there is only one specific external Organization that can control the software integrity.
  • the external Organization that has proprietary rights to the download private key is able to control and to qualify the integrity and the quality of the new software. Even if the software modification corresponds to the addition of a new application completely independent from their own applications, the external
  • DIS Digital Identity Signature
  • Figs. 6 and 7 illustrate use of a keyboard unit according to the invention connected as a terminal to a PC via a USB connection for one user to transmit a file with a digital signature (Fig. 6) and another user, the receiver, who uses a keyboard unit according to the invention connected as a terminal to a PC via a USB connection, to authenticate the digital signature (Fig. 7) , using a novel digital signature process.
  • Either or both the sending device and the receiving device can be a keyboard unit according to the invention, the other of which could be a discrete reader device of similar construction, providing both the sending device and the receiving device are each associated with a separate and unique couple of keys, a private key and a public key.
  • the keyboard unit is associated with its own private key Pri_KC and public key Pub_KC; as well as a private key of the manufacturer Pri_KM and a public key of the manufacturer Pub_KM.
  • the sender wants to transmit a document called "File" 70 to the receiver, with a Digital Signature which cannot be repudiated.
  • Any type of file format can be used for the document/data to be transmitted.
  • the file 70 to be transmitted is compressed on the sender's PC by a hash coding into a 20 bytes (h-file) ⁇ file, which is transmitted to the sender's Keyboard Unit 34 via the USB link.
  • the Card/Keyboard Unit Holder's Name "CHN" designated by B gives the identification information of the Sender on 26 Bytes.
  • the Keyboard Unit 34 will then compress with a hash coding the sum of CHN and the (h- file) ⁇ into 20 Bytes.
  • the result, (h-file)* ⁇ is then encrypted with the private key of the Keyboard Unit: Pri_KC to provide the function A which is Pri_KC (h-file) * ⁇ .
  • the signature C (CS) of the Keyboard Unit is obtained by an 1023 bit RSA encryption of the private key of the manufacturer (Pri_KM) with the function D.
  • the latter is obtained from the IFD, which stands for the Keyboard Unit's Identification Numbers (Serial number, software version, etc.) and the Public Key of the Keyboard Unit 34 (Pub_KC) .
  • the Receiver receives via the Internet the sent file S .
  • the PC's receiver extracts the genuine File 70 and compresses it with a hash coding into 20 Bytes: (h-file) 2 - This 20 bytes is then sent to the Receiver's Keyboard Unit 34 with the concatenated information or digital signature R via the USB connection.
  • the Receiver's Keyboard Unit 34 completes these operations. It decrypts with the Public Key of the Manufacturer
  • the Receiver's Keyboard Unit 34 displays on its secure display 36 "Signature OK", also displaying the Card Holder Information "CHN" . Simultaneously, this information is transmitted to the Receiver's PC 44, which also displays on the unsecured PC's screen 47 the same information.
  • the Keyboard Unit 34 displays on its secure display 36 "Wrong Signature" . Simultaneously, this information is transmitted to the Receiver's PC 44, which will also display on the unsecured PC's screen 47 the same information.
  • This digital signature process is based on the concept that no public key needs to be sent between the sender and the receiver. On both sides, we use the private key and the public key of the trusted wallet device or keyboard unit, encrypted into its silicon, as well as the private key and the public key of the keyboard unit's manufacturer. The privacy and the secrecy of the sender can be protected, because no potential identification during the transmission can be performed.
  • the public key Pub-KC is encrypted as part of function D, and is not accessible as such.
  • a Smart Card can be used if it is necessary to recognise the Card owner via its PIN code.
  • the digital signature can use the secure Keyboard Unit to process the PIN code to identify the Keyboard Unit's owner.
  • Any type of file format can be used for the document/data 70 to be transmitted.
  • Any PC platform can be used (Windows 98, Millenium, 2000 & iMac) .
  • this digital signature is capable of: - Keeping the privacy of any sender on Internet: No public keys are sent, and the sender cannot be identified on Internet when any hacker attempts to intercept the message.
  • Each Keyboard Unit has its own unique couple of keys, each being different between 2 Keyboard
  • this digital signature can be applied to and is compatible with other reader devices: discrete reader devices, GSM Mobiles, TV- remote controls, end-to-end routers and servers,
  • the invention has provided a versatile computer keyboard with integrated security device ensuring entire security for the user, and which can be integrated in existing or future protocols directed to secure transactions in communications networks, in particular under control of an Organization that possesses the reader's private key.
  • the described computer keyboard with integrated security device can be used for many other secure transactions with or without the insertion of a card, including e-banking, e-tax and secure e-mail.
  • Various modifications may be made to the described examples of hardware and software without departing from the scope of the appended claims.

