GB2073461A

GB2073461A - A method of handling a personal identification number in connection with an identification card

Info

Publication number: GB2073461A
Application number: GB8110172A
Authority: GB
Original assignee: GAO Gesellschaft fuer Automation und Organisation mbH
Current assignee: GAO Gesellschaft fuer Automation und Organisation mbH
Priority date: 1980-04-03
Filing date: 1981-04-01
Publication date: 1981-10-14
Also published as: AT401205B; BE888254A; SE454392B; GB2073461B; ATA151581A; DE3013211A1; CH656243A5; DE3013211C2; FR2480009B1; SE8102026L; FR2480009A1; JPS56157551A; JPH0143343B2

Abstract

A personal identification card bearing machine-readable data is coded on at least two levels, preferably in spatially separate places, each card owner being assigned a secret number which is coded at the two levels, and on at least one of the levels secret information carried on the card is also used in this coding. The personal identification number (PIN) of the user may be processed to an intermediate value on the first coding level then processed on the second level to a code number (which is stored on the card) by using secret information read from the card. <IMAGE>

Description

SPECIFICATION A method of handling a personal identification number in connection with an identification card The invention concerns a method of handling a personal identification number (called PIN for short) in connection with an identification card bearing machine-readable data, in which each card owner is assigned a secret number which is generated by a two-level coding - if necessary connected with machine-readable data - for the purposes of card personalization, and which is verified by applying the coded result in each identification process.

The use of a personal identification number in automatic monetary intercourse and services should be such as to guarantee that a machine-readable identification card can be successfully used exclusively by its lawful owner.

Handling the PIN requires two steps: card personalization and user identification.

- Card personalization comprises coding the PIN as well as transferring the coded result and userspecific data and bank-specific data onto the identification card, - User identification comprises verifying the coding transferred to the card during personalization on each occasion the card is used.

Numerous ways of coding the PIN are known.

Simple systems of the kind referred to above, for example as described in US-PS 3657521, combine user-related data like the account-number (hereinaf terreferred to as PAN), for example, with a PIN given by the issuing organisation in accordance with-a predetermined function or relationship.

For user identification in such a system the given relationship between the account-number and the PIN is checked for accuracy after the user has entered his PIN into the machine.

If a defrauder has several cards at his disposal, it is possible that in these conventional systems he may discover the relationship between the coded data on the card and the PIN and may thus be able to derive the pertinent PINs from the data on the stolen cards.

Systems have become known which use complex algorithms in order to-relate the PIN to the userspecific data; one such system, for example, is the "NBS Date Encryption Standard Algorithm", also called "DES" (see US-PS 4123 747). A special feature of such coding systems is that the algorithm itself may be known without any danger to the security of the system, as long as the code, with which clear text data are encoded code-specifically with the algorithm, is kept secret. Thus the algorithm can also be obtained in the form of an IC (integrated circuit) module. To code user-specific data the PAN and PIN are fed onto the DES module, for example, and coded with the aid of secret information (the code) fed simultaneously to the module. The resulting coded information is stored on the card for subsequent comparisons.When such a DES module is available, the security of the system consists in the code being kept secret. If a code becomes known all identification cards processed with the aid of the code are accessible to fraudulent use with the aid of the DES module; there is a risk of the code being discovered as it must necessarily be stored in several places (such as card-issuing organisations and machines) at least inasfar as known systems are concerned. A reduction of the risk would be possible by dividing the issued identification cards up into relatively small groups, and alloting a different code to each of the various groups. However, the use of a separate code for each group of identification cards (each group containing only a very limited number of cards) is uneconomical for both organizational and technical reasons.

To increase security in handling the PIN it has also become known (DOS 29 01 521) for the data on the identification card to be subjected to two-level coding. A system involving this idea is described below in more detail with reference to Figure 1.

For the purpose of the system a PAN and a PIN are assigned to a future card owner. The PIN can be freely selected by the user, and may for example be in the form of a 4digit number. The first coding of the PAN is then carried out, with the PIN serving as code in combination with an initial, secret security number. The so-called first code number that emerges (Y1) is converted or transformed into a second code number (Y2) by means of a predetermined transformation. A check number (PCN), which is stored on the card, for example, results from decoding this second code number, a second, secret security number serving as code in this decoding procedure.

For user identification the PAN read from the card is coded with the aid of the PIN and the first security number, so as to yield the initial code number (Y1) if the data are correct. Furthermore, the check number (PCN) read from the card is coded with the aid of the second security member, so as to yield the second code number (Y2). The code numbers (Y1, Y2) should be such as to satisfy the particular transformation determined either by the card issue or by the card personalization.

