CA2300933A1 - Portable electronic device for safe communication system, and method for initialising its parameters - Google Patents

Portable electronic device for safe communication system, and method for initialising its parameters Download PDF

Info

Publication number
CA2300933A1
CA2300933A1 CA002300933A CA2300933A CA2300933A1 CA 2300933 A1 CA2300933 A1 CA 2300933A1 CA 002300933 A CA002300933 A CA 002300933A CA 2300933 A CA2300933 A CA 2300933A CA 2300933 A1 CA2300933 A1 CA 2300933A1
Authority
CA
Canada
Prior art keywords
personalizing
secret
specific
key
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
CA002300933A
Other languages
French (fr)
Inventor
Yves Louis Gabriel Audebert
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
HID Global SAS
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Publication of CA2300933A1 publication Critical patent/CA2300933A1/en
Abandoned legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1008Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/341Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/355Personalisation of cards for use
    • G06Q20/3558Preliminary personalisation for transfer to user
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/409Device specific authentication in transaction processing
    • G06Q20/4097Device specific authentication in transaction processing using mutual authentication between devices and transaction partners

Abstract

The invention concerns a portable electronic device for safe communication with at least one electronic unit comprising means for data storage (8, 9), means (10) interfacing with at least an external tool for loading data in said storage means, and means for data processing (7) including initialisation means for enabling, in response to the application of a secret personalization access code, to modify said access code and personalization data loading into said storage means. Said device comprises a plurality of functions and particular re-programmable secret access codes different from one another (KPERX, KPERY) and each assigned to personalizing a particular function (X, Y...) of said device, and inhibiting means (7; 222) adapted for authorising said processing means access to loading and/or reading personalization data particular to a function only in response to the application of the access code assigned to said function.

Description

Portable electronic device for safe communication system and method for initializing its parameters.
The present invention relates generally to secure electronic communication systems and more particularly to systems of this kind in which portable secure electronic devices are used to set up a call or communication to and/or to access another electronic unit.
Many electronic communication systems require .
access of users to particular applications to be controlled, such control generally entailing authenticating persons and/or messages. This is the case in particular when it is a question of controlling access to a computer or more generally a data processing network whose use is reserved to duly authorized persons. Such networks can be used, for example, to provide all kinds of services involving a transaction, usually with an economic consideration, such as telepurchasing, pay-per-view television, home banking, interactive video games, etc.
Access control systems of this kind are described in particular in documents US-A-3 806 874, US-A-4 601 011, US-A-4 720 860, US-A-4 800 590 and US-A-5 060 263. The systems described in the above documents use a portable secure electronic device which generates a password by encrypting a variable. A verification unit performs the same calculation or a similar calculation on the same or approximately the same variable and authorizes access to the requested application if the passwords generated in the portable device and the verification unit match. The variable can be a random or pseudo-random number, referred to hereinafter as a die, transmitted from the verification unit to the portable device, or it can be generated independently in the portable device and in the verification unit by means of a clock and/or an event counter, for example.
If the encryption process used in the portable device and the verification unit uses a symmetrical algorithm and a secret key, for example the DES (Data Encryption Standard) algorithm, the security of the system relies on the preservation of the secret character of the key stored both in the portable device and in the verification unit.
In some cases, the key can be static, i.e. it retains the same value throughout the service life of the .
portable device.
In other cases, the key can be dynamic, i.e. it changes in time as a function of the content of a counter incremented by a clock signal and/or an event counter, for example.
Whether the key is static or dynamic, it must initially, i.e. when the device is personalized, have a w particular value which is stored both in the portable electronic device and in a database associated with the verification unit. When a user requests access, he or she must one way or another, for example using a public identification number or a personal identification Number (PIN), identify himself or herself to the verification unit which obtains from the database the static key or, in the case of a dynamic key, the information that may be needed to calculate the current key.
Security problems of a similar kind arise in secure electronic communication systems using portable electronic devices and verification units employing encryption and decryption by means of asymmetric algorithms with public and private keys. The mechanisms used by an algorithm of the above kind (authentication, signature, etc) are such that the secret character of. one or more of the keys stored in the devices and/or the verification units must be conserved.
During the personalizing process the keys) and other secret personalizing data are loaded into memory in the device by the entity which supplies the device to the end user. Protecting the personalizing data by enabling the supplier of a smart card to substitute a new master key controlling access to the personalizing data for the initial key installed by the card manufacturer is well known in the art, in particular from document WO 93/10509.
What is more, the rapid expansion of secure electronic communication systems is leading to the design of products for implementing a number of different applications and having a number of different security levels for the same application. The problem then arises of guaranteeing the independence of the applications and the associated security levels, i.e. the various functions implemented by the device.
One object of the invention is to provide a secure portable electronic device for communication with another electronic unit which is capable of assuring this independence of the functions.
To this end, the invention concerns a device of the above kind including data storage means, interface means with at least one external tool for loading data into said storage means, data processing means including initialization means for enabling, in response to the application of a secret personalizing access code, modification of said access code and loading of personalizing data into said storage means, characterized in that said device is adapted to use a plurality of functions and includes means for loading a plurality of particular secret data respectively representative of different particular access secret codes and each assigned to personalizing a particular function of said device, and inhibitor means adapted to authorize access of said processing means to loading and/or reading of personalizing data particular to a function only in response to application of the particular access code assigned to said function.
According to one feature of the invention said inhibitor means are adapted to prohibit read mode access to any of said secret data.
According to another feature of the invention said loading means include at least one specific reprogrammable secret datum representative of a specific secret code common to all of said functions and in that said inhibitor means are adapted to prohibit access of said processing means to said particular personalizing data by way of said specific secret code.
According to another feature of the invention said data processing means are adapted to authorize modification of a secret datum representative of an access code particular to a function and loaded into said storage means via said specific access secret code in response to the application of said particular access code.
According to another feature of the invention said loading means are adapted to authorize, by means of said specific reprogrammable secret data, the deletion of particular secret data and of particular personalizing data previously loaded and the loading of new particular secret data.
Said specific secret code is preferably an access code to personalization of personalizing data common to all said functions of the device.
According to other features of the invention, taken in isolation or in combination:
- said storage means include at least one non-volatile memory in which a basic secret key is stored and said initialization means include first means for calculating an initial value of said specific secret data as a function of said basic secret key and an initial secret parameter;

