Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Particular communication authentication technique
Reexamination Certificate
1998-07-23
2001-09-04
Peeso, Thomas R. (Department: 2132)
C705S076000
active
06286099
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates to secure, electronic payment in exchange for goods and services purchased over a communication network, and more specifically, to determining the security properties of the hardware devices and accompanying software used in the payment network, for the purpose of allowing financial institutions to allow or disallow specific types of transactions based on the security properties of the device. A preferred embodiment of the invention facilitates public key cryptography for securely transmitting transactions over a public communication network in a manner that is independent of any specific financial institution.
BACKGROUND
Today, approximately 2 trillion dollars' worth of purchases are made yearly over the worldwide credit and debit networking systems. Also, approximately 350 billion coin and currency transactions occur between individuals and institutions every year. As smart card technology matures (a smart card is a credit card with built-in memory, and optionally a microprocessor, that can be used as an identification or financial transaction card and can also store personal or transaction information), many of these transactions will take place electronically. Home banking programs allow consumers to pay bills and transfer money between accounts, all from the privacy of their own homes. Soon, with electronic cash, these same consumers will be able to download value from their banks without leaving home. Throughout the history of commerce, economic exchange has generally sought greater convenience at a lower cost, while achieving improved security.
In transactions that take place over networks (e.g., a consumer sending payment details to a merchant, or the merchant requesting transaction approval from a bank), it is desirable for the devices used by consumers and merchants to have specific security properties. In many cases, the security properties are mandated by government regulation; in other cases, the specific financial institution may have requirements that are more stringent than the government requirements.
Credit card networks generally transmit only information that is easily obtainable elsewhere. For example, the card number transmitted is also plainly visible as embossed on the face of the credit card. For these reasons, many governments limit the liability of the cardholder in the case of theft of the card number.
Online debit networks and Automatic Teller Machine (ATM) networks require the use of a Personal Identification Number (PIN) to authorize a transfer of funds. Various governmental and financial institution regulations stipulate that the devices used to capture a PIN and transmit it to a financial institution incorporate encryption and that the devices be tamperproof. Generally, the properties of such a device include the majority of the following:
An encryption key utilizing a symmetric key algorithm like Data Encryption Standard (DES) (a standard method of coding information into ciphertext), stored in a non-volatile memory such as an Electrically Erasable Programmable Read Only Memory (EEPROM), for securely transmitting debit card PINs.
A keypad for entering PINs for debit cards and smart cards.
A casing that detects whether the device is being tampered with for the purpose of altering the electronics or determining the key.
A mechanism for zeroing the device memory, including any keys and transaction history, in the event that the device is tampered with.
In some cases, sophisticated shielding, such as a Faraday cage, that ensures the device does not give off any electromagnetic radiation that would allow instrumentation measuring such radiation to determine which keys are pressed on the keypad of the device.
The financial institution that purchases such devices (e.g., Point of Sale (POS) terminals or Automated Teller Machines (ATMs)) specifies the requirements for its devices and ensures, via a certification process, that the devices are compliant with any governmental or card association regulations, as well as with the transaction processing environment at the particular financial institution.
Recently, electronic commerce has expanded to include interactions with consumers in their own homes using either private or public networks such as the Internet. It is desirable for the merchant to transmit information, including a subset of the information provided by the customer, over such a network to a payment gateway computer system that is designated, by a bank or other financial institution that has the responsibility of providing payment on behalf of the customer, to authorize a commercial transaction on behalf of such a financial institution, without the risk of exposing that information to interception by third parties. Such institutions include, for example, financial institutions offering credit card or debit card services.
One attempt to provide such a secure transmission channel is a secure payment technology, such as Secure Electronic Transaction (SET), jointly developed by the Visa and MasterCard card associations, and described in Visa and MasterCard's Secure Electronic Transaction (SET) Specification Version 1.0, May 31, 1997 (available for download via www.setco.org/SET_Specifications.html), incorporated herein by reference in its entirety.
Another attempt to provide such a secure transmission channel is a general-purpose secure communication protocol such as Netscape, Inc.'s Secure Sockets Layer (SSL), as described in Freier, Karlton & Kocher (hereinafter “Freier”), The SSL Protocol Version 3.0, March 1996, and incorporated herein by reference in its entirety. SSL allows for secure transmission between two computers. SSL advantageously does not require special-purpose software to be installed on the customer's computer, because it is already incorporated into commercially and widely available software that many people utilize as their standard Internet access medium, and advantageously does not require that the customer interact with any third-party certification authority. Instead, the support for SSL can be incorporated into software already in use by the customer (e.g., the Netscape Navigator™ World Wide Web browsing tool).
SUMMARY
The present invention provides for determining point of interaction device security properties for secure transmission of a transaction between a plurality of electronic devices, such as point of interaction (POI) devices or computer systems (or both), over a public communication system, such as the Internet. In one embodiment, a communication is established between a first electronic device and a second electronic device using a public network. Digital certificates are then exchanged to validate the parties and to provide a secure channel for transmission of data. Device security properties of the first electronic device are determined based on information transmitted by the first electronic device to the second electronic device thereby allowing the second electronic device to accept or reject a transaction request from the first electronic device based (in part) on the device security properties of the first electronic device.
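An added example, not taken from the patent: a sketch of the accept-or-reject decision described above, in which the second device (a gateway) checks the first device's declared security properties against what each transaction type requires. The property names, the policy table, the device identifiers and the HMAC tag (which stands in for the certificate-based signature so the block runs on the Python standard library alone) are assumptions.

```python
import hashlib
import hmac
import json

# Hypothetical policy: property names paraphrase the PIN-device list in the
# Background; card-number-only credit transactions require none of them.
POLICY = {
    "credit": set(),
    "pin_debit": {"encrypted_pin_key", "pin_keypad",
                  "tamper_detection", "zeroize_on_tamper"},
}

def seal(properties, device_id, key):
    """Issuer side: bind a set of security properties to a device identity."""
    body = json.dumps({"device": device_id, "props": sorted(properties)},
                      sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def authorize(claim, txn_type, key):
    """Gateway side: return (allowed, reason) for one transaction request."""
    expected = hmac.new(key, claim["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, claim.get("tag", "")):
        return False, "property claim failed integrity check"
    required = POLICY.get(txn_type)
    if required is None:  # fail closed on transaction types with no policy
        return False, "unknown transaction type"
    missing = required - set(json.loads(claim["body"])["props"])
    if missing:
        return False, "missing: " + ", ".join(sorted(missing))
    return True, "ok"

if __name__ == "__main__":
    key = b"constructed-demo-key"              # constructed sample value
    pc = seal([], "home-pc-01", key)            # software-only consumer device
    pos = seal(POLICY["pin_debit"], "pos-77", key)  # certified PIN terminal
    # A device that copies another device's property list without a valid tag:
    forged = dict(pc, body=pos["body"].replace("pos-77", "home-pc-01"))
    for name, claim in (("pc", pc), ("pos", pos), ("forged", forged)):
        for txn in ("credit", "pin_debit"):
            print(name, txn, authorize(claim, txn, key))
```
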
Hewlett-Packard Company