The improvement in security achieved with this system as compared to the systems previously described is especially marked when two different security numbers, i.e. two different codes, are used.

A disadvantage of the system is the additional need for storage necessary for the second code, and also the additional measures needed for maintaining the secrecy of the second code.

This is especially true in the case of offline systems which are beyond the direct control of specific organisations, and in which each user may have access not only to the organisation's own machine, but also to others.

Since all the codes employed must be stored in each machine, the inefficiency of the system increases with the number of machines involved. The number of machines involved also increases the danger to the security system, since each machine contains all the "secrets" necessary for manipulation of the system.

The aim of the present invention is to provide a system of handling the personal identification number which improves the efficiency and security in the handling of the PIN while retaining the fundamental ly high security of a system using two-level coding.

This aim is achieved, according to the present invention, by providing a method of handling a personal identification number (PIN) in connection with an identification card bearing machine-readable data, in which method each card owner is assigned a secret number which is coded by a two-level coding for the purposes of card personalization - if necessary connected with machine-readable data - and which is verified by use of the coded result in each identification process, characterised in that on at least one of the levels of the two-level coding, secret information recorded on the identification card is also employed.

In spite ofthe considerable security afforded by two-level coding justifiable storage requirements for the machines result from secret information (code) read from the card also being processed on at least one of the coding levels, and another code being assigned to each identification card without any special additional measures, which further increases the security of the system.

As will be shown, the method according to the invention allows for the secret information to be distributed in a simple way to the different "levels" involved in the use of the PIN (the organisation level issuing the PIN, the personalization level issuing the card, the machine level of user identification), with out the secret information necessary for deriving the PIN being available in its entirety on any one of the levels.

For the representation or storage of the code information onthe identification cards high-quality safeguarding techniques are preferably used, which prevent the information from being recognized and simulated or which impede this in such a way that the necessary effort - mainly in carrying out the necessary technical work - considerably exceeds the profit that can be made by determining the code information. The manner of representing the code on the identification card is optional as long as the requirements mentioned above are preferably fulfil led. It can be achieved, for example, by using magnetic, electrographic, fluorescent or other mate rials that are difficult to identify. Similarly, a produc tion feature of a production tolerance peculiar to the identification card, or visually coded recordings can be used.

There now follows, by way of example, a descrip tion of one embodiment of the invention with reference to the accompanying drawings, of which: Figure 1 is a diagrammatic illustration of a system for handling the PIN in accordance with the prior art, and Figure 2 is a diagrammatic illustration of a system for handling the PIN in accordance with the present invention.

Figure 1 shows a system for handling of the PIN in accordance with the prior art. The method used is subdivided into the procedural steps of personaliza tion 1 and user identification 2.

For personalization a PAN 3 and a PIN 4 are assigned to a future card owner. The latter can be selected by the user, for example in the form of a 4-digit number. Then coding of the PAN 3 ie carried out in a first coding module 6, using as code the PIN 4 in combination with a first secret security number 5. The resulting so-called initial code number is converted to a second code number2 by means of a predetermined transformation. A check number PCN, which is stored for example on a card 12, results from the decoding of this second code number Y2 in a module 10, using as code a second secretsecurity number 11.

For user identification the PAN 3 on the user's card is read by a machine and is coded with the aid of a PIN 9 entered by the user and the first security number 5, so as to yield the initial code number Y1 if the data are correct. Furthermore, the check number PCN read from the card is coded in the module 10 with the aid of the second secret security number 11, so that here the second code number Y2 results.

Code numbers Y1 and Y2 must fulfill the transformation determined by the card issue or by card personalization, which is checked in a comparator 13.

It is clear from Figure 1 that all system data - i.e. all secret codes and so on - must be present in the machine for personalization as well as for user identification. The danger of secrets being betrayed or the data and measures necessary for handling the system being detected or discovered is thus relatively great.

Figure 2 shows by way of examply a possible method of carrying out the handling of the PIN in accordance with the invention.

In the handling of the PIN three procedural levels can be distinguished, these being marked by dotted lines: - the organisation level 15, on which the user is assigned the corresponding user data PAN, - the personalisation level 16, on which the identification card is provided with all the necessary user and bank data, - the machine level 17, on which the identification card data are read and checked to see if they correspond to the PIN that has been entered.

It is convenient for the card-issuing organisation to undertake the allocation of user-specific data PAN 18 to the future card owner.

A PIN 19 for example a 4-digit number, can be selected by the user himself, if desired. The PIN 19 selected by the user and known onlyto him, as well as the PAN 18 are fed into an algorithm module 20 and processed to an intermediate value IV with the aid of an initial secret code, generated from a code store 21. Intermediate value IV and the corresponding user-related data PAN are stored on magnetic tape 22.