- said inhibitor means are adapted to delete from said storage means one of said secret data representative of an access code in response to the loading, by means of said access code, of a new secret datum representative of a 5 new access code;
- said secret datum is a secret key for calculating a code for verifying the access code of which said datum is representative;
- said processing means include second means for , calculating said verification code by encrypting a variable by means of said calculation secret key;
said personalizing data include at least one plurality of authentication secret keys which are different from each other and each of which is assigned to one of said functions and in that said processing means include third means for calculating an authentication code vis-a-vis a verification unit as a function of one of said authentication secret keys.
The invention also provides a method of initializing a device as defined hereinabove, characterized in that it includes:
- an initialization first step consisting in defining and storing in said storage means a personalizing key specific to said device, - a personalizing second step consisting in loading into said storage means, by means of a specific access code dependent on said specific personalizing key, personalizing data common to said functions and secret keys for calculating said particular access secret codes each assigned to loading personalizing data relative to one of said functions, and - a personalizing third step consisting in, for each of said functions, loading the personalizing data relating to said function into said storage means by means of the corresponding particular access secret code.
Said third step preferably includes a step consisting in, when loading personalizing data relative to at least one of said functions, modifying said secret key for calculating said particular access secret code assigned to said function.
According to one feature of the invention the initialization first step includes:
~ at least one initialization first phase consisting in defining at least one secret datum common to a set of devices intended for the same entity, ~ at least one second initialization phase including the steps of, for each device of said set:
a) reading a specific identification datum carried by said device, b) calculating a first specific personalizing key as a function of said common secret datum and said identification datum, c) storing said identification data and said first specific personalizing key in said storage means, and ~ at least one initialization third phase including the following steps, for each device of said set:
d) extracting said specific identification datum from said device, e) calculating in a first external tool said first specific personalizing key as a function of said common secret datum and said specific identification datum, f) calculating in said external tool a first access code as a function of said specific personalizing key and a challenge transmitted by said device, g) transmitting from said first tool to said device said first access code with personalizing parameters including a second personalizing key different from said first personalizing key, h) calculating in said device a code for verifying said first access code as a function of said first specific personalizing key and said challenge, i) comparing in said device said first access code and said verification code and, in response to a match of said codes:
j) storing said personalizing parameters in said storage means, and k) substituting said second personalizing key .
for said first personalizing key in said storage means.
According to an embodiment of the invention said method is characterized in that it includes a fourth phase consisting in initially storing a common base secret key in a permanent memory of said storage means and in that steps a) and b) consist in:
~ applying said secret datum and said base key to a second external tool, ~ reading said identification datum by means of said second tool, ~ calculating said specific personalizing key by means of said second tool, ~ encrypting said specific personalizing key by means of said common base key in said second external tool, ~ transmitting the result of said encryption from said second tool to said device, and ~ decrypting said result in said device by means of said base key to reconstitute said specific personalizing key.
According to another embodiment of the invention said method is characterized in that it includes a fourth phase consisting in initially storing a common base key in a permanent memory of said storage means, in that said first phase equally consists in encrypting said common secret datum by means of said common base key and applying the result of said encryption to a second external tool, and in that said second phase equally consists in:
a) reading said specific identification datum by means of said second tool and transmitting said identification datum and the result of said encryption to said device, b) decrypting said result in said device by means of said base key to restore said common secret datum and thereafter calculating said specific personalizing key.
The invention also provides a secure communication system which includes a set of devices as defined hereinabove and at least one tool for initializing personalizing parameters for use of said third phase of the method defined hereinabove.
According to one feature of the invention said system further includes a tool for initializing production parameters for use of said second phase of the method defined hereinabove.
Finally, the invention also provides a secure communication system which includes a set of devices including means as defined hereinabove for implementing authentication mechanisms and at least one verification unit.
Other features and advantages of the invention will emerge from the following description of embodiments of the invention given by way of example and illustrated by the accompanying drawings, in which:
figure 1 is a general block diagram of a secure communication system in accordance with the invention applied to access control;
figure 2 is a diagram showing mechanisms for initializing parameters of the portable electronic device which is part of the system from figure 1 during production;
figure 3 is a diagram showing a variant of the mechanisms for initializing parameters of the portable electronic device which is part of the system from figure 1 during production;
figure 4 is a diagram showing mechanisms for initializing personalizing parameters of the portable electronic device which is part of the system from figure 1; and figure 5 is a general block diagram synthesizing the various phases of initializing the portable electronic .
device which is part of the system from figure 1.
The access control system shown in figure 1 allows conditional access to an application symbolized by the rectangle 1. The term "application" must be understood in a very wide sense. It refers to any application to which access is conditional on authorization involving authentication implying verification of the device (card) by means of which the request is formulated, and preferably also identification of the person requesting access to the application, to determine if the request is legitimate.
The application can be of any kind, for example control of access to premises, to a data processing network or to a computer, execution of a pecuniary or other transaction (telepurchase, home banking, interactive video games, pay-per-view television, etc). Moreover, the authentication of persons and/or messages (electronic signature) is explicitly included within the scope of the present invention.
In the embodiment shown in figure 1, the access control system includes a first portable unit 2 referred to hereinafter as a "card" and at least one second verification unit 3. The access control system in accordance with the invention can include a large number of cards 2 and one or more verification units 3, but in all cases a number that is generally smaller. The numbers of cards 2 and units 3 are in no way limiting on the invention.
The card 2 is in the form of a pocket calculator or credit card, for example, and includes a keypad 4 for entering information, for example a personal identification 5 number PIN, and various function keys 5. It also includes a display screen 6, for example a liquid crystal display screen, and an integrated electronic circuit including a programmed microcontroller 7, non-volatile read-only memory (ROM) 8 and reprogrammable memory 9 consisting of random 10 access memory (RAM) and possibly electrically erasable programmable read-only memory (EEPROM). The non-volatile memory 8, the reprogrammable memory 9 and the data bus and the address bus of the microcontroller 7 are inaccessible from outside the card to make it impossible to read or modify information contained in the memories 8 and 9 fraudulently from outside the card.
The non-volatile memory (ROM) area 8 includes a program area and a data area.
The program area includes program instructions relating to the implementation of the following mechanisms:
1. Security mechanisms ~ carrier identification ~ authentication of carrier by verification unit ~ authentication of verification unit and personalizing unit ~ authentication of message ~ encryption/decryption ~ possible electronic signature ~ etc.
2. Personalizing mechanisms ~ in production ~ at time of various personalizing operations by client (s) 3. Mechanisms relating to card applications) 4. Communication mechanism ~ communication with user: display, keypad ~ communication with verification or personalizing unit * infrared * DTMF
* communication with a reader ~ communication with a smart card ~ etc.
The data area includes data common to a fabrication mask:
1. ROM key (KROM) 2. software version number 3. etc.
The reprogrammable memory (RAM and possibly EEPROM) area 9 stores the following information:
1. Data entered during the various phases of initializing production parameters and personalizing parameters:
The data is structured according to the security levels and the applications and modification of a data area is conditional on authentication of the entity requesting personalizing: access code as a function of a challenge generated by the card, signature, etc.
This data can be secret (secret keys) or read-only data, and includes:
* personalizing secret keys * secret keys relating to security mechanisms: entity authentication, message authentication, challenge generation * data relating to application: content of messages, types of security mechanism required, etc.
* data relating to use of card in a given application: required length of personal identification number (PIN), challenge length, access code format, etc.
* data common to all applications: PIN value, clock value, counter values, content of standard messages.
2. Working data The card 2 can include a communication system 10 for communicating with the verification unit 3 or with a production tool or a personalizing tool, as described below, either directly or via a transmission link of greater or lesser length. The communication system 10 can take various forms, for example a bidirectional cable link, a bidirectional DTMF telephone link, a bidirectional infrared link, a bidirectional "connected mode" link in .
which the card is inserted into an appropriate reader, optical reception means associated, in the unit 3, with means for reading information displayed on the screen 6, as described for example in document EP-A-0 399 897, or any other transmission system well known in the art.
Finally, an electrical power supply (not shown), for example a small electrical storage battery, is provided to power the various circuits of the card 2 and to render it autonomous.
The unit 3 includes interface means enabling it to communicate with the card 2 by means of the communication system 10. The interface means, symbolized by a rectangle 12, can take numerous forms, for example a dedicated reader, a computer terminal, a personal computer connected into a network, etc. The particular feature of the interface means 12 is that they enable communication with the associated cards) 2 via the communication system 10.
The interface means 12 can also include a keypad 13 and a display screen 14 to enable a user to enter information to be communicated to a part 15 of the unit 3, for example passwords or data to be authenticated relating to the application 1. However, this data can be entered in other ways, in particular automatically, without manual intervention by the user, for example merely by inserting the card 2 into the interface 12 or by the emission of modulated infrared beams commanded by one of the function keys 5.
The interface 12 communicates with a part 15 of the unit 3 referred to as the "server". This communication, symbolized by the connection 16, can be over a short .5 distance or a long distance and use any appropriate means.
The information carried by this connection includes the password to be checked in the server 15 and possibly data to be authenticated and used in the server.
The server 15 includes a processor 17 and a memory 18. The processor 17 is capable of conditionally releasing the applications 1 referred to in access requests formulated by the cards 2.
The microcontroller 7 of the card 2 is programmed to assure the security of the call in the widest sense, in conjunction with the verification unit 3, for example authentication of a user holding the card 2, certification of messages, securing of transactions, etc. These authentication, certification, etc mechanisms are well known to the skilled person and will not be described in detail in this application. These mechanisms use encryption and/or decryption in the card 2 and/or in the unit 3 of one or more items of information by means of a public key and private key algorithm or a secret key algorithm, which keys are stored in the programmable memory 9 associated with the microcontroller 7 and/or in the memory 18 of the "server" 15.
In the following description, the invention uses secret key algorithms, but it must be understood that it is not limited to this type of algorithm.
For example, after the user has identified himself or herself to the verification unit, an authentication procedure using a secret key algorithm entails encrypting a variable in parallel in the card 2 and in the verification unit 3 by means of the algorithm and a shared secret key KSEA and then comparing the two passwords Age resulting . 14 from the encryption of that variable, generally in the verification unit 3. In systems referred to as asynchronous systems the variable is a random number (challenge) generated by the verification unit 3 and transmitted to the card 2. In systems referred to as synchronous systems the' variable is dynamic, i.e. it is a number which changes in the card 2 and the unit 3 as a function of the content of a clock counter and/or an event counter. Synchronous systems presuppose, subject to a particular tolerance, a match .
between the contents of the clock counters and/or event counters of the card 2 and the content at the address associated with the card 2 of a database which is part of the verification unit 3 or to which the latter unit has access for implementing the authentication process.
Detailed examples of these authentication mechanisms are given in document EP-A-0 338 936 and in French patent application No. 96 04797 filed 17 April 1996, for example, which may be referred to for more information.
As previously indicated, the secret encryption and/or decryption keys) stored in the card 2 and the server 15 can be static, i.e. they can retain the same value throughout the service life of the product, or dynamic, i.e. their value can change with time. The value of the dynamic keys can itself be a function of the content of the clock and/or event counters, as described for example in French patent application No. 96 04798 filed 17 April 1996.
Whether the key is a static key or a dynamic key, it is necessary during the phase of initializing the production parameters or personalizing parameters of the card 2 to load into the programmable memory 9 thereof an initial value that will constitute the static key, the initial dynamic key or a root enabling the initial dynamic w key to be calculated. In a system including a large number of cards, for example several thousand to several tens of thousands, administering one or more secret keys specific to each card and different from those of all the other cards causes security problems. It is desirable for the end user of the card to be assured that the security offered by 5 the card cannot be compromised by programming operations performed on the upstream side by the entity or entities responsible for initializing the production parameters and/or personalizing parameters of the card.
These security problems are accentuated by the 10 current expansion of secure communication systems which must be able to respond to requirements related to the multiplicity of applications and the multiplicity of security levels for an application. For example, for a security system of given configuration, i.e. a set of cards 15 and associated software installed in the cards 2 and the verification units 3 in order to perform particular functions, the same card can be used for different applications, for example authentication vis-a-vis a data processing or similar network to obtain access to one or more resources of that network (access to each resource may require separate authentication), telepurchasing, etc.
Moreover, there may be several security levels for the same application, for example according to different categories of users, with the result that the cards have to be personalized according to their end user.
The multiplicity of applications for the same security system and of security levels for the same application, combined with the various phases of the life of the system between its manufacture and its supply to the end user, means that there can be for the same system, simultaneously or not, a plurality of administrators responsible for administering security problems.
Considering a simple case in which the security system includes only one application, a card can circulate during its life cycle between a number of entities, namely:

