CH656243A5 - METHOD FOR PROCESSING A PERSONAL IDENTIFICATION NUMBER IN CONNECTION WITH AN ID CARD. - Google Patents

Description

The invention relates to a method according to the preamble of claim 1.

The use of a personal identification number, hereinafter abbreviated as PIN, in automatic money and service transactions65

Kehr is intended to ensure that an ATM card can only be used successfully by its legal owner.

There are essentially two process steps associated with handling the PIN,

- card personalization, i.e. in this context the encryption of the PIN and the transfer of the encryption result and the customer and bank-specific data to the ID card,

- user identification, i.e. verification of the encryption specified in the personalization every time the machine card is used.

Many options have become known for encrypting the PIN.

Simple systems of the type mentioned, such as in U.S. Patent 3,657,521, e.g. Customer-related data such as the account number, hereinafter referred to as PAN (Personal Account Number), via a predetermined function with a PIN specified by the issuing body.

In the case of user identification, the specified relationship between account number and PIN is checked for correctness after the user has entered his PIN in the machine.

If several cards are available to a fraudster, it cannot be ruled out with these conventional systems that he finds the connection between the card data and the PIN and thus can derive the associated PIN from stolen cards.

Systems have become known that use complex algorithms to link the PIN with the customer-specific data; e.g. the “NBS Data Encryption Standard Algorithm” or also called “DES” (see also US Pat. No. 4123,747). A special feature of such encryption systems is that the algorithm itself may be known without endangering the system as long as the key with which plain text data is encrypted using the algorithm in a key-specific manner remains secret. The algorithm is therefore also available in the form of an IC module. For the encryption of customer-specific data, the PAN and PIN, for example, are routed to the DES module and encrypted while simultaneously supplying secret information (keys). The result of the encryption is saved on the card for later comparisons. The security of the system, if such a DES component is available, lies in the secrecy of the key. If a key becomes known that must be stored in several places (card issuing institution, machine) when used in the previously known systems, all ID cards processed with the key are accessible to fraudulent manipulation with the help of the DES module. A reduction of the risk would be possible by dividing the issued ID cards into relatively small groups using different keys assigned to the respective groups. However, the use of a key for only a very limited number of ID cards is uneconomical for organizational and technical reasons.

To increase security in handling the PIN, it has also become known (DE-OS 2 901 521) to subject the data on the identification card to two-stage encryption.

For this purpose (see FIG. 1) a PAN and a PIN are assigned to a future cardholder. The latter can also be chosen freely by the customer, for example in the form of a 4-digit number. Now the first closures

656243

the PAN is carried out, the PIN being used in combination with a first, secret security number as a key. A resultant so-called first key number (Yi) is converted into a second key number (Y2) via a predetermined transformation. The decryption of this second key number, a second secret security number serving as the key, results in a check number (PCN) which is stored, for example, on the card.

For user identification, the PAN read from the card is encrypted with the aid of the PIN and the first security number, so that the first key number (Yi) results again when the data is correct. In addition, the check number (PCN) read from the card is encrypted using the second security number, so that the second key number (Y2) results here. The key numbers must meet the transformation specified when the card is issued or personalized.

The higher security compared to the aforementioned systems is particularly given when two different security numbers, i.e. two different keys can be applied.

The additional memory required for the second key and the additional confidentiality measures associated with this are disadvantageous.

This applies above all to the cross-institute off-line systems, in which each customer should not only have access to the vending machine, but also to non-vending machines.

Since all the keys used must be stored in each machine, the inefficiency of the system increases with the number of machines involved. The risk to the security system also increases with the number of machines involved, since each machine contains all the "secrets" necessary to manipulate the system

The object of the invention is to propose a method of the type mentioned at the outset which, while maintaining the generally high level of security of two-stage encryption, improves the economy and security in handling the PIN.

The object is achieved according to the invention by the features specified in the characterizing part of claim 1.

Despite the high level of security of the two-level encryption, this results in a reasonable amount of memory on the part of the vending machine, since in at least one encryption level, secret information (key) read from the ID card is processed and a different key can be assigned to each ID card without any special measures, which increases security the system is further increased.

