DE19919892C2 - Trust center unit (TCE) - Google Patents

Description

The invention relates to a trust center unit (TCE) for operation in a public key infrastructure (PKI).

Such a trust center unit not only serves as Certification body, which assigns public signatures to natural persons certifies; in addition to this activity related to one is used to issue key certificates TCE especially for the production of personalized Chip cards, with which each participant of a PKI can secret private key with which he digitally sig ned, secret and safe and use can.

In connection with trust center units that ent speaking prevailing considerations a physika secure area, are chip card Personalization facilities (CPE) become known, (DE 196 10 739-A1, DE 196 34 230-A1), the multiple contact animal spaces for the labeling of chip cards assign, however, the access of qualified operator require personnel.

This is about the advantageous, a full car Design that allows for safe and mathematical operation tion of a TCE, which, as in the German patent Document DE 199 915 668-C1 described, a walk-in, in normal operation but empty human safety cell has whose shell is secured against intrusion and in addition to safety-critical function modules contains externally operable CPE for automatic  electrical personalization to control directions in the TCE and connected via data Cables chip cards with TCE system components for Applying the private key connects.

So that the CPE ensures safe and fully automatic insertion for the electrical personalization of the Chipkar necessary data (personalization data), ins special of the secret private key in the chip can guarantee cards without being accessed by Operating personnel on the corresponding data technology systems in the TCE and on the personalization data is required, the CPE has little according to the invention at least one implementation for the input and output of chip cards through the envelope of the security cell by means of a transport stone that is secure against foreign penetration direction as well as one or more within the envelope Contacting places for chip cards to be personalized on. This ensures that the personalization data for participants of the PKI without manual interaction Operating personnel are introduced into the chip cards can and there is no provision of operating staff who have special requirements regarding Qualification or suitability for safety is sufficient.

Within the scope of the solution according to the invention is within the security cell of such a TCE is a so-called Personalization machine encapsulated. she advantageously includes six contact points for reading / Describe chip cards, each contacting place via a chip card coupler with a crypto module connected is. Everyone runs in these crypto modules security-critical functions in personalization chip card. The crypto modules put in  self-contained computer systems with a special cryp to hardware. Three of these crypto modules are each because summarized in a certification module, which is based on a common industrial PC is built. The functions of the crypto  Modules are against inadmissible interference by the host computer of the certification modules good insulation. Each certification module is in turn included a security module, which in the case failure of the proper operation of the TCE all Crypto modules in the sense of the defined protection goals of a trust center in a safe state, which is characterized in that the signature keys are no longer usable.

In a further embodiment of the present invention it is envisaged that the shell two bushings, one for an input channel, the other for an output has channel, and that both channels inside the Cover connected to each other by a contact channel are, which a plurality of contact points for has electrical personalization of the chip cards.

It goes without saying that the two through guides so firm, e.g. B. by flanges on the The inside of the cover is securely integrated into it are that easy entry without the use of force would be impossible. Through the two bushings operated the CPE from outside, d. H. it will be electric Chip cards not described introduced and in electrically personalized form again.

To make sure that through the two to the outside guided channels even during chip card transport any unwanted intrusion is excluded provided that in the two corners of the channels A card deflection device (CUE) is provided in each case which is for the transfer of a chip card between a connection position to one of the outside  leading channels and a connection position to the Contact channel is pivotable, such that in each Connection position of the respectively connected channel in the Inside the cue ends.

The contact channel has, as already above on one Executed example, a plurality of contacts places on. The exact chip card positions will be advantageously defined in that each contact place at least one across the chip card in the Contacting channel engaging stop element, against which is the leading edge of the smart card strikes, is limited, and that in the contacting channel Number of contacting places correspondingly many Stop elements are provided one behind the other. Derar term stop elements are preferred by longitudinal movably mounted stop bolts, which using solenoids from the channel floor across Channel length can be raised. Any contact is a read / write head for writing on the Assigned chip card. For this purpose are advantageous Contact elements provided through openings in the Contact channel sprung on contact surfaces of the chip cards are lowered, being through this contact elements a direct electrical connection between Chip card and associated security technology relevant system components.

A particularly safe and low-wear transport system for the chip cards according to the invention in that at least in the two outside leading channels a pneumatic transport system is provided. The chip cards are advantageous here  sucked in through the input channel and through the output channel blown out.

In the area of the contacting channel, it is expedient that the smart cards are moved through bubbles until all provided contacting places by empty, d. H. raw Written chip cards are occupied and after they have been made Personalization again from the contact channel into the CUE assigned to the output channel become.

According to an advantageous safety-technical Ausge staltung is provided that the CUE by a redirect Column is formed, to which the assigned channels are tightly connected, and which a deflection cylinder enclosing one to the level of the channels vertical axis is pivotable, and one in this Flat-lying pocket for the between the connected channels to be implemented chip cards has and with short connection in the deflecting column channels are provided, which in the respective Channels assigned to the pivoting position with the receptacle connect bag.

This ensures that the receiving bag ever after swiveling either with one to the outside leading channel or aligned with the contacting channel, the other channel being closed.

In the context of the pneumatic Transport systems are the two deflection columns connected in different ways.  

On the one hand, the receiving pocket is at the input Channel connectable deflecting cylinder via a Connection hole either to a suction hole or a Blow hole of the deflection column can be connected, depending on Swivel position of the pocket for input or to the contact channel.

On the other hand, the receiving pocket is the one at the output Channel connectable deflecting cylinder via a Connection hole either to a blow hole or a Vent hole of the deflection column can be connected, each after swiveling the receiving bag to the delivery or to the contact channel.

To ensure a fast flow of chip cards afford, it is also provided that the channels for the Transport and contacting the chip cards as communicating flat channels formed are, whose cross section is slightly larger than that Chip cards, such that they only lengthways lying in it with little play. before the receiving pocket is only marginal deeper than the length of a smart card, d. H. it is sufficient if the diameter of a deflecting cylinder is only slightly larger than the length of a chip card equivalent.

In addition to securing the implementation of the CPE against Penetration through objects is also their magne table shielding of importance. For this purpose According to the invention provided that the deflecting column and deflection cylinders to shield against magnetic field influences Mu metal sheet packages are made and that the  Deflection cylinder with a tight fit in a bore of the Deflection column is pivotally received. such Sheets consist, for example, of a highly permeable Ni-Fe alloy.

The pneumatic transport system is useful a compressed air reservoir connected by a compressor located outside the envelope is supplied, the negative pressure in the input channel is generated by means of an ejector valve. such Valves are superior to the usual vacuum pumps because they are characterized by a long service life.

The following is an embodiment of the invention described with reference to the drawing. It shows

Fig. 1 in a top view the schematic representation of the smart card personalization device within the envelope a security cell,

Fig. 2, the smart card personalization device according to Fig. 1 with a pneumatic transport system for the chip card,

Fig. 3 is a holistic representation for controlling the CPE and

Fig. 4 is a cut-away view to step 6 of FIG. 3.

Fig. 1 shows a top view of the chip card personalization device (CPE) 1 within a double-walled shell 2 of a security cell. Cross supports 3 are drawn between the two walls of the casing 2 . The sleeve is penetrated by two bushings 4 , 5 , bushing 4 enclosing input channel 6 and bushing 5 surrounding output channel 7 .

The two bushings 4 , 5 are connected tightly to the sheath 2 , the connection elements being omitted in detail. The input channel 6 and the output channel 7 are each connected to a chip card deflection device (CUE) 8 , 9 , which each establish the connection to a contacting channel 10 . The CUE 8 connected to the input channel 6 is about redirecting the chip cards entered by 90 ° into the contacting channel 10 , where the chip cards are read and electrically personalized. The CUE 9 connected to the output channel is about converting the chip cards from the contacting channel 10 into the output channel 7 . For its magnetic shielding, the contacting channel 10 has walls 50 made of highly permeable ferromagnetic material, e.g. B. made of mu-metal.

The mechanical conversion of the chip cards in the two CUEs is carried out by accommodating individual cards in a receiving pocket 11 of a deflection cylinder 12 which is aligned with the input channel or the output channel and which can assume two pivot positions. A pivot position is connected to the input channel 6 or to the output channel 7 ; the other after a 90 ° rotation reached swivel position with the contacting channel 10 .

According to FIG. 1, the deflecting cylinder 12 of the CUE 8 assigned to the input channel 6 is in a pivot position aligned with the input channel 6 . The individually inserted chip card to the input port 6 via a suction hole 13 a the deflection are cylindrical aspirated 12 surrounding Umlenksäule 14, wherein the baffle cylinder 12 a aligned with the suction bore 13 connecting bore 15 is connected to the inner end of the receiving pocket. 11 The deflecting column 14 also has a blowing bore 16 , which comes into effect in the pivoting position offset by 90 ° in the clockwise direction. The smart card respectively located in the receiving pocket 11 is then over the Blasbohrung 16 and the connection bore 15 is blown into the Kontaktierkanal 10th Six contacting locations are provided there, which according to FIG. 1 are already occupied with chip cards 17 . The respective card position is limited by a stop in the form of a stop pin 18 . The rectangle drawn on the chip cards means the respective contacting surface 19 , that is to say the point to which resilient contact elements are lowered through the wall of the contacting channel 10 against the respective chip card in order to read or write to it. After writing, ie after personalization of the chip cards, they are blown through the contacting channel 10 as described and occasionally get into the receiving pocket 11 of the deflecting cylinder 12 in the CUE 9 assigned to the output channel 7 . After reacting the pocket in the receptacle 11 received chip card, after which the opening of the receiving pocket 11 is aligned with the output channel 7, the smart card located in the receiving pocket 11 is formed by a the output channel 7 opposite Blas bore 20 of the Umlenksäule 14 and the connecting bore 15 of the inverting cylinder 12 blow out into the output channel 7 . Starting from the drawn position of the deflection cylinder 12 , it is pivoted clockwise by 90 ° for the purpose of blowing out the chip card. In addition, the deflecting column 14 also has a vent hole 21 , which is open, while the blowing stream from the contacting channel 10 conveys a chip card into the receiving pocket 11 of the CUE 9 . The receiving pocket 11 is connected to the output channel 7 via a connecting channel 24 . The CUE 8 connected to the input channel 6 also has a deflecting column 14 with a corresponding connecting channel 24 .

Deflection cylinder 12 and deflection column 14 of the two CUEs are made of highly permeable ferro-magnetic material for the purpose of shielding against external magnetic field influences; they are preferably made of mu-metal.

For the purpose of magnetic shielding, the CPE is surrounded in its entirety by a capsule 51 made of highly permeable ferromagnetic material, which is connected to the inside of the casing 2 .

FIG. 2 shows the CPE 1 according to FIG. 1 in a schematically simplified representation. Following the input channel 6 and the output channel 7, the chip card deflection devices are shown in simplified form, in that only the deflection cylinder 12 is shown in each case. There are six chip cards 17 in the contacting channel 10 , which are positioned on the respective stop bolts 18 . Both deflecting cylinders 12 are each pivoted with the opening of their receiving pocket in the direction of the contacting channel, so that the contacting channel is closed on both sides. The electrical personalization of the chip cards 17 takes place in this position of the two deflecting cylinders 12 . If the card block consisting of six chip cards 17 in the contacting channel 10 is completely processed, then the chip cards 17 are blown into the deflecting cylinder 12 of the output channel 7 one after the other, for which purpose the deflecting cylinder 12 is pivoted 90 ° counterclockwise relative to the drawn position by one chip record card 17 from the contacting channel 10 ; then it is pivoted back into the position shown and the chip card located in its receiving pocket is blown out of the blow hole 20 in the direction of arrow P1 by the compressed air. For this purpose, an adjustable throttle 27 is switched to by passage from a compressed air feed line 25 via a solenoid valve 26 , so that 20 compressed air enters the output channel 7 through the blow hole. The compressed air in the compressed air feed line 25 is supplied by a compressor located outside the CPE via a feed line 28 and from there passes via a solenoid valve 29 , a pressure control valve 30 and a check valve 31 into a pressure accumulator 32 which is connected to the compressed air feed line 25 ,

Looking at the input channel 6 , this is in the position shown connected to a suction bore 13 , at which a negative pressure prevails for the purpose of inserting empty chip cards. This is generated in an ejector 33 with a sound damper 34 , to whose vacuum ejector 35 the suction hole 13 is connected via a vacuum line 36 . In the clockwise 90 ° pivoted position of the associated deflection cylinder 12 , the connection bore 15 is connected to a blow hole 16 , so that a chip card located in the receiving pocket of the deflection cylinder 12 is blown into the contacting channel 10 . If there is still no chip card in the contacting channel 10 , this will take the last contacting position in front of the output channel 7 and the chip cards that follow will occupy the subsequent contacting position. Each contacting position is controlled individually in that stop bolts 18 are extended electromagnetically. The blow stream is fed to the blow hole 16 via the pressure line 37 , the adjustable throttle 38 and the solenoid valve 39 . Via further solenoid valves 40 , unthrottled compressed air from the compressed air feed line 25 reaches a swivel drive 41 for actuating the two deflecting cylinders 12 . A unit consisting of an adjustable throttle 42 and a muffler 43 is provided on a ventilation hole 21 in the deflection column assigned to the discharge channel 7 , which serves to discharge exhaust air.

Referring to FIGS. 3 and 4, the control of the CPE is shown schematically, wherein the label contained in the individual blocks speaks for itself, that requires no further comments. "Card block" means the chip cards lined up in the contacting channel 10 . By "machine" is meant the CPE. In accordance with the step-by-step processing sequence, the individual blocks are numbered with Arabic numerals. The block No. 6 drawn with a double line in FIG. 3 is shown in detail in FIG. 4. The blocks 6.2 , 6.3 and 6.4 can there again be divided into individual steps, which, however, are meaningless in the context of the present description of the figures and can therefore be omitted.

Claims (19)

1. Trust center unit (TCE) for the operation of a public key infrastructure (PKI) with a walk-in but in normal operation deserted security cell, the envelope ( 2 ) of which is secured against intrusion and one of security-critical function modules outside usable chip card personalization device (CPE) ( 1 ), which is connected for automatic electrical personalization of chip cards to control devices in the TCE and connects data cards via data lines chip cards ( 17 ) with system components of the TCE for applying the private key, and the CPE ( 1 ) has at least one implementation for the input and output of chip cards through the sleeve ( 2 ) of the security cell by means of a transport device which is secure against external penetration and one or more contacting places for chip cards ( 17 ) to be personalized within the sleeve. 2. Trust center unit according to claim 1, characterized in that the casing ( 2 ) has two bushings ( 4 , 5 ), one for an input channel ( 6 ), the other for an output channel ( 7 ) and that both channels in the interior of the envelope ( 2 ) are connected to one another by a contacting channel ( 10 ) which has a plurality of contacting places for data exchange in the context of the electrical personalization of chip cards ( 17 ). 3. Trust center unit according to claim 2, characterized in that a chip card deflection device (CUE) ( 8 , 9 ) is provided in the two corner joints of the channels, which for the transfer of a chip card ( 17 ) between a connection position one of the outwardly leading channels ( 6 , 7 ) and a connection position to the contacting channel ( 10 ) can be pivoted in such a way that in each connection position the respectively connected channel ends inside the CUE ( 8 , 9 ). 4. Trust center unit according to claim 2, characterized in that each contacting place by at least one transversely to the chip card ( 17 ) in the contacting channel ( 10 ) engaging stop element against which the leading edge of the chip card ( 17 ) strikes, is limited and that in the contacting channel ( 10 ) the number of contacting places corresponding number of stop elements are provided in a row. 5. Trust center unit according to claim 2, characterized in that a write / read head for electrical personalization of the chip card ( 17 ) is assigned to each contacting place. 6. Trust center unit according to claim 5, characterized in that resilient contact elements on contact surfaces ( 19 ) of the chip cards are lowered through openings in the contacting channel ( 10 ), with these contact elements having a direct electrical connection between the chip card ( 17 ) and the associated security technology relevant system components. 7. Trust center unit according to claim 2, characterized in that a pneumatic transport system is provided for the transport of the chip cards ( 17 ) at least in the two outwardly leading channels ( 6 , 7 ). 8. Trust center unit according to claim 7, characterized in that the chip cards ( 17 ) are sucked in through the input channel ( 6 ) and blown out through the output channel ( 7 ). 9. Trust center unit according to claim 7, characterized in that the chip cards ( 17 ) are moved through the contacting channel ( 10 ) by bubbles until all the intended contacting positions are occupied by empty chip cards and after electrical personalization has taken place again from the contacting channel ( 10 ) into the CUE ( 9 ) assigned to the output channel. 10. Trust center unit according to claim 3, characterized in that the CUE ( 8 , 9 ) is formed by a deflecting column ( 14 ) to which the assigned channels are tightly connected and which encloses a deflecting cylinder ( 12 ) which an axis which is vertical to the plane of the channels can be pivoted and has a receiving pocket ( 11 ) in this plane for the chip cards ( 17 ) to be implemented between the connected channels, and in the deflecting column ( 14 ) there are short connecting channels ( 24 ) which assign the assigned channels Connect the channels in the respective swivel position to the receiving pocket ( 11 ). 11. Trust center unit according to claim 10, characterized in that the receiving pocket ( 11 ) of the deflectable cylinder ( 12 ) connectable to the input channel ( 6 ) via a connection bore ( 15 ) optionally to a suction bore ( 13 ) or a blow bore ( 16 ) the deflecting column ( 14 ) can be connected, depending on the pivoting position of the receiving pocket ( 11 ) to the input or to the contacting channel. 12. Trust center unit according to claim 10, characterized in that the receiving pocket ( 11 ) of the deflectable cylinder ( 12 ) which can be connected to the output channel ( 7 ) via a connection bore ( 15 ) optionally to a blow bore ( 20 ) or a vent bore ( 21 ) the deflecting column ( 14 ) can be connected, depending on the pivoting position of the receiving pocket ( 11 ) to the dispensing or contacting channel. 13. Trust center unit according to claim 7, characterized in that the channels for the transport and contacting of the chip cards ( 17 ) are formed as communicating flat channels, the cross section of which is somewhat larger than the cross section of the chip cards, such that these only lying lengthwise with little play in it. 14. Trust center unit according to claim 10, characterized in that the receiving pocket ( 11 ) is only slightly deeper than the length of a chip card ( 17 ). 15. Trust center unit according to claim 10, characterized in that the deflecting column ( 14 ) and deflecting cylinder ( 12 ) for shielding against magnetic field influences are made of highly permeable ferromagnetic material and that the deflecting cylinder ( 12 ) with a close fit in a bore of the deflecting column ( 14 ) is pivotally received. 16. Trust center unit according to claim 2, characterized in that the contacting channel ( 10 ) has walls ( 50 ) made of a highly permeable ferromagnetic material. 17. Trust center unit according to claim 1, characterized in that the CPE within the envelope forming the security cell is received in its entirety in a capsule ( 51 ) made of highly permeable ferromagnetic material. 18. Trust center unit according to claim 7, characterized in that the pneumatic transport system is connected to a compressed air reservoir ( 32 ) which is supplied by a compressor arranged outside the casing ( 2 ) and that the negative pressure in the input channel ( 6 ) is by means of an ejector valve ( 33 ) is generated. 19. Trust center unit according to claim 4, characterized in that the stop elements in the contacting channel are formed by longitudinally movably mounted stop bolts ( 18 ) which are raised by means of lifting magnets from the channel floor transversely to the channel longitudinal direction.