the manufacturer or the supplier who sells the security system to the client;
- a general administrator, who can be the security manager of the client, which can have several geographical sites, each site having its own security system administration organization, independent of that of other sites;
- local administrators each responsible for the organization of the security system of the business at the .
level of one geographic site; and - end users each of whom will hold a card 2 and use it on one or more particular geographical sites.
Once a batch of cards has been sold to a client by the supplier or the manufacturer, administering a system of this kind presupposes that only the general administrator can use the batch of cards and that another client cannot use them. Thus:
- on the one hand, the manufacturer or the supplier must during production initialize a number of parameters common to a batch of cards for a given client who alone will be able to initialize his personalizing parameters in the cards; and - personalization by the client must be irreversible: once the general administrator has personalized the cards, they must no longer be usable by the supplier or the manufacturer.
Once in possession of the batch of cards the general administrator initializes all the personalizing parameters common to all the sites in the cards. The cards are then distributed to various sites on each of which a local administrator initializes the personalizing parameters specific to the site concerned. If cards have to be used and recognized on more than one site, they are handed over to a first local administrator for initializing the personalizing parameters of the first site, then to a second local administrator for initializing the personalizing parameters of the second site, and so on. In this context, it is necessary to assure the independence of the administration means, in other words:
- a local administrator X must be able to initialize only the personalizing parameters of site X:
being able to initialize the personalizing parameters of site X does not make it possible to initialize the personalizing parameters of site Y or to know the personalizing parameters of site Y; and - to assure that administration at each site is autonomous, being the general administrator must not imply a knowledge of the personalizing parameters of the various sites.
These various functions are implemented by means of mechanisms for initializing production parameters and personalizing parameters described next with reference to figures 2 to 4.
Figure 2 is a diagram showing in-production mechanisms for initializing data or parameters, referred to hereinafter as production parameters, which are common to a batch of cards for a given client. In the figure, the lefthand column shows the operations performed by the supplier of the card, i.e. the entity which is responsible for supplying the security system to the client. The middle column shows the operations performed by a tool 20 for manufacturing the cards 2, the manufacturer being the same entity as the supplier or not. Finally, the righthand column shows the operations implemented in the card 2. The production tool 20 used by the manufacturer includes conventional hardware and software that there is no need to describe here and which are used, among other things, to generate data and to transmit it to the cards 2 to program their programmable memory 9.
The lefthand column in figure 2 shows a number of secret keys KROM. KPEM. KALE and KMES which are common to an entire batch of cards for a given client.
The key KROM is defined by the supplier and is known only to the supplier. The key KROM is installed in the permanent read-only memory 8 of the cards when masking the integrated circuits but is not known to the manufacturer of the cards 2 if this is not the same entity as the supplier. To this end, it can be embedded in encrypted form in the software controlling the card .
production tool, for example.
The supplier also chooses the keys KpEM, Kp,LE and KMES and enters them in encrypted form in the software controlling the production tool. The values of these three keys are communicated confidentially to the client, preferably separately from the batch of cards. The key KpEM
is a master personalizing key which, as described below, is used to generate a personalizing key specific to each card according to its serial number. The key KALE is a key enabling the cards to generate challenges and the key KMES
is a key enabling an alphabet and messages to be loaded into the cards.
As shown in the centre column in figure 2, the production tool 20 reads the serial number NS associated with a given card and an algorithm submits the number NS to an encryption operation E using the master personalizing key KpEM (block 100). The result of this encryption is a specific personalizing key KpER which is specific to the card and is submitted by means of an algorithm and the key KROM (block 101) to an inverse operation E-1 to produce a datum E(KpER). The key KpER is used in blocks 102 and 103 to generate data E(KMES) and E(KALE) from the keys KMES and Kp,LE, respectively, using the inverse operation E-1. In the foregoing description, and in the subsequent description, if B = E[KX](A) is the result of the encryption E of a datum A by means of a key Kg, E-1 represents the inverse operation A = E - 1[Kg](B) enabling the datum A to be obtained at the output, by means of the key KX, by applying to the input the key for encrypting the datum B.
For a given card 2, the production parameters (block 104) include the serial number NS, the output data of blocks 101, 102 and 103 and the status of an internal clock counter of the production tool enabling initialization of a clock counter of the card 2, in particular if the system uses dynamic keys and/or variables.
After the parameters have been reset to zero and the internal parameters of the card 2 concerned have been initialized, the card waits to receive a production frame (block 105). In step 106 the card 2 receives the production frame consisting of the data previously listed (block 104).
By means of the software programmed into it, the microcontroller 7 then calculates (block 107) the key KpER
from the datum E(KpER) and the key KROM. using operation E.
It also uses operation E to calculate (block 108) the key KMES from the datum E(KMES) and the key KpER and (block 109) the key KALE from the datum E(Kp,LE) and the key KpER.
In step 110 the serial number NS and the keys KpER.
Kp,LE and KMES are stored in memory and the card is ready to be sent to a client to be personalized.
In the process described above, it is sufficient to know the format of the production frame (block 104) to load parameters into a.card because this operation does not require an access code. However, a pirate in possession of the format of the production frame' would nevertheless be unable to personalize and use the card because he or she would not know the key KROM.
Figure 3 shows a variant of the process for initializing the production parameters which has the advantage of not introducing the keys KROM and KpEM into the software for initializing the production parameters of . 20 the production tool 20. To this end, by means of its own software, the supplier (lefthand column) calculates the data E (KpER) , E (KMES) and E (KALE) from the data KpER, KMES
and KALE respectively, and the key KROM. After calculating this data by an operation E-1 (blocks 111, 112 and 113), the supplier introduces the data into the software for initializing the production parameters of the production tool (step 114) .
After the tool 20 has read the serial number of the card concerned (step 115) and the parameters have been reset to zero and the internal parameters of the card have been initialized (step 116), the production tool 20 transmits the production parameters to the card (step 117):
these parameters are the serial number NS, the data E-1(KpER), E-1(KMES) and E-1(KALE), and the status of the internal clock counter. After receiving the corresponding frame (step 118), the microcontroller 6 uses operation E to w calculate the key KpEM from the datum E (KpEM) and the key KROM (step 119). It then calculates the personalizing key KpER specific to the card using operation E, the data NS
and the master personalizing key KpEM (step 120). Finally, the microcontroller 7 uses operation E to calculate the keys KALE and KMES from the data E(KALE) and E(KMES).
respectively, and the key KRpM stored in the permanent memory 8 of the card (steps 121 and 122). In step 123 the data NS, KpER, KALE and KMES is stored in the programmable memory 9 of the card 2. This data is the same as that obtained by the process of initializing the production parameters described with reference to figure 2.
When the production parameters of a batch of cards from a given client have been initialized in this way, they are shipped to the client . The keys common to this batch, namely the master personalizing key KpEM, the key KALE for generating challenges and the key KMES for loading the alphabet and messages, are communicated confidentially to the client. Each card holds in memory the keys KALE and KMES which are common to the batch of cards and the key KpER and the serial number NS specific to it.
Furthermore, each card 2 holds in memory a code or number identifying the version of the software mask programmed into the integrated circuits of the card. The software version can vary from one batch of cards to another and within the same batch of cards for a given client there may be several groups of cards with different versions of the software on the basis of requirements expressed by the client as to the use of the cards. The code or number identifying each version of the software programmed in the cards shipped to the client is supplied to the client by the supplier. The client also has software for personalizing cards according to the version of the software programmed therein.
Figure 4 shows the process of personalizing the cards 2 by the client. The lefthand column represents the operations performed by a personalizing tool 30 and the righthand column shows the operations performed in the cards 2. The personalizing tool 30 has a structure similar to that of the verification unit 3, i.e. it includes means for communication with the cards 2, a data processor, memories containing in particular the software needed to personalize the cards according to the version of the software programmed therein, and a database containing the values of the keys KpEM, KALE and KMES and the personalizing parameters to be loaded into the cards 2 according to the version of the software programmed therein.
In figure 4, in step 200, the card is awaiting a call or communication opening frame from the personalizing tool. In step 201 the personalizing tool opens communication with the card to be personalized and sends the communication opening frame INIT-MAT. In step 202 the card receives the communication opening frame INIT-MAT and sends the personalizing tool an identification frame IDENT-MAT
including the code or number of the version of the software it contains. In step 203 the personalizing tool 30 receives the identification frame IDENT-MAT and the software version number is input to the database to read therein, among other things, the personalizing parameters to be loaded into the card. In step 204 the personalizing tool 30 sends a software initialization frame INIT-LOG which the card .
receives in step 205, and then proceeds to step 206.
In step 206 the card uses the operation E to calculate a challenge by means of the key KALE (block 207) and then the datum E(NS) by encrypting the serial number NS
of the card using a key which is itself the result of encrypting by means of a logic function F the version number NL of the software using the challenge calculated in step 207. After these encryption operations 208 and 209, the card sends an identification frame IDENT-LOG containing the challenge and E (NS) (step 210) . The personalizing tool 30 receives this frame in step 211 and, by means of an operation F in step 212 on the number NL using the challenge transmitted from the card and an operation E-1 in step 213 on E(NS) by means of the result of the operation effected in step 212, generates the serial number NS of the card. The serial number NS of the card being personalized is input to the database to enable the client to retain a table of personalizing data for each card. In step 214 the personalizing tool calculates the key KpER specific to the card by an operation E of encrypting the serial number NS
by means of the master personalizing key KpEM which is supplied by the database of the tool 30. The tool then calculates (step 215) an authentication password App (which constitutes the access code to personalizing the card) by an operation F which encrypts the challenge by means of the key KpER . App = F[KpER](Challenge).