As will be shown, the method according to the invention allows the entire secret information to be distributed in a simple manner to the “levels” involved in handling the PIN (institute level with PIN output, personalization level with card output, machine level with user identification) without the all of the information required to derive the PIN is available in its entirety on one of the levels.

For the presentation of the key information on the identity cards, high-quality security technology methods are used, which make the recognition and replication of the information impossible or so difficult that the necessary effort, especially from a device-technical point of view, significantly exceeds the achievable profit. The type of code on the ID card is optional as long as the above requirements are met. It can be carried out, for example, by applying magnetic, conductive, fluorescent or other substances that are difficult to identify. In the same way, however, the use of a manufacturing feature of a manufacturing tolerance that is peculiar to the identity card or also optically coded recordings can be used.

Further developments of the method according to the invention are the subject of the dependent claims.

An embodiment of the invention is described below with reference to the attached drawing, for example 10. In it show:

1 system for handling the PIN according to the prior art,

Fig. 2 system for handling the PIN after the inven tion.

Fig. 1 shows the handling of the PIN according to the prior art. The procedure is divided into the procedures Personalization 1 and Customer Identification 2. 20 For personalization, a PAN 3 and a PIN 4 are assigned to a future cardholder. The latter can be chosen by the customer, for example in the form of a 4-digit number. Now the encryption of the PAN 3 is carried out in a first encryption module 7, the PIN 4 being used in combination with a first secret security number 5 as the key. A resultant so-called first key number Y1 is converted into a second key number Y2 via a predetermined transformation 8. From the decryption of this second key ISO number Y2 in the module 10, a second secret security number 11 serving as the key, a check number PCN results, which is stored on the card 12, for example.

For user identification, the PAN 3 read from the card is encrypted with the aid of the PIN 4 and the first security number 5 35, so that the first key number Y1 results again when the data is correct. In addition, the check number PCN read from the card is encrypted with the aid of the second secret security number 11 in the module 12, so that the second key number Y2 results here. The key numbers Y1 and Y2 must meet the transformation specified when the card is issued or personalized, which is checked in a comparator 15.

It can be seen from the illustration in FIG. 1 that both the personalization and the user identification in the machine must have all the system data, including all the secret keys and the like. The risk of betraying secrets or spying on the data and measures required to operate the system is therefore relatively high.

50 FIG. 2 shows an example of a possible embodiment for handling the PIN according to the invention.

When handling the PIN, a distinction is made between three process levels, marked by dash-dotted lines:

55

the institute level 15, in which the corresponding customer data PAN is assigned to the customer,

- Personalization level 16, in which the ID card is provided with all the necessary customer and bank data

«0 will

- The machine level 17, in which the ID card data is read and checked for belonging to the entered PIN.

«S The card issuing institutes expediently assign the PAN 18 customer-specific data to the future cardholder.

The PIN 19, e.g. a 4-digit number, the customer can

656243

if necessary, choose yourself. The PIN 19 chosen by the customer and only known to him, as well as the PAN 18, are routed to the algorithm module 20 and processed in this with the aid of a first secret key, generated from a key memory 21, to an intermediate value ZW. The intermediate value ZW and associated customer-related data PAN 18 are stored on a magnetic tape 22.

The magnetic tapes produced by the individual institutes are fed to central personalization points 16 for the final completion of the identification cards 23. Here the magnetic tape data are read and again fed to an algorithm module 24, which can be constructed like module 20. At this point, however, the second key manipulating the data is determined by secret card information, indicated by the hatching 7, with the aid of a reading head 28 connected to the key reader 25. The result of the encryption, the key number SZ, is stored together with the customer-related data PAN, for example on the magnetic track 26 of the card 23.

For user identification 17, the customer enters his secret PIN 19 'via a keyboard in the machine. The PIN is encrypted together with the PAN read from the card while feeding the first secret key from the key store 21. The result is fed directly to a second algorithm module 24 and encrypted by supplying the second secret key, which is again obtained from the identification card 23 with the aid of a key reader 25 or the reading head 28.

If the procedure is correct, the result of the double encryption SZ 'matches that on the magnetic track

26 stored key number SZ match. The comparator

27 delivers a yes signal, which is either coupled to an optical display or connected to the device-internal electronics, which displays the test result by means of corresponding electronic signals and thus the initiation of corresponding further method steps, e.g. enables the desired loan amount to be issued.

