System with and method of cryptographically protecting...

Data processing: financial – business practice – management – or co – Business processing using cryptography – Secure transaction

Reexamination Certificate


Details

active

06553351

ABSTRACT:

The state of the art in electronic purses is adequately described in part II of the (draft) European Standard EN 1546. The description as contained in that document is summarised here and schematically given in FIG. 1; the draft standard contains a more detailed description and explicitly indicates the potential multiplicity of parties involved in the protocols, which aspects have been omitted here for clarity. See also European patent 0,421,808-B1.

Referring to FIG. 1, an electronic purse operates in that, in return for payment from a holder of a Value Carrying Device 1, a Value Guaranteeing Institution 4 is responsible for securely loading Balance 7 held in Value Carrying Device memory 52 of the Value Carrying Device 1 with a value using a value initializing protocol 12. The Value Carrying Device 1 is provided with a Value Carrying Device processor 50 connected to memory 52.

For the purpose of a payment the Value Carrying Device 1, which has a current value indicated as balance 7, engages with a Value Accepting Device 2 using a value transfer protocol 9. The Value Carrying Device 1 may be a tamper resistant device such as a smart card or may contain such a device that at least protects the integrity of the balance 7; the tamper resistant feature of the balance 7 is indicated in FIG. 1 by the double lines surrounding the balance 7. The basis of the value transfer protocol consists of a first “claiming” message 13 from the Value Accepting Device 2 to the Value Carrying Device 1, fundamentally containing the amount to be transferred and optionally additional data which may possibly in part serve as a cryptographic challenge, and a proving message 14 containing proof of debit of the balance 7. The cryptographic proof contained in the message 14 serves to authenticate the value transferred in the message and indirectly the correctness of processing inside the Value Carrying Device 1, and ultimately establishes a guarantee for refunding the transferred value by the Value Guaranteeing Institution 4. The Value Accepting Device 2 is provided with a Value Accepting Device processor 51 connected to a Value Accepting Device memory 6. The Value Accepting Device processor 51 is, preferably, also tamper resistant.

The acceptance of the message depends on the verification by the Value Accepting Device 2 of the cryptographic proof contained in the message 14, upon which the Value Accepting Device 2 increases the value 8 held in its own secure storage 6. Alternative techniques may be used with equal result of accruing value in the Value Accepting Device 2, for instance one which allows value to be collected by storing every transaction individually in either secure or non-secure storage in the Value Accepting Device. Such techniques may involve the exchange of more messages than those described in FIG. 2, which may contain additional data, but the net effect is the same: transfer of value. U.S. Pat. Nos. 4,996,711 and 5,131,039 of Chaum describe such possible protocols, mainly differing in the cryptographic techniques applied. These and other specific protocols are used in commercially available electronic purse smart card applications.

Periodically, for the purpose of recovering the values accepted from the Value Guaranteeing Institution 4, an Acquirer 3 is involved, which may be an entity independent from the Value Guaranteeing Institution 4 or identical to it. The Acquirer 3 uses an acquiring protocol 10 to transfer information about the values accepted by the Value Accepting Device 2 during that period for storage and processing and, as a result, makes a payment 15 to the operator of the Value Accepting Device 2. The British patent application 9505397.1 (Transmo) describes a particular realisation of an acquiring protocol.

The Acquirer 3 may consolidate, by whatever means, value information from a multitude of Value Accepting Devices 2 and deduce the total value to be reclaimed from each Value Guaranteeing Institution 4 using a clearing and settlement protocol 11. As a result, a Value Guaranteeing Institution 4 makes a settlement 16 with the Acquirer 3 for the payments 15 made for the value issued by that particular institution which had been accepted by the Value Accepting Devices 2 as acquired by said Acquirer 3.

With electronic purse systems implemented according to the state of the art it is generally economically infeasible to store, communicate and electronically process individual transactions when they are in majority of small value, which is often the case. As a remedy, a tamper resistant security device 6, commonly known as “SAM” (Security Application Module), that is provided as an integral component of every Value Accepting Device is deployed, into which individual payments are accumulated into a single value for subsequent processing by the Acquirer 3. Additionally, the SAM is used to hold security keys that, when used in conjunction with a publicly known algorithm, allow the Value Accepting Device 2 to verify in the value transfer protocol 9 the authenticity of the Value Carrying Device 1 and the value transferred; specifically, to verify the correctness of the debit proof contained in message 14. The SAM 6 is thus an integral part of the security of the payment system and holds secret information common to the secret information held in each Value Carrying Device 1; it has to be secure against the revealing or alteration of its contents. If compromised by various forms of physical and/or analytical attack, the SAM 6 can be made to reveal the secrets upon which the entire security of payment schemes using such techniques relies. These tamper resistance requirements for the SAM 6 add to the complexity and cost of Value Accepting Devices, to increased complexity of security management, and increase the exposure to risks of misuse of the payment system.

One could use public key cryptographic algorithms to protect the value transfer protocol in implementations of an electronic purse according to the state of the art, which would obviate, in principle, the need for SAMs 6 as part of the Value Accepting Device 2 to authenticate the Value Carrying Device 1 and the value transferred. This restricts the exposure to risks of misuse of the system. However, in general the amount of data required to be stored with each public key protected transaction is significantly large. The need to aggregate in the Value Carrying Device 1 is even greater than in alternative implementations. Again, where aggregation is required the Value Carrying Device 1 must contain a secured component that can be trusted by the Value Guaranteeing Institution 4 or Acquirer 3 to perform the accumulation. The tamper resistance requirements for the Value Accepting Device 2 add to the complexity and cost of the device and to increased complexity of security management in the system.

In purse systems implemented according to the state of the art the actual value transfer protocol 9 is complicated to ensure that failures in communications between Value Carrying Device 1 and Value Accepting Device 2 do not cause irrecoverable loss of value. Additional protocols may be implemented for recovery of value after interrupted communications. Fundamentally, with implementations according to the state of the art, the risk of irrecoverable loss of value cannot be eliminated in full, however complex the protocol. The added complexity in protocols needed to reach a sufficient level of practical reliable operation increases the implementation costs, increases the transaction duration and may lead to more complicated device usage handling, e.g. for explicit recovery protocols.

The object of the current invention is, firstly, to obviate the need for secure devices in Value Accepting Devices; secondly, to guarantee no irrecoverable loss of value; thirdly, to simplify the value transfer protocol; and fourthly, to make it technically and economically feasible to apply a single typ
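The claiming/proving exchange of the value transfer protocol 9, with the acceptor's SAM 6 holding key material shared with every purse, as an added simulation that is not part of the patent text, EN 1546 or any cited protocol. The HMAC-based debit proof, the per-purse key diversified from a SAM master key, the transaction counter and the 16-byte challenge are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import struct

def purse_key(master_key: bytes, device_id: bytes) -> bytes:
    # Assumed diversification: the SAM keeps one master key, each purse its own derived key.
    return hmac.new(master_key, device_id, hashlib.sha256).digest()

def debit_proof(key: bytes, device_id: bytes, amount: int, challenge: bytes, counter: int) -> bytes:
    # MAC over who paid, how much, for which claim (challenge) and the purse's transaction counter.
    return hmac.new(key, device_id + struct.pack(">QQ", amount, counter) + challenge, hashlib.sha256).digest()

class ValueCarryingDevice:
    """The purse (1): balance (7), key and counter live in the tamper-resistant part."""
    def __init__(self, device_id: bytes, key: bytes, balance: int):
        self.device_id, self.key, self.balance, self.counter = device_id, key, balance, 0

    def prove(self, claim: dict) -> dict:
        amount = claim["amount"]
        if amount <= 0 or amount > self.balance:
            raise ValueError("claim exceeds balance")
        self.balance -= amount  # debit first; proving message (14) then attests to that debit
        self.counter += 1
        proof = debit_proof(self.key, self.device_id, amount, claim["challenge"], self.counter)
        return {"device_id": self.device_id, "amount": amount, "counter": self.counter, "proof": proof}

class ValueAcceptingDevice:
    """The acceptor (2) with its SAM (6): issues claiming message (13), checks the proof, accrues value (8)."""
    def __init__(self, master_key: bytes):
        self.master_key, self.value, self.pending, self.seen = master_key, 0, None, set()

    def claim(self, amount: int) -> dict:
        self.pending = {"amount": amount, "challenge": os.urandom(16)}  # fresh challenge per claim
        return self.pending

    def accept(self, proving: dict) -> bool:
        claim, self.pending = self.pending, None  # one claim, one answer
        if claim is None:
            return False
        key = purse_key(self.master_key, proving["device_id"])  # what the SAM can recompute
        expected = debit_proof(key, proving["device_id"], claim["amount"], claim["challenge"], proving["counter"])
        ok = (proving["amount"] == claim["amount"]
              and hmac.compare_digest(expected, proving["proof"])
              and (proving["device_id"], proving["counter"]) not in self.seen)  # reject replayed proofs
        if ok:
            self.seen.add((proving["device_id"], proving["counter"]))
            self.value += proving["amount"]  # value (8) accrues inside the SAM's secure storage
        return ok
```

Because the purse debits balance 7 before the proving message leaves it, a message lost between purse and acceptor leaves the balance reduced and value 8 unchanged, which is the irrecoverable-loss risk the text attributes to state-of-the-art protocols.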