The magnetic tapes produces by various organisations are given to central personalisation agencies (on the personalization level 16) for the final preparation of the identification cards 23. Here the magnetic tape data are read and fed once again into an algorithm module, 24, which can be constructed like module 20. The second code that manipulates the data is obtained here, however, from secret card information (see hatched area 7) with the aid of a read head 28 attached to a code reader 25. The result of the coding, the code number CN, is stored together with the user-related data PAN on a magnetic track 26 on the card 23, for example.

For user identification (which takes place at the machine level 17) the user types his secret PIN 19 into the machine. The PIN is coded, together with the PAN read from the card, by feeding in the first secret code from the code store 21. The result is fed immediately to a second algorithm module 24 and coded by feeding in the second secret code, which is again obtained from the identification card 23 with the aid of the code reader 25 connected to a read head 28.

The result of the double coding corresponds to the code number CN stored on the magnetic track 26, when the sequence is correct. A comparator 27 gives a yes-signal which is either coupled to a visual indicator or connected to electronics in the device, which indicate the result of the check by generating appropriate electronic signals and thus allow for further procedural steps to take place, for example the issue of the desired credit amount.

The modules of the system that must the protected against unauthorized access are indicated by hatching on all three procedural levels. As mentioned and shown clearly in the procedural sequence of Figure 2, the secret information necessary to derive the PIN is not directly accessible on any of the three levels. This fact, together with the use of a two-level coding process, whereby one of the codes is generated by a secret feature (for example, specific to the card), allows for a system of handling the PIN which is efficient and has a high level of security.

To ensure that the link between the read head 28 and the signal evaluation module or code reader 25 cannot be tapped, the read head 28 and the module 25 are, in a practical embodiment of the system, in the same sealed frame, into which the identification card 23 can be introduced through a slit.

As mentioned, there are several methods of providing identification cards with code information which cannot be detected or imitated.

For example, in US-PS 3620590 a holographic method of protecting information from unauthorized access is described. The desired information, visually coded, is transferred by a special filter (master code filter) onto a hologram in the identification card. The coded information can be reconstructed only by means of a master code filter. The filter is ensured against unauthorized access as part of the reading device.

Any method of representing information which can be reconstructed only by special means inaccessible to the defrauder and with specific expert knowledge, can be used, on the basis of the invention.

Analogously to the above-mentioned example, it is thus also possible to provide the identification card with, for example, magnetic or fluorescent patterns, of which the information content can be recognized only with special devices that are not generally obtainable and with the appropriate expert knowledge.

In the example of operation described, the same coding principle (NBS Date Encryption Standard Algorithm) was selected for both coding levels, to simplify the description. There are a number of other coding methods that can also be used within the scope of the invention. The use of different algorithms on the two levels is also possible. Independent of the coding principle itself, the essential aspect of the invention, as explained above, is rather that the coding takes places on two levels, preferably in spatially separate places, and that secret cardspecific information is involved in the coding process.

Claims

1. A method of handling a personal identification number (PIN) in connection with an identification card bearing machine-readable data, in which method each card owner is assigned a secret number which is coded by a two-level coding for the purposes of card personalization - if necessary connected with machine-readable data - and which is verified by use of the coded result in each identification process, characterised in that on at least one of the levels of the two-level coding, secret information recorded on the identification card is also employed.

2. A method according to Claim 1, in which the PIN is processed to an intermediate value on the first coding level - if necessary connected with userspecific data (PAN) or by application of a secret code - for the purposes of card personalization, and the intermediate value is processed to a code number, which is stored on the identification card, on the second level - if necessary connected with userspecific data - by also using secret information read from the identification card.

3. A method according to Claim 1, in which the PIN entered by the user is processed to an intermediate value - if necessary connected with user-related data read by the card or by application of a secret code - for the purposes of user identification, and this intermediate value is than immediately converted to a code number - if necessary connected with user-related data - by also using secret information read from the identification card, and finally the code number thus obtained is checked against the code number stored on the identification card in that case.

4. A method according to any of Claims 1 to 3, in which the first and second codings are carried out in spatially separate places.

5. A method according to Claim 4, in which the first coding is carried out decentrally by the various organisations that issue cards.

6. A method according to Claim 4 or 5, in which the second coding is carried out centrally by the organisation that personalizes cards.

7. A method according to any of Claims 1 to 6, in which the secret information obtained from the card is generated from a card-specific feature.

8. A method according to Claim 7, in which the feature is represented by a holographic, magnetic, fluorescent or electrographic code pattern.

9. A method according to Claim 1 and substantially as hereinbefore described with reference to Figure 2 of the accompanying drawings.