The system components to be protected against unauthorized access are identified by hatching on all three process levels. As already indicated and clearly shown by the process flow in FIG. 2, the secret information required to derive the PIN is not directly accessible on any of the levels. This fact, combined with the use of a two-stage lock-

method, where one of the keys is secreted by e.g. card-specific property is generated, enables a high-quality, economical security system for processing the PIN.

In order to ensure that the connecting line between read head 28 and signal evaluation module 25 cannot be monitored, the practical implementation of the device read head 28 and module 25 are housed in a common sealed housing into which the identification card 23 can be inserted through an input slot.

As already mentioned, there are a number of methods for providing identification cards with key information that cannot be spied out and cannot be copied.

For example, US Pat. No. 3,620,590 describes a holographic method for securing information against unauthorized access. For this purpose, the desired information is transmitted via a special filter (master code filter), optically encrypted, to a hologram, which is located on an ID card. The encrypted information can only be reconstructed using a master code filter. The filter as part of the reader is secured against unauthorized access.

All methods for displaying information, the content of which can only be reconstructed with special aids not accessible to the fraudster and only with special technical knowledge, can be used within the scope of the invention.

In this sense, analogous to the example mentioned above, it is also possible to equip the ID card with magnetic or fluorescent patterns, for example, the information content of which can only be identified with special, generally unavailable devices and corresponding specialist knowledge.

In the exemplary embodiment described, the same encryption principle was chosen in both encryption levels for better understanding (NBS Data Encryption Standard Algorithm). There are a variety of other encryption methods that can also be used within the scope of the invention. It is also possible to use different algorithms in the two stages. Regardless of the actual encryption principle, the essence of the invention, as explained above, is rather to be seen in the fact that the encryption is carried out in two stages at spatially separate locations and that secret, card-specific information is included in the encryption process.

4th

s

10th

15

20th

25th

30th

35

40

45

B

2 sheets of drawings

Claims (8)

656243 PATENT CLAIMS 1. Process for processing a personal identification number (19) assigned to each customer in connection with an identification card (23) carrying machine-readable data (18), the identification number s (19) being linked to the card personalization (15, 16) machine-readable data (18), encrypted using two-stage encryption (20, 24) and the result (SZ) of the encryption is stored, and the identification number (19) is used as part of the customer identification (17) using the stored result (SZ) is verified, characterized, that secret information (7) is read on the identification card (23) in at least one of the stages of the two-stage encryption (20, 24) and is included in the encryption process. 2. The method according to claim 1, characterized in that that in the context of card personalization (15, 16) in the first encryption level (20) the identification number (19), linked to customer-related data (18), is processed to an intermediate value (ZW) and that in the second encryption stage (24) the intermediate value (ZW), linked to customer-specific data (18), using the data from the ID card (23) read secret information (7) is processed to a key number (SZ), which is stored 25 on the ID card (23) as the result to be stored. 3. The method according to claim 1, characterized in that within the scope of the customer identification (17) the personal identification number 30 (19 ') keyed in by the customer, linked to customer-related data (18) read from the identification card (23), is processed to an intermediate value and this is then also used using the identification card (23 ) read secret information (7) is converted into a comparison key number (SZ ') and that the comparison key number (SZ') determined in this way is checked for agreement with the result stored on the identification card (23) as a key number (SZ). 4. The method according to any one of claims 1 to 3, characterized in that the first and the second encryption 40 (20,24) is carried out at spatially separate locations (15,16). 5. The method according to claim 4, characterized in that the first encryption (20) is carried out decentrally 45 at various card-issuing institutes (15). 6. The method according to claim 4 or 5, characterized in that the second encryption (24) is carried out centrally at the card personalizing institution (16). 50 7. The method according to any one of claims 1 to 6, characterized in that the secret information (7) obtained on the identification card (23) is generated from a card-specific feature. 8. The method according to any one of claims 1 to 6, characterized ss; that the secret information (7) recorded on the identification card (23) is represented by a holographic, magnetic, fluorescent or conductive code pattern. 60