Landscapes

  • Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Accounting & Taxation (AREA)
  • General Business, Economics & Management (AREA)
  • Strategic Management (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Finance (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Storage Device Security (AREA)

Abstract

La présente invention concerne un clavier d'ordinateur (34) devant être relié à un ordinateur connecté localement, conçu pour exécuter via un réseau de communications tel qu'Internet des transactions sécurisées associées en particulier au commerce électronique, aux services bancaires électroniques, aux services fiscaux électroniques, au courrier électronique, aux télécommunications et aux systèmes à accès limité. Le clavier comprend un ensemble de touches formant une matrice de clavier (33) associée à un dispositif (39) de production de code clés normalisés permettant d'établir une communication avec un système d'entrée-sortie de base (Bios) (43) d'un ordinateur connecté localement (44). Une interface de carte à circuit intégré (329) devant recevoir une carte de circuit intégré (31) est associée à un microprocesseur (38) pour chiffrer les données, en particulier à l'aide d'une carte de circuit intégré introduite dans l'interface de carte à circuit intégré (32), et pour transmettre des données chiffrées à un réseau de communications en vue d'exécuter une transaction sécurisée. La matrice de clavier (33) peut être reliée sélectivement entre un mode de fonctionnement normal permettant de communiquer des codes clés au système Bios (43) d'un ordinateur connecté localement (44), et un mode de transaction sécurisé permettant d'exécuter des transactions sécurisées avec ou sans carte de circuit imprimé introduite dans l'interface de carte à circuit intégré (32). Dans le mode de transaction sécurisé, la matrice de clavier (33) est connectée au microprocesseur (38) qui exécute le chiffrement de données, notamment le chiffrement d'un code d'identification saisi, et transmet les données chiffrées, y compris le code d'identification chiffré, à un réseau de communications. Le microprocesseur de l'unité (38) et l'interface de carte de circuit intégré (32) sont inaccessibles par le système Bios (43) d'un ordinateur connecté (44).
PCT/IB2001/000896 2000-06-26 2001-05-21 Clavier d'ordinateur pour transactions securisees dans un reseau de communications WO2002001522A1 (fr)

Priority Applications (3)

Application Number Priority Date Filing Date Title
AU2001256591A AU2001256591A1 (en) 2000-06-26 2001-05-21 Computer keyboard unit for carrying out secure transactions in a communications network
AU74394/01A AU7439401A (en) 2000-06-26 2001-06-23 Device for carrying out secure transactions in a communications network
PCT/IB2001/001120 WO2002001520A1 (fr) 2000-06-26 2001-06-23 Dispositif destine a effectuer des transactions securisees dans un reseau de communication

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
EP00810556.1 2000-06-26
EP00810556A EP1168265A1 (fr) 2000-06-26 2000-06-26 Dispositif pour effectuer des transactions sécurisées sur un réseau de communication
EP01810482 2001-05-15
EP01810482.2 2001-05-15

Publications (1)

Publication Number Publication Date
WO2002001522A1 true WO2002001522A1 (fr) 2002-01-03

Family

ID=26073929

Family Applications (2)

