EP0409725B1 - System for protecting documents or objects enclosed in an inviolable container - Google Patents
- Publication number
- EP0409725B1
- Authority
- EP
- European Patent Office
- Prior art keywords
- box
- mode
- transition
- station
- internal management
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime
Classifications
-
- E—FIXED CONSTRUCTIONS
- E05—LOCKS; KEYS; WINDOW OR DOOR FITTINGS; SAFES
- E05G—SAFES OR STRONG-ROOMS FOR VALUABLES; BANK PROTECTION DEVICES; SAFETY TRANSACTION PARTITIONS
- E05G1/00—Safes or strong-rooms for valuables
- E05G1/14—Safes or strong-rooms for valuables with means for masking or destroying the valuables, e.g. in case of theft
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07D—HANDLING OF COINS OR VALUABLE PAPERS, e.g. TESTING, SORTING BY DENOMINATIONS, COUNTING, DISPENSING, CHANGING OR DEPOSITING
- G07D11/00—Devices accepting coins; Devices accepting, dispensing, sorting or counting valuable papers
- G07D11/10—Mechanical details
- G07D11/12—Containers for valuable papers
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F9/00—Details other than those peculiar to special kinds or types of apparatus
- G07F9/06—Coin boxes
-
- E—FIXED CONSTRUCTIONS
- E05—LOCKS; KEYS; WINDOW OR DOOR FITTINGS; SAFES
- E05G—SAFES OR STRONG-ROOMS FOR VALUABLES; BANK PROTECTION DEVICES; SAFETY TRANSACTION PARTITIONS
- E05G1/00—Safes or strong-rooms for valuables
- E05G1/005—Portable strong boxes, e.g. which may be fixed to a wall or the like
Definitions
- the present invention relates to a system for protecting documents or valuables, and in particular means of payment such as banknotes, checks, or bank cards, enclosed in a physically inviolable container, which also passes through a succession of logical states authenticated in limited number.
- the degradation device used for this purpose can be, for example, that described in patent FR-A-2,574,845 in the name of the Applicant.
- In the case of the transport of valuables, for example dangerous medicines (drugs, poisons) or of high added value, the degradation device is significantly different; those skilled in the art know the specific means to be used.
- the object of the aforementioned patents consists in rendering unusable, or destroying, in the event of aggression, the funds contained in a box and whose significant fiduciary value is much lower than their real value (which is the case of tickets, cards and checks); coveting these funds thus becomes pointless, since they are destroyed before they can be reached.
- the sensors associated with these systems and which make it possible in particular to detect physical attacks on the box can be of very light structure, unlike traditional shields; such a wall integrity sensor is for example described in French patent FR-A-2,615,987 in the name of the Applicant.
- the protection systems described do not make it possible to determine the persons responsible for the assault that caused this destruction; indeed, during its destruction, it is desirable, and even necessary, that the box not only mark or destroy the funds, but also erase all the confidential information which it needs for its correct functioning: algorithms monitoring its physical states, algorithms for coding and decoding messages exchanged with the outside world, and the nature and content of these messages, such as secret codes, destinations and recipients of the funds transported.
- each of these boxes With the external computer becomes possible; the latter is then able to generate the inexorable process regulating the "history" of a box and to control its initiation, which is carried out after various verifications, including those of secret codes held by people with valid access to cash registers (such as a banker, or a customer).
- the invention aims to decisively improve the various known systems, by proposing a system for protecting documents or valuables, and in particular means of payment such as banknotes, checks, or bank cards, enclosed in at least one physically inviolable container, called a box, which, in the event of aggression, causes their degradation by appropriate means, this system being characterized in that the box is provided with internal management means functioning in the same way as a "limited mode machine" whose operating cycle includes a limited number of logical states, called modes, the transition from a first mode to a second mode being the consequence of a one-off event the lawfulness of which is, or has been, previously verified by an independent means which can be put in contact with said internal management means of the box, said transition then being accompanied by the loss of memory of the previous mode.
- One of the objectives of the present invention is thus to make a logical state, called mode, correspond to each situation in which a box can be found, this mode being explicitly delimited by two terminals of a purely conceptual nature, which makes it possible to rigorously and reliably organize the operating cycle of the internal management means of said box; the systems known to date only knew two implicit limits, that is to say "the transition between mobile and fixed boxes" and vice versa.
- the present invention provides the flexibility necessary for a more intelligent management of the protection provided by the boxes. But it is then essential that at each stage of the protection process, that at each transition between two logical states, the box does not keep any trace of its previous logical state; we already know that this trace is useless; it is also understood that this trace is dangerous, since it is vital, for the security of the system, that confidential messages such as codes cannot be read, if they are not destroyed entirely in the event of attack. We will finally understand, thanks to the following, that this trace cannot exist.
