Registers – Systems controlled by data bearing records – Credit or identification card systems
Reexamination Certificate
2002-05-15
2003-09-09
Le, Thien M. (Department: 2876)
Registers
Systems controlled by data bearing records
Credit or identification card systems
C235S379000, C235S381000, C235S383000, C705S039000, C705S041000, C705S043000, C705S044000, C902S001000, C902S002000, C902S004000, C902S005000, C902S022000, C902S025000
Reexamination Certificate
active
06616035
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates to a method and a device for performing secure transactions between a service provider such as an institution, a bank, financial institute, retail store, database server, file server etc., and a holder of the device, i.e. transaction requester, which can be a customer or a user of a system.
BACKGROUND OF THE INVENTION
When performing transaction and identification in a general form (credit cards, club members, fund members, broker contacts, access control etc.) a customer or user identifies itself by supplying a unique person identifier, such as a name, customer number, credit card number, social security number etc. The transaction can either be accepted or require further authentication, such as supplying a secret piece of information such as a password or a PIN(Personal Identification Number)-code. If a lookup in the customer/user file identifies the authentication response as correct, the transaction is considered valid. In the case of authentication being used, the problem addressed is the fact that the service provider can by no means verify that the user is the person it turns out to be.
Several problems arise in terms of security, since this type of processing often is done over “open air”, i.e. it can be intercepted and recorded. The fraudulent user can then supply the same identity and authentication and to the service provider appear to be the legal user. To supply a credit card number over a phone connection or on a fax-back form is a large discomfort for many users. Further on, fraudulent use of personal codes and credit card numbers is a major problem in today's automated world.
The growth of Internet trade has risen several concerns about security when customers have to identify themselves to a remote service provider. There is a general understanding that a severe limiting factor for the public to perform trade and utilize services is the rational fear that confidential information is intercepted during transmission of account numbers and credit card numbers having corresponding passwords or PINs.
There are several methods and devices which address these concerns, including encryption of secure information and Transaction Identification (TID) codes. The latter relates to the method of the Service Provider (SP) issuing a single-use code which is transformed in a non-linear fashion, unique to each user, and then transferred back to the SP. The SP then performs the same non-linear transformation and compares the result returned from the remote location. If the results match, the transaction is considered to be valid.
A common way of performing secure transaction relies on the concept of a Certificate, such as X.509, which is defined as an open standard. The certificate relies on the concept of TIDs and is issued by the SP. The certificate is a piece of information, installed into the software package used to perform transactions, such as an Internet browser. The user activates the secret information in the certificate by providing a PIN-code, which is compared with the predefined code in the certificate.
The certificate method has several drawbacks, where the most obvious is the fact that the certificate resides in one computer only. There is no general way of carrying a certificate from computer to computer, or in a more general form, from terminal to terminal. There is also a security drawback involved in the fact that the certificate is stored on a non-removable medium, and can therefore theoretically be opened by someone else using the computer where the certificate is stored.
The fact that scripting languages, such as Java and VBScript, commonly used to perform a more programmatic behavior of Internet pages, actually can perform fraudulent actions, such as intercepting the PIN-code entered when opening a certificate, copying the certificate information and then transferring he information back to an alien service provider.
Some SPs issue transaction terminals, which are small calculator-like devices including a display, a keyboard, and in some cases a slot for inserting an IC-card with user information. This method solves the problem with mobility, but adds up an additional cost for the device. The most severe drawback of this method is the fact that it is all done manually. To enter a TID, and then collate the processed result back is a time-consuming and error-prone process. The number of digits entered and collated back has to be a compromise between security on one hand, and the convenience of having a short code on the other. It can further be assumed that these manual steps are an obstacle for the customer, which may be one reason not to perform a desired action.
The concept of encryption generally relies on the assumption that the time required to “reverse engineer”, i.e. decrypt, the encrypted information is long enough to make it practically impossible to even try to break the encryption scheme. The fabulous growth of both computer processing power and the discovery of new mathematical algorithms have in many cases proven that this assumption is dangerous. Reverse engineering actions, once considered to take several years on the most powerful machine available, can now be performed in minutes by implementation of new algorithms and massive computing power.
Encryption methods, such as Data Encryption Standard (DES), previously known as hard-to-break schemes are now considered “weak”. Prime number methods, such as RSA, try to keep ahead of this leap by making longer and longer keys. 56-bit RSA methods are today known to be considerably safe, but some high-security applications rely on 1024-bit numbers. This race of numbers can be expected to continue.
A problem with high-security encryption schemes is the fact that they usually need heavy numerical processing. By stationary devices, equipped with high-performance microprocessors, such a PC, this is generally not a major problem. But battery operated, low cost mobile devices, such as cellular phones, portable notebooks etc., generally have limited resources for numerical processing.
The conclusion is that it would be advisable to provide a method and device of addressing these issues and be able to practically prove beyond doubt that a transaction is secure. Preferably, the scheme should be simple to explain and not rely on the fact that parts of the method must be kept strictly secret.
OBJECT OF THE INVENTION
An object of the present invention is to provide a method and a device which is capable of performing a secure transaction automatically over a data network as soon as the transaction requester has entered a valid personal identification in the device.
SUMMARY OF THE INVENTION
According to one aspect of the invention there is provided a method of identification and authentication of a holder of a mobile electronic transaction device in an electronic transaction process between a transaction service provider and a transaction terminal in communication via a computer network, said mobile transaction device comprising transceiver means for transmitting information to and receiving information from said transaction terminal, data input means, data processing means, data storage means having information stored therein including an externally accessible device identity, a non-retrievable reference user identification, and including a non-retrievable secret key to be processed by said processing means and used in communication with the service provider by said transceiver means over said network via the transaction terminal for validating a transaction, and means supplying electric energy to the device, said method comprising:
transmitting the device identity to the transaction terminal;
transmitting a challenge transaction identifier to the device;
said holder entering a user identification input using said input means;
said processing means determining an authenticity of said identification input by comparison with said reference user identification; and
only on said identification input being determined as authentic:
said processing means perf
Ehrensvärd Jakob
Grip Stina
Cypak AB
Le Thien M.
Le Uyen-Chau
Renner , Otto, Boisselle & Sklar, LLP
LandOfFree
Method and device for identification and authentication does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Method and device for identification and authentication, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Method and device for identification and authentication will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3109032