In step 216, the personalizing tool constructs the personalizing data common to the card from the password calculated in step 215 and personalizing parameters received from the database. The common personalizing data includes personalizing command codes, the password App authenticating the personalizing tool, a new secret personalizing key NKpER specific to the card and to be substituted for the initial personalizing key KpER, and various personalizing parameters, including, for example, one or more secret keys KgEA for calculating the authentication password AgEA vis-a-vis the verification unit 3 (ApEA = E [KgEA](Challenge), and secondary or particular secret personalizing keys KpE~, KpERy, etc specific to each site X, Y, etc for which the card has to be personalized.
In step 217, the personalizing data is transmitted to the card in the form of several frames.
In step 218, the card receives the personalizing frames, verifies the personalizing command codes, stores the received data and sends an acknowledgement to the personalizing tool.
In step 219, the card calculates a code or password ApC for verifying the authentication password App by encrypting the challenge using the logic function F and the specific personalizing key KpER stored in its memory in step 110 or 123: ApC = F[KpER](Challenge).
In step 220, the card verifies that the authentication password App received from the personalizing tool 30 is consistent with the verification password ApC
calculated by the card and, if so, stores the personalizing data in step 221: for example, consistency can consist in the fact that the two passwords are identical, as shown in figure 4, or that the two passwords are linked by another predetermined relationship.
Finally, in step 222 the card substitutes the new personalizing key NKpgR received from the personalizing tool for the old key KpgR. The new key NKpgR is not known to the supplier, who is thereafter unable to access the personalizing data of the client. Read and/or write mode access to the personalizing data requires the personalizing tool to supply the card with a new authentication password NApp = F[NKpgR](Challenge) consistent with the verification password NApC calculated in the card as explained with reference to step 219, NApp and NApC being calculated on .
the basis of a new challenge generated in the card and transmitted to the personalizing tool.
However, a knowledge of the common secret personalizing key NKpgR does not make it possible to read secondary personalizing secret keys KpE~, KpgRy, etc loaded into the card in step 221, or any other secret key.
This is because the secret keys cannot be read because the program of the microcontroller 7 does not include any command for reading these parameters.
After step 222, the general administrator can transmit the cards to the local administrators of sites X, Y, etc., each of whom will be able, using respective secondary keys Kpg~, KpERy, etc, and a process similar to that shown in figure 4, and which does not need to be described again in detail, to load the card with the personalizing parameters specific to the site for which he or she is responsible. To this end, the secondary key specific to personalizing the card for each site is communicated confidentially by the general administrator to the local administrator concerned.
Using the secondary key communicated to him or her, the local administrator loads the card with the personalizing data specific to the site concerned, for example an authentication key for calculating an authentication password vis-a-vis a verification unit of that site. Thus the local administrator of site X can load an authentication key KgE~, the local administrator of site Y can load an authentication key KgEAY. and so on.
During the process of personalizing the card for a given site X, the local administrator can substitute a new 5 secondary personalizing key NKpE~ for the secondary personalizing key KpE~ in the card received from the general administrator for the site concerned, as described with reference to figure 4. This will prevent general administrators having access in read and/or modify mode to 10 the personalizing parameters of cards whose secondary personalizing key has been modified. Modifying the secondary keys also provides a seal between the various segments or functions of the card. Modifying the secondary keys KpEg~, KpERy, etc (replaced by NKpE~, NKpERy, etc) 15 protects against hacking with the aim of writing other secret data into the segments. The effect of this type of hacking is limited because it is not possible to read the secret data even if the corresponding secondary secret personalizing key is known. However, exclusive access to 20 personalizing each segment is guaranteed, as is exclusive access to the common personalizing data with the key KpER.
NKpER~
After the segments have been personalized by means of the secondary keys KpEg~, KpERy, NKpEg~, NKpERy, it is 25 preferred that the key KpER, NKpER specific to the card enables them to be overwritten in order to perform a new process of initializing all the personalizing parameters of the card, if necessary. This facility can be useful in the event of an anomaly, to prevent the device being rendered permanently unusable.
However, in one variant, this possibility can be prohibited.
Figure 5 is a general flowchart showing the main phases of the program that executes in a card 2 provided with a plurality of segments which, after the common personalizing parameters have been initialized, must be initialized with personalizing parameters that are specific to them in order to use the functions specific to each segment by means of the card.
The program starts in step 300 and in step 301 a test is performed to determine if this is the first start since a reset.
If so, the memory is reset to zero in step 302, after which a test is performed in step 303 to determine if .
a flag representative of initialization of the parameters during production (parameters initialized by the manufacturer) is active. If the response to the test in step 301 is negative, the next step is a test step 303.
If the response to test step 303 is negative, the program waits for initialization of the production parameters (step 304). The next step 305 corresponds to initialization of the production parameters in the card 2, as described with reference to figures 2 and 3. When this initialization has been completed, a flag is activated in step 306 and the program goes back to the entry of test step 303.
If the response to test step 303 is positive, i.e.
if the production parameters have been initialized, the program runs a test step 307 to determine if a flag representative of initialization by the client of the common personalizing parameters is active. If not, the program waits for initialization of the common personalizing parameters (step 308). The next step 309 corresponds to initialization of the common personalizing parameters in the card 2; as described with reference to figure 4. The common personalizing parameters include the reprogrammable personalizing keys Kpg~, KpgRy specific to each segment or function. When this initialization has been completed, a flag is activated in step 310 and the program returns to the entry of test step 307.

