CA2568990A1 - Smart card data transaction system and methods for providing storage and transmission security - Google Patents

Smart card data transaction system and methods for providing storage and transmission security

Info

Publication number
CA2568990A1
Authority
CA
Canada
Prior art keywords
chip
distribution server
card
security
issuance data
Legal status
Granted
Application number
CA002568990A
Other languages
French (fr)
Other versions
CA2568990C (en)
Inventor
Vincenzo Valentino Di Luoffo
Craig William Fellenstein
Dylan Maxwell Reilly
Current Assignee
International Business Machines Corp
Original Assignee
Individual

Classifications

    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1008Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/341Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/355Personalisation of cards for use
    • G06Q20/3552Downloading or loading of personalisation data
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3823Payment protocols; Details thereof insuring higher security of transaction combining multiple encryption tools for a transaction
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/409Device specific authentication in transaction processing
    • G06Q20/4097Device specific authentication in transaction processing using mutual authentication between devices and transaction partners
    • G06Q20/40975Device specific authentication in transaction processing using mutual authentication between devices and transaction partners using encryption therefor

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Finance (AREA)
  • Computer Security & Cryptography (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Storage Device Security (AREA)

Abstract

A smart card system is disclosed for secure transmission of post issuance data to an embedded chip using a chip relay module, a plurality of hardware security modules, a first communication system having two security layers and a second communication system having four security layers. The first communication system may be considered a server side system and comprises a chip management system, a security server having a first hardware security module, a distribution server having a second hardware security module and a computer system connected by a network. The first communication system has a first security layer and a second security layer. The first security layer comprises mutual authentication that makes each component of the first communication system a trusted node to the others through client mutual authentication. The second security layer comprises system keys for secure communication between the hardware security modules. The second communication system may be considered a client side system and comprises the computer system connected to the distribution server by a network, a PC/SC card reader driver, a Web browser application, and a chip relay module, and is for secure communication between the distribution server and the chip of a smart card inserted in the card reader/writer. The second communication system has a third, fourth, fifth and sixth security layer.

Claims

1. An apparatus for secure transmission of a post issuance data from a distribution server to a smart card comprising: a smart card inserted in a card reader; a chip embedded in the smart card and electronically connected to the card reader; a computer connected to the card reader and to the distribution server by a network; a chip relay module in a browser in the memory of the computer; wherein the chip relay module establishes a secure session with the distribution server; and wherein the post issuance data is transmitted in an XML message that has been provided with a code derived from an issuer's master key.
2. The apparatus of claim 1 wherein the code is a message authentication code.
3. The apparatus of claim 1 wherein the code is a message authentication code encrypted.
4. The apparatus of claim 2 wherein the message authentication code is derived from a first card key.
5. The apparatus of claim 3 wherein the message authentication code encrypted is derived from a second card key.
6. The apparatus of claim 1 wherein the issuer's master key is obtained from a first hardware security module in a security server and transmitted to a second hardware security module in the distribution server.
7. The apparatus of claim 1 wherein the chip relay module establishes a secure communication between the chip and the distribution server by a second mutual authentication.
8. The apparatus of claim 1 wherein the chip relay module establishes a session context security using a session key.
9. The apparatus of claim 1 wherein a data marker or a flag is a precondition for a secure transmission between the distribution server and the chip.
10. The apparatus of claim 1 further comprising a secure communication between the distribution server and the browser using a first mutual authentication.
11. The apparatus of claim 1 further comprising a chip management system connected to the network which comprises a plurality of chipholder files, wherein the chipholder files further comprise a card file.
12. The apparatus of claim 11 wherein the card file further comprises a reference key which is used to obtain the issuer's master key.
13. The apparatus of claim 11 wherein the chip management system and the distribution server share a means for a first mutual authentication.
14. The apparatus of claim 1 wherein the post issuance data is encrypted and/or digitally signed for transmission from a security server to the distribution server.
15. The apparatus of claim 1 wherein the post issuance data is bulk data and the bulk data is encrypted using a system symmetric key.
16. The apparatus of claim 1 wherein the post issuance data is encrypted using a system symmetric key and is further encrypted using a system public key.
17. A method for secure transmission of a post issuance data between a distribution server and a chip comprising: inserting a smart card having a chip into a card reader connected to a computer and a network; responsive to authentication of the chip at the distribution server, using a chip relay module to establish a secure communication between the chip and the distribution server; and receiving the post issuance data in an XML message that has been provided with a code derived from an issuer's master key.
18. The method of claim 17 further comprising: generating a set of card keys at a hardware security module of the distribution server; using the card keys to encrypt the XML message containing the post issuance data; and transmitting the post issuance data from the distribution server to the chip.
19. A method for secure transmission of a post issuance data between a distribution server and a chip comprising: configuring a first communication system having a distribution server, a security server, a chip management system and a first security layer; configuring a second communication system having the distribution server and a client card system having a chip relay module; using the chip relay module to establish a third security layer in the second communication system; using a CIN to obtain the post issuance data from the chip management system; using a card key to encrypt the post issuance data for transmission from the distribution server to the chip; and wherein the card key is generated from an issuer's master key obtained from the security server.
20. The method of claim 19 further comprising at least one of: configuring a second security layer in the first communication system; configuring a fourth security layer in the second communication system; configuring a fifth security layer in the second communication system; and configuring a sixth security layer in the second communication system.
21. An apparatus for secure transmission of a post issuance data from a distribution server to a smart card comprising: a first communication system connecting a security server, a distribution server and a chip management system; a second communication system connecting the distribution server and a client card system having a card reader; a chip embedded in the smart card and electronically connected to the card reader; wherein the post issuance data is transmitted from the chip management system to the distribution server encrypted by a system key; and wherein the post issuance data is transmitted from the distribution server to the chip encrypted by a card key.
22. The apparatus of claim 21 wherein the chip has a set of installed card keys.
23. The apparatus of claim 21 wherein in order to securely transmit the post issuance data from the distribution server to the chip, the post issuance data must be message authentication coded and wherein in order to message authentication code the post issuance data, a set of card keys corresponding to a set of card keys in the chip is generated using an issuer's master key.
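The key flow the abstract and claims describe (per-chip card keys derived from the issuer's master key, a MAC over the post issuance XML under the first card key, and verification by the chip's installed copy of the same keys) is illustrated below as an added example; it is not code from the patent or from IBM. The derivation function, the MAC algorithm (HMAC-SHA256 for both) and the XML wrapper layout are assumptions, since the patent specifies none of them.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample master key; in the patented system it never leaves the HSM.
ISSUER_MASTER_KEY = hashlib.sha256(b"constructed-issuer-master-key").digest()


def derive_card_keys(master_key: bytes, cin: str) -> dict:
    """Diversify the issuer's master key into per-chip card keys.

    The first card key serves the MAC and the second encryption (claims 4
    and 5).  HMAC-SHA256 keyed by the master key over a label and the chip
    identifier (CIN) is an assumed derivation function, not the patent's.
    """
    return {
        label: hmac.new(master_key, f"{label}:{cin}".encode(), hashlib.sha256).digest()
        for label in ("mac", "enc")
    }


def protect_post_issuance(card_keys: dict, payload_xml: str) -> str:
    """Distribution-server side: wrap the post issuance XML together with a
    MAC computed under the chip's first card key (assumed wrapper layout)."""
    mac = hmac.new(card_keys["mac"], payload_xml.encode(), hashlib.sha256).hexdigest()
    root = ET.Element("PostIssuance")
    ET.SubElement(root, "Data").text = payload_xml
    ET.SubElement(root, "Mac").text = mac
    return ET.tostring(root, encoding="unicode")


def chip_accepts(installed_card_keys: dict, message: str) -> bool:
    """Chip side: recompute the MAC with the installed first card key and
    compare in constant time; any mismatch rejects the post issuance data."""
    root = ET.fromstring(message)
    data = root.findtext("Data") or ""
    received = root.findtext("Mac") or ""
    expected = hmac.new(installed_card_keys["mac"], data.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(received, expected)


def demo() -> dict:
    """Genuine message is accepted; a tampered message and a message MAC'ed
    for a different chip are both rejected."""
    payload = '<update><applet id="loyalty"/><limit>500</limit></update>'  # constructed
    # The distribution server's HSM derives keys for chip CIN "0001"; the chip
    # was personalised with the same card keys at issuance (claim 22).
    server_keys = derive_card_keys(ISSUER_MASTER_KEY, "0001")
    chip_0001 = derive_card_keys(ISSUER_MASTER_KEY, "0001")
    chip_0002 = derive_card_keys(ISSUER_MASTER_KEY, "0002")
    msg = protect_post_issuance(server_keys, payload)
    tampered = msg.replace("500", "900")  # modified in transit
    return {
        "genuine": chip_accepts(chip_0001, msg),
        "tampered": chip_accepts(chip_0001, tampered),
        "wrong_chip": chip_accepts(chip_0002, msg),
    }


if __name__ == "__main__":
    print(demo())
```

Because the card keys are diversified per CIN, a message prepared for one chip carries no usable authentication code for any other chip, which is the property claim 23 relies on.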

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2004/050880 WO2005119606A1 (en) 2004-05-28 2004-05-28 Smart card data transaction system and methods for providing storage and transmission security

Publications (2)

Publication Number Publication Date
CA2568990A1 true CA2568990A1 (en) 2005-12-15
CA2568990C CA2568990C (en) 2011-09-27

Family

ID=35463089

Family Applications (1)

Application Number Title Priority Date Filing Date
CA2568990A Expired - Fee Related CA2568990C (en) 2004-05-28 2004-05-28 Smart card data transaction system and methods for providing storage and transmission security

Country Status (5)

Country Link
EP (1) EP1761904A1 (en)
CN (1) CN1954345B (en)
CA (1) CA2568990C (en)
IL (1) IL179597A (en)
WO (1) WO2005119606A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180349618A1 (en) * 2017-05-31 2018-12-06 Entrust Datacard Corporation Cryptographic object management across multiple remote sites

Families Citing this family (19)

Publication number Priority date Publication date Assignee Title
FR2908209B1 (en) * 2006-11-07 2009-02-13 Oberthur Card Syst Sa PORTABLE ELECTRONIC ENTITY AND METHOD FOR CUSTOMIZING SUCH AN ELECTRONIC ENTITY
US8014755B2 (en) 2007-01-05 2011-09-06 Macronix International Co., Ltd. System and method of managing contactless payment transactions using a mobile communication device as a stored value device
JP4470071B2 (en) 2008-03-03 2010-06-02 フェリカネットワークス株式会社 Card issuing system, card issuing server, card issuing method and program
WO2010003274A1 (en) * 2008-07-09 2010-01-14 Gemalto Sa Portable electronic device managing xml data
WO2010070539A1 (en) * 2008-12-19 2010-06-24 Nxp B.V. Enhanced smart card usage
EP2209080A1 (en) * 2009-01-20 2010-07-21 Gemalto SA Method of loading data in an electronic device
CN101483554B (en) * 2009-02-23 2013-09-11 中兴通讯股份有限公司 Method and system for hardware safety management
CN102341782B (en) 2009-03-10 2015-03-11 Nxp股份有限公司 Method for transmitting an nfc application and computer device
FR2949877B1 (en) * 2009-09-10 2017-09-15 Viaccess Sa METHOD OF VERIFYING THE INTEGRITY OF DATA IN A MEMORY
DE102010006987A1 (en) * 2010-02-05 2011-08-11 Giesecke & Devrient GmbH, 81677 Completion of portable data carriers
DE102010027586B4 (en) 2010-07-19 2012-07-05 Siemens Aktiengesellschaft Method for the cryptographic protection of an application
CN103049776A (en) * 2012-12-31 2013-04-17 中国电子科技集团公司第十五研究所 File exchange based B/S system card reading and writing method
CN103178953B (en) * 2013-02-27 2016-09-21 中国电力科学研究院 A kind of secure chip key issuing system and secure chip key issuing method
US10277584B2 (en) 2014-04-30 2019-04-30 Hewlett Packard Enterprise Development Lp Verification request
CN105592033B (en) * 2014-12-30 2018-12-25 中国银联股份有限公司 trusted service management system and method
CN106250750B (en) * 2016-07-18 2019-08-16 深圳市文鼎创数据科技有限公司 USB device cut-in method and device based on MacOSX system
GB2565411A (en) * 2017-06-12 2019-02-13 British Telecomm Improved hardware security module management
CN109347625B (en) * 2018-08-31 2020-04-24 阿里巴巴集团控股有限公司 Password operation method, work key creation method, password service platform and equipment
CN111654367B (en) * 2018-08-31 2023-05-12 创新先进技术有限公司 Method for cryptographic operation and creation of working key, cryptographic service platform and device

Family Cites Families (8)

Publication number Priority date Publication date Assignee Title
EP0798673A1 (en) 1996-03-29 1997-10-01 Koninklijke KPN N.V. Method of securely loading commands in a smart card
US6131090A (en) 1997-03-04 2000-10-10 Pitney Bowes Inc. Method and system for providing controlled access to information stored on a portable recording medium
AU770396B2 (en) 1998-10-27 2004-02-19 Visa International Service Association Delegated management of smart card applications
AU5598800A (en) 1999-06-21 2001-01-09 Sun Microsystems, Inc. Method and apparatus for commercial transactions via the internet
JP3793377B2 (en) * 1999-08-30 2006-07-05 日本電信電話株式会社 Data storage system and storage medium storing data storage program
GB2357229B (en) 1999-12-08 2004-03-17 Hewlett Packard Co Security protocol
FR2805059A1 (en) 2000-02-10 2001-08-17 Bull Cp8 METHOD FOR LOADING A SOFTWARE PART IN A CHIP CARD, PARTICULARLY OF THE TYPE SAID "APPLET"
US7103773B2 (en) 2001-10-26 2006-09-05 Hewlett-Packard Development Company, L.P. Message exchange in an information technology network

Cited By (3)

Publication number Priority date Publication date Assignee Title
US20180349618A1 (en) * 2017-05-31 2018-12-06 Entrust Datacard Corporation Cryptographic object management across multiple remote sites
US11030328B2 (en) * 2017-05-31 2021-06-08 Entrust Corporation Cryptographic object management across multiple remote sites
US11610005B2 (en) 2017-05-31 2023-03-21 Entrust Corporation Cryptographic object management across multiple remote sites

Also Published As

Publication number Publication date
WO2005119606A1 (en) 2005-12-15
EP1761904A1 (en) 2007-03-14
IL179597A0 (en) 2007-05-15
CN1954345B (en) 2012-11-21
CA2568990C (en) 2011-09-27
IL179597A (en) 2010-12-30
CN1954345A (en) 2007-04-25

Similar Documents

Publication Publication Date Title
CA2568990A1 (en) Smart card data transaction system and methods for providing storage and transmission security
TW200513922A (en) Smart card data transaction system and methods for providing high levels of storage and transmission security
US9686072B2 (en) Storing a key in a remote security module
EP0880254B1 (en) Security system and method for financial institution server and client web browser
CN1972189B (en) Biometrics authentication system
CN104901931B (en) certificate management method and device
DE69932512T2 (en) DEVICE AND METHOD FOR ELECTRONIC SHIPPING, STORAGE AND RECOVERY OF AUTHENTICATED DOCUMENTS
CN101539980B (en) Method for accessing a data station to an electronic device
KR100493885B1 (en) Electronic Registration and Verification System of Smart Card Certificate For Users in A Different Domain in a Public Key Infrastructure and Method Thereof
EP2751950A1 (en) Method for generating a soft token, computer program product and service computer system
CN101535845A (en) Authenticated radio frequency identification and key distribution system therefor
CN101340437A (en) Time source regulating method and system
CN101409621B (en) Multipart identification authentication method and system base on equipment
CN113360861B (en) Mortgage loan oriented decentralized identity method based on repeater cross-chain
CN101393628A (en) Novel network safe transaction system and method
CN106060073B (en) Channel key machinery of consultation
CN105634730A (en) Secret key management system of financial IC card
CN101741561B (en) Method and system for authenticating two-way hardware
WO2021198017A1 (en) Personalised, server-specific authentication mechanism
CN102823191B (en) For application to be sent to the method and system fetch equipment unit from server security
EP2752785A1 (en) Method for personalisation of a secure element (SE) and computer system
DE19540973C2 (en) Entry protection and digital information transaction procedures
NZ518162A (en) Method for producing and checking forge-proof documents
EP4266203A1 (en) Method and system for providing identity and authentication to a data-generation device
EP1559239B1 (en) Method and devices for performing security control in electronic message exchanges

Legal Events

Date Code Title Description
EEER Examination request
MKLA Lapsed

Effective date: 20170529