Application Number Title Priority Date Filing Date
PCT/IB2001/000896 WO2002001522A1 (fr) 2000-06-26 2001-05-21 Clavier d'ordinateur pour transactions securisees dans un reseau de communications
PCT/IB2001/001120 WO2002001520A1 (fr) 2000-06-26 2001-06-23 Dispositif destine a effectuer des transactions securisees dans un reseau de communication

Family Applications After (1)

Application Number Title Priority Date Filing Date
PCT/IB2001/001120 WO2002001520A1 (fr) 2000-06-26 2001-06-23 Dispositif destine a effectuer des transactions securisees dans un reseau de communication

Country Status (2)

Country Link
AU (1) AU2001256591A1 (fr)
WO (2) WO2002001522A1 (fr)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7711952B2 (en) 2004-09-13 2010-05-04 Coretrace Corporation Method and system for license management
US8196815B2 (en) 2003-06-03 2012-06-12 Nxp B.V. Secure card terminal using keypad scanning sequence determined by card
US8250151B2 (en) 2005-10-12 2012-08-21 Bloomberg Finance L.P. System and method for providing secure data transmission
WO2024158531A1 (fr) * 2023-01-23 2024-08-02 Microsoft Technology Licensing, Llc Auto-enregistrement basé sur une chaîne de blocs et une connectivité en nuage et inventaire des actifs d'ido d'entreprise

Families Citing this family (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8909557B2 (en) 2002-02-28 2014-12-09 Mastercard International Incorporated Authentication arrangement and method for use with financial transaction
GB0204620D0 (en) * 2002-02-28 2002-04-10 Europay Internat N V Chip authentication programme
EP1349031B1 (fr) * 2002-03-18 2003-11-05 Ubs Ag Authentification securisée d'un utilisateur et de données dans un réseau d'ordinateurs
KR20060034228A (ko) 2003-06-04 2006-04-21 마스터카드 인터내셔날, 인코포레이티드 전자 상거래 트랜잭션에서의 고객 인증 시스템 및 방법
WO2005109360A1 (fr) * 2004-05-10 2005-11-17 Hani Girgis Saisie securisee de nip au moyen d'un ordinateur personnel
EP1705941A1 (fr) * 2005-03-24 2006-09-27 BRITISH TELECOMMUNICATIONS public limited company Communication sécurisée d'informations de mots de passe dans un réseau
EP1710758A1 (fr) * 2005-04-04 2006-10-11 Research In Motion Limited Lecteur portable de carte à puce possédant une capacité de communications sans fil sécurisées
US7562219B2 (en) 2005-04-04 2009-07-14 Research In Motion Limited Portable smart card reader having secure wireless communications capability
WO2007019791A1 (fr) * 2005-08-12 2007-02-22 Dongsheng Li Procede et dispositif garantissant la securite d'un dispositif de signature electronique
US7878395B2 (en) 2005-09-08 2011-02-01 Research In Motion Limited Alerting a smart card reader of probable wireless communication
US8079068B2 (en) 2006-07-17 2011-12-13 Research In Motion Limited Management of multiple connections to a security token access device
WO2008015491A1 (fr) * 2006-07-31 2008-02-07 Hani Girgis Vérification de données présentées par la révision rationalisée
DE102007034346A1 (de) 2007-07-24 2009-01-29 Cherry Gmbh System und Verfahren zur sicheren Eingabe einer PIN
DE102009004113A1 (de) * 2009-01-08 2010-07-15 Giesecke & Devrient Gmbh Verfahren zur Installation einer elektronischen Ticket- und/oder Bezahl-Applikation auf einem mobilen Endgerät
US9715681B2 (en) 2009-04-28 2017-07-25 Visa International Service Association Verification of portable consumer devices
US9105027B2 (en) 2009-05-15 2015-08-11 Visa International Service Association Verification of portable consumer device for secure services
US8534564B2 (en) 2009-05-15 2013-09-17 Ayman Hammad Integration of verification tokens with mobile communication devices
US9038886B2 (en) 2009-05-15 2015-05-26 Visa International Service Association Verification of portable consumer devices
US8602293B2 (en) 2009-05-15 2013-12-10 Visa International Service Association Integration of verification tokens with portable computing devices
US8893967B2 (en) 2009-05-15 2014-11-25 Visa International Service Association Secure Communication of payment information to merchants using a verification token
US10846683B2 (en) 2009-05-15 2020-11-24 Visa International Service Association Integration of verification tokens with mobile communication devices
BR112012005419A2 (pt) * 2009-09-10 2016-04-12 Visa Int Service Ass ficha de verificação, método, produto de programa de computador, entidade de validação, método para comunicar informação de pagamento para um estabelecimento comercial, computador de estabelecimento comercial, sistema de processamento de estabelecimento comercial, e, método para receber informação de pagamento
US10255591B2 (en) 2009-12-18 2019-04-09 Visa International Service Association Payment channel returning limited use proxy dynamic value
ES2379916B1 (es) * 2010-10-06 2013-01-29 Universidad De Alcalá Terminal electrónico para el pago con el dni electrónico.
CN103503010B (zh) 2011-03-04 2017-12-29 维萨国际服务协会 支付能力结合至计算机的安全元件
EP2780854B1 (fr) * 2011-11-14 2017-04-12 Vasco Data Security International GmbH Lecteur de carte à puce comprenant une journalisation sécurisée
US10282724B2 (en) 2012-03-06 2019-05-07 Visa International Service Association Security system incorporating mobile device
CN115082065A (zh) 2013-12-19 2022-09-20 维萨国际服务协会 基于云的交易方法和系统
US9922322B2 (en) 2013-12-19 2018-03-20 Visa International Service Association Cloud-based transactions with magnetic secure transmission
US10846694B2 (en) 2014-05-21 2020-11-24 Visa International Service Association Offline authentication
US9775029B2 (en) 2014-08-22 2017-09-26 Visa International Service Association Embedding cloud-based functionalities in a communication device
US10187363B2 (en) 2014-12-31 2019-01-22 Visa International Service Association Hybrid integration of software development kit with secure execution environment