If the response to test step 307 is positive, the program moves on to a test step 311 to determine if a flag representative of initialization of personalizing parameters specific or particular to the various segments of the card is active. If not, the program waits for initialization of the personalizing parameters particular to the segments (step 312). Step 313 corresponds to initialization in the card 2 of the personalizing parameters particular to the segments. For each segment, this initialization is subordinate to the supply to the card of a correct access code Apg, Apy dependent on the key Kpg~, KpgRy allocated to that segment and a challenge supplied by the card to the personalizing tool, as described with reference to figure 4. As appropriate, this initialization is performed by the general administrator or by the local administrators at the various geographical sites, as previously described. During this process of initializing the particular personalizing parameters, the responsible administrator can substitute a new particular personalizing key NKpg~, NKpERy for the initial personalizing key KpE~, KpgRy for the segment concerned, which was loaded in step 309. Only the holder of the new key NKpg~, NKpgRy can generate the new access code NApg, NApy and subsequently access (in read mode and/or in write mode, depending on how the processing means are programmed) the personalizing data particular to the corresponding segment and the holder of the specific personalizing key KpgR (or NKpgR if it has been modified) does not have access thereto if he or she does not know the new particular personalizing key.
When the initialization of the personalizing parameters of all the segments has been completed, a flag is activated in step 314, the response to test step 311 is positive and the program moves on to step 315 which represents access for the end user to the various functions of the card implemented by the program of the card.
As previously indicated, the invention is not limited to the use of symmetrical algorithms using secret keys and applies equally if the mechanisms for initializing the parameters of the card use asymmetric algorithms employing public and private keys. In this case, the public key is stored in the card or device 2, the challenge is generated in the device 2 and the private key is stored in a personalizing tool or a smart card used by the personalizing tool.
However, using asymmetric algorithms does not allow derivation of keys since the concept of a mother key does not exist in this type of algorithm.
Also, it goes without saying that the embodiments described are merely examples and can be modified, in particular by substitution of equivalent technical means, without departing from the scope of the invention.

Claims (21)

THE EMBODIMENTS OF THE INVENTION IN WHICH AN EXCLUSIVE
PROPERTY OR PRIVILEGE IS CLAIMED ARE DEFINED AS FOLLOWS:
1. Portable electronic device for secure communication with at least one electronic unit for use of at least one function, including:
* data storage means, * interface means with at least one external tool for loading data into said storage means, * data processing means including initialization means for enabling, in response to the application of a secret personalizing access code specific to said device, modification of said specific access code and loading of personalizing data into said storage means, characterized in that said device is adapted to use a plurality of functions (X, Y, etc) and includes:
* first means (7, 309) controlled by said specific access code (A PO) for loading into said storage, means (9) reprogrammable particular secret data (K PERX, K PERY, etc.) respectively representative of different particular secret personalizing access codes (A PX, A PY, etc) and each assigned to personalizing a particular function (X, Y, etc) of said device, * second means (7, 313) controlled by said particular access codes (K PERX, K PERY, etc) for loading into said storage means (9) particular personalizing data (K SEAX, K SEAY, etc) assigned to the implementation of said functions (X, Y, etc) by said processing means (7), and * inhibitor means (7; 313) adapted to authorize modification of any of said particular secret data (K PERX, K SEAY, etc) consecutive upon its loading into said storage means and said loading of said personalizing data (K SEAX, (K SEAY. etc) particular to a function (X, Y, etc) only in response to the application of the particular secret personalizing access codes (A PX, A PY, etc) already assigned to said function (X, Y, etc).
2. Device according to claim 1, characterized in that said inhibitor means (7) are adapted to prohibit read mode access to any of said secret data (K PER, K PERX, K PERY.
etc).
3. Device according to claim 1 or claim 2, characterized in that said inhibitor means are adapted to prohibit read mode and write mode access by said processing means (7) to said particular personalizing data (K SEAX, K SEAY. etc) by means of said specific secret personalizing access code (A PO, NA PO).
4. Device according to any of claims 1 to 3, characterized in that said inhibitor means are adapted to prohibit read mode access to said particular personalizing data (K SEAX, K SEAY, etc) following the loading of said data by means of said particular secret personalizing access codes (K PERX, K PERY, NK PERX, NK PERY, etc) assigned to said functions (X, Y, etc).
5. Device according to any of claims 1 to 3, characterized in that said inhibitor means are adapted to authorize read mode access to personalizing data (K SEAX, K SEAY, etc) particular to a function (X, Y, etc) by means of the particular secret personalizing access code (A PX, A PY, NA PX, NA PY, etc) assigned to said function.
6. Device according to any of claims 1 to 6 , characterized in that said processing means (7) are adapted to authorize, by means of said specific secret personalizing access code (A PO, NA PO), the deletion of said particular secret data (K PERX, K PERY, etc) and of said particular personalizing data (K SEAX, K SEAY, etc) previously loaded into said storage means and the loading of new particular secret data (NK PERX, NK PERY, etc).
7. Device according to any of claims 1 to 6, characterized in that said specific secret personalizing access code (A PO) is an access code for loading into said storage means personalizing data (person-param) common to all said functions (X, Y, etc) of the device.
8. Device according to any of claims 1 to 7, characterized in that it includes third means (7, 305) for loading into said storage means a reprogrammable specific secret datum (K PER) representative of said specific secret personalizing access code (A PO), said initialization means (7, 200-222) being adapted to authorize the replacement of said specific secret datum (K PER) by a new specific secret datum (NK PER) representative of a new specific secret personalizing access code (NA PO) only in response to the application to said processing means (7) of the specific access secret code (A PO) imaging said specific secret datum (K PER) to be replaced.
9. Device according to claim 8, characterized in that said storage means include at least one non-volatile memory (8) in which a base secret key (K ROM) is stored and said initialization means (7) include first means (7, 107) for calculating an initial value of said specific secret datum (K PER) as a function of said base secret key (K ROM) and an initial secret parameter (E(K PER); E(K PEM)).
10. Device according to any of claims 1 to 9, characterized in that said secret datum (K PER, NK PER) is a secret key for calculating a code (A PC; NA PC) for verifying the personalizing access code (A PO; NA PO) of which said datum is representative.
11. Device according to claim 10, characterized in that said processing means (7) include second means for calculating said verification code (A PC, A PX, A PY) by encrypting a variable by means of said calculation secret key (K PER. K PERX, K PERY. etc).
12. Device according to any of claims 1 to 11, characterized in that said personalizing data includes at least one plurality of authentication secret keys (K SEAX.
K SEAY) which are different from each other and each of which is assigned to one of said functions and in that said processing means (7) include third means for calculating an authentication code (A PEA) vis-à-vis a verification unit (3) as a function of one of said authentication secret keys (K SEAX, K SEAY).
13. Method of initializing a device according to any of claims 1 to 12, characterized in that it includes:
- an initialization first step (100-110; 111-123) consisting in defining and storing in said storage means (9) a reprogrammable personalizing secret key (K PER) specific to said device, - a personalizing second step (201-222)consisting in loading into said storage means, by means of a specific access code (A PO) dependent on said specific personalizing key (K PER), personalizing data (person-param) common to said functions and particular reprogrammable secret keys (K PERX. K PERY) for calculating said particular access secret codes (A PX, A PY) each assigned to loading particular personalizing data relative to one of said functions (X, Y) and modifying said specific personalizing key (K PER), and - a personalizing third step (313) consisting in, for each of said functions (X, Y), loading the personalizing data (K SEAX, K SEAY) relating to said function into said storage means by means of the corresponding particular access secret code (A PX, A PY).
14. Method according to claim 13, characterized in that said third step includes a step consisting in, when loading particular personalizing data relative to at least one of said functions (X, Y), modifying said particular secret key (K PERX, K PERY) for calculating said particular access secret code (A PX, A PY) assigned to said function.
15. Method according to claim 13 or claim 14, characterized in that the initialization first step includes:

~ at least one initialization first phase consisting in defining at least one secret datum (K PEM; E(K PEM)) common to a set of devices intended for the same entity, ~ at least one second initialization phase including the steps of, for each device of said set:
a) reading a specific identification datum (NS) carried by said device, b) calculating a first specific personalizing key (K PER) as a function of said common secret datum (K PEM;
E(K PEM)) and said identification datum (NS), c) storing said identification data (NS) and said first specific personalizing key (K PER) in said storage means (9).
16. Method according to claim 15, characterized in that said personalizing second step includes the following steps, for each device of said set:
a) extracting (209) said specific identification datum (NS) from said device (2), b) calculating (214) in a first external tool (30) said first specific personalizing key (K PER) as a function of said common secret datum (K PEM) and said specific identification datum (NS), c) calculating (215) in said external tool (30) a first specific access code (A PO) as a function of said specific personalizing key (K PER) and a challenge transmitted by said device, d) transmitting (217) from said first tool to said device (2) said first specific access code (A PO) with personalizing parameters including a second specific personalizing key (NK PER) different from said first specific personalizing key (K PER), e) calculating (219) in said system a code (A PC) for verifying said first access code (A PO) as a function of said first specific personalizing key (K PER) and said challenge, f) comparing (220) in said device said first specific access code (A PO) and said verification code (A PC) and, in response to a match of said codes:
g) storing (221) said personalizing parameters in said storage means (9), and h) substituting (222) said second specific personalizing key (NK PER) for said first specific personalizing key (K PER) in said storage means (9).
17. Method according to claim 15 or claim 16, characterized in that said initializing first step includes a third phase consisting in initially storing a common base secret key (K ROM) in a permanent memory (8) of said storage means and in that steps a) and b) of said initialization second phase consist in:
~ applying said common secret datum (K PEM) and said base key (K ROM) to a second external tool (20), ~ reading said identification datum (NS) by means of said second tool, ~ calculating (100) said specific personalizing key (K PER) by means of said second tool (20), ~ encrypting (101) said specific personalizing key (K PER) by means of said common base key (K ROM) in said second external tool (20), ~ transmitting (104) the result (E(K PER)) of said encryption from said second tool (20) to said device (2), and ~ decrypting (107) said result (E(K PER)) in said system by means of said base key (K ROM) to reconstitute said specific personalizing key (K PER).
18. Method according to claim 15 or claim 16, characterized in that said initializing first step includes a third phase consisting in initially storing a common base key (K ROM) in a permanent memory (8) of said storage means, in that said first phase equally consists in encrypting (111) said common secret datum (K PEM) by means of said common base key (K ROM) and applying the result of said encryption (E(K PEM)) to a second external tool (20), and in that said second phase equally consists in:
a) reading (115) said specific identification datum (NS) by means of said second tool (20) and transmitting said identification datum (NS) and the result of said encryption (E(K PEM)) to said device, b) decrypting (119) said result (E(K PEM)) in said device (2) by means of said base key (K ROM) to restore said common secret datum (K PEM) and thereafter calculating (120) said specific personalizing key (K PER).
19. Secure communication system characterized in that it includes a set of devices according to any of claims 1 to 12 and at least one tool (30) for initializing personalizing parameters for loading into each of said devices:
* personalizing data (person-param) common to the various functions (X, Y) of said device, * said particular personalizing data (K SEAX, K SEAY.
etc), and * said particular secret data (K PERX, K PERY, etc).
20. Secure communication system according to claim 19, characterized in that it further includes a tool (20) for the initial loading into each of said devices of a reprogrammable secret datum (K PER) specific to each device and representative of said specific secret personalizing access code (A PO).
21. Secure communication system characterized in that it includes a set of devices according to claim 12 and at least one verification unit (3).
CA002300933A 1997-08-21 1998-08-19 Portable electronic device for safe communication system, and method for initialising its parameters Abandoned CA2300933A1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
FR9710548A FR2767624B1 (en) 1997-08-21 1997-08-21 ELECTRONIC PORTABLE DEVICE FOR SECURE COMMUNICATION SYSTEM, AND METHOD FOR INITIALIZING ITS PARAMETERS
FR97/10548 1997-08-21
PCT/FR1998/001820 WO1999010848A1 (en) 1997-08-21 1998-08-19 Portable electronic device for safe communication system, and method for initialising its parameters

Publications (1)

Publication Number Publication Date
CA2300933A1 true CA2300933A1 (en) 1999-03-04

Family

ID=9510423

Family Applications (1)

Application Number Title Priority Date Filing Date
CA002300933A Abandoned CA2300933A1 (en) 1997-08-21 1998-08-19 Portable electronic device for safe communication system, and method for initialising its parameters

Country Status (10)

Country Link
US (1) US6308268B1 (en)
EP (1) EP1004100B1 (en)
JP (1) JP2001514454A (en)
CN (1) CN1271448A (en)
AT (1) ATE239956T1 (en)
AU (1) AU735885B2 (en)
CA (1) CA2300933A1 (en)
DE (1) DE69814406T2 (en)
FR (1) FR2767624B1 (en)
WO (1) WO1999010848A1 (en)

