WO2004102860A2 - Cryptographically secure transactions with optical cards - Google Patents

Cryptographically secure transactions with optical cards

Info

Publication number
WO2004102860A2
Authority
WO
WIPO (PCT)
Prior art keywords
ofthe
cryptographic
record
key
recited
Prior art date
Application number
PCT/US2004/015374
Other languages
French (fr)
Other versions
WO2004102860A3 (en)
Inventor
W. Jack Harper
Original Assignee
Bsi2000, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US10/844,963 (US20050005156A1)
Priority claimed from US10/844,967 (US20040267847A1)
Priority claimed from US10/844,960 (US20050005108A1)
Application filed by Bsi2000, Inc.
Publication of WO2004102860A2
Publication of WO2004102860A3

Classifications

    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1008Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/341Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3823Payment protocols; Details thereof insuring higher security of transaction combining multiple encryption tools for a transaction
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/409Device specific authentication in transaction processing
    • G06Q20/4097Device specific authentication in transaction processing using mutual authentication between devices and transaction partners
    • G06Q20/40975Device specific authentication in transaction processing using mutual authentication between devices and transaction partners using encryption therefor
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1016Devices or methods for securing the PIN and other transaction-data, e.g. by encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/065Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H04L9/0656Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
    • H04L9/0662Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher with particular pseudorandom sequence generator
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3297Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56Financial cryptography, e.g. electronic payment or e-cash
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless
    • H04L2209/805Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor

Definitions

  • This application relates generally to optical cards. More specifically, this application relates to cryptographic security of optical cards.
  • Optical cards are cards that are typically made to be about the size of a standard credit card and which store digitized information in an optical storage area. While the storage capacity of such cards may be relatively high, the basic data on the card are relatively easily extracted. Individual data bits on the card are typically about 2 µm in diameter and can be recovered by magnified examination of the card. While this ease of recovery may not be a significant concern for some types of data, it does present a barrier to storing sensitive data on the card. Such sensitive data may be stored in an encrypted format, but a fundamental concern is where to store the secret key used to decrypt the data. The key cannot simply be stored within the optical storage area on the card itself because it would then be as easy to extract as the data.
  • An attempt at obfuscating the key may be tried by embedding the key in the microcode of hardware used in extracting data from the optical cards.
  • This approach suffers from a similar deficiency in that an attacker can reverse engineer the electronics and control microcode to recover the key or its cryptographic function. While this is somewhat more difficult than reverse engineering pure software, it still leaves the keys open to attack while also compounding the security issue by requiring hardware and its microcode to be protected against theft.
  • Another possibility is to embed a smart-card chip into the optical card to produce a hybrid card, with key storage assigned to the smart-card chip.
  • Smart-card chips themselves suffer from a number of security deficiencies. They typically use a form of flash memory that may be read by shaving the outer housing and illuminating the die with a scanning electron microscope to read the bits.
  • Embodiments of the invention provide methods for maintaining cryptographic security of optical-card records. This includes methods for writing records to optical cards, methods for extracting records from optical cards, and methods for initializing a cryptographic-key management device used as part of a network of transaction processing units.
  • A method for writing a record to an optical card.
  • A session key is generated randomly.
  • The session key is encrypted using a private key of a public/private key pair associated with a particular cryptographic-key management device.
  • The record is encrypted using the session key.
  • A serial number for the particular cryptographic-key management device, the encrypted private key, and the encrypted record are optically written to the optical card.
  • A combination of the session key and information uniquely associated with encryption of the record may be encrypted with the private key.
  • A date/time stamp and/or a unique serial number for the optical card may be combined with the session key.
  • The combination is encrypted by randomly generating a string having an equal bit length to the combination and performing an exclusive-or operation between the string and the combination; the string, the result of the exclusive-or operation, and the session key may be encrypted with the private key.
  • The record may be encrypted with a block-encryption technique. For example, an initialization vector c_0 equal in length to each of a plurality of blocks of the record may be generated randomly.
  • A vector c_i may then be generated by encrypting, with the session key, the result of performing an exclusive-or operation on each of the plurality of blocks with the preceding vector c_{i-1}.
  • The record may be signed cryptographically.
  • A one-way hash may be performed of the record, with the result of the one-way hash being encrypted with the private key.
  • A method for extracting a record from an optical card.
  • A number of items may be read from the optical card: (1) a serial number for a particular cryptographic-key management device used when an encrypted version of the record was written; (2) an encrypted session key; and (3) the encrypted version of the record.
  • The encrypted session key is decrypted using a public key associated with the serial number.
  • The encrypted version of the record is decrypted using the decrypted session key.
  • Decrypting the encrypted session key may comprise extracting information uniquely associated with encryption of the record, with the authenticity of the extracted information being verified. Such information may include a date/time stamp and/or a unique serial number for the optical card, in which case verification of authenticity may be performed by verifying that the extracted optical-card serial number matches the actual serial number of the optical card.
  • This information may be extracted in one embodiment by decrypting a combination of the session key, a first string that embodies the information uniquely associated with encryption of the record, and a second string having an equal bit length to that information; an exclusive-or operation is performed between the first and second strings to recover the information.
  • Block decryption may be used to decrypt the encrypted version of the record.
  • A cryptographic signature of the record may be verified.
  • A one-way hash may be performed of the decrypted record.
  • An encrypted version of a one-way hash of the record is read from the optical card and decrypted using the public key, allowing the one-way hash of the decrypted record to be compared with the result of decrypting the encrypted version of the one-way hash.
  • A method for initializing a cryptographic-key management device to encrypt and decrypt optical-card data as part of a network of transaction processing units that comprise such cryptographic-key management devices.
  • A multibit string is transmitted to the cryptographic-key management device, with the cryptographic-key management device being enabled upon receipt of a correct multibit string.
  • An encrypted set of public keys, each of which is associated with one of the cryptographic-key management devices in the network, is read from a master boot optical card. The set of public keys is stored securely in memory comprised by the cryptographic-key management device.
  • The cryptographic-key management device is comprised by a particular transaction processing unit.
  • The application software may be read from the master boot optical card and loaded onto a processor comprised by the particular transaction processing unit and adapted to control operation of the cryptographic-key management device. The authenticity of the application software may be verified.
  • The application software may be read from the master boot optical card by reading a first version of the application software encrypted with the session key and reading a second version subjected to a one-way hash and encrypted with the private key.
  • The session key may be decrypted with the private key, and the application software may be decrypted with the session key.
  • The one-way hash may be applied to the decrypted application software to generate a first result, and the encrypted one-way hash may be decrypted with the private key to generate a second result, allowing the first and second results to be compared.
  • The encrypted set of public keys may be cryptographically signed, allowing the authenticity of the encrypted set of public keys to be similarly verified. If the cryptographically signed version of the encrypted set of public keys was generated by encrypting a one-way hash of the encrypted set of public keys, authenticity may be verified by performing the one-way hash on the encrypted set of public keys read from the master boot optical card to generate a first result. The encrypted one-way hash of the encrypted set of public keys read from the optical card may be decrypted to generate a second result, which may be compared with the first result.
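The write and read procedures above, and the hash-then-encrypt-with-private-key check that the boot procedure reuses for the application software and the public-key table, are worked through below in Python. This is an added example, not code from the patent or from Bsi2000; everything the description leaves open is an assumption here: textbook RSA with a fixed, deterministic toy key pair (two Mersenne primes, chosen only so the example is self-contained; a real device generates its pair internally) standing in for the public/private pair, SHA-256 as the one-way hash, a 16-byte session key, a 32-byte Feistel network with an HMAC round function standing in for the unnamed block cipher, and an 8-byte timestamp plus 8-byte card serial as the "information uniquely associated with encryption of the record". The envelope follows the description literally: session key, random mask, and mask XOR info are concatenated and raised to the private exponent; the reader recovers them with the public key, checks the card serial, decrypts in CBC mode, and verifies the signed hash.

```python
"""Toy model of the optical-card record protocol (added example, not the patent's code)."""
import hashlib
import hmac
import os
import struct
import time

# Fixed demonstration RSA key pair for one cryptographic-key management device.
# Assumption: Mersenne primes are used only to keep the example deterministic.
_P, _Q = (1 << 127) - 1, (1 << 521) - 1
RSA_N, RSA_E = _P * _Q, 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))
DEVICE_SERIAL = 7                                 # constructed serial of the writing device
PUBLIC_KEYS = {DEVICE_SERIAL: (RSA_N, RSA_E)}     # reader's securely stored table, by serial
BLOCK = 32                                        # block size of the stand-in cipher, bytes


def _rsa(data: bytes, exp: int, n: int = RSA_N) -> bytes:
    """Textbook RSA (no padding) on a byte string whose value is below the modulus."""
    m = int.from_bytes(data, "big")
    assert m < n, "input must be smaller than the modulus"
    return pow(m, exp, n).to_bytes((n.bit_length() + 7) // 8, "big")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """Stand-in 32-byte block cipher: 4-round Feistel network with an HMAC-SHA256
    round function (assumption; the description names no cipher)."""
    left, right = block[:16], block[16:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        f = hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:16]
        left, right = right, _xor(left, f)
    return right + left  # final swap lets decryption run the same network backwards


def cbc_encrypt(session_key: bytes, record: bytes) -> bytes:
    """c_0 is a random IV; c_i = E_k(p_i XOR c_{i-1}), as the description states."""
    pad = BLOCK - len(record) % BLOCK
    record += bytes([pad]) * pad                  # PKCS#7-style padding to whole blocks
    c = [os.urandom(BLOCK)]
    for i in range(0, len(record), BLOCK):
        c.append(_feistel(session_key, _xor(record[i:i + BLOCK], c[-1])))
    return b"".join(c)


def cbc_decrypt(session_key: bytes, ciphertext: bytes) -> bytes:
    c = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b"".join(_xor(_feistel(session_key, c[i], True), c[i - 1])
                     for i in range(1, len(c)))
    return plain[:-plain[-1]]


def sign(data: bytes) -> bytes:
    """One-way hash of the data, encrypted with the device's private key."""
    return _rsa(hashlib.sha256(data).digest(), RSA_D)


def verify(data: bytes, signature: bytes, pubkey) -> bool:
    """Decrypt the hash with the public key and compare it with a fresh hash.
    The same check serves the master-boot-card software and key-table checks."""
    n, e = pubkey
    return hmac.compare_digest(_rsa(signature, e, n)[-32:], hashlib.sha256(data).digest())


def write_record(record: bytes, card_serial: int, now: int = None) -> dict:
    """Everything the writing device puts on the card for one record."""
    session_key = os.urandom(16)
    info = struct.pack(">QQ", now if now is not None else int(time.time()), card_serial)
    mask = os.urandom(len(info))                  # random string of equal bit length
    envelope = _rsa(session_key + mask + _xor(info, mask), RSA_D)
    return {"serial": DEVICE_SERIAL, "envelope": envelope,
            "ciphertext": cbc_encrypt(session_key, record), "signature": sign(record)}


def read_record(card: dict, actual_card_serial: int) -> bytes:
    """Reader side; raises ValueError on any authenticity failure."""
    n, e = PUBLIC_KEYS[card["serial"]]
    opened = _rsa(card["envelope"], e, n)[-48:]
    session_key, mask, masked = opened[:16], opened[16:32], opened[32:]
    stamp, card_serial = struct.unpack(">QQ", _xor(masked, mask))  # stamp kept for audit
    if card_serial != actual_card_serial:
        raise ValueError("card serial in envelope does not match this card")
    record = cbc_decrypt(session_key, card["ciphertext"])
    if not verify(record, card["signature"], (n, e)):
        raise ValueError("record signature does not verify")
    return record


if __name__ == "__main__":
    card = write_record(b"access granted: door 12", card_serial=424242)
    print(read_record(card, 424242))
```

Two points worth noticing when running it. Because the envelope is "encrypted" with the private key, any holder of the matching public key can open it; the description itself relies on the public keys being kept inside the devices (see the key-storage passage on the secure memories 416 and 424), so the confidentiality of the session key rests on that table staying secret, while the signature check is what actually ties the record to the writing device. And the serial-number comparison is the only binding between envelope and card: without it a record copied to another card would still decrypt and verify.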
  • Embodiments of the invention also provide a cryptographic-key management device.
  • A secure cryptographic module is provided with a first memory storing a private cryptographic key of a plurality of public/private key pairs. The secure cryptographic module is adapted to zeroize the first memory in response to physical disruption of the module.
  • A secure microcontroller is provided in communication with and adapted to control operation of the secure cryptographic module.
  • The secure microcontroller comprises a second memory storing the public keys of the plurality of public/private key pairs and a self-destruct pin whose activation disables the microcontroller.
  • A package encapsulates the secure cryptographic module and the secure microcontroller, and is linked with the self-destruct pin to activate the self-destruct pin in response to a breach of the package.
  • The physical disruption that results in zeroization of the first memory may comprise a breach of a container housing the first memory, a deviation in temperature of the module outside of a predefined range, or a deviation in strength of an electromagnetic field near the module outside of a predefined range, for example.
  • The package may comprise a brittle wire connected with the self-destruct pin. The wire may be wrapped, perhaps in multiple layers, about the secure cryptographic module and secure microcontroller.
  • The package comprises an encapsulating material that includes an epoxy substance and at least one of a silica and an alumina.
  • The secure microcontroller comprises a second self-destruct pin whose activation also disables the microcontroller, with the second self-destruct pin connected to a tamper sensor internal to a housing.
  • The cryptographic-key management device may further comprise a random-number generator, such as a hardware random-number generator.
  • Such cryptographic-key management devices may be used in an optical-card network that comprises a plurality of transaction processing units and a plurality of optical cards.
  • Each transaction processing unit may comprise a cryptographic-key management device having a securely stored private key for that cryptographic-key management device and securely stored public keys for a plurality of cryptographic-key management devices, an optical-card read/write drive adapted to exchange data with optical cards, and a processor to control operation of the cryptographic-key management device and the optical-card read/write drive.
  • The cryptographic-key management devices may have the structure and characteristics described above.
  • Information may be exchanged among the plurality of transaction processing units only with the plurality of optical cards, while in other embodiments the transaction processing units may be interconnected electronically.
  • Embodiments of the invention provide a hardware random-number generator, which may be used in some instances in a cryptographic system such as may be used with optical cards, but which has other applications also.
  • Random shot noise is generated by first and second quantum random shot-noise generators.
  • A differential amplifier is provided in electrical communication with the shot-noise generators to subtract signals produced by the shot-noise generators.
  • An analog comparator is provided in electrical communication with the differential amplifier to quantize a difference signal produced by the differential amplifier.
  • A second amplifier may be provided in electrical communication with the differential amplifier to supply a virtual ground to the differential amplifier.
  • The analog comparator has a trigger reference derived by scaling and integrating input to the analog comparator.
  • A sample-and-hold module may be provided in electrical communication with the analog comparator to sample output of the analog comparator; for example, such a sample-and-hold module may comprise a JK flip-flop.
  • A processor in electrical communication with the analog comparator may remove residual bias from the quantized signal.
  • Each of the shot-noise generators may comprise a pair of transistors.
  • A first of the transistors has a reverse-biased base-emitter junction to generate current shot-noise signals.
  • A second of the transistors is in electrical communication with the first transistor to convert the current shot-noise signals to voltage signals.
  • An output of the second transistor may be in electrical communication with an input of the first transistor to limit noise-generation pulse width.
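The signal chain just described (two noise sources, differential subtraction, a comparator whose trigger reference is an integrated copy of its own input, and a processor that strips residual bias) is simulated below. This is an added example and not the patent's design: the shot noise is constructed Gaussian noise with a shared slow drift standing in for common-mode interference, the comparator carries an assumed fixed input-offset voltage so that the quantized stream comes out biased, and the bias-removal step is a von Neumann extractor, which the description does not name and is an assumption here. Running it shows why the post-processing stage exists: the raw comparator output is visibly skewed toward zeros, and the extractor output is balanced at the cost of discarding more than half the bits.

```python
"""Simulation of the shot-noise RNG chain and residual-bias removal (added example)."""
import math
import random


def shot_noise_sources(n: int, seed: int = 1):
    """Two constructed noise channels: independent Gaussian shot noise on top of a
    shared slow drift (the common-mode component the differential stage cancels)."""
    rng = random.Random(seed)
    a, b = [], []
    for i in range(n):
        drift = 0.8 * math.sin(i / 500.0)          # assumption: slow common-mode wander
        a.append(drift + rng.gauss(0.0, 1.0))
        b.append(drift + rng.gauss(0.0, 1.0))
    return a, b


def differential_amplifier(a, b):
    """Subtract the two channels; the shared drift cancels, the shot noise does not."""
    return [x - y for x, y in zip(a, b)]


def analog_comparator(signal, offset: float = 0.4, alpha: float = 0.01):
    """Quantize against a trigger reference obtained by scaling and integrating the
    input (a leaky integrator). `offset` models a fixed comparator input-offset
    voltage (assumption) that leaves residual bias in the bit stream."""
    ref, bits = 0.0, []
    for v in signal:
        bits.append(1 if v > ref + offset else 0)
        ref += alpha * (v - ref)
    return bits


def remove_residual_bias(bits):
    """Von Neumann extractor (assumption): keep the first bit of each unequal pair,
    discard equal pairs. Independent of the unknown one-probability."""
    return [bits[i] for i in range(0, len(bits) - 1, 2) if bits[i] != bits[i + 1]]


def bias(bits) -> float:
    """Deviation of the fraction of ones from the ideal 0.5."""
    return sum(bits) / len(bits) - 0.5


def run(n: int = 100_000):
    """Full chain; returns (raw comparator bits, debiased bits)."""
    a, b = shot_noise_sources(n)
    raw = analog_comparator(differential_amplifier(a, b))
    return raw, remove_residual_bias(raw)


if __name__ == "__main__":
    raw, clean = run()
    print(f"raw bias {bias(raw):+.3f} over {len(raw)} bits; "
          f"after extractor {bias(clean):+.4f} over {len(clean)} bits")
```

The extractor only removes bias, not correlation; a real design would also test the output stream (the description's Fig. 8 summarizes such tests) rather than assume a debiased stream is uniform.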
  • Fig. 1 provides schematic illustrations of different forms of optical cards that may be used in embodiments of the invention;
  • Figs. 2A and 2B provide schematic illustrations of different system arrangements that may be used to support the use of optical cards;
  • Fig. 3 provides a perspective illustration of a transaction processing unit that may be used in the systems of Figs. 2A and 2B;
  • Fig. 4 provides a schematic illustration of a cryptographic-key management device that may be integrated within the transaction processing unit of Fig. 3 in an embodiment of the invention;
  • Fig. 5A is a flow diagram illustrating a method for securely forming a cryptographic-key management device like the one illustrated in Fig. 4;
  • Fig. 5B provides a series of schematic illustrations showing the formation of a cryptographic-key management device using the method of Fig. 5A;
  • Fig. 6 provides an exploded view of a cryptographic module used on a cryptographic-key management device in one embodiment of the invention;
  • Fig. 7 provides a schematic illustration of a hardware random-number generator used on a cryptographic-key management device in one embodiment of the invention;
  • Fig. 8 graphically summarizes results of tests of the hardware random-number generator illustrated in Fig. 7;
  • Fig. 9 provides a schematic overview of a cryptographic protocol that makes use of a cryptographic-key management device like the one illustrated in Fig. 4;
  • Fig. 10 is a flow diagram illustrating a method for booting a transaction processing unit that uses the cryptographic protocol in one embodiment;
  • Fig. 11 is a flow diagram illustrating a method for writing a secure record to an optical card using the cryptographic protocol in one embodiment;
  • Fig. 12 is a flow diagram illustrating a method for reading a secure record from an optical card using the cryptographic protocol in one embodiment.
  • Embodiments of the invention permit the support of cryptographically secure transactions using optical cards.
  • Optical cards may be of the specific type described in U.S. Pat. No. 5,919,112, entitled “OPTICAL CARD” by Jiro Takei et al., the entire disclosure of which is incorporated herein by reference for all purposes, but more generally include any card that uses optical storage techniques.
  • Such optical cards are typically capable of storing very large amounts of data in comparison with magnetic-stripe or smart cards.
  • A typical optical card may compactly store up to 4 Mbyte of data, equivalent to about 1500 pages of typewritten information.
  • Optical cards hold on the order of 1000 times the amount of information of a typical smart card.
  • Optical cards are also impervious to electromagnetic fields, including static electricity, and they are not damaged by normal bending and flexing.
  • These properties make optical cards especially versatile for numerous different types of transactions.
  • A single optical card could store fingerprint biometrics for all ten fingers, iris biometrics for both eyes, hand-geometry specifications for both hands, and a high-resolution color photograph of a cardholder while using far less than 1% of its capacity.
  • This large storage capacity also allows information for essentially every transaction that involves the card to be written to the card, thereby providing a permanent detailed audit trail of the card's use.
  • Fig. 1 provides a diagram illustrating a structure for an optical card in one embodiment.
  • The card 100 includes an inked cardholder photograph 116, an optical storage area 112, and a printed area 104 on one side of the card.
  • The other side of the card could include other features, such as a bar code(s) or other optically recognizable code, a signature block, counterfeiting safeguards, and the like.
  • The printed area 104 could include any type of information, such as information identifying the cardholder so that it, in combination with photograph 116, acts as a useful aid in authenticating a cardholder's identity.
  • The printed area 104 could also include information identifying the issuer of the card, and the like.
  • The optical storage area may also comprise a plurality of individual sections, which may be designated individually by an addressing system.
  • a panel of gold-colored laser-sensitive material may be laminated on the card and used to store the information.
  • the material comprises several layers that react when a laser light is directed at them.
  • the laser burns a small hole, about 2 ⁇ m in diameter, in the material; the hole can be sensed by a low-power laser during a read cycle.
  • the presence or absence ofthe burn spot defines a binary state that is used to encode data.
  • the data can be encoded in a linear x-y format described in detail in the ISO/IEC 11693 and 11694 standards, the entire contents of which are incorporated herein by reference for all purposes.
  • Optical cards may be used in a variety of different network structures, some of which avoid the large, complex, and expensive online systems that are inherently needed with smart cards.
  • Fig. 2A schematically illustrates a network in which a plurality of transaction processing units ("TPUs") 204 are interconnected solely by optical cards.
  • Transaction information is stored only on the optical cards carried by cardholders 208, rather being stored in any central or local database.
  • transaction information is thus intended to include any information that may be used in executing or be the result of any type of transaction performed with an optical card, including identification, financial, access, and numerous other types of transactions.
  • a particular cardholder 208-1 may be granted access to a secure facility with that person's optical card including digitized identification and/or biometric information such as name, age, sex, record fingerprints, iris scans, and the like.
  • the access authorization may be written to that person's card by TPU 204-1 after confirming his identity with information already on the card. Subsequently, when the cardholder wishes to access the facility, his identity and access authorization may be confirmed by TPU 204-2 from information on the card without it even needing to be stored in a database.
  • the network 2B illustrates a system in which the TPUs are additionally connected with an electronic network 212 that has access to databases or other data-storage sources 216.
  • the network may comprise the Internet or other wide-area network, a local-area network, a telephone network, and the like.
  • a perspective illustration of a TPU 204 in one embodiment is provided with
  • the device includes a housing 304 within which electronic components adapted to read data from and write data to optical cards is provided, some further description of which is provided below. Additional details regarding components of a TPU are provided in copending, commonly assigned U.S. Pat. Appl. No. 09/454,717, entitled “OPTICAL CARD BASED SYSTEM FOR INDIVIDUALIZED TRACKING AND RECORD KEEPING,” filed December 6, 1999 by Jack Harper, the entire disclosure of which is incorporated herein by reference for all purposes.
  • the TPU may include a card slot 316 adapted to accept an optical card so that data may be read from or written to the optical card, a display screen 308 for displaying data about the optical card or transaction being executed, and a printer 312 for generating hard-copy.
  • Embodiments ofthe invention allow operation ofthe optical-card system, including the network of TPUs 204 and the optical cards themselves to be handled in a cryptographically secure manner.
  • embodiments ofthe invention are designed in one embodiment to conform to standards for security levels 1, 2, and 3 as set forth in Federal Information Processing Standards Publication No. 140-1, entitled “SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES” (“FIPS 140-1”), the entire disclosure of which is incorporated herein by reference for all purposes.
  • FIPS 140-1 sets forth standards for increasing levels of cryptographic security for the design and implementation of cryptographic modules.
  • Security level 1 specifies basic security requirements for a cryptographic module.
  • Security level 2 provides an additional physical-security requirement to level 1 in the form of tamper-evident coatings or seals and/or pick-resistant locks.
  • Security level 3 enhances the physical security by requiring that the module be held in a strong enclosure and configured for zeroization of critical security parameters upon a breach.
  • Other embodiments are designed to conform to standards for security levels set forth in Federal Information Processing Standards Publication No. 140-2 ("FIPS 140-2").
  • Fig. 4 provides a schematic overview of a cryptographic-key management device 400 that may be comprised by each of the TPUs 204 in the network and which is configured as described below to meet security level 1, 2, and/or 3 as set forth in FIPS 140-1, and/or security levels as set forth in FIPS 140-2.
  • the cryptographic-key management device 400 is configured for removable engagement within a TPU 204, such as by using a PC/104 form factor for plug-and-play engagement.
  • the cryptographic-key management device 400 acts as a secure repository for cryptographic keys and may in some embodiments also be used for generation and encryption/decryption of keys and key pairs.
  • these keys may be stored in secure memories 416 and 424.
  • Reference to the public and private keys is intended in the context of well known key pairs and does not require that the public key actually be made publicly available; indeed, in many embodiments, both the public and private keys are maintained securely with the cryptographic-key management device 400.
  • the use of a public/private key pair in certain embodiments decreases the amount of plaintext encrypted with any one key. In alternative embodiments, a symmetric-key encryption scheme may be used.
  • the private key is maintained in secure memory 416 that is comprised by a secure cryptographic module 404, one example of which is the DS1955B cryptographic iButton® available commercially from Dallas Semiconductor Corporation.
  • the cryptographic module 404 is provided in communication with a secure microcontroller, such as the DS5240 Secure Microcontroller chip, also available commercially from Dallas Semiconductor Corporation.
  • the secure microcontroller 408 includes secure memory 420 and controls the operation of other components of the cryptographic-key management device 400, including a random-number generator 412 that may be used in managing cryptographic keys.
  • the public keys for all of the other cryptographic-key management devices 400 in the TPU network are stored in memory 424, which may comprise static random access memory ("SRAM") or other types of memory, and are securely protected by the microcontroller 408.
  • Bus 428 allows communications to be made between the cryptographic-key management device 400 and other components of the TPU 204 through the microcontroller 408.
  • the combination of the secure microcontroller 408 and the cryptographic module 404 enables networks having thousands of TPUs and millions of optical cards to operate in a cryptographically secure manner.
  • the DS1955B iButton® and DS5240 are specifically designed to provide an on-chip self-contained cryptographic boundary that is tamper reactive and able to store and manage secret keys securely within the hardware.
  • Other modules and chips having similar capacities are commercially available, as known to those of skill in the art, or may be specially constructed.
  • One feature that may be included in such modules and chips includes fast and substantially complete zeroization of security parameters upon breach.
  • One target of an attack on an embedded cryptographic system is frequently physical memory since a simple logic analyzer can easily monitor and decode all data moving on address and data buses.
  • Some embedded systems and smart cards attempt to achieve at least some security by using microcontrollers that have internal floating-gate memory, such as EPROM or FLASH. Erasure of floating-gate memory cells requires considerable time for both EPROM and FLASH memory.
  • floating-gate technologies are intrinsically nonvolatile and maintain the cell contents when power is removed; the decay time is typically on the order of hundreds of years, giving attackers time to breach physical chip defenses to access protected information.
  • the use of rapid zeroization of keys protected by the cryptographic module 404 and/or the secure microcontroller 408 provides much greater security.
  • the same zeroization used by the protective on-chip systems may also be initiated by the cryptographic module 404 and/or secure microcontroller 408 when certain off-chip tamper-detection systems are activated.
  • the devices may include an additional metal layer die top coating designed to prevent microprobe attacks on the chip itself even when the chip is not powered.
  • the layer comprises an interweave of power and ground that are connected to logic protecting the keys so that any attempt to remove the layer results in zeroization.
  • the tamper response, when activated, thus rapidly erases internal encryption keys, interrupt vector tables, and data that may be stored in memory.
  • the secure microcontroller 408 may also comprise an on-chip hardware encryption/decryption engine that operates at substantially the same rate as the machine instruction scheme.
  • the encryption/decryption engine could comprise a triple-DES engine. This engine is used to perform a cryptographic operation on each program fetch, so that data such as encryption keys and controlling software are never seen outside the processor as plaintext.
  • the microcontroller 408 may comprise one or more self-destruct pins that cause rapid, substantially complete zeroization of protected memory when their lines are disturbed, even when the unit is not powered.
  • one such pin may be connected to external off-chip tamper sensors configured inside the TPU housing 304. The operation of another such pin may be used to provide enhanced protection in combination with encapsulating the cryptographic-key management device 400 as illustrated in Figs. 5A and 5B.
  • Fig. 5A is a flow diagram illustrating a method for fabricating a cryptographic-key management device in accordance with an embodiment of the invention, and Fig. 5B schematically shows stages of the device during that fabrication method.
  • The specific sequence shown in Fig. 5A is not intended to be exclusive; in other embodiments, some of the acts may be omitted, some additional acts may be performed, and/or the recited order of acts may be changed without exceeding the intended scope of the invention.
  • the various modules of the cryptographic-key management device are provided on a surface 540, including the microcontroller 544 having a self-destruct pin at block 504.
  • the cryptographic module 548 is provided on the surface 540.
  • a random-number generator 552 is provided on the surface 540.
  • secure memory is provided for public and private cryptographic keys. In some embodiments, this memory may be comprised by the microcontroller 544 and/or cryptographic module 548; in other embodiments, the memory may be appropriate for storage of a symmetric key if such an encryption technique is used.
  • memory 556 is provided for storage of the public keys while memory to store the private key is comprised by the cryptographic module 540.
  • the components on the surface 540 are interconnected as appropriate for implementing the encryption protocol to produce the structure shown schematically in the top panel of Fig. 5B.
  • brittle wire is connected to the microcontroller self-destruct pin.
  • #40 fine nichrome wire has suitable characteristics, although other types of wire may be used in alternative embodiments.
  • the brittle wire may be wrapped about the surface 540 as shown in the central panel of Fig. 5B. In some instances, such wrapping may have multiple layers, such as two, three, four, or more layers, increasing the difficulty of reaching active components of the cryptographic-key management device without encountering the wire. Damage to the wire, such as would result from attempted tampering with the cryptographic-key management device, would produce a disturbance that activates the self-destruct pin to zeroize the protected memory.
  • the surface 540 may then be potted with a block of hard opaque frangible material 564 at block 528 to produce the structure shown in the lower panel of Fig.
  • Suitable substances for material 564 include mixtures of epoxy substances with ground silica, alumina, or a filled encapsulate. Such materials make it extremely difficult to machine or laser ablate the surrounding block without triggering the automatic zeroization mechanisms that obliterate the secret keys.
  • An exemplary structure of the cryptographic module is shown in Fig. 6, which is adapted from a figure provided in the technical document "DS1955B Java™-powered Cryptographic iButton®: FIPS 140-1 Non-Proprietary Cryptographic Module Security Policy," produced by Dallas Semiconductor Corporation and published by the Computer Security Resource Center of the National Institute of Standards and Technology at http://csrc.nist.gov/cryptval/140-1/140sp/140sp111.pdf. This document is incorporated herein by reference in its entirety for all purposes.
  • Fig. 6 provides an exploded view of the DS1955 iButton®, which may be used as the cryptographic module in an embodiment.
  • the module holds a DS83C960 cryptographic chip 616 within a protective stainless-steel can 602 having lid 624.
  • This external structure does not include any holes or vents that could permit probing.
  • the chip 616 is protected by a barricade 622, which is bonded with metallurgical bonds 620, and by an electrostatic discharge suppressor 614.
  • a quartz timing crystal 612 provides a true time clock for the chip 616 and an energy reservoir 618 provides parasitic-capacitance power for the chip 616.
  • Backup power is provided by a lithium cell 606, which is supported by grommet 610 and kept in electrical contact with the chip through microswitches 604 and 608.
  • the switch contacts are monitored constantly so that any separation of the chip 616 from the lithium cell 606 switches the device to on-chip capacitor power to perform substantially complete zeroization as its last powered action.
  • the device may also include temperature monitors so that deviation from standard operational temperatures of about -20°C to 70°C causes zeroization.
  • the random-number generator 412 includes software-based generators that supply an initial seed as a starting value to an algorithm to generate a sequence of pseudorandom numbers that meet certain distribution and repetition constraints.
  • For security applications, one weakness with such algorithmic generators is that the algorithm may be subject to reverse engineering so that, coupled with a deduction of the initial seed or any subsequent seedlet, it may allow the sequence to be predicted. Much greater security may be achieved with a hardware-based random-number generator, one example of which is illustrated schematically in Fig. 7 for an embodiment of the invention.
  • Each of the noise generators 704 and 708 may comprise a plurality of transistors.
  • a first of the transistors has its base-emitter junction reverse-biased into a breakdown region that generates quantum random current shot noise.
  • shot noise is caused by random fluctuations in the motion of charge carriers in a conductor; quantum shot noise reflects variations in current that arise from quantum effects of the discreteness of electrical charge.
  • the shot noise is fed into another of the transistors, which is configured in a normal common-emitter configuration to act as a current-to-voltage converter. Negative feedback may be employed to provide stabilization of a dc bias point and to minimize the effect of transistor-component variations.
  • the noise voltage may also be fed back to the reverse-biased transistor to limit noise-generation pulse width.
  • the two random shot-noise generators feed the resulting pulses into a differential amplifier 712.
  • the amplifier 712 may have a first input that receives the signal incoming from noise generator 704 and a second input that inverts the signal incoming from noise generator 708. This property acts to subtract the signals from the two generators 704 and 708 so that any signal components that are common to both, such as ambient electrical noise, are canceled out to eliminate external periodic interference that may be introduced to the circuit by such sources as a power supply, a ground bounce from associated digital circuitry, electromagnetic interference, and the like.
  • a second operational amplifier may be used as a ground generator to supply a virtual ground to the differential amplifier to improve operation.
  • the conditioned random response is then fed into an analog comparator 716, which may have its trigger reference derived by scaling and integrating its input signal to make an offset tracking comparator to quantize the analog noise.
  • the offset is desirable so that the noise pulse rate is limited and the noise entropy is enhanced.
  • the narrow quantized noise may then be converted to a digital signal by converter 720. For example, in one embodiment the conversion may be performed by clocking a JK flip-flop with the quantized noise.
  • the random bit stream may then be sampled and synchronized for processing by a processing unit 728 by a sample-and-hold module 724, which in one embodiment also comprises a JK flip-flop.
  • the processing unit may correspond to the secure microcontroller 408. Residual bias may be removed by a processor 732 comprised by the processing unit 728 programmed to apply an algorithm such as the classic von Neumann method, with the stream of random bits being injected into a circulating ring buffer 736 also comprised by the processing unit.
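The von Neumann debiasing step applied to the sampled bit stream, as an added Python example that is not part of the patent; the biased source is a constructed software stand-in for the comparator/flip-flop output, and the ring buffer is omitted.

```python
import random


def von_neumann_debias(bits):
    """Classic von Neumann extractor: consume the stream in non-overlapping pairs,
    emit 0 for (0, 1) and 1 for (1, 0), discard (0, 0) and (1, 1).  The output is
    unbiased whenever the input bits are independent with a constant (even if
    unknown) bias p, because P(0,1) = P(1,0) = p(1-p)."""
    out = []
    it = iter(bits)
    for a, b in zip(it, it):      # pairs (a, b); a trailing odd bit is dropped
        if a != b:
            out.append(a)
    return out


def biased_source(n, p_one, seed=1):
    """Constructed stand-in for the sampled hardware noise: i.i.d. bits with P(1) = p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def bias(bits):
    """Fraction of ones; 0.5 means no residual bias."""
    return sum(bits) / len(bits)


if __name__ == "__main__":
    raw = biased_source(20000, 0.8)
    clean = von_neumann_debias(raw)
    # Expected yield is about 2p(1-p) = 32% of the input pairs, i.e. ~16% of input bits.
    print(f"raw bias {bias(raw):.3f}, debiased bias {bias(clean):.3f}, kept {len(clean)} bits")
```

The cost of the unbiased output is throughput: a source with P(1) = 0.8 yields on average only 0.16 output bits per input bit.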
  • the test number in the table corresponds to a subsection of Rukhin that describes the test in detail, i.e. Test is described in subsection 2 f of Rukhin; the test description in the table is a brief label that corresponds to test identifications provided in Rukhin.
  • the block size M for test 2 is 20,000; the template length m for tests 7 and 8 is 10; the block size L for test 9 is 12 and the initialization steps Q for test 9 is 40,960; the block size for test 11 is 1,000; and the block size m for tests 12 and 13 is 2.
  • each of the TPUs 204 is shown including an optical read/write drive 908 and a processor 904 in addition to the cryptographic-key management device 400.
  • the processor is in communication with both the cryptographic-key management device 400 and optical read/write drive 908 to coordinate operation of them within the TPU.
  • the processor 904 may also coordinate operation of additional components such as a touch screen, control buttons, interfaces to external or integral biometric devices, interfaces to external communication links, and the like, some of which are shown in the physical embodiment depicted in Fig. 3.
  • the read/write optical drive 908 has the capability to read data from optical cards in accordance with instructions from the processor 904 and to write data to optical cards.
  • a variety of models of such optical read/write devices will be known to those of skill in the art, including, for example, various models available from Drexler Technology Corporation of Mountain View, California.
  • one of the TPUs 204 may be used to write encrypted data onto an optical card 100 and the data may subsequently be read from the optical card 100 by another TPU 204.
  • Figs. 10-12 provide flow diagrams that illustrate a secure cryptographic protocol used in some embodiments to perform such read and write operations securely.
  • the ability to perform read and/or write operations begins by booting a TPU so that it is in a ready state to encrypt or decrypt data according to the cryptographic protocol as necessary.
  • the flow diagram of Fig. 10 illustrates such a boot operation, which begins at block 1004 by powering the TPU.
  • a secure loader, which may be stored in FLASH memory in the TPU, is invoked to receive, in one embodiment, a text pass phrase ("TPP") from a human operator.
  • TPP is specific to the cryptographic-key management device comprised by that TPU.
  • the TPP is one-way hashed to yield a multibit string, which, when confirmed, will enable further operations of the cryptographic-key management device.
  • the multibit string is approximately 160 bits.
  • the TPP may be about twenty typical English words (e.g., "The time has come, the walrus said "), preferably not a literary phrase that would be susceptible to a dictionary attack, but still a phrase easily remembered by the TPP owner.
  • the TPP may be hashed with a one-way cryptographically secure hash function, such as the NIST 160-bit secure hash algorithm ("SHA").
  • the result is written to the cryptographic-key management device (“CrypKey”) as indicated in the following formalism:
  • the encrypted set of all public keys is read. This may be done initially by having the secure loader read a master boot optical card ("MBOC"), which has data for initializing the cryptographic-key management device:
  • the notation A ← B is used to denote that B is written to A.
  • the master boot optical card provides a file of decrypting public keys C2KD for each cryptographic-key management device in the network. This file is always encrypted with the private key C2K of the specific cryptographic-key management device where it is maintained, as indicated by the expression E_C2K(C2KD). The file will usually also have been previously signed by the specific cryptographic-key management device as E_C2K(H[E_C2K(C2KD)]). This expression is decrypted with the private key so that the signature may be verified by performing a comparison of how the public keys have been hashed:
  • the cryptographic-key management device of the TPU is ready to decrypt secure traffic received from optical cards that was securely written by any other TPU in the network.
  • ASM denotes the application software module carried on the master boot optical card.
  • the ASM on the master boot optical card is encrypted with a random session key k, E_k(ASM), which is itself encrypted by the private key C2K, E_C2K(k).
  • the random key k may be, for instance, an encryption key used with a symmetric encryption algorithm, and may be generated by the random-number generator comprised by the cryptographic-key management device.
  • the master boot optical card also includes an encrypted version of the one-way hashed ASM, E_C2K(H(ASM)), so that the signature may be verified at block 1020 in the same fashion described above:
  • the application software is started on the processor 904 to replace the secure loader at block 1024:
  • a header block is built.
  • a current date/time stamp DTS and a serial number for the target optical card CSN are packaged into a data record of n bits.
  • the combination of information is thus information uniquely associated with encryption ofthe record.
  • the use of a date/time stamp in this information prevents fraudulent duplication of cloned records, and the use of the optical-card serial number prevents block-relay types of attacks.
  • the package may omit the optical-card serial number, and some alternative embodiments may use a substitute for the date/time stamp to provide a different form for the unique information.
  • the cryptographic-key management device is asked by the processor 904 to generate two random numbers r and k using the random-number generator and to supply a serial number C2KSN that uniquely identifies the cryptographic-key management device:
  • Random number r may have a length of n bits, i.e. equal in length to the package of DTS and CSN, and random number k may be used as a session key, having a length of 128 bits in one embodiment.
  • the cryptographic-key management device then encrypts, with its private key C2K, a data record that includes r, r ⊕ (DTS, CSN), and k, where the symbol ⊕ is used to denote an exclusive-OR (XOR) operation.
  • This technique may be expressed more generally as encrypting plaintext M with key X by using a random number R to blur the plaintext and make its unauthorized recovery much more difficult: E_X(R, R ⊕ M).
  • authorized recovery of the plaintext may be achieved by performing the operation R ⊕ D_X(E_X(R, R ⊕ M)); the blurring of the plaintext with random number R complicates its unauthorized recovery, enhancing the overall security of the system.
  • the actual record may be written in encrypted form.
  • the plaintext m of the record is signed by calculating a one-way hash H of the plaintext and encrypting the result with the private key for writing to the target optical card:
  • the record itself may then be encrypted and written to the optical card at block 1112.
  • a symmetric algorithm is used to encrypt the plaintext m with the randomly generated key k.
  • Security can be further enhanced in other embodiments by using block chaining to reduce the effectiveness of plaintext or block-repeat attacks. For instance, the cryptographic-key management device may be asked to return another random number c_0 from the random-number generator, which may be used as an initialization vector for the block-chaining algorithm and which is recorded on the optical card:
  • Blocks of plaintext m_1, m_2, m_3, ... are then encrypted successively and written to the optical card by performing the exclusive-or operation with the chain of c values:
  • the c values may comprise 64-bit numbers. This technique significantly increases the security of the record written to the optical card. Including the header information, the complete secure record for writing plaintext m to the optical card is thus:
  • The flow diagram of Fig. 12 illustrates how such a secure record may subsequently be read and decrypted by a different TPU in the network.
  • the information is extracted by initially reading the header block at block 1204.
  • the first item in the header record is the uniquely identifying serial number C2KSN of the writing cryptographic-key management device.
  • the second item is the encrypted version of the date/time stamp DTS, the optical-card serial number CSN, and session key k: E_C2KSN(r, r ⊕ (DTS, CSN), k).
  • the subscript of the encryption operator E is C2KSN to emphasize that the decryption by the reading TPU may be performed with the public key corresponding to the private key of the writing unit. Accordingly, these header records are read from the optical card and provided to the cryptographic-key management device:
  • C2KSN, E_C2KSN(r, r ⊕ (DTS, CSN), k) ← Optical Card; C2KSN, E_C2KSN(r, r ⊕ (DTS, CSN), k) → CrypKey.
  • the identification of the writing-unit serial number C2KSN is used to look up the securely stored public key of the writing unit from the record of all public keys C2KD. This public key is used to decrypt the encrypted header information,
  • DTS, CSN ← r ⊕ (r ⊕ (DTS, CSN)).
  • the extracted card serial number CSN is verified to ensure that it matches the serial number of the card being read; a failure of these numbers to match is generally indicative of some type of fraud, such as that a block-replay attack is underway or that a record has been cloned from another card and illicitly written to the card being read.
  • the authenticating plaintext signature is extracted from the next record read from the card after the header, E_C2KSN(H(m)), where again the subscript of the encryption operator E has been written as C2KSN to emphasize that the public key for the writing unit may be used to perform the decryption.
  • This record is thus read from the optical card and provided to the cryptographic-key management device with the writing-unit serial number C2KSN so that the authenticating signature H(m) may be extracted:
  • the decryption performed by the cryptographic-key management device proceeds by looking up the public key corresponding to the writing unit in the public-key repository C2KD and applying it.
  • the plaintext is read and decrypted at block 1212.
  • the next record on the optical card is the block-chain initialization vector c_0:
  • the decrypted plaintext m may then be used to verify the signature by calculating the one-way hash of the decrypted plaintext m and verifying that it equals the previously decrypted signature H(m):
  • the plaintext may be provided to the processor 904 of the reading TPU so that a transaction may be executed with it.
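The write path (header with the r-blurred (DTS, CSN) and session key k, the signed hash E_C2K(H(m)), and the c-chained blocks) and the read path (key lookup by C2KSN, serial check, chain decryption, signature check) described above, as an added Python example that is not part of the patent. Textbook RSA over two Mersenne primes stands in for the C2K key pair, a small HMAC-based Feistel cipher stands in for the unspecified symmetric algorithm, and the padding scheme, serial numbers and dict record layout are assumptions.

```python
import hashlib
import hmac
import os
import struct
import time

# Stand-in for the C2K private/public pair: textbook RSA with p = 2^521-1 and
# q = 2^607-1 (both known Mersenne primes).  "Encrypt with the private key" is
# x^d mod N; anyone holding the public (e, N) recovers x.  Toy key, no padding:
# for illustrating the record layout only.  Needs Python 3.8+ for pow(e, -1, phi).
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q
E_PUB = 65537
D_PRIV = pow(E_PUB, -1, (P - 1) * (Q - 1))
C2KSN = 7                    # constructed serial number of the writing unit
C2KD = {C2KSN: (E_PUB, N)}   # public-key repository held by every unit in the network
BLOCK = 8                    # 64-bit blocks, matching the page's 64-bit c values


def e_private(x: int) -> int:
    """E_C2K(x): the writing unit's private-key operation."""
    return pow(x, D_PRIV, N)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(k: bytes, i: int, half: bytes) -> bytes:
    """Feistel round function: keyed by the session key k and the round index."""
    return hmac.new(k, bytes([i]) + half, hashlib.sha256).digest()[:4]


def e_block(k: bytes, blk: bytes) -> bytes:
    """E_k on one 64-bit block: 4-round Feistel network (stand-in symmetric cipher)."""
    left, right = blk[:4], blk[4:]
    for i in range(4):
        left, right = right, xor_bytes(left, _round(k, i, right))
    return left + right


def d_block(k: bytes, blk: bytes) -> bytes:
    """D_k: the same rounds in reverse order."""
    left, right = blk[:4], blk[4:]
    for i in reversed(range(4)):
        left, right = xor_bytes(right, _round(k, i, left)), left
    return left + right


def write_record(card_serial: int, m: bytes, dts=None, c2ksn: int = C2KSN) -> dict:
    """Writing TPU: build the complete secure record for plaintext m."""
    dts = int(time.time()) if dts is None else dts
    info = struct.pack(">QI", dts, card_serial)          # (DTS, CSN), n = 96 bits
    r = os.urandom(len(info))                            # random r of n bits
    k = os.urandom(16)                                   # 128-bit session key k
    header = e_private(int.from_bytes(r + xor_bytes(r, info) + k, "big"))  # E_C2K(r, r⊕(DTS,CSN), k)
    sig = e_private(int.from_bytes(hashlib.sha1(m).digest(), "big"))      # E_C2K(H(m))
    pad = BLOCK - len(m) % BLOCK                         # PKCS#7-style padding (assumption)
    padded = m + bytes([pad]) * pad
    c = [os.urandom(BLOCK)]                              # c_0: random initialization vector
    for i in range(0, len(padded), BLOCK):
        c.append(e_block(k, xor_bytes(padded[i:i + BLOCK], c[-1])))  # c_i = E_k(m_i ⊕ c_{i-1})
    return {"c2ksn": c2ksn, "header": header, "sig": sig, "chain": c}


def read_record(rec: dict, card_serial: int, c2kd: dict) -> bytes:
    """Reading TPU: decrypt and verify a record found on the card with serial card_serial.
    Raises ValueError on a cloned/relayed record or a failed signature check."""
    e_pub, n = c2kd[rec["c2ksn"]]                        # look up the writing unit's public key
    hdr = pow(rec["header"], e_pub, n).to_bytes(12 + 12 + 16, "big")
    r, blurred, k = hdr[:12], hdr[12:24], hdr[24:]
    dts, csn = struct.unpack(">QI", xor_bytes(r, blurred))  # DTS, CSN ← r ⊕ (r ⊕ (DTS, CSN))
    if csn != card_serial:
        raise ValueError("card serial mismatch: record cloned or relayed from another card")
    h_m = pow(rec["sig"], e_pub, n).to_bytes(20, "big")  # H(m) from the signature record
    c = rec["chain"]
    padded = b"".join(xor_bytes(d_block(k, c[i]), c[i - 1]) for i in range(1, len(c)))
    m = padded[:-padded[-1]]                             # strip padding (assumption)
    if hashlib.sha1(m).digest() != h_m:
        raise ValueError("signature mismatch: record altered or not from the claimed unit")
    return m


if __name__ == "__main__":
    rec = write_record(12345, b"account balance: 100.00")
    print(read_record(rec, 12345, C2KD))
```

Note that DTS is recovered in the clear by any unit holding the public key; its value is that the serial check and the signature bind the record to one card and one writer, not that it is secret.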
  • This cryptographic protocol, particularly when combined with the physical security features of the cryptographic-key management device described above, provides very high security of the information on optical cards.
  • the fast and complete zeroization of keys and other items, combined with the several layers of physical tamper-attack sensing that conform at least to security levels 1, 2, and 3 of the FIPS 140-1 standards, provides security that is in some embodiments greater than that provided by high-level smart-card systems.
  • the one-way hash that implements a digital signature enables all records to be authenticated, verified for integrity, and nonrepudiable.
  • the effects of known-plaintext and dictionary attacks are greatly mitigated by using the technique of blurring certain plaintext with random strings, i.e. by construction of the (r, r ⊕ m) string.
  • the digital signature authentication also prevents so-called "Man in the Middle" attacks from being effective.
  • so-called "Trojan Horse" attacks are also prevented because attacking software cannot obtain a copy of the one-way hash of the text pass phrase that is securely stored in the protected memory; a particular cryptographic-key management device will not function at all until it receives the multibit string derived from the text pass phrase.
  • the protocol detects illicitly cloned optical cards because each secure record contains the unique serial number ofthe original card to which it was written in encrypted form.
  • a list of missing or compromised TPUs may occasionally or periodically be circulated. Such a list may conveniently be distributed on optical cards that provide each of the uncompromised TPUs in a network with notification to ignore records identified as originating with potentially compromised units.

Abstract

A method is provided for writing a record to an optical card. A session key is generated randomly. The session key is encrypted using a private key of a public/private key pair associated with a particular cryptographic-key management device. The record is encrypted using the session key. A serial number for the particular cryptographic-key management device, the encrypted private key, and the encrypted record are optically written to the optical card.

Description

CRYPTOGRAPHICALLY SECURE TRANSACTIONS WITH OPTICAL CARDS
BACKGROUND OF THE INVENTION
[0001] This application relates generally to optical cards. More specifically, this application relates to cryptographic security of optical cards.
[0002] The development of optical cards has been relatively recent. They are cards that are typically made to be about the size of a standard credit card and which store digitized information in an optical storage area. While the storage capacity of such cards may be relatively high, the basic data on the card are relatively easily extracted. Individual data bits on the card are typically about 2 μm in diameter and can be recovered by magnified examination of the card. While this ease of recovery may not be a significant concern for some types of data, it does present a barrier to storing sensitive data on the card. Such sensitive data may be stored in an encrypted format, but a fundamental concern is where to store the secret key used to decrypt the data. The key cannot simply be stored within the optical storage area on the card itself because it would then be as easy to extract as the data.
[0003] A number of attempted approaches to optical-card systems that encrypt data suffer from deficiencies that compromise the security of the keys. For instance, in such a system, the keys may be embedded in software that is used in extracting data from the optical cards. But with this method, an attacker can reverse engineer the software object file to recover the key. This method also compounds the security issue since megabytes of software need be protected rather than only the much smaller key.
[0004] In another approach, an attempt at obfuscating the key may be tried by embedding the key in the microcode of hardware used in extracting data from the optical cards. This approach suffers from a similar deficiency in that an attacker can reverse engineer the electronics and control microcode to recover the key or its cryptographic function. While this is somewhat more difficult than reverse engineering pure software, it still leaves the keys open to attack while also compounding the security issue by requiring hardware and its microcode to be protected against theft.
[0005] Another possibility is to embed a smart-card chip into the optical card to produce a hybrid card, with key storage assigned to the smart-card chip. This approach more than doubles the cost of the card system, and relinquishes the simplicity of a stand-alone system by requiring that the system be inherently online. Furthermore, smart-card chips themselves suffer from a number of security deficiencies. They typically use a form of flash memory that may be read by shaving the outer housing and illuminating the die with a scanning electron microscope to read the bits.
[0006] The use of any of these techniques, or of a combination of these techniques, leaves significant security risks in a cryptographic optical-card system. There is accordingly a general need in the art for a system that enables cryptographically secure transactions to be performed with optical cards.
BRIEF SUMMARY OF THE INVENTION
[0007] Embodiments of the invention provide methods for maintaining cryptographic security of optical-card records. This includes methods for writing records to optical cards, methods for extracting records from optical cards, and methods for initializing a cryptographic-key management device used as part of a network of transaction processing units.
[0008] Thus, in one set of embodiments, a method is provided for writing a record to an optical card. A session key is generated randomly. The session key is encrypted using a private key of a public/private key pair associated with a particular cryptographic-key management device. The record is encrypted using the session key. A serial number for the particular cryptographic-key management device, the encrypted private key, and the encrypted record are optically written to the optical card.
[0009] In some embodiments, a combination ofthe session key and information uniquely associated with encryption ofthe record may be encrypted with the private key. For example, a date/time stamp and or a unique serial number for the optical card may be combined with the session key. In one embodiment, the combination is encrypted by randomly generating a string having an equal bit length to the combination and performing an exclusive-or operation between the string and the combination; the string, result ofthe exclusive-or operation, and the session key may be encrypted with the private key. In some instances, the record may be encrypted with a block-encryption technique. For example, an initialization vector c0 equal in length to each of a plurality of blocks ofthe record may be generated randomly. For each ofthe plurality of blocks I, a vector a may then be generated by encrypting, with the session key, a result of performing an exclusive-or operation on each ofthe plurality of blocks with a preceding vector CM- Also, in some cases the record may be signed cryptographically. For example, a one-way hash may be performed ofthe record, with a result ofthe one-way hash being encrypted with the private key.
[0010] In another set of embodiments, a method is provided for extracting a record from an optical card. A number of items may be read from the optical card: (1) a serial number for a particular cryptographic-key management device used when an encrypted version of the record was written; (2) an encrypted session key; and (3) the encrypted version of the record. The encrypted session key is decrypted using a public key associated with the serial number. The encrypted version of the record is decrypted using the decrypted session key.
[0011] In some embodiments, decrypting the encrypted session key may comprise extracting information uniquely associated with encryption of the record, with the authenticity of the extracted information being verified. Such information may include a date/time stamp and/or a unique serial number for the optical card, in which case verification of authenticity may be performed by verifying that the extracted optical-card serial number matches the actual serial number of the optical card in the drive; a record copied from one card onto another fails this check. This information may be extracted in one embodiment by decrypting a combination of the session key, a first string that embodies the information uniquely associated with encryption of the record, and a second string having an equal bit length to that information; an exclusive-or operation is performed between the first and second strings to recover the information. In some embodiments, block decryption may be used to decrypt the encrypted version of the record. Also, in some instances, a cryptographic signature of the record may be verified. For example, a one-way hash may be performed of the decrypted record. An encrypted version of a one-way hash of the record is read from the optical card and decrypted using the public key, allowing the one-way hash of the decrypted record to be compared with the result of decrypting the encrypted version of the one-way hash.
[0012] In a further set of embodiments, a method is provided for initializing a cryptographic-key management device to encrypt and decrypt optical-card data as part of a network of transaction processing units that comprise such cryptographic-key management devices. A multibit string is transmitted to the cryptographic-key management device, with the cryptographic-key management device being enabled upon receipt of a correct multibit string. An encrypted set of public keys, each of which is associated with one of the cryptographic-key management devices in the network, is read from a master boot optical card. The set of public keys is stored securely in memory comprised by the cryptographic-key management device.
[0013] In some instances, the cryptographic-key management device is comprised by a particular transaction processing unit. In such instances, the application software may be read from the master boot optical card and loaded onto a processor comprised by the particular transaction processing unit and adapted to control operation of the cryptographic-key management device. The authenticity of the application software may be verified. For example, the application software may be read from the master boot optical card by reading a first version of the application software encrypted with the session key and reading a second version subjected to a one-way hash and encrypted with the private key. The session key may be decrypted with the private key, and the application software may be decrypted with the session key. The one-way hash may be applied to the decrypted application software to generate a first result, and the encrypted one-way hash may be decrypted with the private key to generate a second result, allowing the first and second results to be compared. In some instances, the encrypted set of public keys may be cryptographically signed, allowing the authenticity of the encrypted set of public keys to be similarly verified. If the cryptographically signed version of the encrypted set of public keys was generated by encrypting a one-way hash of the encrypted set of public keys, authenticity may be verified by performing the one-way hash on the encrypted set of public keys read from the master boot optical card to generate a first result. The encrypted one-way hash of the encrypted set of public keys read from the optical card may be decrypted to generate a second result, which may be compared with the first result.
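The write and read procedures of paragraphs [0008] through [0011], and the master-boot-card check of [0013] (which carries the application software in the same form: encrypted under a session key that is wrapped with the private key, accompanied by a signed one-way hash), as an added worked example in Go. It is written for this page and is not code from the patent or from any BSI2000 product. It assumes AES-128 in CBC mode as the block cipher, SHA-256 as the one-way hash, and RSA with the page's "encrypt with the private key" taken literally as modular exponentiation under d, reversed under e, with no padding scheme; the page specifies none of these, and a production implementation would use a padded signature scheme and a key-wrapping mode. The record layout, the serial-number-to-public-key table, the card serial, and the record text are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
)

// CardRecord is a hypothetical layout for the items the page says are written to the card.
type CardRecord struct {
	DeviceSerial   uint32 // serial of the key-management device that wrote the record
	WrappedSession []byte // K || (card serial XOR r) || r, transformed with the device private key
	IV, Ciphertext []byte // c0 and c1..cn, block-chained under K
	Signature      []byte // SHA-256(record), transformed with the device private key
}

const keyLen, infoLen = 16, 8 // AES-128 session key; the "information" wrapped with it is an 8-byte card serial

// rawRSA is x^exp mod n left-padded to size bytes: the page's "encrypt with the private key" (exp = d) and its reversal under the public key (exp = e), with no padding scheme (acceptable only in a demo).
func rawRSA(x []byte, exp, n *big.Int, size int) []byte {
	return new(big.Int).Exp(new(big.Int).SetBytes(x), exp, n).FillBytes(make([]byte, size))
}

// WriteRecord follows [0008]-[0009]: random session key K wrapped with the private key together with the masked card serial; record PKCS#7-padded and CBC-encrypted under K; one-way hash of the record signed.
func WriteRecord(serial uint32, priv *rsa.PrivateKey, card [infoLen]byte, record []byte) (*CardRecord, error) {
	buf := make([]byte, keyLen+infoLen+aes.BlockSize) // K || r || c0, all drawn from the RNG
	_, rerr := rand.Read(buf)
	k, r, iv := buf[:keyLen], buf[keyLen:keyLen+infoLen], buf[keyLen+infoLen:]
	block, cerr := aes.NewCipher(k)
	if err := errors.Join(rerr, cerr); err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(record)%aes.BlockSize
	padded := append(append([]byte{}, record...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded) // c_i = E_K(p_i XOR c_(i-1))
	payload := append(append(append([]byte{}, k...), make([]byte, infoLen)...), r...)
	subtle.XORBytes(payload[keyLen:], card[:], r) // middle field: card serial XOR r
	h := sha256.Sum256(record)
	return &CardRecord{serial, rawRSA(payload, priv.D, priv.N, priv.Size()), iv, ct, rawRSA(h[:], priv.D, priv.N, priv.Size())}, nil
}

// ReadRecord follows [0010]-[0011]: public key looked up by device serial, K unwrapped, the card serial recovered from the wrap checked against the card in the drive, record decrypted, signed hash verified.
func ReadRecord(rec *CardRecord, pubs map[uint32]*rsa.PublicKey, card [infoLen]byte) ([]byte, error) {
	pub, ok := pubs[rec.DeviceSerial]
	if !ok {
		return nil, errors.New("no public key for the writing device")
	}
	p := rawRSA(rec.WrappedSession, big.NewInt(int64(pub.E)), pub.N, pub.Size())[pub.Size()-keyLen-2*infoLen:]
	k, info := p[:keyLen], make([]byte, infoLen)
	subtle.XORBytes(info, p[keyLen:keyLen+infoLen], p[keyLen+infoLen:])
	if subtle.ConstantTimeCompare(info, card[:]) != 1 {
		return nil, errors.New("record was written for a different card")
	}
	block, err := aes.NewCipher(k)
	if err != nil || len(rec.IV) != aes.BlockSize || len(rec.Ciphertext) == 0 || len(rec.Ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("malformed record")
	}
	pt := make([]byte, len(rec.Ciphertext))
	cipher.NewCBCDecrypter(block, rec.IV).CryptBlocks(pt, rec.Ciphertext)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	record, h := pt[:len(pt)-n], sha256.Sum256(pt[:len(pt)-n])
	sig := rawRSA(rec.Signature, big.NewInt(int64(pub.E)), pub.N, pub.Size())[pub.Size()-sha256.Size:]
	if subtle.ConstantTimeCompare(sig, h[:]) != 1 {
		return nil, errors.New("signature does not verify")
	}
	return record, nil
}

// Demo writes one record and reads it back, then shows the reader rejecting that record when presented with a different card and again after one ciphertext byte has been altered.
func Demo() (string, bool, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, false, err
	}
	pubs := map[uint32]*rsa.PublicKey{7: &priv.PublicKey} // the network's serial -> public key table
	card, other := [infoLen]byte{1, 2, 3, 4, 5, 6, 7, 8}, [infoLen]byte{8, 7, 6, 5, 4, 3, 2, 1}
	rec, err := WriteRecord(7, priv, card, []byte("access granted: building A, 2004-05-14"))
	if err != nil {
		return "", false, false, err
	}
	out, err := ReadRecord(rec, pubs, card)
	_, wrongCard := ReadRecord(rec, pubs, other) // serial inside the wrap does not match this card
	rec.Ciphertext[0] ^= 1                       // alter the stored record: the signed hash no longer matches
	_, tampered := ReadRecord(rec, pubs, card)
	return string(out), wrongCard != nil, tampered != nil, err
}

func main() { fmt.Println(Demo()) }
```

Running it prints the recovered record text followed by two booleans, both true, confirming that the reader refused the same record when the card in the drive did not match the serial recovered from the wrapped session key, and again once a ciphertext byte had been changed. The card-serial check is what ties a record to one physical card; the signed hash is what catches alteration of the stored ciphertext, which CBC decryption alone would pass through as garbled plaintext.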
[0014] Embodiments of the invention also provide a cryptographic-key management device. A secure cryptographic module is provided with a first memory storing a private cryptographic key of a plurality of public/private key pairs. The secure cryptographic module is adapted to zeroize the first memory in response to physical disruption of the module. A secure microcontroller is provided in communication with and adapted to control operation of the secure cryptographic module. The secure microcontroller comprises a second memory storing the public keys of the plurality of public/private key pairs and a self-destruct pin whose activation disables the microcontroller. A package encapsulates the secure cryptographic module and the secure microcontroller, and is linked with the self-destruct pin to activate the self-destruct pin in response to a breach of the package.
[0015] The physical disruption that results in zeroization of the first memory may comprise a breach of a container housing the first memory, a deviation in temperature of the module outside of a predefined range, or a deviation in strength of an electromagnetic field near the module outside of a predefined range, for example. The package may comprise a brittle wire connected with the self-destruct pin. The wire may be wrapped, perhaps in multiple layers, about the secure cryptographic module and secure microcontroller. In some instances, the package comprises an encapsulating material that includes an epoxy substance and at least one of a silica and an alumina. In one embodiment, the secure microcontroller comprises a second self-destruct pin whose activation also disables the microcontroller, with the second self-destruct pin connected to a tamper sensor internal to a housing. In some instances, the cryptographic-key management device may further comprise a random-number generator, such as a hardware random-number generator.
[0016] Such cryptographic-key management devices may be used in an optical-card network that comprises a plurality of transaction processing units and a plurality of optical cards. Each transaction processing unit may comprise a cryptographic-key management device having a securely stored private key for that cryptographic-key management device and securely stored public keys for a plurality of cryptographic-key management devices, an optical-card read/write drive adapted to exchange data with optical cards, and a processor to control operation of the cryptographic-key management device and the optical-card read/write drive. In some instances, the cryptographic-key management devices may have the structure and characteristics described above. In some embodiments, information may be exchanged among the plurality of transaction processing units only with the plurality of optical cards, while in other embodiments the transaction processing units may be interconnected electronically.
[0017] In addition, embodiments of the invention provide a hardware random-number generator, which may be used in some instances in a cryptographic system such as may be used with optical cards, but has other applications also. Random shot noise is generated by first and second quantum random shot-noise generators. A differential amplifier is provided in electrical communication with the shot-noise generators to subtract signals produced by the shot-noise generators. An analog comparator is provided in electrical communication with the differential amplifier to quantize a difference signal produced by the differential amplifier.
[0018] In some embodiments, a second amplifier may be provided in electrical communication with the differential amplifier to supply a virtual ground to the differential amplifier. In other embodiments, the analog comparator has a trigger reference derived by scaling and integrating input to the analog comparator. A sample-and-hold module may be provided in electrical communication with the analog comparator to sample output of the analog comparator; for example, such a sample-and-hold module may comprise a JK flip-flop. A processor in electrical communication with the analog comparator may remove residual bias from the quantized signal.
[0019] Each of the shot-noise generators may comprise a pair of transistors. A first of the transistors has a reverse-biased base-emitter junction to generate current shot-noise signals. A second of the transistors is in electrical communication with the first transistor to convert the current shot-noise signals to voltage signals. In some instances, an output of the second transistor may be in electrical communication with an input of the first transistor to limit noise-generation pulse width.
BRIEF DESCRIPTION OF THE DRAWINGS
[0020] A further understanding of the nature and advantages of the present invention may be realized by reference to the remaining portions of the specification and the drawings wherein like reference numerals are used throughout the several drawings to refer to similar components. In some instances, a sublabel is associated with a reference numeral and follows a hyphen to denote one of multiple similar components. When reference is made to a reference numeral without specification to an existing sublabel, it is intended to refer to all such multiple similar components.
[0021] Fig. 1 provides schematic illustrations of different forms of optical cards that may be used in embodiments of the invention;
[0022] Figs. 2A and 2B provide schematic illustrations of different system arrangements that may be used to support the use of optical cards;
[0023] Fig. 3 provides a perspective illustration of a transaction processing unit that may be used in the systems of Figs. 2A and 2B;
[0024] Fig. 4 provides a schematic illustration of a cryptographic-key management device that may be integrated within the transaction processing unit of Fig. 3 in an embodiment of the invention;
[0025] Fig. 5A is a flow diagram illustrating a method for securely forming a cryptographic-key management device like the one illustrated in Fig. 4;
[0026] Fig. 5B provides a series of schematic illustrations showing the formation of a cryptographic-key management device using the method of Fig. 5A;
[0027] Fig. 6 provides an exploded view of a cryptographic module used on a cryptographic-key management device in one embodiment of the invention;
[0028] Fig. 7 provides a schematic illustration of a hardware random-number generator used on a cryptographic-key management device in one embodiment of the invention;
[0029] Fig. 8 graphically summarizes results of tests of the hardware random-number generator illustrated in Fig. 7;
[0030] Fig. 9 provides a schematic overview of a cryptographic protocol that makes use of a cryptographic-key management device like the one illustrated in Fig. 4;
[0031] Fig. 10 is a flow diagram illustrating a method for booting a transaction processing unit that uses the cryptographic protocol in one embodiment;
[0032] Fig. 11 is a flow diagram illustrating a method for writing a secure record to an optical card using the cryptographic protocol in one embodiment; and
[0033] Fig. 12 is a flow diagram illustrating a method for reading a secure record from an optical card using the cryptographic protocol in one embodiment.
DETAILED DESCRIPTION OF THE INVENTION
[0034] Embodiments of the invention permit the support of cryptographically secure transactions using optical cards. Such optical cards may be of the specific type described in U.S. Pat. No. 5,919,112, entitled "OPTICAL CARD" by Jiro Takei et al., the entire disclosure of which is incorporated herein by reference for all purposes, but more generally include any card that uses optical storage techniques. Such optical cards are typically capable of storing very large amounts of data in comparison with magnetic-stripe or smart cards. For example, a typical optical card may compactly store up to 4 Mbyte of data, equivalent to about 1500 pages of typewritten information. As such, optical cards hold on the order of 1000 times the amount of information as a typical smart card. Unlike smart cards, optical cards are also impervious to electromagnetic fields, including static electricity, and they are not damaged by normal bending and flexing.
[0035] These properties of optical cards, particularly their large storage capacity, make them especially versatile for numerous different types of transactions. Merely by way of example, a single optical card could store fingerprint biometrics for all ten fingers, iris biometrics for both eyes, hand-geometry specifications for both hands, and a high-resolution color photograph of a cardholder while using far less than 1% of its capacity. This large storage capacity also allows information for essentially every transaction that involves the card to be written to the card, thereby providing a permanent detailed audit trail of the card's use.
[0036] Fig. 1 provides a diagram illustrating a structure for an optical card in one embodiment. The card 100 includes an inked cardholder photograph 116, an optical storage area 112, and a printed area 104 on one side of the card. The other side of the card could include other features, such as a bar code(s) or other optically recognizable code, a signature block, counterfeiting safeguards, and the like. The printed area 104 could include any type of information, such as information identifying the cardholder so that, in combination with photograph 116, it acts as a useful aid in authenticating a cardholder's identity. The printed area 104 could also include information identifying the issuer of the card, and the like. The optical storage area may also comprise a plurality of individual sections, which may be designated individually by an addressing system.
[0037] Many optical cards use a technology similar to the one used for compact discs ("CDs") or for CD ROMs. For example, a panel of gold-colored laser-sensitive material may be laminated on the card and used to store the information. The material comprises several layers that react when a laser light is directed at them. The laser burns a small hole, about 2 μm in diameter, in the material; the hole can be sensed by a low-power laser during a read cycle. The presence or absence of the burn spot defines a binary state that is used to encode data. In some embodiments, the data can be encoded in a linear x-y format described in detail in the ISO/IEC 11693 and 11694 standards, the entire contents of which are incorporated herein by reference for all purposes.
[0038] Optical cards may be used in a variety of different network structures, some of which avoid the large, complex, and expensive online systems that are inherently needed with smart cards. For example, Fig. 2A schematically illustrates a network in which a plurality of transaction processing units ("TPUs") 204 are interconnected solely by optical cards. Transaction information is stored only on the optical cards carried by cardholders 208, rather than being stored in any central or local database. As used herein, reference to "transaction information" is thus intended to include any information that may be used in executing or be the result of any type of transaction performed with an optical card, including identification, financial, access, and numerous other types of transactions. For example, in one type of access transaction, a particular cardholder 208-1 may be granted access to a secure facility with that person's optical card including digitized identification and/or biometric information such as name, age, sex, recorded fingerprints, iris scans, and the like. The access authorization may be written to that person's card by TPU 204-1 after confirming his identity with information already on the card. Subsequently, when the cardholder wishes to access the facility, his identity and access authorization may be confirmed by TPU 204-2 from information on the card without it even needing to be stored in a database.
[0039] This ability to avoid storage of certain types of information, particularly in the context of avoiding storage in government databases, is especially valuable in addressing privacy concerns. Opposition to national identity cards and the like is often fueled by objections to providing government authorities with access to citizen biometric data; these objections may be largely obviated by storing such data on optical cards that remain under the control of the individuals whose information is stored.
[0040] Other types of information are not subject to the same types of privacy objections, and it may often be useful to store such information in a centralized database that is accessible to each of the TPUs 204. For instance, if the optical cards are used as identification to receive certain government benefits, a centralized database might record those benefits and the amounts that each individual is entitled to. This is more convenient than storing the information on the card because the amounts may change over time in response to cost-of-living or other adjustments made in the underlying programs. This may also be true of the specific access information in the example described above since a secure facility may reasonably wish to maintain its own records of who has been granted access. The system shown in Fig. 2B illustrates a system in which the TPUs are additionally connected with an electronic network 212 that has access to databases or other data-storage sources 216. The network may comprise the Internet or other wide-area network, a local-area network, a telephone network, and the like.
[0041] A perspective illustration of a TPU 204 in one embodiment is provided with Fig. 3. The device includes a housing 304 within which electronic components adapted to read data from and write data to optical cards are provided, some further description of which is provided below. Additional details regarding components of a TPU are provided in copending, commonly assigned U.S. Pat. Appl. No. 09/454,717, entitled "OPTICAL CARD BASED SYSTEM FOR INDIVIDUALIZED TRACKING AND RECORD KEEPING," filed December 6, 1999 by Jack Harper, the entire disclosure of which is incorporated herein by reference for all purposes. The TPU may include a card slot 316 adapted to accept an optical card so that data may be read from or written to the optical card, a display screen 308 for displaying data about the optical card or transaction being executed, and a printer 312 for generating hard copy.
[0042] Embodiments of the invention allow operation of the optical-card system, including the network of TPUs 204 and the optical cards themselves, to be handled in a cryptographically secure manner. Specifically, in one embodiment the cryptographic components are designed to conform to the standards for security levels 1, 2, and 3 as set forth in Federal Information Processing Standards Publication No. 140-1, entitled "SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES" ("FIPS 140-1"), the entire disclosure of which is incorporated herein by reference for all purposes. Briefly, FIPS 140-1 sets forth standards for increasing levels of cryptographic security for the design and implementation of cryptographic modules. The standards cover such areas as basic design and documentation, module interfaces, authorized roles and services, physical security, software security, operating system security, key management, cryptographic algorithms, electromagnetic interference and compatibility, self-testing, and resistance to reverse engineering and hacking. Security level 1 specifies basic security requirements for a cryptographic module. Security level 2 adds to level 1 a physical-security requirement in the form of tamper-evident coatings or seals and/or pick-resistant locks. Security level 3 enhances the physical security by requiring that the module be held in a strong enclosure and configured for zeroization of critical security parameters upon a breach. Other embodiments are designed to conform to the standards for security levels set forth in Federal Information Processing Standards Publication No. 140-2 ("FIPS 140-2").
[0043] Fig. 4 provides a schematic overview of a cryptographic-key management device 400 that may be comprised by each of the TPUs 204 in the network and which is configured as described below to meet security level 1, 2, and/or 3 as set forth in FIPS 140-1, and/or security levels as set forth in FIPS 140-2. In one embodiment, the cryptographic-key management device 400 is configured for removable engagement within a TPU 204, such as by using a PC/104 form factor for plug-and-play engagement. The cryptographic-key management device 400 acts as a secure repository for cryptographic keys and may in some embodiments also be used for generation and encryption/decryption of keys and key pairs. In an embodiment where the encryption technique uses both a private key and a public key, these keys may be stored in secure memories 416 and 424. Reference to the public and private keys is intended in the context of well known key pairs and does not require that the public key actually be made publicly available; indeed, in many embodiments, both the public and private keys are maintained securely within the cryptographic-key management device 400. Also, as will be evident from the discussion of cryptographic protocols below, the use of a public/private key pair in certain embodiments decreases the amount of plaintext encrypted with any one key. In alternative embodiments, a symmetric-key encryption scheme may be used.
[0044] The private key is maintained in secure memory 416 that is comprised by a secure cryptographic module 404, one example of which is the DS1955B cryptographic iButton® available commercially from Dallas Semiconductor Corporation. The cryptographic module 404 is provided in communication with a secure microcontroller 408, such as the DS5240 Secure Microcontroller chip, also available commercially from Dallas Semiconductor Corporation. The secure microcontroller 408 includes secure memory 420 and controls the operation of other components of the cryptographic-key management device 400, including a random-number generator 412 that may be used in managing cryptographic keys. The public keys for all of the other cryptographic-key management devices 400 in the TPU network are stored in memory 424, which may comprise static random access memory ("SRAM") or other types of memory, and are securely protected by the microcontroller 408. Bus 428 allows communications to be made between the cryptographic-key management device 400 and other components of the TPU 204 through the microcontroller 408.
[0045] The combination of the secure microcontroller 408 and the cryptographic module 404 enables networks having thousands of TPUs and millions of optical cards to operate in a cryptographically secure manner. For example, the DS1955B iButton® and DS5240 are specifically designed to provide an on-chip self-contained cryptographic boundary that is tamper reactive and able to store and manage secret keys securely within the hardware. Other modules and chips having similar capacities are commercially available, as known to those of skill in the art, or may be specially constructed. One feature that may be included in such modules and chips is fast and substantially complete zeroization of security parameters upon breach. One target of an attack on an embedded cryptographic system is frequently physical memory since a simple logic analyzer can easily monitor and decode all data moving on address and data buses. Some embedded systems and smart cards attempt to achieve at least some security by using microcontrollers that have internal floating-gate memory, such as EPROM or FLASH. Erasure of floating-gate memory cells requires considerable time for both EPROM and FLASH memory. Moreover, floating-gate technologies are intrinsically nonvolatile and maintain the cell contents when power is removed; the decay time is typically on the order of hundreds of years, giving attackers time to breach physical chip defenses to access protected information. In contrast, the use of rapid zeroization of keys protected by the cryptographic module 404 and/or the secure microcontroller 408 provides much greater security.
[0046] The same zeroization used by the protective on-chip systems may also be initiated by the cryptographic module 404 and/or secure microcontroller 408 when certain off-chip tamper-detection systems are activated. For example, the devices may include an additional metal-layer die top coating designed to prevent microprobe attacks on the chip itself even when the chip is not powered. The layer comprises an interweave of power and ground that are connected to logic protecting the keys so that any attempt to remove the layer results in zeroization. The tamper response, when activated, thus rapidly erases internal encryption keys, interrupt vector tables, and data that may be stored in memory. The secure microcontroller 408 may also comprise an on-chip hardware encryption/decryption engine that operates at substantially the same rate as the machine instruction stream. For example, the encryption/decryption engine could comprise a triple-DES engine. This engine is used to perform a cryptographic operation on each program fetch, so that data such as encryption keys and controlling software are never seen outside the processor as plaintext.
[0047] In addition, in some embodiments, the microcontroller 408 may comprise one or more self-destruct pins that cause rapid, substantially complete zeroization of protected memory when their lines are disturbed, even when the unit is not powered. For example, one such pin may be connected to external off-chip tamper sensors configured inside the TPU housing 304. The operation of another such pin may be used to provide enhanced protection in combination with encapsulating the cryptographic-key management device 400 as illustrated in Figs. 5A and 5B. Fig. 5A is a flow diagram illustrating a method for fabricating a cryptographic-key management device in accordance with an embodiment of the invention, and Fig. 5B schematically shows stages of the device during that fabrication method.
[0048] The specific sequence shown in Fig. 5A is not intended to be exclusive; in other embodiments, some of the acts may be omitted, some additional acts may be performed, and/or the recited order of acts may be changed without exceeding the intended scope of the invention. The various modules of the cryptographic-key management device are provided on a surface 540, including the microcontroller 544 having a self-destruct pin at block 504. At block 508, the cryptographic module 548 is provided on the surface 540. At block 512 a random-number generator 552 is provided on the surface 540. At block 516, secure memory is provided for public and private cryptographic keys. In some embodiments, this memory may be comprised by the microcontroller 544 and/or cryptographic module 548; in other embodiments, the memory may be appropriate for storage of a symmetric key if such an encryption technique is used. In the illustrated embodiment, memory 556 is provided for storage of the public keys while memory to store the private key is comprised by the cryptographic module 548. At block 520, the components on the surface 540 are interconnected as appropriate for implementing the encryption protocol to produce the structure shown schematically in the top panel of Fig. 5B.
[0049] At block 524, brittle wire is connected to the microcontroller self-destruct pin. The inventor has found that #40 fine nichrome wire has suitable characteristics, although other types of wire may be used in alternative embodiments. The brittle wire may be wrapped about the surface 540 as shown in the central panel of Fig. 5B. In some instances, such wrapping may have multiple layers, such as two, three, four, or more layers, increasing the difficulty of reaching active components of the cryptographic-key management device without encountering the wire. Damage to the wire, such as would result from attempted tampering with the cryptographic-key management device, would produce a disturbance that activates the self-destruct pin to zeroize the protected memory. The surface 540 may then be potted with a block of hard opaque frangible material 564 at block 528 to produce the structure shown in the lower panel of Fig. 5B; trademark or other information may be printed on the material 564 as shown. Suitable substances for material 564 include mixtures of epoxy substances with ground silica, alumina, or a filled encapsulant. Such materials make it extremely difficult to machine or laser-ablate the surrounding block without triggering the automatic zeroization mechanisms that obliterate the secret keys.
[0050] An exemplary structure of the cryptographic module is shown in Fig. 6, which is adapted from a figure provided in the technical document "DS1955B Java™-powered Cryptographic iButton®: FIPS 140-1 NonProprietary Cryptographic Module Security Policy," produced by Dallas Semiconductor Corporation and published by the Computer Security Resource Center of the National Institute of Standards and Technology at http://csrc.nist.gov/cryptval/140-l/140sp/140spl 11.pdf. This document is incorporated herein by reference in its entirety for all purposes. Fig. 6 provides an exploded view of the DS1955 iButton®, which may be used as the cryptographic module in an embodiment. The module holds a DS83C960 cryptographic chip 616 within a protective stainless-steel can 602 having lid 624. This external structure does not include any holes or vents that could permit probing. The chip 616 is protected by a barricade 622, which is bonded with metallurgical bonds 620, and by an electrostatic discharge suppressor 614. A quartz timing crystal 612 provides a true time clock for the chip 616 and an energy reservoir 618 provides parasitic-capacitance power for the chip 616. Backup power is provided by a lithium cell 606, which is supported by grommet 610 and kept in electrical contact with the chip through microswitches 604 and 608. The switch contacts are monitored constantly so that any separation of the chip 616 from the lithium cell 606 switches the device to on-chip capacitor power to perform substantially complete zeroization as its last powered action. The device may also include temperature monitors so that deviation from standard operational temperatures of about -20°C to 70°C causes zeroization.
[0051] There are a variety of different structures that may be used for the random-number generator 412. This includes software-based generators that supply an initial seed as a starting value to an algorithm to generate a sequence of pseudorandom numbers that meet certain distribution and repetition constraints. For security applications, one weakness of such algorithmic generators is that the algorithm may be subject to reverse engineering so that, coupled with a deduction of the initial seed or any subsequent seed, it may allow the sequence to be predicted. Much greater security may be achieved with a hardware-based random-number generator, one example of which is illustrated schematically in Fig. 7 for an embodiment of the invention.
[0052] This structure produces random numbers by generating random electronic noise by known quantum processes, and then amplifying and sampling that noise. In the illustrated embodiment, two separate noise generators 704 and 708 are provided. Each of the noise generators 704 and 708 may comprise a plurality of transistors. A first of the transistors has its base-emitter junction reverse-biased into a breakdown region that generates quantum random current shot noise. As is known to those of skill in the art, shot noise is caused by random fluctuations in the motion of charge carriers in a conductor; quantum shot noise reflects variations in current that arise from quantum effects of the discreteness of electrical charge. The shot noise is fed into another of the transistors, which is configured as a normal common-emitter stage to act as a current-to-voltage converter. Negative feedback may be employed to provide stabilization of a dc bias point and to minimize the effect of transistor-component variations. The noise voltage may also be fed back to the reverse-biased transistor to limit noise-generation pulse width.
[0053] The two random shot-noise generators feed the resulting pulses into a differential amplifier 712. For example, the amplifier 712 may have a first input that receives the signal incoming from noise generator 704 and a second input that inverts the signal incoming from noise generator 708. This property acts to subtract the signals from the two generators 704 and 708 so that any signal components that are common to both, such as ambient electrical noise, are canceled out to eliminate external periodic interference that may be introduced to the circuit by such sources as a power supply, a ground bounce from associated digital circuitry, electromagnetic interference, and the like. In some embodiments, a second operational amplifier may be used as a ground generator to supply a virtual ground to the differential amplifier to improve operation.
[0054] The conditioned random response is then fed into an analog comparator 716, which may have its trigger reference derived by scaling and integrating its input signal to make an offset tracking comparator to quantize the analog noise. The offset is desirable so that the noise pulse rate is limited and the noise entropy is enhanced. The narrow quantized noise may then be converted to a digital signal by converter 720. For example, in one embodiment the conversion may be performed by clocking a JK flip flop with the quantized noise. The random bit stream may then be sampled and synchronized for processing by a processing unit 728 by a sample-and-hold module 724, which in one embodiment also comprises a JK flip flop. In embodiments where the random-number generator is comprised by the cryptographic-key management device 400, the processing unit may correspond to the secure microcontroller 408. Residual bias may be removed by a processor 732 comprised by the processing unit 728 programmed to apply an algorithm such as the classic von Neumann method, with the stream of random bits being injected into a circulating ring buffer 736 also comprised by the processing unit.
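As an added illustration of the post-processing described in this paragraph (not code from the patent or from Bsi2000), the following Go program applies the von Neumann corrector to a constructed, deliberately biased bit stream and injects the result into a circulating ring buffer of the kind the text describes. The biased source, the buffer size and the seed are assumptions made for the example; the analog front end (noise generators, comparator, flip-flops) is not modelled, only the bit stream it would deliver.

```go
package main

import "fmt"

// vonNeumannDebias is the classic von Neumann corrector: the raw stream is consumed
// in non-overlapping pairs, "01" emits 0, "10" emits 1, and "00"/"11" are discarded.
// A constant bias in the source cancels out as long as successive samples are
// independent. The number of discarded pairs is returned as well, because a sudden
// rise in it is a cheap health indicator for the physical source.
func vonNeumannDebias(raw []byte) (out []byte, discarded int) {
	for i := 0; i+1 < len(raw); i += 2 {
		switch a, b := raw[i], raw[i+1]; {
		case a == 0 && b == 1:
			out = append(out, 0)
		case a == 1 && b == 0:
			out = append(out, 1)
		default:
			discarded++
		}
	}
	return out, discarded
}

// ringBuffer is the circulating bit buffer into which the corrected stream is
// injected; once it is full, new bits overwrite the oldest ones.
type ringBuffer struct {
	buf   []byte
	head  int // next write position
	count int // valid bits held, at most len(buf)
}

func newRingBuffer(n int) *ringBuffer { return &ringBuffer{buf: make([]byte, n)} }

func (r *ringBuffer) push(bit byte) {
	r.buf[r.head] = bit
	r.head = (r.head + 1) % len(r.buf)
	if r.count < len(r.buf) {
		r.count++
	}
}

// take removes and returns up to n of the oldest bits, in arrival order.
func (r *ringBuffer) take(n int) []byte {
	if n > r.count {
		n = r.count
	}
	out := make([]byte, n)
	start := (r.head - r.count + len(r.buf)) % len(r.buf)
	for i := range out {
		out[i] = r.buf[(start+i)%len(r.buf)]
	}
	r.count -= n
	return out
}

// onesFraction is the simplest bias check: the proportion of 1 bits in a stream.
func onesFraction(bits []byte) float64 {
	if len(bits) == 0 {
		return 0
	}
	ones := 0
	for _, b := range bits {
		ones += int(b)
	}
	return float64(ones) / float64(len(bits))
}

// biasedSource is a CONSTRUCTED stand-in for the sampled comparator output: a linear
// congruential generator whose top 16 bits are thresholded so that roughly 70% of
// the bits are 1. It models only the bias, not the physics of the noise source.
func biasedSource(n int, seed uint32) []byte {
	bits := make([]byte, n)
	x := seed
	for i := range bits {
		x = x*1664525 + 1013904223
		if (x>>16)%10 < 7 {
			bits[i] = 1
		}
	}
	return bits
}

func main() {
	raw := biasedSource(200000, 12345)
	corrected, dropped := vonNeumannDebias(raw)
	rb := newRingBuffer(4096)
	for _, b := range corrected {
		rb.push(b)
	}
	fmt.Printf("raw ones: %.3f  corrected ones: %.3f  pairs dropped: %d  bits buffered: %d\n",
		onesFraction(raw), onesFraction(corrected), dropped, rb.count)
}
```

The corrector discards roughly 58% of the pairs of a 70/30 source (only the "01" and "10" pairs survive), which is why a hardware generator feeding it must run well above the rate at which the processing unit consumes bits.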
[0055] The random-number generator described above has been tested empirically for 10 bits over the course of 10 independent trials to verify that the output is as random as the underlying quantum physics on which the device relies. These tests were performed using the NIST 800-22 RNG test suite described in NIST Special Publication 800-22 entitled "A STATISTICAL TEST SUITE FOR RANDOM AND PSEUDORANDOM NUMBER GENERATORS FOR CRYPTOGRAPHIC APPLICATIONS," by Andrew Rukhin et al. ("Rukhin"), which is available at http://csrc.nist.gov/publications/nistpubs/800-22/sp-800-22-051501.pdf and which is incorporated herein by reference in its entirety for all purposes. The results of these tests are summarized in Table I.
Table I: Results of Random-Number-Generator Tests
[Table I appears in the original only as two images (imgf000018_0001, imgf000019_0001) and is not reproduced here.]
The test number in the table corresponds to a subsection of Rukhin that describes the test in detail, i.e. the test with a given number is described in the correspondingly numbered subsection of Section 2 of Rukhin; the test description in the table is a brief label that corresponds to the test identifications provided in Rukhin. In connection with Rukhin, it is noted that the block size M for test 2 is 20,000; the template length m for tests 7 and 8 is 10; the block size L for test 9 is 12 and the number of initialization steps Q for test 9 is 40,960; the block size for test 11 is 1,000; and the block size m for tests 12 and 13 is 2.
[0056] Rukhin recommends two approaches for interpreting the results of the tests. First, the proportion of successes versus failures for each test should be considered; this is summarized for each test in the third column of Table I. For any nonzero statistical significance level α, a certain proportion of successes and failures is expected. Too few successes indicate that the data exhibit patterns that may be identified by an attacker; similarly, too few failures also indicate a weakness, since an attacker who knows that a certain bit stream will never fail certain tests has an increased chance of determining its output. To decide whether the results lie within an acceptable range, a confidence interval was defined in terms of the true standard deviation for a sample size m = 1000 and a significance level α = 0.01:
(1 − α) ± 3√(α(1 − α)/m) = 0.99 ± 0.009439.
The pass:fail proportion results for the tests of Table I are plotted in Fig. 8, with the bounds of the confidence interval shown in dotted lines. As is evident, all of the test results fall within the confidence interval, indicating that this interpretation of the results is consistent with having a reliable random-number generator.
[0057] Second, the distribution of results should be examined for conformity with some expectation of uniformity; this is summarized with the uniformity value P0 in the fourth column of Table I. This uniformity value is derived from multiple P values, each of which is an output for each test and corresponds to the probability that a perfect random-number generator would produce data less random than the data tested. The overall P0 value was calculated by binning the P values into ten equal intervals between 0 and 1, and using the upper incomplete gamma function,
[equation for P0, present in the original only as image imgf000020_0001; not reproduced here]
where
[equation for the chi-square argument, present in the original only as image imgf000020_0002; not reproduced here]
and Fi is the number of P values in interval i and s is the total number of P values. A result of P0 greater than 0.0001 is considered to identify a substantially uniformly distributed sequence. As is evident from Table I, all of the values of P0 lie above this threshold, again indicating that this interpretation of the results is consistent with a reliable random-number generator.
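The two interpretation rules of paragraphs [0056] and [0057], as one added worked example (not code from the patent, from Bsi2000 or from Rukhin): the Go program below computes the confidence interval on the pass proportion for m = 1000 and α = 0.01, bins a test's P values into ten intervals, evaluates P0 as the regularized upper incomplete gamma function Q(9/2, χ²/2) through the closed form of the chi-square survival function for nine degrees of freedom, and applies the 0.0001 threshold. The P values it consumes are constructed for the example; the function and variable names are assumptions.

```go
package main

import (
	"fmt"
	"math"
)

// proportionInterval returns the range of acceptable pass proportions for m
// sequences tested at significance level alpha, as used for Fig. 8:
// (1 - alpha) ± 3*sqrt(alpha*(1 - alpha)/m).
func proportionInterval(alpha float64, m int) (lo, hi float64) {
	half := 3 * math.Sqrt(alpha*(1-alpha)/float64(m))
	return (1 - alpha) - half, (1 - alpha) + half
}

// chiSquare9SF is P(X > x) for a chi-square variable with 9 degrees of freedom,
// which equals the regularised upper incomplete gamma function Q(9/2, x/2) that
// the uniformity test evaluates. For odd degrees of freedom there is a closed
// form in erfc, so no numerical library is needed.
func chiSquare9SF(x float64) float64 {
	if x <= 0 {
		return 1
	}
	series := 1 + x/3 + x*x/15 + x*x*x/105
	return math.Erfc(math.Sqrt(x/2)) + math.Sqrt(2*x/math.Pi)*math.Exp(-x/2)*series
}

// uniformityPValue bins the s per-sequence P values of one test into ten equal
// intervals (F_i is the count in interval i) and returns
// P0 = Q(9/2, chi2/2) with chi2 = sum_i (F_i - s/10)^2 / (s/10).
func uniformityPValue(pvals []float64) (p0 float64, counts [10]int) {
	for _, p := range pvals {
		i := int(p * 10)
		if i > 9 { // a P value of exactly 1 belongs to the last interval
			i = 9
		}
		counts[i]++
	}
	expected := float64(len(pvals)) / 10
	chi2 := 0.0
	for _, f := range counts {
		d := float64(f) - expected
		chi2 += d * d / expected
	}
	return chiSquare9SF(chi2), counts
}

// evaluateTest applies both criteria to one test's results: the pass proportion
// (a sequence passes when its P value is at least alpha) must lie in the
// confidence interval, and P0 must be at least 0.0001.
func evaluateTest(pvals []float64, alpha float64) (proportion, p0 float64, ok bool) {
	passed := 0
	for _, p := range pvals {
		if p >= alpha {
			passed++
		}
	}
	proportion = float64(passed) / float64(len(pvals))
	lo, hi := proportionInterval(alpha, len(pvals))
	p0, _ = uniformityPValue(pvals)
	return proportion, p0, proportion >= lo && proportion <= hi && p0 >= 0.0001
}

// syntheticPValues is a CONSTRUCTED stand-in for real test output: s values
// spread evenly over (0, 1), which is what an ideal generator would yield.
func syntheticPValues(s int) []float64 {
	out := make([]float64, s)
	for i := range out {
		out[i] = (float64(i) + 0.5) / float64(s)
	}
	return out
}

func main() {
	lo, hi := proportionInterval(0.01, 1000)
	fmt.Printf("acceptable pass proportion for m=1000, alpha=0.01: [%.6f, %.6f]\n", lo, hi)
	prop, p0, ok := evaluateTest(syntheticPValues(1000), 0.01)
	fmt.Printf("ideal results: proportion=%.3f P0=%.4f acceptable=%v\n", prop, p0, ok)
	skewed := make([]float64, 1000) // every P value identical: passes, but far from uniform
	for i := range skewed {
		skewed[i] = 0.5
	}
	prop, p0, ok = evaluateTest(skewed, 0.01)
	fmt.Printf("degenerate results: proportion=%.3f P0=%.4g acceptable=%v\n", prop, p0, ok)
}
```

The degenerate case in main is the point of the second criterion: a generator whose P values all land in one bin never fails a test, yet its P0 collapses to zero and its pass proportion of 1.0 lies above the upper confidence bound, so both checks reject it.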
[0058] The manner in which the network of TPUs 204 and optical cards 100 may be used in reading and writing encrypted data is illustrated schematically in Fig. 9. In this illustration, each of the TPUs 204 is shown including an optical read/write drive 908 and a processor 904 in addition to the cryptographic-key management device 400. The processor is in communication with both the cryptographic-key management device 400 and optical read/write drive 908 to coordinate operation of them within the TPU. The processor 904 may also coordinate operation of additional components such as a touch screen, control buttons, interfaces to external or integral biometric devices, interfaces to external communication links, and the like, some of which are shown in the physical embodiment depicted in Fig. 3. The read/write optical drive 908 has the capability to read data from optical cards in accordance with instructions from the processor 904 and to write data to optical cards. A variety of models of such optical read/write devices will be known to those of skill in the art, including, for example, various models available from Drexler Technology Corporation of Mountain View, California.
[0059] As indicated in Fig. 9, one of the TPUs 204 may be used to write encrypted data onto an optical card 100 and the data may subsequently be read from the optical card 100 by another TPU 204. Figs. 10 - 12 provide flow diagrams that illustrate a secure cryptographic protocol used in some embodiments to perform such read and write operations securely.
[0060] The ability to perform read and/or write operations begins by booting a TPU so that it is in a ready state to encrypt or decrypt data according to the cryptographic protocol as necessary. The flow diagram of Fig. 10 illustrates such a boot operation, which begins at block 1004 by powering the TPU. Such powering activates a secure loader, which may be stored in FLASH memory in the TPU, to receive, in one embodiment, a text pass phrase ("TPP") from a human operator. The TPP is specific to the cryptographic-key management device comprised by that TPU. The TPP is one-way hashed to yield a multibit string, which, when confirmed, will enable further operations of the cryptographic-key management device. In one embodiment, the multibit string is approximately 160 bits. To yield a multibit string of this length, the TPP may be about twenty typical English words (e.g., "The time has come, the walrus said ..."), preferably not a literary phrase that would be susceptible to a dictionary attack, but still a phrase easily remembered by the TPP owner. The TPP may be hashed with a one-way cryptographically secure hash function, such as the NIST 160-bit secure hash algorithm ("SHA"). The result is written to the cryptographic-key management device ("CrypKey") as indicated in the following formalism:
H(TPP) → CrypKey (Enable Board).
In this formalism, the notation A → B is used to denote that A is written to B, and H identifies the hashing operation.
[0061] At block 1012, the encrypted set of all public keys is read. This may be done initially by having the secure loader read a master boot optical card ("MBOC"), which has data for initializing the cryptographic-key management device:
EC2K (C2KD), EC2K (H (EC2K (C2KD))) ← MBOC.
The notation A ← B is used to denote that B is written to A. The master boot optical card provides a file of decrypting public keys C2KD for each cryptographic-key management device in the network. This file is always encrypted with the private key C2K of the specific cryptographic-key management device where it is maintained, as indicated by the expression EC2K (C2KD). The file will usually also have been previously signed by the specific cryptographic-key management device as EC2K (H (EC2K (C2KD))). This expression is decrypted with the private key so that the signature may be verified by comparing it with a freshly computed hash of the encrypted public keys:
DC2K (EC2K (H (EC2K (C2KD)))) == H? (EC2K (C2KD)) (Sig OK?).
In this expression, decryption with the private key is denoted with the operator DC2K and H? is used to denote the verification operation, i.e. the question "Does the calculated one-way hash value equal the hash value that was stored and then read?" is denoted H? (m) == H(m)? If the signature is verified in this way, the encrypted public keys are written to the cryptographic-key management device: EC2K (C2KD) → CrypKey.
Having been supplied with the public keys, the cryptographic-key management device of the TPU is ready to decrypt secure traffic received from optical cards that was securely written by any other TPU in the network.
[0062] An application software module ("ASM") may similarly be provided to the processor to replace the secure loader. The ASM is read from the master boot optical card at block 1016:
EC2K (k), Ek (ASM), EC2K (H(ASM)) ← MBOC.
As indicated, the ASM on the master boot optical card is encrypted with a random session key k, Ek (ASM), which is itself encrypted by the private key C2K, EC2K (k). The random key k may be, for instance, an encryption key used with a symmetric encryption algorithm, and may be generated by the random-number generator comprised by the cryptographic-key management device. The master boot optical card also includes an encrypted version of the one-way hashed ASM, EC2K (H(ASM)), so that the signature may be verified at block 1020 in the same fashion described above:
DC2K (EC2K (H(ASM))) == H? (Dk (Ek (ASM))), with k = DC2K (EC2K (k)) (Sig OK?).
If the signature is verified, the application software is started on the processor 904 to replace the secure loader at block 1024:
Processor ← Dk (Ek (ASM)), with k = DC2K (EC2K (k)) (SL replaced with ASM on the Processor).
Accordingly, after the boot process illustrated in Fig. 10, data from a master boot optical card has been used securely to supply the processor 904 with application software and to supply the cryptographic-key management device with a record of the public keys for all cryptographic-key management devices in the network.
[0063] To write a secure record to an optical card, the protocol illustrated with the flow diagram of Fig. 11 may be used. At block 1104, a header block is built. A current date/time stamp DTS and a serial number for the target optical card CSN are packaged into a data record of n bits. The combination of information is thus information uniquely associated with encryption of the record. The use of a date/time stamp in this information prevents fraudulent duplication of cloned records, and the use of the optical-card serial number prevents block-relay types of attacks. In applications where block-relay attacks are of less concern, the package may omit the optical-card serial number, and some alternative embodiments may use a substitute for the date/time stamp to provide a different form for the unique information. The cryptographic-key management device is asked by the processor 904 to generate two random numbers r and k using the random-number generator and to supply a serial number C2KSN that uniquely identifies the cryptographic-key management device:
C2KSN, r, k ← CrypKey.
Random number r may have a length of n bits, i.e. equal in length to the package of DTS and CSN, and random number k may be used as a session key, having a length of 128 bits in one embodiment. The cryptographic-key management device then encrypts, with its private key C2K, a data record that includes r, r ⊕ (DTS, CSN), and k, where the symbol ⊕ is used to denote an exclusive-OR (XOR) operation. The result is combined with serial number C2KSN and written to the optical card as the header:
C2KSN, EC2K (r, r ⊕ (DTS, CSN), k) → Optical Card.
This technique may be expressed more generally as encrypting plaintext M with key X by using a random number R to blur the plaintext and make its unauthorized recovery much more difficult: EX (R, R ⊕ M). In the specific application at hand, the plaintext is M = (DTS, CSN) and the key is X = C2K. While authorized recovery of the plaintext may be achieved by performing the operation R ⊕ DX (EX (R, R ⊕ M)), the blurring of the plaintext with random number r complicates its unauthorized recovery, enhancing the overall security of the system.
[0064] After the header block has been written to the optical card, the actual record may be written in encrypted form. At block 1108, the plaintext m of the record is signed by calculating a one-way hash H of the plaintext and encrypting the result with the private key for writing to the target optical card:
EC2K (H(m)) → Optical Card.
The record itself may then be encrypted and written to the optical card at block 1112. In one embodiment, a symmetric algorithm is used to encrypt the plaintext m with the randomly generated key k. Security can be further enhanced in other embodiments by using block chaining to reduce the effectiveness of plaintext or block-repeat attacks. For instance, the cryptographic-key management device may be asked to return another random number c0 from the random-number generator, which may be used as an initialization vector for the block-chaining algorithm and which is recorded on the optical card:
CrypKey → c0 → Optical Card.
Blocks of plaintext m1, m2, m3, ... are then encrypted successively and written to the optical card by performing the exclusive-or operation with the chain of c values:
ci = Ek (mi ⊕ ci−1) (for i = 1, 2, ...) → Optical Card.
For example, if the plaintext is encrypted in eight-byte blocks, the c values may comprise 64-bit numbers. This technique significantly increases the security of the record written to the optical card. Including the header information, the complete secure record for writing plaintext m to the optical card is thus:
C2KSN, EC2K (r, r ⊕ (DTS, CSN), k), EC2K (H(m)), c0, Ek (mi ⊕ ci−1) (for i = 1, 2, ...).
[0065] The flow diagram of Fig. 12 illustrates how such a secure record may subsequently be read and decrypted by a different TPU in the network. When an optical card having information written to it is received by a TPU, the information is extracted by initially reading the header block at block 1204. As seen from the complete expression of the securely written record, the first item in the header record is the uniquely identifying serial number C2KSN of the writing cryptographic-key management device, and the second item is the encrypted version of the date/time stamp DTS, the optical-card serial number CSN, and session key k: EC2KSN (r, r ⊕ (DTS, CSN), k). In this expression, the subscript of the encryption operator E is C2KSN to emphasize that the decryption by the reading TPU may be performed with the public key corresponding to the private key of the writing unit. Accordingly, these header records are read from the optical card and provided to the cryptographic-key management device:
C2KSN, EC2KSN (r, r ⊕ (DTS, CSN), k) ← Optical Card
C2KSN, EC2KSN (r, r ⊕ (DTS, CSN), k) → CrypKey.
The identification of the writing-unit serial number C2KSN is used to look up the securely stored public key of the writing unit from the record of all public keys C2KD. This public key is used to decrypt the encrypted header information,
r, r ⊕ (DTS, CSN), k → CrypKey,
with the date/time stamp DTS and card serial number CSN being recovered from the extracted identification of the n-bit random number r:
DTS, CSN = r ⊕ (r ⊕ (DTS, CSN)).
The extracted card serial number CSN is verified to ensure that it matches the serial number of the card being read; a failure of these numbers to match is generally indicative of some type of fraud, such as that a block-replay attack is underway or that a record has been cloned from another card and illicitly written to the card being read.
[0066] At block 1208, the authenticating plaintext signature is extracted from the next record read from the card after the header, EC2KSN (H(m)), where again the subscript of the encryption operator E has been written as C2KSN to emphasize that the public key for the writing unit may be used to perform the decryption. This record is thus read from the optical card and provided to the cryptographic-key management device with the writing-unit serial number C2KSN so that the authenticating signature H(m) may be extracted:
EC2KSN (H(m)) ← Optical Card
C2KSN, EC2KSN (H(m)) → CrypKey
H(m) ← CrypKey.
As before, the decryption performed by the cryptographic-key management device proceeds by looking up the public key corresponding to the writing unit in the public-key repository C2KD and applying it.
[0067] The plaintext is read and decrypted at block 1212. The next record on the optical card is the block-chain initialization vector c0:
c0 ← Optical Card.
Each of the other encrypted blocks ci may be read and decrypted with the symmetric algorithm and symmetric session key k:
ci ← Optical Card, mi = ci−1 ⊕ Dk (ci) = ci−1 ⊕ Dk (Ek (mi ⊕ ci−1)) (for i = 1, 2, ...).
The decrypted plaintext m may then be used to verify the signature by calculating the one-way hash of the decrypted plaintext m and verifying that it equals the previously decrypted signature H(m):
H(m) == H? (m) (Sig OK?).
If so, the plaintext may be provided to the processor 904 ofthe reading TPU so that a transaction may be executed with it.
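The write procedure of Fig. 11 and the read procedure of Fig. 12 described above, as one added end-to-end example (not the patent's or Bsi2000's code). Encryption with the private key EC2K is modelled as the raw RSA private operation on a block shorter than the modulus, and recovery with the public key as the matching public operation, so the blurring (r, r ⊕ (DTS, CSN)) is what keeps two headers with the same plaintext from producing the same ciphertext; the symmetric algorithm Ek with block chaining is modelled with AES-128 in CBC mode, whose initialisation vector plays the role of c0. The signature check at the end is the same pattern the boot sequence of Fig. 10 uses to verify C2KD and the ASM. The 1024-bit key size, the 8-byte DTS and CSN fields, the serial number "TPU-0001" and the plaintext are constructed assumptions, and padding is left out, so the plaintext must be a whole number of cipher blocks.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
)

const idLen, keyLen, hdrLen = 16, 16, 48 // (DTS, CSN) is n = 128 bits, r matches it, k is 128 bits; header = r || r XOR (DTS, CSN) || k

type Record struct { // the complete secure record as laid out on the optical card
	WriterSN string // C2KSN of the writing cryptographic-key management device
	Header   []byte // EC2K(r, r XOR (DTS, CSN), k)
	Sig      []byte // EC2K(H(m))
	C0       []byte // block-chaining initialisation vector
	Blocks   []byte // c1, c2, ... with ci = Ek(mi XOR c(i-1))
}

func newKey() *rsa.PrivateKey { // toy 1024-bit C2K for the example
	k, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil { panic(err) }
	return k
}

// privOp models EC2K as the raw RSA private operation on a block shorter than the modulus.
func privOp(priv *rsa.PrivateKey, data []byte) []byte {
	c := new(big.Int).Exp(new(big.Int).SetBytes(data), priv.D, priv.N)
	return c.FillBytes(make([]byte, (priv.N.BitLen()+7)/8))
}

// pubOp recovers an outLen-byte block with the writer's public key; nil if the value cannot be one.
func pubOp(pub *rsa.PublicKey, data []byte, outLen int) []byte {
	m := new(big.Int).Exp(new(big.Int).SetBytes(data), big.NewInt(int64(pub.E)), pub.N)
	if m.BitLen() > 8*outLen { return nil }
	return m.FillBytes(make([]byte, outLen))
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// WriteRecord performs blocks 1104-1112 of Fig. 11 on the writing unit (sn, priv) = (C2KSN, C2K).
func WriteRecord(sn string, priv *rsa.PrivateKey, dts, csn [8]byte, m []byte) (*Record, error) {
	if len(m)%aes.BlockSize != 0 { // padding is left out of this example
		return nil, errors.New("plaintext must be a whole number of cipher blocks")
	}
	id := append(append([]byte{}, dts[:]...), csn[:]...) // the (DTS, CSN) package
	rnd := make([]byte, idLen+keyLen+aes.BlockSize)      // r, k and c0 from the random-number generator
	if _, err := rand.Read(rnd); err != nil { return nil, err }
	r, k, c0 := rnd[:idLen], rnd[idLen:idLen+keyLen], rnd[idLen+keyLen:]
	hdr := append(append(append([]byte{}, r...), xorBytes(r, id)...), k...)
	h := sha256.Sum256(m)       // the signature is the private-key operation on H(m)
	blk, _ := aes.NewCipher(k) // k is always 16 bytes, so NewCipher cannot fail here
	body := make([]byte, len(m))
	cipher.NewCBCEncrypter(blk, c0).CryptBlocks(body, m) // ci = Ek(mi XOR c(i-1))
	return &Record{WriterSN: sn, Header: privOp(priv, hdr), Sig: privOp(priv, h[:]), C0: c0, Blocks: body}, nil
}

// ReadRecord performs blocks 1204-1212 of Fig. 12; dir is the reading unit's C2KD, cardCSN the serial of the card in its drive.
func ReadRecord(dir map[string]*rsa.PublicKey, rec *Record, cardCSN [8]byte) ([]byte, error) {
	pub, ok := dir[rec.WriterSN]
	if !ok || len(rec.Blocks)%aes.BlockSize != 0 || len(rec.C0) != aes.BlockSize {
		return nil, errors.New("unknown or revoked writing unit, or malformed record")
	}
	hdr := pubOp(pub, rec.Header, hdrLen) // r || r XOR (DTS, CSN) || k, or nil if the header was altered
	if hdr == nil || subtle.ConstantTimeCompare(xorBytes(hdr[:idLen], hdr[idLen:2*idLen])[8:], cardCSN[:]) != 1 {
		return nil, errors.New("unreadable header or card serial mismatch: cloned record or block relay suspected")
	}
	k := hdr[2*idLen:] // (DTS, CSN) = r XOR (r XOR (DTS, CSN)) was recovered and checked above
	blk, _ := aes.NewCipher(k)
	m := make([]byte, len(rec.Blocks))
	cipher.NewCBCDecrypter(blk, rec.C0).CryptBlocks(m, rec.Blocks) // mi = c(i-1) XOR Dk(ci)
	want := sha256.Sum256(m)
	if got := pubOp(pub, rec.Sig, sha256.Size); got == nil || subtle.ConstantTimeCompare(want[:], got) != 1 {
		return nil, errors.New("signature mismatch: record altered or not from the claimed unit")
	}
	return m, nil
}

func main() {
	writer := newKey() // the identifiers and plaintext below are constructed sample values
	dir := map[string]*rsa.PublicKey{"TPU-0001": &writer.PublicKey} // the reading unit's copy of C2KD
	dts, csn := [8]byte{'2', '0', '0', '4', '0', '5', '1', '4'}, [8]byte{'C', 'A', 'R', 'D', '0', '0', '0', '1'}
	rec, _ := WriteRecord("TPU-0001", writer, dts, csn, []byte("DEBIT 100.00 USD from ACCT 0042 "))
	m, err := ReadRecord(dir, rec, csn)
	fmt.Printf("read on another TPU: %q (err=%v)\n", m, err)
	_, err = ReadRecord(dir, rec, [8]byte{'C', 'A', 'R', 'D', '9', '9', '9', '9'})
	fmt.Println("same record presented on another card:", err)
}
```

The second ReadRecord call in main exercises the clone and block-relay check: a record that decrypts correctly is still rejected when the card in the drive does not carry the serial number sealed in the header. As in the patent, the confidentiality of k and of the header rests on the C2KD file of public keys being held only inside the devices; with a raw public-key operation, anyone who obtains a writer's public key can recover the header, which is why the text stores C2KD encrypted in tamper-responsive hardware and circulates revocation lists for missing units.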
[0068] This cryptographic protocol, particularly when combined with the physical security features of the cryptographic-key management device described above, provides very high security of the information on optical cards. The fast and complete zeroization of keys and other items, combined with the several layers of physical tamper-attack sensing that conform at least to security levels 1, 2, and 3 of the FIPS 140-1 standards, provides security that is in some embodiments greater than that provided by high-level smart-card systems. The one-way hash that implements a digital signature enables all records to be authenticated, verified for integrity, and made nonrepudiable. The effects of known-plaintext and dictionary attacks are greatly mitigated by using the technique of blurring certain plaintext with random strings, i.e. by construction of the (r, r ⊕ m) string. The digital signature authentication also prevents so-called "Man in the Middle" attacks from being effective. Similarly, the possibility of so-called "Trojan Horse" attacks is also prevented because attacking software cannot obtain a copy of the one-way hash of the text pass phrase that is securely stored in the protected memory; a particular cryptographic-key management device will not function at all until it receives the multibit string derived from the text pass phrase. Furthermore, the protocol detects illicitly cloned optical cards because each secure record contains, in encrypted form, the unique serial number of the original card to which it was written.
[0069] Even theft of a TPU containing a cryptographic-key management device would not seriously compromise the security of the system. If a unit is stolen and an attempt is made to reverse engineer the system, the file of all public keys and the individual private key remain securely protected by the physical mechanisms described above. For example, recovering the private key for a particular cryptographic-key management device would require the complete destruction of the device in some embodiments. Moreover, a stolen cryptographic-key management device will still fail to respond to meaningful commands until it has been activated with the correct text pass phrase. There can be no realistic chance of a successful attack without theft of the physical TPU with its cryptographic-key management device, theft of the corresponding master boot optical card, and theft of the text pass phrase. It is accordingly preferable in some embodiments to store the master boot optical card separately from the TPU in a secure manner, and also to secure the text pass phrase. To further mitigate the impact in cases where a TPU is stolen, a list of missing or compromised TPUs may occasionally or periodically be circulated. Such a list may conveniently be distributed on optical cards that provide each of the uncompromised TPUs in a network with notification to ignore records identified as originating with potentially compromised units.
[0070] Having described several embodiments, it will be recognized by those of skill in the art that various modifications, alternative constructions, and equivalents may be used without departing from the spirit of the invention. Accordingly, the above description should not be taken as limiting the scope of the invention, which is defined in the following claims.

Claims

WHAT IS CLAIMED IS:
1. A method for writing a record to an optical card, the method comprising: randomly generating a session key; encrypting the session key using a private key of a public/private key pair associated with a particular cryptographic-key management device; encrypting the record using the session key; and optically writing a serial number for the particular cryptographic-key management device, the encrypted private key, and the encrypted record to the optical card.
2. The method recited in claim 1 wherein encrypting the session key using the private key comprises encrypting a combination of the session key and information uniquely associated with encryption of the record.
3. The method recited in claim 2 wherein the information uniquely associated with encryption of the record comprises a date/time stamp.
4. The method recited in claim 3 wherein the information uniquely associated with encryption of the record further comprises a unique serial number for the optical card.
5. The method recited in claim 3 wherein encrypting the combination of the session key and information uniquely associated with encryption of the record comprises: randomly generating a string having an equal bit length to the combination; performing an exclusive-or operation between the string and the combination; and encrypting the string, a result of the exclusive-or operation, and the session key with the private key.
6. The method recited in claim 1 wherein encrypting the record using the session key comprises performing block encryption of the record using the session key.
7. The method recited in claim 6 wherein performing block encryption of the record comprises: randomly generating an initialization vector c0 equal in length to each of a plurality of blocks of the record; for each of the plurality of blocks i, generating a vector ci by encrypting, with the session key, a result of performing an exclusive-or operation on the each of the plurality of blocks with a preceding vector ci−1.
8. The method recited in claim 1 further comprising cryptographically signing the record.
9. The method recited in claim 8 wherein cryptographically signing the record comprises: performing a one-way hash of the record; and encrypting a result of the one-way hash with the private key.
10. A method for writing a record to an optical card, the method comprising: randomly generating a first string having an equal bit length to a second string constructed from known information that includes information uniquely associated with encryption of the record; performing an exclusive-or operation between the first and second strings; encrypting a combination of the first string and a result of the exclusive-or operation with a first key; encrypting the record with a second key different from the first key; and optically writing the encrypted combination and the encrypted record to the optical card.
11. The method recited in claim 10 wherein the first key is a private key of a public/private key pair associated with a particular cryptographic-key management device, the method further comprising optically writing a serial number for the cryptographic-key management device to the optical card.
12. The method recited in claim 10 wherein the information uniquely associated with encryption of the record comprises a date/time stamp.
13. The method recited in claim 12 wherein the information uniquely associated with encryption of the record further comprises a unique serial number for the optical card.
14. The method recited in claim 10 further comprising randomly generating the second key.
15. The method recited in claim 10 wherein encrypting the record comprises performing block encryption of the record using the second key.
16. The method recited in claim 10 further comprising cryptographically signing the record by performing a one-way hash of the record and encrypting a result of the one-way hash with the first key.
17. A method for extracting a record from an optical card, the method comprising: reading, from the optical card, a serial number for a particular cryptographic-key management device used when an encrypted version of the record was written to the optical card; reading, from the optical card, an encrypted session key; reading, from the optical card, the encrypted version of the record; decrypting the encrypted session key using a public key associated with the serial number; and decrypting the encrypted version of the record using the decrypted session key.
18. The method recited in claim 17 wherein decrypting the encrypted session key comprises extracting information uniquely associated with encryption of the record, the method further comprising verifying authenticity of the extracted information.
19. The method recited in claim 18 wherein the information uniquely associated with encryption of the record includes a date/time stamp.
20. The method recited in claim 18 wherein the information uniquely associated with encryption of the record includes a unique serial number for the optical card, the method further comprising verifying that the extracted optical-card serial number matches the serial number of the optical card.
21. The method recited in claim 18 wherein extracting the information uniquely associated with encryption of the record comprises: decrypting a combination of the session key, a first string that embodies the information uniquely associated with encryption of the record, and a second string having an equal bit length to the information uniquely associated with encryption of the record using the public key; and performing an exclusive-or operation between the first and second strings to recover the information uniquely associated with encryption of the record.
22. The method recited in claim 17 wherein decrypting the encrypted version of the record comprises performing block decryption of the encrypted version of the record.
23. The method recited in claim 17 further comprising verifying a cryptographic signature ofthe record.
24. The method recited in claim 23 wherein verifying the cryptographic signature comprises: performing a one-way hash ofthe decrypted record; reading an encrypted version of a one-way hash of the record from the optical card; decrypting the encrypted version ofthe one-way hash using the public key; and comparing the one-way hash ofthe decrypted record with a result of decrypting the encrypted version ofthe one-way hash.
25. A method for extracting a record from an optical card, the method comprising: reading, from the optical card, an encrypted combination of a session key, a first string that embodies information uniquely associated with encryption ofthe record, and a second string having an equal bit length to the information uniquely associated with encryption ofthe record; decrypting the combination; performing an exclusive-or operation between the first and second strings to extract the information uniquely associated with encryption of the record; verifying authenticity of the information uniquely associated with encryption ofthe record; reading, from the optical card, an encrypted version ofthe record; and decrypting the encrypted version ofthe record using the session key.
26. The method recited in claim 25 further comprising reading, from the optical card, a serial number for a particular cryptographic-key management device used when the encrypted version ofthe record was written to the optical card, wherein decrypting the combination uses a public key associated with the serial number.
27. The method recited in claim 25 wherein the information uniquely associated with encryption ofthe record comprises a date/time stamp.
28. The method recited in claim 25 wherein: the information uniquely associated with encryption ofthe record comprises a unique serial number for the optical card; and verifying authenticity of the information comprises verifying that the extracted optical-card serial number matches the serial number ofthe optical card.
29. The method recited in claim 25 wherein decrypting the encrypted version ofthe record comprises performing block decryption ofthe encrypted version ofthe record.
30. The method recited in claim 25 further comprising verifying a cryptographic signature ofthe record.
31. A method for initializing a cryptographic-key management device to encrypt and decrypt optical-card data as part of a network of transaction processing units that comprise such cryptographic-key management devices, the method comprising: transmitting a multibit string to the cryptographic-key management device, wherein the cryptographic-key management device is enabled upon receipt of a correct multibit string; optically reading, from a master boot optical card, an encrypted set of public keys, each of which is associated with one of the cryptographic-key management devices in the network; and securely storing the set of public keys in memory comprised by the cryptographic-key management device.
32. The method recited in claim 31 wherein the cryptographic-key management device is comprised by a particular transaction processing unit, the method further comprising: reading application software from the master boot optical card; and loading the application software onto a processor comprised by the particular transaction processing unit and adapted to control operation of the cryptographic-key management device.
33. The method recited in claim 32 further comprising verifying authenticity of the application software.
34. The method recited in claim 33 further comprising reading an encrypted version of a session key from the master boot optical card, wherein: reading application software from the master boot optical card comprises: reading a first version of the application software encrypted with the session key; and reading a second version of the application software subjected to a one-way hash and encrypted with the private key; and verifying authenticity of the application software comprises: decrypting the session key with the private key; decrypting the application software with the session key; applying the one-way hash to the decrypted application software to generate a first result; decrypting the encrypted one-way hash of the application software with the private key to generate a second result; and comparing the first and second results.
35. The method recited in claim 31 further comprising: reading a cryptographically signed version of the encrypted set of public keys from the master boot optical card; and verifying authenticity of the encrypted set of public keys with the cryptographically signed version.
36. The method recited in claim 35 wherein: the cryptographically signed version of the encrypted set of public keys was generated by encrypting a one-way hash of the encrypted set of public keys; and verifying authenticity of the encrypted set of public keys comprises: performing the one-way hash on the encrypted set of public keys read from the master boot optical card to generate a first result; decrypting the encrypted one-way hash of the encrypted set of public keys read from the master boot optical card to generate a second result; and comparing the first and second results.
37. A cryptographic-key management device comprising: a secure cryptographic module comprising a first memory storing a private cryptographic key of a plurality of public/private key pairs, the secure cryptographic module adapted to zeroize the first memory in response to physical disruption of the module; a secure microcontroller in communication with and adapted to control operation of the secure cryptographic module, the secure microcontroller comprising a second memory storing the public keys of the plurality of public/private key pairs and a self-destruct pin whose activation disables the microcontroller; and a package encapsulating the secure cryptographic module and the secure microcontroller, the package linked with the self-destruct pin to activate the self-destruct pin in response to a breach of the package.
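The master-boot-card bootstrap of claims 31 to 36, worked through in Python as an added example that is not part of the patent. It assumes the PyCA cryptography package, RSA-OAEP for wrapping the session key, AES-GCM for the records, and an RSA-PSS signature where the claims say the one-way hash is "encrypted with the private key" (the device's private key recovers the session key; the card issuer's public key checks the signed hash); the record names and card layout are constructed.

```python
import hmac
import os

from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Padding and hash choices are assumptions: the claims name only a
# "one-way hash" and public/private key pairs.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)


def new_keypair():
    """Fresh RSA key pair (device key or card-issuer key)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def device_enabled(presented: bytes, expected: bytes) -> bool:
    """Claim 31: the device enables only on receipt of the correct multibit
    string. Constant-time compare so timing does not reveal matching bits."""
    return hmac.compare_digest(presented, expected)


def make_master_boot_card(records: dict, device_pub, issuer_priv) -> dict:
    """Issuer side, constructed layout. One session key is wrapped to the
    device's public key; each record (application software, encrypted
    public-key set, ...) is encrypted under the session key and carried with
    an RSA-PSS signature over its one-way hash."""
    session_key = AESGCM.generate_key(bit_length=256)
    card = {"wrapped_key": device_pub.encrypt(session_key, OAEP), "records": {}}
    for name, data in records.items():
        nonce = os.urandom(12)
        card["records"][name] = {
            "nonce": nonce,
            "ciphertext": AESGCM(session_key).encrypt(nonce, data, None),
            "signed_hash": issuer_priv.sign(data, PSS, hashes.SHA256()),
        }
    return card


def load_master_boot_card(card: dict, device_priv, issuer_pub) -> dict:
    """Device side, the steps of claims 34 and 36: recover the session key
    with the device private key, decrypt each record, hash it and compare
    that hash with the signed one (verify() recomputes and compares).
    Any mismatch raises ValueError so nothing partially verified is loaded."""
    try:
        session_key = device_priv.decrypt(card["wrapped_key"], OAEP)
        loaded = {}
        for name, rec in card["records"].items():
            data = AESGCM(session_key).decrypt(rec["nonce"], rec["ciphertext"], None)
            issuer_pub.verify(rec["signed_hash"], data, PSS, hashes.SHA256())
            loaded[name] = data
    except (ValueError, InvalidTag, InvalidSignature) as exc:
        raise ValueError("master boot card rejected") from exc
    return loaded


def card_is_authentic(card: dict, device_priv, issuer_pub) -> bool:
    """True only if every record decrypts and its signed hash verifies."""
    try:
        load_master_boot_card(card, device_priv, issuer_pub)
        return True
    except ValueError:
        return False
```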
38. The cryptographic-key management device recited in claim 1 wherein the physical disruption of the module comprises a breach of a container housing the first memory.
39. The cryptographic-key management device recited in claim 1 wherein the physical disruption of the module comprises a deviation in a temperature of the module outside of a predefined range.
40. The cryptographic-key management device recited in claim 1 wherein the physical disruption of the module comprises a deviation in strength of an electromagnetic field near the module outside of a predefined range.
41. The cryptographic-key management device recited in claim 1 wherein the package comprises a brittle wire connected with the self-destruct pin.
42. The cryptographic-key management device recited in claim 41 wherein the brittle wire is wrapped about the secure cryptographic module and secure microcontroller.
43. The cryptographic-key management device recited in claim 42 wherein the brittle wire is wrapped in multiple layers about the secure cryptographic module and secure microcontroller.
44. The cryptographic-key management device recited in claim 1 wherein the package comprises an encapsulating material that includes an epoxy substance and at least one of a silica and an alumina.
45. The cryptographic-key management device recited in claim 1 wherein the secure microcontroller comprises a second self-destruct pin whose activation disables the microcontroller, the second self-destruct pin connected with a tamper sensor external to the cryptographic-key management device and internal to a housing surrounding the cryptographic-key management device.
46. The cryptographic-key management device recited in claim 1 further comprising a random-number generator in communication with the secure microcontroller.
47. The cryptographic-key management device recited in claim 46 wherein the random-number generator is a hardware random-number generator.
48. A method for fabricating a cryptographic-key management device, the method comprising: providing a secure cryptographic module comprising a first memory and adapted to zeroize the first memory in response to physical disruption of the module; providing a secure microcontroller in communication with the secure cryptographic module, the secure microcontroller comprising a second memory and a self-destruct pin whose activation disables the microcontroller; storing a private cryptographic key of a plurality of public/private key pairs in the first memory; storing the public keys of the plurality of public/private key pairs in the second memory; and encapsulating the secure cryptographic module and the secure microcontroller within a package linked with the self-destruct pin to activate the self-destruct pin in response to a breach of the package.
49. The method recited in claim 48 wherein the physical disruption of the module comprises a breach of a container housing the first memory.
50. The method recited in claim 48 wherein the physical disruption ofthe module comprises a deviation in a temperature of the module outside of a predefined range.
51. The method recited in claim 48 wherein the physical disruption of the module comprises a deviation in strength of an electromagnetic field near the module outside of a predefined range.
52. The method recited in claim 48 wherein encapsulating the secure cryptographic module and the secure microcontroller within a package comprises connecting a brittle wire with the self-destruct pin.
53. The method recited in claim 52 wherein encapsulating the secure cryptographic module and the secure microcontroller within a package further comprises wrapping the brittle wire about the secure cryptographic module and secure microcontroller.
54. The method recited in claim 53 wherein wrapping the brittle wire about the secure cryptographic module and secure microcontroller comprises wrapping the brittle wire in multiple layers about the secure cryptographic module and secure microcontroller.
55. The method recited in claim 48 wherein the package comprises an encapsulating material that includes an epoxy substance and at least one of a silica and an alumina.
56. The method recited in claim 48 wherein the secure microcontroller comprises a second self-destruct pin whose activation disables the microcontroller, the method further comprising connecting the second self-destruct pin with a tamper sensor.
57. The method recited in claim 48 further comprising providing a random number generator in communication with the secure microcontroller.
58. The method recited in claim 57 wherein the random number generator is a hardware random-number generator.
59. An optical-card network comprising: a plurality of transaction processing units, each such unit comprising: a cryptographic-key management device having a securely stored private key for that cryptographic-key management device and securely stored public keys for a plurality of cryptographic-key management devices comprised by the network; an optical-card read/write drive in communication with the cryptographic-key management device and adapted to exchange data with optical cards; and a processor in communication with and adapted to control operation of the cryptographic-key management device and the optical-card read/write drive; and a plurality of optical cards.
60. The optical-card network recited in claim 59 wherein information may be exchanged among the plurality of transaction processing units only with the plurality of optical cards.
61. The optical-card network recited in claim 59 wherein the plurality of transaction processing units are interconnected electronically.
62. The optical-card network recited in claim 59 wherein the cryptographic-key management device comprises: a secure cryptographic module comprising a first memory storing the private cryptographic key and adapted to zeroize the first memory in response to physical disruption of the module; a secure microcontroller in communication with and adapted to control operation of the secure cryptographic module, the secure microcontroller comprising a second memory storing the public keys and a self-destruct pin whose activation disables the microcontroller; and a package encapsulating the secure cryptographic module and the secure microcontroller, the package linked with the self-destruct pin to activate the self-destruct pin in response to a breach of the package.
63. The optical-card network recited in claim 62 wherein the package comprises a brittle wire connected with the self-destruct pin and wrapped about the secure cryptographic module and secure microcontroller.
64. The optical-card network recited in claim 62 wherein the package comprises an epoxy substance and at least one of a silica and an alumina.
65. The optical-card network recited in claim 62 wherein: each such unit further comprises a tamper sensor; and the secure microcontroller comprises a second self-destruct pin whose activation disables the microcontroller, the second self-destruct pin connected with the tamper sensor.
66. A hardware random-number generator comprising: a first quantum random shot-noise generator; a second quantum random shot-noise generator; a differential amplifier in electrical communication with the shot-noise generators to subtract signals produced by the shot-noise generators; and an analog comparator in electrical communication with the differential amplifier to quantize a difference signal produced by the differential amplifier.
67. The hardware random-number generator recited in claim 1 further comprising a second amplifier in electrical communication with the differential amplifier to supply a virtual ground to the differential amplifier.
68. The hardware random-number generator recited in claim 1 wherein the analog comparator has a trigger reference derived by scaling and integrating input to the analog comparator.
69. The hardware random-number generator recited in claim 1 further comprising a sample-and-hold module in electrical communication with the analog comparator to sample output of the analog comparator.
70. The hardware random-number generator recited in claim 69 wherein the sample-and-hold module comprises a JK flip flop.
71. The hardware random-number generator recited in claim 1 further comprising a processor in electrical communication with the analog comparator and adapted to remove residual bias from the quantized signal.
72. The hardware random-number generator recited in claim 1 wherein each of the shot-noise generators comprises: a first transistor having a reverse-biased base-emitter junction to generate current shot-noise signals; and a second transistor in electrical communication with the first transistor to convert the current shot-noise signals to voltage signals.
73. The hardware random-number generator recited in claim 72 wherein an output of the second transistor is in electrical communication with an input of the first transistor to limit noise-generation pulse width.
74. A method for generating random numbers, the method comprising: generating a first quantum random shot-noise signal; generating a second quantum random shot-noise signal; subtracting the first signal from the second signal to produce a difference signal; and quantizing the difference signal.
75. The method recited in claim 74 wherein subtracting the first signal from the second signal comprises inverting one of the first and second signals and adding the inverted signal to the other of the first and second signals.
76. The method recited in claim 74 wherein quantizing the difference signal comprises scaling and integrating the difference signal.
77. The method recited in claim 76 wherein quantizing the difference signal further comprises clocking a flip flop with the scaled and integrated difference signal.
78. The method recited in claim 74 further comprising sampling the quantized difference signal.
79. The method recited in claim 74 wherein generating the first and second quantum random shot-noise signals comprises generating current shot-noise signals, the method further comprising converting the current shot-noise signals to voltage signals.
80. The method recited in claim 79 wherein: generating each of the current shot-noise signals comprises reverse biasing a base-emitter junction of one of a pair of transistors; and converting the current shot-noise signals to voltage signals comprises feeding the current shot-noise signal to another of the pair of transistors.
81. The method recited in claim 80 further comprising feeding the voltage signals back to the one of the pair of transistors to limit noise-generation pulse width.
82. The method recited in claim 1 further comprising synchronizing the quantized differential signal.
83. The method recited in claim 82 further comprising removing residual bias of the synchronized signal.
84. A hardware random-number generator comprising: means for generating a first quantum random shot-noise signal; means for generating a second quantum random shot-noise signal; means for subtracting the first signal from the second signal to produce a difference signal; and means for quantizing the difference signal.
85. The hardware random-number generator recited in claim 84 wherein the means for quantizing the difference signal comprise means for scaling and integrating the difference signal.
86. The hardware random-number generator recited in claim 84 further comprising means for sampling the quantized difference signal.
87. The hardware random-number generator recited in claim 84 wherein the means for generating first and second shot-noise signals comprise means for generating current shot-noise signals, the hardware random-number generator further comprising means for converting the current shot-noise signals to voltage signals.
88. The hardware random-number generator recited in claim 84 further comprising means for synchronizing the quantized differential signal.
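A software model of the generator chain in claims 66 to 88 (two shot-noise sources, differential subtraction, a comparator whose trigger reference is scaled and integrated from its input, clocked sampling, residual-bias removal), added here as a constructed example and not taken from the patent. The Poisson noise model, the shared common-mode pickup, the comparator input offset and the von Neumann debiaser are assumptions; the claims do not say how the processor removes residual bias.

```python
import math
import random


def poisson_count(rng, mean):
    """Carriers arriving in one sampling window (Knuth's Poisson sampler);
    the constructed stand-in for a reverse-biased junction's shot noise."""
    limit, k, p = math.exp(-mean), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def shot_noise(rng, mean, n):
    """One shot-noise generator: n consecutive current samples."""
    return [poisson_count(rng, mean) for _ in range(n)]


def differential(a, b):
    """Differential amplifier: subtract the two sources sample by sample.
    Anything common to both inputs (supply ripple, pickup) cancels exactly."""
    return [x - y for x, y in zip(a, b)]


def quantize(diff, gain=0.05, offset=0.0):
    """Analog comparator whose trigger reference is derived by scaling and
    integrating its own input (a leaky integrator tracking the signal mean).
    `offset` models comparator input offset, a constructed source of bias."""
    bits, ref = [], 0.0
    for d in diff:
        bits.append(1 if d > ref + offset else 0)
        ref += gain * (d - ref)
    return bits


def sample_and_hold(bits, every=2):
    """Clocked sampling of the comparator output (the flip-flop stage)."""
    return bits[::every]


def von_neumann(bits):
    """Residual-bias removal in the processor. Von Neumann's method is
    assumed: per non-overlapping pair, 01 -> 1, 10 -> 0, 00 and 11 are
    discarded. The output is unbiased for any stationary source."""
    return [bits[i + 1] for i in range(0, len(bits) - 1, 2)
            if bits[i] != bits[i + 1]]


def ones_fraction(bits):
    return sum(bits) / len(bits) if bits else 0.0


def simulate(seed=1, n=40000, mean=20.0, offset=2.0):
    """Whole pipeline on constructed input: two sources sharing a
    common-mode interference, differential stage, comparator, sampler and
    debiaser. Returns the ones fraction before and after debiasing."""
    rng = random.Random(seed)
    pickup = [int(8 * math.sin(t / 50.0)) for t in range(n)]  # common-mode
    a = [x + c for x, c in zip(shot_noise(rng, mean, n), pickup)]
    b = [x + c for x, c in zip(shot_noise(rng, mean, n), pickup)]
    raw = sample_and_hold(quantize(differential(a, b), offset=offset))
    clean = von_neumann(raw)
    return {"raw_bias": ones_fraction(raw), "debiased_bias": ones_fraction(clean),
            "raw_bits": len(raw), "debiased_bits": len(clean)}
```

The offset pushes the raw comparator output well below 50% ones; the debiased stream returns to about 50% at the cost of discarding roughly half the pairs.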
PCT/US2004/015374 2003-05-13 2004-05-13 Cryptographically secure transactions with optical cards WO2004102860A2 (en)

Applications Claiming Priority (14)

Application Number Priority Date Filing Date Title
US47047903P 2003-05-13 2003-05-13
US60/470,479 2003-05-13
US54359604P 2004-02-10 2004-02-10
US54379704P 2004-02-10 2004-02-10
US54359504P 2004-02-10 2004-02-10
US60/543,595 2004-02-10
US60/543,596 2004-02-10
US60/543,797 2004-02-10
US10/844,963 US20050005156A1 (en) 2003-05-13 2004-05-12 Cryptographic-key management device
US10/844,967 US20040267847A1 (en) 2003-05-13 2004-05-12 Hardware random-number generator
US10/844,960 2004-05-12
US10/844,960 US20050005108A1 (en) 2003-05-13 2004-05-12 Cryptographically secure transactions with optical cards
US10/844,963 2004-05-12
US10/844,967 2004-05-12

Publications (2)

Publication Number Publication Date
WO2004102860A2 true WO2004102860A2 (en) 2004-11-25
WO2004102860A3 WO2004102860A3 (en) 2005-01-20

Family

ID=33459439

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2004/015374 WO2004102860A2 (en) 2003-05-13 2004-05-13 Cryptographically secure transactions with optical cards

Country Status (1)

Country Link
WO (1) WO2004102860A2 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106357649A (en) * 2016-09-23 2017-01-25 浙江神州量子网络科技有限公司 User identity authentication system and method
CN109660338A (en) * 2018-11-19 2019-04-19 如般量子科技有限公司 Anti- quantum calculation digital signature method and anti-quantum calculation digital signature system based on pool of symmetric keys
CN117834137A (en) * 2024-03-04 2024-04-05 深圳市纽创信安科技开发有限公司 Password card switching method, device, computer equipment and storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6031910A (en) * 1996-07-24 2000-02-29 International Business Machines, Corp. Method and system for the secure transmission and storage of protectable information

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106357649A (en) * 2016-09-23 2017-01-25 浙江神州量子网络科技有限公司 User identity authentication system and method
CN109660338A (en) * 2018-11-19 2019-04-19 如般量子科技有限公司 Anti- quantum calculation digital signature method and anti-quantum calculation digital signature system based on pool of symmetric keys
CN109660338B (en) * 2018-11-19 2021-07-27 如般量子科技有限公司 Anti-quantum computation digital signature method and system based on symmetric key pool
CN117834137A (en) * 2024-03-04 2024-04-05 深圳市纽创信安科技开发有限公司 Password card switching method, device, computer equipment and storage medium

Also Published As

Publication number Publication date
WO2004102860A3 (en) 2005-01-20

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase