EP0409725B1 - Système de protection de documents ou d'objets enfermés dans un contenant inviolable - Google Patents

Système de protection de documents ou d'objets enfermés dans un contenant inviolable Download PDF

Info

Publication number
EP0409725B1
EP0409725B1 EP90402060A EP90402060A EP0409725B1 EP 0409725 B1 EP0409725 B1 EP 0409725B1 EP 90402060 A EP90402060 A EP 90402060A EP 90402060 A EP90402060 A EP 90402060A EP 0409725 B1 EP0409725 B1 EP 0409725B1
Authority
EP
European Patent Office
Prior art keywords
box
mode
transition
station
internal management
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
EP90402060A
Other languages
German (de)
English (en)
French (fr)
Other versions
EP0409725A1 (fr
Inventor
Franklin Devaux
Christophe Genevois
Marc Geoffroy
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
AXYVAL
Original Assignee
AXYVAL
AXYVAL SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by AXYVAL, AXYVAL SA filed Critical AXYVAL
Publication of EP0409725A1 publication Critical patent/EP0409725A1/fr
Application granted granted Critical
Publication of EP0409725B1 publication Critical patent/EP0409725B1/fr
Anticipated expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Links

Images

Classifications

    • EFIXED CONSTRUCTIONS
    • E05LOCKS; KEYS; WINDOW OR DOOR FITTINGS; SAFES
    • E05GSAFES OR STRONG-ROOMS FOR VALUABLES; BANK PROTECTION DEVICES; SAFETY TRANSACTION PARTITIONS
    • E05G1/00Safes or strong-rooms for valuables
    • E05G1/14Safes or strong-rooms for valuables with means for masking or destroying the valuables, e.g. in case of theft
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07DHANDLING OF COINS OR VALUABLE PAPERS, e.g. TESTING, SORTING BY DENOMINATIONS, COUNTING, DISPENSING, CHANGING OR DEPOSITING
    • G07D11/00Devices accepting coins; Devices accepting, dispensing, sorting or counting valuable papers
    • G07D11/10Mechanical details
    • G07D11/12Containers for valuable papers
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F9/00Details other than those peculiar to special kinds or types of apparatus
    • G07F9/06Coin boxes
    • EFIXED CONSTRUCTIONS
    • E05LOCKS; KEYS; WINDOW OR DOOR FITTINGS; SAFES
    • E05GSAFES OR STRONG-ROOMS FOR VALUABLES; BANK PROTECTION DEVICES; SAFETY TRANSACTION PARTITIONS
    • E05G1/00Safes or strong-rooms for valuables
    • E05G1/005Portable strong boxes, e.g. which may be fixed to a wall or the like

Definitions

  • the present invention relates to a system for protecting documents or valuables, and in particular means of payment such as banknotes, checks, or bank cards, enclosed in a physically inviolable container, which also passes through a succession of logical states authenticated in limited number.
  • the degradation device used for this purpose can be, for example, that described in patent FR-A-2,574,845 in the name of the Applicant.
  • the degradation device In the case of the transport of valuables, for example dangerous medicines (drugs, poisons) or of high added value, the degradation device is significantly different; those skilled in the art know, as such, the known and specific means to be used.
  • the object of the aforementioned patents consists in rendering unusable, or destroying, in the event of aggression, the funds contained in a box and whose significant fiduciary value is much lower than their real value (which is the case of tickets, cards and checks; the lust for these funds thus becomes ineffective, they being destroyed before they can be reached.
  • the sensors associated with these systems and which make it possible in particular to detect physical attacks on the box can be of very light structure, unlike traditional shields; such a wall integrity sensor is for example described in French patent FR-A-2,615,987 in the name of the Applicant.
  • the protection systems described do not make it possible to determine the persons those responsible for the assault that caused this destruction; indeed, during its destruction, it is desirable, and even necessary, that the box mark, or destroy, not only the funds, but also erases all the information having a confidential character and which it needs for its correct functioning: algorithms monitoring its physical states, algorithms for coding and decoding messages exchanged with the outside world, nature and content of these messages such as secret codes, destinations and recipients of the funds transported.
  • each of these boxes With the external computer becomes possible; the latter is then able to generate the inexorable process regulating the "history" of a box and to control its initiation, which is carried out after various verifications, including those of secret codes held by people with valid access to cash registers (such as a banker, or a customer).
  • the invention aims to decisively improve the various known systems, by proposing a system for protecting documents or valuables, and in particular means of payment such as banknotes, checks, or bank cards, enclosed in at least one physically inviolable container, called a box, which, in the event of aggression, causes their degradation by appropriate means, this system being characterized in that the box is provided with internal management means functioning in the same way as a "limited mode machine" whose operating cycle includes a limited number of logical states, called modes, the transition from a first mode to a second mode being the consequence of a one-off event the lawfulness of which is, or has been previously verified by an independent means which can be put in contact with said internal management means of the box, said transition being then accompanied by the per te memory of the previous mode.
  • a limited mode machine whose operating cycle includes a limited number of logical states, called modes
  • One of the objectives of the present invention is thus to make a logical state, called mode, correspond to each situation in which a box can be found, this mode being explicitly delimited by two terminals of a purely conceptual nature, which makes it possible to rigorously and reliably organize the operating cycle of the internal management means of said box; the systems known to date only knew two implicit limits, that is to say "the transition between mobile and fixed boxes" and vice versa.
  • the present invention provides the flexibility necessary for a more intelligent management of the protection provided by the boxes. But it is then essential that at each stage of the protection process, that at each transition between two logical states, the box does not keep any trace of its previous logical state; we already know that this trace is useless; it is also understood that this trace is dangerous, since it is vital, for the security of the system, that confidential messages such as codes cannot be read, if they are not destroyed entirely in the event of attack. We will finally understand, thanks to the following, that this trace cannot exist.
  • the present invention provides a reliable means and sure to define various operating cycles, which correspond to many cases inaccessible to systems known until today, for which a single "story" can exist between the closing and opening of a box.
  • the rigor of such an organization translates, for the protection system in accordance with the invention, by an additional intelligence rendering in a way "logically inviolable" the boxes and the system as a whole.
  • This logical inviolability is also reflected, according to another characteristic of the invention, in that, during the transport of a box - which is delimited, on the one hand, by the transition from a mode where said box is considered to be being fixed at a mode where it is considered to be mobile, and on the other hand, by the transition from a mode where the box is considered to be mobile to a mode where it is considered to be fixed -, the management means internal of said box are absolutely autonomous, that is to say are solely responsible for the security of the funds enclosed therein.
  • a box can share this responsibility with other parts of the system, necessarily outside of its transport, for example with the autonomous means which can get in touch with the internal management means of the box.
  • the system according to the invention is used for the protection of funds which have been placed in a box 1 by the manager of a bank branch, hereinafter called shipper 2.
  • Box 1 must be transported by a conveyor 3 towards, for example, a branch of this bank branch.
  • the means which can be put in contact with the boxes to produce the transfer of responsibility is made up of a single computer 4.
  • This computer 4 has a supervisory role and manages the logical security of the boxes 1, that is to say checks the legality of the transitions of certain operating modes of the internal management means thereof to certain other modes.
  • box 1 there are thus three types of modes for a box 1 - in fact for the system as a whole, but only box 1 participates in the whole of the protection since it is it which, in the end, makes it possible to remove the lust of third parties - according to whether it is considered to be mobile and closed, in accordance with case a), according to whether it is stationary and closed, in accordance with case b), and finally according to whether it is stationary and open, in accordance with case c).
  • the mobility of the box 1 is, therefore, a purely logical attribute of the system, which goes beyond its real physical mobility, but of course covers it without paradox.
  • This considerable advantage of the system is one of the most unexpected consequences of the organization in a machine with limited modes of the physically mobile part of it: the box 1.
  • the system according to the invention can be compared to a computer network where a "token”, symbolizing the possession of decision-making power, can be exchanged between the terminals of the network; the terminal holding the “token” can also choose to transfer it, this transfer therefore being accompanied by the loss or sharing of power.
  • the "token” transferred into the system of the invention is made up, it will be understood, by the responsibility attached to the protection of the funds enclosed, or not, in a box 1.
  • an unexpected advantage of the use, according to the invention, of a single computer 4 supervising the system is to limit the redundancy of the information necessary for the secure management of the latter, that is to say their possible transfer.
  • a second computer were to exist - one could for example place a computer at the place of departure of a box, and another computer at its place of arrival, which is the case in particular of the system described in the French patent application FR -A-2,594,169 - it would be imperative to integrate this second computer in a reliable manner into the system: box / first computer: so that it becomes a box / first computer / second computer system:; the reliable integration of the recipient of the funds enclosed in the box 1 would then become possible, via this second computer.
  • the step of integrating the second computer is not necessary because it provides neither simplification (on the contrary), nor additional security, the recipient of funds that can be integrated directly by the first computer.
  • boxes 1 are completely independent of each other and that each system: box / computer / user: must be considered as a particular network, even if the supervisor computer 4 can be the same for all the boxes 1 It is thus good to recall that there is no dialogue constantly circulating between the boxes 1, which constitutes a notable advantage with respect to the system described in patent FR-A-2 550 364.
  • the four parts of the box 1, computer 4, shipper 2, and conveyor 3, can be connected to a single terminal, called station 5 below, to constitute a star network of which said station 5 is the center.
  • a station 5 can never constitute a means capable of controlling the legality of an event which may cause a transition from an operating mode of the internal management means of a box 1 to another mode.
  • a message exchanged between two integral parts of a star network does not pass through the other parts as, for example, in a ring: we can then speak of a structural confidentiality of this type of network.
  • each part of the system has an electronic interface which must manage sometimes complex exchanges.
  • a station 5 which can connect, in accordance with the invention, all the parts to each other, advantageously and unexpectedly makes it possible to simplify and lighten said interfaces.
  • Station 5 has for this purpose all the heavy electronic interfaces, and it remains for box 1 and the user to manage only an elementary connection dialogue with said station 5.
  • the computer 4 can, for its part, manage more complex exchanges, and that it is also advantageous, according to the invention, to make it a server center located at a distance from all the stations 5 , of all the users, and of all the boxes 1, which makes it possible to protect it effectively, at the same time, from possible attacks, both logical and physical.
  • communications between two parts of the system are carried out according to a protocol allowing the party receiving a message to authenticate the party which is supposed to have sent it, this authentication being possibly accompanying the sending of a good reception message to said sending party.
  • all the parts of the system comprise means of computer authentication of the messages received from a transmitting part integrated into said system; in the event of authentication of a message, said authentication means are then capable of cooperating with transmission means to cause the sending, to said transmitting party, of a message of good reception.
  • certain authentications are carried out in both directions because it is necessary, for example, for a box 1 to be sure that the computer 4 is not a clone computer, and that conversely, the computer 4 is sure that said box 1 is not a clone box: we then speak of mutual authentication of the parties.
  • a station 5 to which a box 1 is connected is authenticated, which prohibits the existence of clone stations.
  • the measures to be taken for the security of a box 1, and for the security of the transactions in which it participates, are then well known, and aim to eliminate, on the one hand, threats to the confidentiality of the messages exchanged between two integral parts of the system, including for example the box, and on the other hand, threats to the integrity of these messages (deliberate or unauthorized alteration of their content).
  • a first measure eliminating threats to confidentiality consists in encrypting the messages exchanged, and we know to do this many cryptographic processes.
  • DES symmetric type encryption algorithm
  • FIPS PUB 46 Federal Information Processing Standards Publication 46.
  • One measure to eliminate threats to the integrity of messages is to sign those messages; a signature is sent at the same time as the message, and its verification by the recipient party is used to authenticate the message and its author.
  • this signature has nothing to do with the "token” symbolizing, according to the invention, the transfer of responsibility attached to the protection of funds enclosed or not in a box 1; this "token” is a message like any other, and it is not necessarily transmitted during an authentication (for example it is never transmitted to a station 5, which however must be authenticated by its partners, directly or indirectly).
  • the signature is a proof and the taking into account of the messages is only possible after verification of this proof.
  • this signature, or proof is calculated on the parameters of the transaction, that is to say the content of the messages, according to an algorithm similar to the DES encryption algorithm, which provides the notable advantage of simplifying the development of messages exchanged between parts of the system.
  • the encryption and authentication keys are different, which further increases cryptographic security.
  • the "DES chip” therefore proceeds both to the encryption of the message and to the constitution of the signature on this message.
  • encryption is not a compulsory operation, since knowledge by a third party of the content of messages, for example instructions for changing modes or parameters of a transport, does not jeopardize security of the system ; only the authentication provided by the signature built on these messages counts, and it would therefore not be possible to fool the electronics of a box with a false unencrypted clear message. Encryption is a precaution essentially aimed at reassuring users about the confidentiality capabilities of the system.
  • the stations 5 also have a "DES chip", physically protected, and containing encryption and authentication keys of the messages which it transmits to the supervisor computer 4. It will be noted that these keys are different from the keys used by the boxes 1.
  • a message intended for the computer 4, coming from a box 1, is in this way doubly encrypted and authenticated: by the box 1 with a first pair of keys, and by station 5 with a second pair of keys.
  • a symmetric encryption algorithm has been chosen, that is to say an algorithm for which the same key is used by the two parties.
  • This algorithm is perfectly suited for transactions which are established between a cash register 1, a station 5 and the supervisor computer 4, since they can be fitted with electronic circuits used for this purpose without any problem.
  • the encryption key is different from the key used to create the signature, with practically the same algorithm. This means that to authenticate all the other parties, each part of the system must share with these others a unique pair of keys.
  • each box 1 must be able to authenticate each of the stations 5 to which it connects, each station 5 having to authenticate each box 1; the number of keys to be stored in such conditions quickly becomes overwhelming and it has been chosen, according to a preferred variant of the invention, to carry out the authentication indirectly between in particular the boxes 1 and the stations 5.
  • indirect authentication is possible by transitivity, that is to say that if two parties A and B have authenticated each other, and if party A and one party C have also authenticated each other, then parties B and C authenticate each other through A, since it is a reliable partner of all parties.
  • the supervisor computer 4 plays the role of part A, the boxes 1, the stations 4, and the users playing the role of parts B or C. Only the computer 4 knows all the keys. The other parties only share a single key with this computer 4.
  • the computer 4 nevertheless becomes, in this case, a compulsory intermediary for transactions, and may, unexpectedly, memorize the history thereof.
  • the computer 4 is therefore the unsuspected memory of the system.
  • each user has a secret code allowing him to access the system.
  • This code is known to the supervisor computer 4, which sometimes transmits it to a box 1 when it is in a mode where knowledge of it is necessary.
  • the station 5 connecting the parties may possibly also know this code, so as not to authorize a connection of the user to the computer 5 without prior verification. It is therefore obvious that this code transits between the parties.
  • this code can be encrypted during its transit through station 5, in particular by means of the algorithm preferentially used in the invention.
  • the procedure is in accordance with the authentication procedures used between the other parties.
  • the user has a memory card and a fixed code; after internal recognition of the code, the card generates a "token" which is sent to the system, this "token” being encrypted and signed by the same algorithms as those used elsewhere - the DES algorithm is implemented for this purpose in the microprocessor of the map -.
  • Confidentiality and integrity is perfect, since the information that circulates between the parties is perfectly random, and does not allow us to trace the code or the encryption and authentication keys. To enter the system, it is then necessary to have both the card and the code.
  • the other blocks containing the code CS represent the establishment of a connection between the box 1 and the supervisor computer 4.
  • the funds are then under the responsibility of the head of the central agency.
  • a station 5 of the network constituting the protection system according to the invention At this station 5, called the departure station, is connected a box 1 (it can be connected to several) not necessarily containing funds.
  • box 1 the three possible modes for box 1 are Open mode, Box mode, and Safe mode.
  • the box 1 In the Open mode, the box 1 is considered to be open, but its physical opening, by means provided for this purpose, is not compulsory; it can be opened and closed like a simple drawer, the protection of funds placed inside being then zero. Neither box 1, nor computer 4, nor the departure station are responsible for this.
  • Cash register mode is a "local" mode, that is to say that the transition to this mode from Open mode is possible without the computer 4 intervening.
  • the branch manager entrusts the fund 1 with funds. After payment of these funds and closure, it can only be opened by means of an authentication by the head of the agency, that is to say for example by means of a secret code a, including the box 1 and the departure station only know the transformed by a unilateral function such as the DES ( x , a ) function - it will be noted that the fixed message x is different for box 1 and for station 5.
  • DES x , a
  • the fixed message x is different for box 1 and for station 5.
  • responsibility for the protection of funds are therefore shared, in this Cashier mode, between the branch manager and cashier 1 (remember that the departure station, which is the common network transmission terminal, is never responsible). It should be noted that the transition from Open mode to Cashier mode extended the system for the first time: we went from the system: branch manager: to the system: branch manager / cash
  • the Safe mode is a "global" mode, that is to say that the transition from Open mode to this mode is only possible with the authorization of the remote supervisor computer 4.
  • the branch manager entrusts funds to the system and transfers responsibility for their protection completely. After placing the funds in a box 1, and closing it, he gives his code which is authenticated by the departure station, and indicates to the system that he wishes to use box 1 in Safe mode.
  • the departure station establishes a connection with the computer 4, in accordance with a mutual authentication protocol.
  • the computer 4 then authenticates the agency manager.
  • Box 1 in which he wants to place funds must be in good condition and not be a clone; the latter must therefore authenticate each other with the computer 4 via the departure station, which is a reliable partner of the computer 4, but cannot directly authenticate the box 1 for reasons expressed above. All the authentications being directly or implicitly carried out, the system, by through the computer 4, accepts, on the one hand, the transfer of responsibility coming from the branch manager, and on the other hand, turns the box 1 in the Safe mode.
  • branch manager to the system: cash desk / computer :. This transition was carried out gradually, the responsibility belonging to the branch manager until the final agreement of computer 4 - there were successive enlargements then a shrinking of the system -.
  • the transitions from the Open mode to the Cash register or Safe modes may also depend on an hourly schedule, transmitted by the computer 4 to the cash register 1 when it arrives at the agency.
  • Such an hourly programming can be weekly and in particular makes it possible to prohibit the opening of the box 1 outside certain hours fixed in advance.
  • the Cash and Safe modes can be grouped into a single mode, called for example Storage mode, to which two opening options are associated - Cash or Safe -, the choice between these options being made by time programming transmitted at a given time to the box 1 by the computer 4.
  • the branch manager can request to send funds to the branch.
  • a Verse mode similar to the Open mode, but which cannot be followed by the Cash register mode or the Safe mode.
  • the Verse mode requires that the funds placed in a box 1 be transported. Transitions from Cashier mode or Chest mode to Verse mode are carried out in the same way as the transitions from these modes to the Open mode, that is to say that they are initiated by the prior authentication of the agency manager's code.
  • Lock mode box 1 must necessarily be transported to the arrival station to be able to be reopened (unless the computer 4 indicates otherwise).
  • the system then waits for the conveyor 3 of the box 1 which is authenticated, on arrival, by verification of a code, the transformed of which by a unilateral function is known to the system; a connection is established with the computer 4 which alone knows this code and the corresponding unilateral function (it is not indeed necessary for the box 1 or the station to know it).
  • Lock mode can last a very long time: computer 4, which received from the station. the transport parameters, has not yet transmitted them to the box 1.
  • One of these parameters is in particular the expected duration of the transport - in accordance with French patent FR-2 550 364, time instructions indeed limit the duration of a route and lead to the destruction of a box 1 in the event of an overshoot -.
  • the computer 4 After authentication of the conveyor 3, the computer 4 gives the authorization to remove the box 1 which is then in the start mode.
  • the transition from Lock mode to this mode is accompanied by the transfer of responsibility for the system: box / computer: to the system: box:, that is to say box 1 fully protects the funds to be transported. This is why the time transport instructions are initiated as soon as they transition into this mode; the box 1 is therefore considered to be mobile, whether or not it is physically removed from its base. If the planned delivery time is exceeded, the box considers itself to be attacked and degrades its content by appropriate means.
  • box 1 leaves the Start mode for the Sidewalk mode. This corresponds to the journey on foot made by the conveyor 3 carrying the box 1, between the departure station and a vehicle, or another station (if the entire journey is on foot). This mode is limited in time by a duration provided for this purpose, so as to reduce the risk of diversion during the journey; if the planned journey time is exceeded, box 1 degrades its content.
  • box 1 In Depalarm mode, box 1 is physically in an unforeseen situation and must be disconnected from its receptacle; otherwise, after a determined time (for example 30 seconds), the countdown of the duration of the journey on foot resumes. However, box 1 waits to be disconnected before logically returning from Depalarm mode to Sidewalk mode: in this way, Sidewalk mode always corresponds to the physical disconnection of Box 1.
  • the Truck mode corresponds to the logical sequence of transport.
  • the box 1 cannot be disconnected without being informed thereof; it degrades its content beyond a certain time interval (for example 10 seconds) if it has not been reconnected.
  • the conveyor 3 authenticates again to the box 1 via the on-board computer - the code of the conveyor 3 has been provisionally transmitted to the box 1 by the computer 4 supervisor when transitioning from Lock mode to Start mode -. If box 1 accepts the conveyor code 3, it goes into Start mode (from where it can go into Base mode and finally into Connect mode).
  • Base mode to Connect mode takes place if box 1 recognizes that it is connected to a station. It then immediately requests to be connected to the supervisor computer 4, which requires prior mutual authentication of the station and of this computer 4; if this mutual authentication is possible, we already know that the station is not a clone. The computer 4 and the box 1 then authenticate each other. If the station to which box 1 is connected is not the correct one, then there is a transition from Connect mode to Depalarm mode. If the station is the planned arrival station, the system: box: becomes the system: box / computer / arrival station: and we go from Connect mode to Selfouv mode or to Servouv mode.
  • the box 1 can be emptied of its funds, the responsibility for their protection being then transferred to the head of the branch.
  • the box 1 can again be used either as a box, or as a chest, or for another transport, in accordance with the procedures described above.
  • a protocol is therefore implemented for the correction of transmission errors between a terminal of the system, or station 5, and the supervisor computer 4.
  • This protocol splits the message to be transmitted into blocks of a few bytes to a few tens of bytes. If a block is transmitted with errors, only this block is retransmitted, which eliminates the need to repeat all of the very long messages which are exchanged (typically with a length of 300 bytes).
  • the integrity of a block is checked by means of a signature developed with the content of the block and with its header - this header essentially comprising the information on the length of the block -.
  • the algorithm for calculating this non-secret signature is advantageously that used for encryption and authentication of messages; the "DES chip" is again used in this way, without having to write and store, in particular in the station, a new algorithm.
  • the station 5 After reconstitution of the split message on transmission, and in the case where the sending party is the supervising computer 4, the station 5 authenticates and decrypts with its own keys said message (thanks to the "DES chip" placed in the station) . Then it transmits to box 1, the identification number of which serves to identify it now appears in clear, the part of the message which is intended for him; box 1 authenticates and decrypts this message with its own keys, using the "DES chip” provided for this purpose. It then confirms receipt thereof at computer 4 and prepares for this purpose an encrypted and authenticated message with these same keys; this message is transmitted to computer 4 - supplemented by the number of box 1 - encrypted and authenticated with the keys of station 5. Computer 4 then returns, according to the same protocol, an acknowledgment to box 1, which may possibly change mode, but only upon receipt of this receipt.
  • the telecommunications protocol described is of course not limited to the preferred embodiment described above, and one can for example use the principles of functional architecture popularized by the open systems interconnection model (OSI layered model), or direct derivatives of this model.
  • OSI layered model open systems interconnection model
  • the present invention is in particular intended for the protection of documents or valuables, and in particular of means of payment such as tickets, checks or bank cards, or of dangerous medicines (drugs) or with high added value. This protection is ensured both inside a bank branch (or a pharmacy, or other), as well as during transport from this branch to a branch.
  • the present invention is further limited neither by the size nor by the weight of the objects or documents of value which it is desired to protect, and it is within the capacity of a person skilled in the art to carry out any modification aimed at adapting the invention to objects or documents other than those given here by way of nonlimiting examples.

Landscapes

  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Packages (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Details Of Rigid Or Semi-Rigid Containers (AREA)
  • Storage Device Security (AREA)
  • Burglar Alarm Systems (AREA)
  • Cartons (AREA)
  • Purses, Travelling Bags, Baskets, Or Suitcases (AREA)
  • Tires In General (AREA)
  • Auxiliary Devices For And Details Of Packaging Control (AREA)
  • Sorting Of Articles (AREA)
  • Facsimile Transmission Control (AREA)
  • Credit Cards Or The Like (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Lock And Its Accessories (AREA)
EP90402060A 1989-07-17 1990-07-17 Système de protection de documents ou d'objets enfermés dans un contenant inviolable Expired - Lifetime EP0409725B1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR8909579 1989-07-17
FR8909579A FR2649748B1 (fr) 1989-07-17 1989-07-17 Systeme de protection de documents ou d'objets de valeur enfermes dans un contenant inviolable physiquement, qui passe par ailleurs par une succession d'etats logiques authentifies en nombre restreint

Publications (2)

Publication Number Publication Date
EP0409725A1 EP0409725A1 (fr) 1991-01-23
EP0409725B1 true EP0409725B1 (fr) 1994-05-04

Family

ID=9383836

Family Applications (1)

Application Number Title Priority Date Filing Date
EP90402060A Expired - Lifetime EP0409725B1 (fr) 1989-07-17 1990-07-17 Système de protection de documents ou d'objets enfermés dans un contenant inviolable

Country Status (20)

Country Link
US (1) US5315656A (es)
EP (1) EP0409725B1 (es)
JP (1) JPH05506700A (es)
AT (1) ATE105367T1 (es)
AU (1) AU648510B2 (es)
CA (1) CA2064204C (es)
DD (1) DD296732A5 (es)
DE (1) DE69008634T2 (es)
DK (1) DK0409725T3 (es)
ES (1) ES2056406T3 (es)
FI (1) FI93761C (es)
FR (1) FR2649748B1 (es)
HU (1) HU217539B (es)
MA (1) MA21906A1 (es)
NO (1) NO302259B1 (es)
OA (1) OA09531A (es)
RO (1) RO108889B1 (es)
RU (1) RU2078894C1 (es)
WO (1) WO1991001428A1 (es)
ZA (1) ZA905546B (es)

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2706058B1 (fr) * 1993-06-02 1995-08-11 Schlumberger Ind Sa Dispositif pour contrôler et commander l'accès différentiel à au moins deux compartiments à l'intérieur d'une enceinte.
EP0792044B1 (en) * 1996-02-23 2001-05-02 Fuji Xerox Co., Ltd. Device and method for authenticating user's access rights to resources according to the Challenge-Response principle
FR2751111B1 (fr) * 1996-07-10 1998-10-09 Axytrans Systeme de transport securise d'objets en conteneur inviolable dont au moins une station destinatiare est mobile et transportable
JP3541607B2 (ja) * 1997-03-11 2004-07-14 株式会社日立製作所 電子マネー取引装置
JP2000113085A (ja) * 1998-10-08 2000-04-21 Sony Corp 電子現金システム
US6275151B1 (en) * 2000-01-11 2001-08-14 Lucent Technologies Inc. Cognitive intelligence carrying case
US20010054025A1 (en) * 2000-06-19 2001-12-20 Adams William M. Method of securely delivering a package
WO2002028157A1 (en) * 2000-09-26 2002-04-04 Sagem Denmark A/S A box for encapsulating an electronic device, and a method for gluing a circuit board onto the inner surface of a box
DE10123383A1 (de) 2001-05-14 2003-01-16 Giesecke & Devrient Gmbh Verfahren und Vorrichtung zum Öffnen und Schließen einer Kassette
US20050155876A1 (en) * 2003-12-15 2005-07-21 Tamar Shay Method and device for organizing, storing, transporting and retrieving paperwork and documents associated with the paperwork-generating introduction of a new family member
KR100527169B1 (ko) * 2003-12-31 2005-11-09 엘지엔시스(주) 매체자동지급기의 매체카세트 개폐장치
FR2869939B1 (fr) * 2004-05-06 2006-06-23 Axytrans Sa Systeme securise pour le transport ou la conservation de valeurs telles que des billets de banque
US7757301B2 (en) * 2004-12-21 2010-07-13 Seagate Technology Llc Security hardened disc drive
EP1843000B1 (de) * 2006-04-03 2018-10-31 Peter Villiger Sicherheitssystem mit ad-hoc Vernetzung einzelner Komponenten
DE102007022460A1 (de) 2007-05-09 2008-11-13 Horatio Gmbh Einrichtung und Verfahren zum Nachweis des gegenständlichen Besitzes von Objekten gegenüber einer Prüfinstanz über beliebige Entfernungen
DE102008045607A1 (de) * 2008-09-03 2010-03-04 Wincor Nixdorf International Gmbh Anordnung und Verfahren zur Aufbewahrung von mindestens einem Wertschein
US8836509B2 (en) * 2009-04-09 2014-09-16 Direct Payment Solutions Limited Security device
EP3262782B1 (en) 2015-02-25 2022-07-27 Private Machines Inc. Anti-tamper system

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4236463A (en) * 1979-05-14 1980-12-02 Westcott Randy L Tamper proof case for the protection of sensitive papers
SE417023B (sv) * 1979-11-29 1981-02-16 Leif Lundblad Anleggning for seker och ekonomiskt optimal hantering av verdedokument inom en penninginrettning
FR2550364B1 (fr) * 1983-08-05 1986-03-21 Kompex Systeme de securite de transport de fonds ou d'effets bancaires
DE3400526A1 (de) * 1984-01-10 1985-10-24 Peter 7212 Deißlingen Pfeffer Einrichtung zum ueberwachen von geldscheinbuendeln
US4691355A (en) * 1984-11-09 1987-09-01 Pirmasafe, Inc. Interactive security control system for computer communications and the like
FR2574845B1 (fr) * 1984-12-14 1987-07-31 Axytel Sarl Procede de marquage et/ou de destruction notamment de documents de valeur et dispositif de mise en oeuvre
GB2182467B (en) * 1985-10-30 1989-10-18 Ncr Co Security device for stored sensitive data
FR2594169B1 (fr) * 1986-02-11 1990-02-23 Axytel Sa Systeme de protection de produits de valeur notamment de fonds et/ou de produits bancaires.
US4860351A (en) * 1986-11-05 1989-08-22 Ibm Corporation Tamper-resistant packaging for protection of information stored in electronic circuitry
NL8700165A (nl) * 1987-01-23 1988-08-16 Seculock B V I O Cheques- en creditcards-opberginrichting met ingebouwd vernietigingssysteem.
FR2615987B1 (fr) * 1987-05-27 1994-04-01 Axytel Dispositif de controle de l'integrite d'une paroi quelconque, metallique ou non, destine a declencher automatiquement une intervention en cas d'agression commise a l'encontre de cette paroi
SE455653B (sv) * 1987-08-11 1988-07-25 Inter Innovation Ab Anleggning for seker overforing av atminstone verdet av verdepapper fran ett flertal utspritt fordelade teminaler till en centralt placerad penninginrettning
JP2609473B2 (ja) * 1989-10-23 1997-05-14 シャープ株式会社 通信装置
WO1991017681A1 (en) * 1990-05-11 1991-11-28 Gte Sylvania N.V. Apparatus for destroying the contents of a closed and preferably portable safety container upon any abusive handling thereof

Also Published As

Publication number Publication date
JPH05506700A (ja) 1993-09-30
ZA905546B (en) 1991-04-24
HU217539B (hu) 2000-02-28
WO1991001428A1 (fr) 1991-02-07
HU9200168D0 (en) 1992-09-28
CA2064204A1 (fr) 1991-01-18
AU6052990A (en) 1991-02-22
FI920187A0 (fi) 1992-01-16
EP0409725A1 (fr) 1991-01-23
HUT62063A (en) 1993-03-29
DK0409725T3 (da) 1994-09-19
NO302259B1 (no) 1998-02-09
RU2078894C1 (ru) 1997-05-10
RO108889B1 (ro) 1994-09-30
DE69008634D1 (de) 1994-06-09
DE69008634T2 (de) 1994-12-01
NO920194D0 (no) 1992-01-15
MA21906A1 (fr) 1991-04-01
FI93761C (fi) 1995-05-26
US5315656A (en) 1994-05-24
ATE105367T1 (de) 1994-05-15
CA2064204C (fr) 2001-04-10
DD296732A5 (de) 1991-12-12
OA09531A (fr) 1992-11-15
AU648510B2 (en) 1994-04-28
FR2649748A1 (fr) 1991-01-18
NO920194L (no) 1992-03-10
FR2649748B1 (fr) 1991-10-11
FI93761B (fi) 1995-02-15
ES2056406T3 (es) 1994-10-01

Similar Documents

Publication Publication Date Title
EP0409725B1 (fr) Système de protection de documents ou d'objets enfermés dans un contenant inviolable
EP0426541B1 (fr) Procédé de protection contre l'utilisation frauduleuse de cartes à microprocesseur, et dispositif de mise en oeuvre
EP0317400B1 (fr) Dispositif et procédé de sécurisation d'échange de données entre un terminal vidéotex et un serveur
FR2718091A1 (fr) Dispositif de sûreté contre le vol appliquant un codage électronique d'autorisation d'utilisation pour véhicule.
WO1998013971A1 (fr) Procede et systeme pour securiser les prestations de service a distance des organismes financiers
WO2000056007A1 (fr) Procede de verification de signature d'un message
EP0960406B1 (fr) Systeme de transport securise d'objets en conteneur inviolable dont au moins une station destinataire est mobile et transportable
WO2002052389A2 (fr) Methode anti-clonage d'un module de securite
FR2776454A1 (fr) Systeme de telephonie mobile avec carte de prepaiement
CA2500691A1 (fr) Procede de consultation securisee de recepisses de livraison d'objets
EP1875426A2 (fr) Terminal nomade de transactions electroniques securise et systeme de transactions electroniques securise
EP0447386A2 (fr) Système de sécurité pour système informatique
FR2566155A1 (fr) Procede et systeme pour chiffrer et dechiffrer des informations transmises entre un dispositif emetteur et un dispositif recepteur
FR2710769A1 (fr) Système de traitement des données d'une carte à microcircuit, carte et lecteur pour ce système et procédé de mise en Óoeuvre.
EP0413636A1 (fr) Système et procédé pour contrôler la collecte de bornes à prépaiement
FR2657446A1 (fr) Procede et dispositif destine a controler et a permettre l'acces a un site ou a un service.
FR2774834A1 (fr) Procede de transmission securisee de messages de donnees entre deux utilisateurs de deux equipements de transmission respectifs relies par un reseau de transmission de donnees
FR2811794A1 (fr) Appareil et procede de paiement par carte de debit dans une station de distribution de carburant
EP4254286A1 (fr) Système d'acheminement d'objets contenus dans des boîtes sur lesquelles sont prévus des moyens d'identification du destinataire
FR2913162A1 (fr) Procede de verification d'un code identifiant un porteur, carte a puce et terminal respectivement prevus pour la mise en oeuvre dudit procede.
EP3021515A1 (fr) Amelioration de l'integrite authentique de donnees a l'aide du dernier bloc chiffrant ces donnees en mode cbc
FR2595523A1 (fr) Procede et installation de transmission de donnees
FR2908204A1 (fr) Methode et systeme de deblocage d'un appareil electronique et appareil electronique compatible
FR2805561A1 (fr) Dispositif electronique permettant d'utiliser une combinaison a usage unique pour le deverrouillage d'une serrure electronique autonome