Families Citing this family (87)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6367011B1 (en) 1997-10-14 2002-04-02 Visa International Service Association Personalization of smart cards
EP0932124B1 (en) * 1998-01-14 2002-05-02 Irdeto Access B.V. Integrated circuit and smart card comprising such a circuit
US6615189B1 (en) 1998-06-22 2003-09-02 Bank One, Delaware, National Association Debit purchasing of stored value card for use by and/or delivery to others
US7809642B1 (en) 1998-06-22 2010-10-05 Jpmorgan Chase Bank, N.A. Debit purchasing of stored value card for use by and/or delivery to others
US7660763B1 (en) 1998-11-17 2010-02-09 Jpmorgan Chase Bank, N.A. Customer activated multi-value (CAM) card
US6032136A (en) 1998-11-17 2000-02-29 First Usa Bank, N.A. Customer activated multi-value (CAM) card
US6882984B1 (en) 1999-06-04 2005-04-19 Bank One, Delaware, National Association Credit instrument and system with automated payment of club, merchant, and service provider fees
US7370004B1 (en) 1999-11-15 2008-05-06 The Chase Manhattan Bank Personalized interactive network architecture
US8793160B2 (en) 1999-12-07 2014-07-29 Steve Sorem System and method for processing transactions
US6941279B1 (en) 2000-02-23 2005-09-06 Banke One Corporation Mutual fund card method and system
FR2806858B1 (en) * 2000-03-22 2002-05-03 France Telecom CRYPTOGRAPHIC PROTECTION AGAINST FRAUD
FR2810139B1 (en) * 2000-06-08 2002-08-23 Bull Cp8 METHOD FOR SECURING THE PRE-INITIALIZATION PHASE OF AN ON-BOARD ELECTRONIC CHIP SYSTEM, ESPECIALLY A CHIP CARD, AND ON-BOARD SYSTEM IMPLEMENTING THE METHOD
WO2002011019A1 (en) 2000-08-01 2002-02-07 First Usa Bank, N.A. System and method for transponder-enabled account transactions
FR2816731B1 (en) * 2000-11-14 2003-01-03 Gemplus Card Int METHOD FOR LOADING AND CUSTOMIZING THE INFORMATION AND PROGRAMS LOADED IN A CHIP CARD
US6985873B2 (en) 2001-01-18 2006-01-10 First Usa Bank, N.A. System and method for administering a brokerage rebate card program
US7313546B2 (en) 2001-05-23 2007-12-25 Jp Morgan Chase Bank, N.A. System and method for currency selectable stored value instrument
US7133662B2 (en) * 2001-05-24 2006-11-07 International Business Machines Corporation Methods and apparatus for restricting access of a user using a cellular telephone
US7133971B2 (en) * 2003-11-21 2006-11-07 International Business Machines Corporation Cache with selective least frequently used or most frequently used cache line replacement
US6983364B2 (en) * 2001-06-29 2006-01-03 Hewlett-Packard Development Company, Lp. System and method for restoring a secured terminal to default status
US6834795B1 (en) * 2001-06-29 2004-12-28 Sun Microsystems, Inc. Secure user authentication to computing resource via smart card
WO2003010701A1 (en) 2001-07-24 2003-02-06 First Usa Bank, N.A. Multiple account card and transaction routing
US7809641B2 (en) 2001-07-26 2010-10-05 Jpmorgan Chase Bank, National Association System and method for funding a collective account
US8020754B2 (en) 2001-08-13 2011-09-20 Jpmorgan Chase Bank, N.A. System and method for funding a collective account by use of an electronic tag
US7311244B1 (en) 2001-08-13 2007-12-25 Jpmorgan Chase Bank, N.A. System and method for funding a collective account by use of an electronic tag
US8800857B1 (en) 2001-08-13 2014-08-12 Jpmorgan Chase Bank, N.A. System and method for crediting loyalty program points and providing loyalty rewards by use of an electronic tag
FR2829603A1 (en) * 2001-09-11 2003-03-14 St Microelectronics Sa METHOD AND DEVICE FOR STORING AND READING DIGITAL DATA ON A PHYSICAL MEDIUM
US6970817B2 (en) * 2001-10-31 2005-11-29 Motorola, Inc. Method of associating voice recognition tags in an electronic device with records in a removable media for use with the electronic device
US20030097582A1 (en) * 2001-11-19 2003-05-22 Yves Audebert Method and system for reducing personal security device latency
US6857565B2 (en) * 2001-12-14 2005-02-22 Damon Eugene Smith Electronic traveler's checks
US20030163703A1 (en) * 2002-02-28 2003-08-28 Robins Mark Nelson Image key security system and method
US20030163716A1 (en) * 2002-02-28 2003-08-28 Robins Mark Nelson Card key security system and method
US7756896B1 (en) 2002-03-11 2010-07-13 Jp Morgan Chase Bank System and method for multi-dimensional risk analysis
US7899753B1 (en) 2002-03-25 2011-03-01 Jpmorgan Chase Bank, N.A Systems and methods for time variable financial authentication
US20180165441A1 (en) 2002-03-25 2018-06-14 Glenn Cobourn Everhart Systems and methods for multifactor authentication
AU2003230751A1 (en) 2002-03-29 2003-10-13 Bank One, Delaware, N.A. System and process for performing purchase transaction using tokens
US20040210498A1 (en) 2002-03-29 2004-10-21 Bank One, National Association Method and system for performing purchase and other transactions using tokens with multiple chips
DE10216384A1 (en) * 2002-04-12 2003-10-30 Scm Microsystems Gmbh Access control network
US6941468B2 (en) * 2002-05-06 2005-09-06 Thomson Licensing Hand-held device forgotten password notification
US20030220145A1 (en) * 2002-05-22 2003-11-27 Erickson Craig S. Digital camera and networking accessories for a portable video game device
US8239304B1 (en) 2002-07-29 2012-08-07 Jpmorgan Chase Bank, N.A. Method and system for providing pre-approved targeted products
US7809595B2 (en) 2002-09-17 2010-10-05 Jpmorgan Chase Bank, Na System and method for managing risks associated with outside service providers
US20040122736A1 (en) 2002-10-11 2004-06-24 Bank One, Delaware, N.A. System and method for granting promotional rewards to credit account holders
TW595195B (en) * 2003-04-04 2004-06-21 Benq Corp Network lock method and related apparatus by ciphered network lock and inerasable deciphering key
US8306907B2 (en) 2003-05-30 2012-11-06 Jpmorgan Chase Bank N.A. System and method for offering risk-based interest rates in a credit instrument
US7669236B2 (en) * 2004-11-18 2010-02-23 Biogy, Inc. Determining whether to grant access to a passcode protected system
US7953663B1 (en) 2003-09-04 2011-05-31 Jpmorgan Chase Bank, N.A. System and method for financial instrument pre-qualification and offering
US8239323B2 (en) 2003-09-23 2012-08-07 Jpmorgan Chase Bank, N.A. Method and system for distribution of unactivated bank account cards
TWI283524B (en) * 2004-04-09 2007-07-01 Lite On Technology Corp Method to control and manage an authentication mechanism using an active identification device
US7467106B1 (en) 2004-06-18 2008-12-16 Jpmorgan Chase Bank, N.A. System and method for offer management
US8429006B1 (en) 2004-06-18 2013-04-23 Jpmorgan Chase Bank, N.A. System and method for offer targeting
EP1766839B1 (en) * 2004-07-15 2013-03-06 Anakam, Inc. System and method for blocking unauthorized network log in using stolen password
US8528078B2 (en) 2004-07-15 2013-09-03 Anakam, Inc. System and method for blocking unauthorized network log in using stolen password
US8296562B2 (en) 2004-07-15 2012-10-23 Anakam, Inc. Out of band system and method for authentication
US7676834B2 (en) * 2004-07-15 2010-03-09 Anakam L.L.C. System and method for blocking unauthorized network log in using stolen password
US8533791B2 (en) 2004-07-15 2013-09-10 Anakam, Inc. System and method for second factor authentication services
US7392222B1 (en) 2004-08-03 2008-06-24 Jpmorgan Chase Bank, N.A. System and method for providing promotional pricing
US7702911B2 (en) * 2004-11-18 2010-04-20 Biogy, Inc. Interfacing with a system that includes a passcode authenticator
US7979716B2 (en) 2004-11-18 2011-07-12 Biogy, Inc. Method of generating access keys
US7707622B2 (en) 2004-11-18 2010-04-27 Biogy, Inc. API for a system having a passcode authenticator
US20060107312A1 (en) * 2004-11-18 2006-05-18 Michael Fiske System for handing requests for access to a passcode protected entity
US8209751B2 (en) * 2004-11-18 2012-06-26 Biogy, Inc. Receiving an access key
US20090228714A1 (en) * 2004-11-18 2009-09-10 Biogy, Inc. Secure mobile device with online vault
US7886155B2 (en) 2004-12-20 2011-02-08 Biogy, Inc. System for generating requests to a passcode protected entity
US20060107309A1 (en) * 2004-11-18 2006-05-18 Michael Fiske Using an access key
US7565548B2 (en) 2004-11-18 2009-07-21 Biogy, Inc. Biometric print quality assurance
US20060107315A1 (en) * 2004-11-18 2006-05-18 Michael Fiske System that uses access keys
US7770018B2 (en) * 2004-11-18 2010-08-03 Biogy, Inc. Setting up a security access system
US20080288786A1 (en) * 2004-12-20 2008-11-20 Michael Stephen Fiske System with access keys
EP1691338A1 (en) * 2005-02-14 2006-08-16 Axalto S.A. Method for diversifying a protective key in an authentication token
US8630898B1 (en) 2005-02-22 2014-01-14 Jpmorgan Chase Bank, N.A. Stored value card provided with merchandise as rebate
US7401731B1 (en) 2005-05-27 2008-07-22 Jpmorgan Chase Bank, Na Method and system for implementing a card product with multiple customized relationships
US8408455B1 (en) 2006-02-08 2013-04-02 Jpmorgan Chase Bank, N.A. System and method for granting promotional rewards to both customers and non-customers
US7784682B2 (en) 2006-02-08 2010-08-31 Jpmorgan Chase Bank, N.A. System and method for granting promotional rewards to both customers and non-customers
US7753259B1 (en) 2006-04-13 2010-07-13 Jpmorgan Chase Bank, N.A. System and method for granting promotional rewards to both customers and non-customers
KR100854731B1 (en) * 2006-07-21 2008-08-27 (주)네오프리라인 Method and apparatus for authentication of portable electronic devices
DE102006037879A1 (en) * 2006-08-11 2008-02-14 Bundesdruckerei Gmbh Document reader, method of reading a data object and computer program product
FR2905216B1 (en) * 2006-08-25 2009-03-06 Thales Sa METHOD FOR CUSTOMIZING A SECURITY COMPONENT, IN PARTICULAR IN AN UN-PROTECTED ENVIRONMENT
US8533821B2 (en) * 2007-05-25 2013-09-10 International Business Machines Corporation Detecting and defending against man-in-the-middle attacks
US8676642B1 (en) 2007-07-05 2014-03-18 Jpmorgan Chase Bank, N.A. System and method for granting promotional rewards to financial account holders
US8417601B1 (en) 2007-10-18 2013-04-09 Jpmorgan Chase Bank, N.A. Variable rate payment card
US8515996B2 (en) 2008-05-19 2013-08-20 Emulex Design & Manufacturing Corporation Secure configuration of authentication servers
US20100269162A1 (en) * 2009-04-15 2010-10-21 Jose Bravo Website authentication
EP2312437A1 (en) * 2009-09-30 2011-04-20 Thomson Licensing Detecting client software versions
US8683609B2 (en) * 2009-12-04 2014-03-25 International Business Machines Corporation Mobile phone and IP address correlation service
US8838988B2 (en) 2011-04-12 2014-09-16 International Business Machines Corporation Verification of transactional integrity
US8917826B2 (en) 2012-07-31 2014-12-23 International Business Machines Corporation Detecting man-in-the-middle attacks in electronic transactions using prompts
CN112491558A (en) * 2020-11-26 2021-03-12 湖南中育至诚数字科技有限公司 Data writing method, system and storage medium of multi-application chip card

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA1004362A (en) 1972-04-11 1977-01-25 Gretag Aktiengesellschaft System for the individual identification of a plurality of individuals
IL64675A0 (en) 1981-12-30 1982-03-31 Greenberg Avigdor Data verification system
US4650975A (en) * 1984-08-30 1987-03-17 Casio Computer Co., Ltd. IC card and an identification system thereof
US4800590A (en) 1985-01-14 1989-01-24 Willis E. Higgins Computer key and computer lock system
GB2206431B (en) * 1987-06-30 1991-05-29 Motorola Inc Data card circuits
FR2626095B1 (en) * 1988-01-20 1991-08-30 Sgs Thomson Microelectronics SECURITY SYSTEM FOR PROTECTING PROGRAMMING AREAS OF A CHIP CARD
US5060263A (en) 1988-03-09 1991-10-22 Enigma Logic, Inc. Computer access control system and method
DE3927270C2 (en) * 1989-08-18 1996-07-11 Deutsche Telekom Ag Process for personalizing chip cards
EP0722596A4 (en) * 1991-11-12 1997-03-05 Security Domain Pty Ltd Method and system for secure, decentralised personalisation of smart cards
JPH06236447A (en) * 1993-02-09 1994-08-23 Mitsubishi Electric Corp Microcomputer for ic card
FR2731536B1 (en) * 1995-03-10 1997-04-18 Schlumberger Ind Sa METHOD FOR SECURE INFORMATION RECORDING ON A PORTABLE MEDIUM

Also Published As

Publication number Publication date
JP2001514454A (en) 2001-09-11
EP1004100A1 (en) 2000-05-31
DE69814406D1 (en) 2003-06-12
AU9077098A (en) 1999-03-16
US6308268B1 (en) 2001-10-23
CN1271448A (en) 2000-10-25
FR2767624A1 (en) 1999-02-26
DE69814406T2 (en) 2004-05-27
ATE239956T1 (en) 2003-05-15
AU735885B2 (en) 2001-07-19
FR2767624B1 (en) 2002-05-10
WO1999010848A1 (en) 1999-03-04
EP1004100B1 (en) 2003-05-07

Similar Documents

Publication Publication Date Title
US6308268B1 (en) Portable electronic device for safe communication system, and method for initializing its parameters
US7320139B2 (en) Data processing system for application to access by accreditation
US6694436B1 (en) Terminal and system for performing secure electronic transactions
US8572392B2 (en) Access authentication method, information processing unit, and computer product
CA2371137C (en) Secure distribution and protection of encryption key information
US5802176A (en) System for controlling access to a function, using a plurality of dynamic encryption variables
US5825875A (en) Process for loading a protected storage zone of an information processing device, and associated device
EP1248190B1 (en) Enabling and disabling software features
US8756421B2 (en) Authentication device using true random number generating element or pseudo-random number generating element, authentication apparatus, and authentication method
US6044154A (en) Remote generated, device identifier key for use with a dual-key reflexive encryption security system
US7257708B2 (en) Steganographic authentication
US20030212894A1 (en) Authentication token
US6839840B1 (en) Authenticating method between a smart card and a terminal
US7147157B2 (en) Secure remote-control unit
JPS63229541A (en) Data exchange system
JPH11306088A (en) Ic card and ic card system
US7716477B2 (en) Data processing method, program of the same, and device of the same
EP1504424B1 (en) An authentication token
JP3409653B2 (en) Service providing system, authentication device, and computer-readable recording medium recording authentication program
KR20130123986A (en) System for issuing an otp generator and method thereof
EP0872081B1 (en) Method and device for data communication
JPH10134157A (en) Method and device for cipher authenticating process utilizing computer card
JPH09106445A (en) Key changing method for information recording medium and information recording medium
JPH1141229A (en) Access controller and medium recording access control program
CA2241834C (en) Method and device for data communication

Legal Events

Date Code Title Description
FZDE Discontinued
FZDE Discontinued

Effective date: 20040819