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4731842A (en) * 1984-12-12 1988-03-15 International Business Machines Corporation Security module for an electronic funds transfer system
EP0587375A2 (fr) 1992-09-04 1994-03-16 ALGORITHMIC RESEARCH Ltd. Unité de sécurité pour systèmes de traitement de données
GB2274523A (en) 1993-01-25 1994-07-27 Chandra Kamar Patni Portable electronic fund transfer device
US5336870A (en) 1992-05-26 1994-08-09 Hughes Thomas S System for remote purchase payment transactions and remote bill payments
DE4325459A1 (de) * 1993-07-29 1995-02-09 C2S Gmbh Cryptografische Siche Tongeber mit Identifikations- und Authentisierungs-Einrichtung
EP0763791A1 (fr) * 1995-09-14 1997-03-19 Hewlett-Packard Company Unité de clavier d'ordinateur avec une interface de carte à puce
WO1998007255A1 (fr) 1996-08-12 1998-02-19 Information Resource Engineering, Inc. Appareil de poche de cryptage et d'authentification de communications
WO1998049658A1 (fr) * 1997-04-30 1998-11-05 Visa International Service Association Systeme de paiement et de chargement par internet a l'aide d'une carte a puce
WO1998059327A1 (fr) * 1997-06-10 1998-12-30 Digital Equipment Bcfi Ab Module de securite
US6056193A (en) 1996-11-18 2000-05-02 Alps Electric (Ireland) Limited Computer keyboard with integral encoded device reader

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5959574A (en) 1993-12-21 1999-09-28 Colorado State University Research Foundation Method and system for tracking multiple regional objects by multi-dimensional relaxation

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4731842A (en) * 1984-12-12 1988-03-15 International Business Machines Corporation Security module for an electronic funds transfer system
US5336870A (en) 1992-05-26 1994-08-09 Hughes Thomas S System for remote purchase payment transactions and remote bill payments
EP0587375A2 (fr) 1992-09-04 1994-03-16 ALGORITHMIC RESEARCH Ltd. Unité de sécurité pour systèmes de traitement de données
GB2274523A (en) 1993-01-25 1994-07-27 Chandra Kamar Patni Portable electronic fund transfer device
DE4325459A1 (de) * 1993-07-29 1995-02-09 C2S Gmbh Cryptografische Siche Tongeber mit Identifikations- und Authentisierungs-Einrichtung
EP0763791A1 (fr) * 1995-09-14 1997-03-19 Hewlett-Packard Company Unité de clavier d'ordinateur avec une interface de carte à puce
US5920730A (en) 1995-09-14 1999-07-06 Hewlett-Packard Company Computer keyboard that changes from normal mode to secure mode bypassing host to input pin code directly into smartcard received at its ICC interface
WO1998007255A1 (fr) 1996-08-12 1998-02-19 Information Resource Engineering, Inc. Appareil de poche de cryptage et d'authentification de communications
US6056193A (en) 1996-11-18 2000-05-02 Alps Electric (Ireland) Limited Computer keyboard with integral encoded device reader
WO1998049658A1 (fr) * 1997-04-30 1998-11-05 Visa International Service Association Systeme de paiement et de chargement par internet a l'aide d'une carte a puce
WO1998059327A1 (fr) * 1997-06-10 1998-12-30 Digital Equipment Bcfi Ab Module de securite

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8196815B2 (en) 2003-06-03 2012-06-12 Nxp B.V. Secure card terminal using keypad scanning sequence determined by card
US7711952B2 (en) 2004-09-13 2010-05-04 Coretrace Corporation Method and system for license management
US8250151B2 (en) 2005-10-12 2012-08-21 Bloomberg Finance L.P. System and method for providing secure data transmission
WO2024158531A1 (fr) * 2023-01-23 2024-08-02 Microsoft Technology Licensing, Llc Auto-enregistrement basé sur une chaîne de blocs et une connectivité en nuage et inventaire des actifs d'ido d'entreprise

Also Published As

Publication number Publication date
AU2001256591A1 (en) 2002-01-08
WO2002001520A1 (fr) 2002-01-03

Similar Documents

Publication Publication Date Title
WO2002001522A1 (fr) Clavier d'ordinateur pour transactions securisees dans un reseau de communications
US11462070B2 (en) System and method for selective encryption of input data during a retail transaction
EP1168265A1 (fr) Dispositif pour effectuer des transactions sécurisées sur un réseau de communication
US5923759A (en) System for securely exchanging data with smart cards
US6230267B1 (en) IC card transportation key set
EP0981807B1 (fr) Carte a circuit integre a liste d'historique d'applications
JP4906168B2 (ja) Icカードのための鍵配送ユニット
US7089214B2 (en) Method for utilizing a portable electronic authorization device to approve transactions between a user and an electronic transaction system
CN1344396B (zh) 便携式电子的付费与授权装置及其方法
US6694436B1 (en) Terminal and system for performing secure electronic transactions
US20040044739A1 (en) System and methods for processing PIN-authenticated transactions
US20080091956A1 (en) Key transformation unit for a tamper resistant module
WO2009111348A2 (fr) Procédé et appareil pour des transactions sécurisées
JP2001515621A (ja) ネットワーク援用チップカードトランザクション処理方法
MX2010001748A (es) Metodo y sistema para la transferencia remota segura de claves maestras para cajeros automaticos de bancos.
WO2000017758A1 (fr) Peripherique sur d'introduction de donnees
US8397058B1 (en) System and method for communication between smart cards
EP0807907A1 (fr) Système pour l'accès sécurisé aux données de cartes intelligentes
KR101329879B1 (ko) 스마트 카드를 이용한 온라인 금융 서비스에서의 사용자인증 방법
AU723525B2 (en) A method for certifying a running total in a reader
AU2016269392B2 (en) System and method for selective encryption of input data during a retail transaction
AU2013237727A1 (en) System and method for selective encryption of input data during a retail transaction

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

DPE1 Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101)
点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载