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE CH DE DK ES FR GB GR IT LI LU NL SE

17P Request for examination filed

Effective date: 19910621

17Q First examination report despatched

Effective date: 19921019

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

RAP3 Party data changed (applicant data changed or rights of an application transferred)

Owner name: AXYVAL

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AT BE CH DE DK ES FR GB GR IT LI LU NL SE

REF Corresponds to:

Ref document number: 105367

Country of ref document: AT

Date of ref document: 19940515

Kind code of ref document: T

REF Corresponds to:

Ref document number: 69008634

Country of ref document: DE

Date of ref document: 19940609

ITF It: translation for a ep patent filed

Owner name: DOTT. GIOVANNI LECCE & C.

REG Reference to a national code

Ref country code: DK

Ref legal event code: T3

GBT Gb: translation of ep patent filed (gb section 77(6)(a)/1977)

Effective date: 19940824

REG Reference to a national code

Ref country code: ES

Ref legal event code: FG2A

Ref document number: 2056406

Country of ref document: ES

Kind code of ref document: T3

EPTA Lu: last paid annual fee
REG Reference to a national code

Ref country code: GR

Ref legal event code: FG4A

Free format text: 3012797

EAL Se: european patent in force in sweden

Ref document number: 90402060.9

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

26N No opposition filed
REG Reference to a national code

Ref country code: FR

Ref legal event code: TP

REG Reference to a national code

Ref country code: GB

Ref legal event code: IF02

REG Reference to a national code

Ref country code: CH

Ref legal event code: PUE

Owner name: AXYTRANS S.A.

Free format text: AXYVAL#102, BOULEVARD MALESHERBES#PARIS (FR) -TRANSFER TO- AXYTRANS S.A.#102, BOULEVARD MALESHERBES#75017 PARIS (FR)

NLS Nl: assignments of ep-patents

Owner name: AXYTRANS S.A.

REG Reference to a national code

Ref country code: ES

Ref legal event code: PC2A

REG Reference to a national code

Ref country code: GB

Ref legal event code: 732E

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: LU

Payment date: 20080714

Year of fee payment: 19

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GR

Payment date: 20080724

Year of fee payment: 19

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DK

Payment date: 20090728

Year of fee payment: 20

Ref country code: ES

Payment date: 20090727

Year of fee payment: 20

Ref country code: FR

Payment date: 20090730

Year of fee payment: 20

REG Reference to a national code

Ref country code: FR

Ref legal event code: CD

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DE

Payment date: 20090707

Year of fee payment: 20

Ref country code: GB

Payment date: 20090728

Year of fee payment: 20

Ref country code: NL

Payment date: 20090724

Year of fee payment: 20

Ref country code: SE

Payment date: 20090727

Year of fee payment: 20

Ref country code: AT

Payment date: 20090724

Year of fee payment: 20

Ref country code: CH

Payment date: 20090727

Year of fee payment: 20

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: BE

Payment date: 20090724

Year of fee payment: 20

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: IT

Payment date: 20090730

Year of fee payment: 20

REG Reference to a national code

Ref country code: NL

Ref legal event code: V4

Effective date: 20100717

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

BE20 Be: patent expired

Owner name: S.A. *AXYTRANS

Effective date: 20100717

REG Reference to a national code

Ref country code: DK

Ref legal event code: EUP

REG Reference to a national code

Ref country code: GB

Ref legal event code: PE20

Expiry date: 20100716

REG Reference to a national code

Ref country code: ES

Ref legal event code: FD2A

Effective date: 20100719

EUG Se: european patent has lapsed
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: NL

Free format text: LAPSE BECAUSE OF EXPIRATION OF PROTECTION

Effective date: 20100717

Ref country code: ES

Free format text: LAPSE BECAUSE OF EXPIRATION OF PROTECTION

Effective date: 20100719

Ref country code: GR

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20100204

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: GB

Free format text: LAPSE BECAUSE OF EXPIRATION OF PROTECTION

Effective date: 20100716

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20090717

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: DE

Free format text: LAPSE BECAUSE OF EXPIRATION OF PROTECTION

Effective date: 20100717