- the present invention provides a reliable and sure means of defining various operating cycles, which correspond to many cases inaccessible to the systems known until today, for which a single "story" can exist between the closing and opening of a box.
- the rigor of such an organization gives the protection system in accordance with the invention an additional intelligence that renders the boxes, and the system as a whole, in a way "logically inviolable".
- This logical inviolability is also reflected, according to another characteristic of the invention, in that, during the transport of a box (which is delimited, on the one hand, by the transition from a mode where said box is considered to be fixed to a mode where it is considered to be mobile, and on the other hand, by the transition from a mode where the box is considered to be mobile to a mode where it is considered to be fixed), the internal management means of said box are absolutely autonomous, that is to say are solely responsible for the security of the funds enclosed therein.
- a box can share this responsibility with other parts of the system, necessarily outside of its transport, for example with the autonomous means which can get in touch with the internal management means of the box.
- the system according to the invention is used for the protection of funds which have been placed in a box 1 by the manager of a bank branch, hereinafter called shipper 2.
- Box 1 must be transported by a conveyor 3 towards, for example, a branch of this bank branch.
- the means which can be put in contact with the boxes to produce the transfer of responsibility is made up of a single computer 4.
- This computer 4 has a supervisory role and manages the logical security of the boxes 1, that is to say checks the legality of the transitions of certain operating modes of the internal management means thereof to certain other modes.
- there are thus three types of modes for a box 1 (in fact for the system as a whole, but only box 1 participates in the whole of the protection, since it is the box which, in the end, makes it possible to remove the covetousness of third parties): according to whether it is considered to be mobile and closed, in accordance with case a); stationary and closed, in accordance with case b); or stationary and open, in accordance with case c).
- the mobility of the box 1 is, therefore, a purely logical attribute of the system, which goes beyond its real physical mobility, but of course covers it without paradox.
- This considerable advantage of the system is one of the most unexpected consequences of the organization in a machine with limited modes of the physically mobile part of it: the box 1.
- the system according to the invention can be compared to a computer network where a "token", symbolizing the possession of decision-making power, can be exchanged between the terminals of the network; the terminal holding the "token" can also choose to transfer it, this transfer therefore being accompanied by the loss or sharing of power.
- the "token" transferred into the system of the invention is made up, it will be understood, by the responsibility attached to the protection of the funds enclosed, or not, in a box 1.
- an unexpected advantage of the use, according to the invention, of a single computer 4 supervising the system is to limit the redundancy of the information necessary for the secure management of the latter, that is to say their possible transfer.
- if a second computer were to exist (one could for example place a computer at the place of departure of a box, and another computer at its place of arrival, which is the case in particular of the system described in French patent application FR-A-2,594,169), it would be imperative to integrate this second computer in a reliable manner into the system: box / first computer:, so that it becomes the system: box / first computer / second computer:; the reliable integration of the recipient of the funds enclosed in the box 1 would then become possible via this second computer.
- the step of integrating the second computer is not necessary because it provides neither simplification (on the contrary) nor additional security, since the recipient of the funds can be integrated directly by the first computer.
- boxes 1 are completely independent of each other and that each system: box / computer / user: must be considered as a particular network, even if the supervisor computer 4 can be the same for all the boxes 1. It is thus good to recall that there is no dialogue constantly circulating between the boxes 1, which constitutes a notable advantage with respect to the system described in patent FR-A-2 550 364.
- the four parts of the box 1, computer 4, shipper 2, and conveyor 3, can be connected to a single terminal, called station 5 below, to constitute a star network of which said station 5 is the center.
- a station 5 can never constitute a means capable of controlling the legality of an event which may cause a transition from an operating mode of the internal management means of a box 1 to another mode.
- a message exchanged between two integral parts of a star network does not pass through the other parts as, for example, in a ring: we can then speak of a structural confidentiality of this type of network.
- each part of the system has an electronic interface which must manage sometimes complex exchanges.
- a station 5 which can connect, in accordance with the invention, all the parts to each other, advantageously and unexpectedly makes it possible to simplify and lighten said interfaces.
- Station 5 has for this purpose all the heavy electronic interfaces, and it remains for box 1 and the user to manage only an elementary connection dialogue with said station 5.
- the computer 4 can, for its part, manage more complex exchanges, and that it is also advantageous, according to the invention, to make it a server center located at a distance from all the stations 5 , of all the users, and of all the boxes 1, which makes it possible to protect it effectively, at the same time, from possible attacks, both logical and physical.
- communications between two parts of the system are carried out according to a protocol allowing the party receiving a message to authenticate the party which is supposed to have sent it, this authentication possibly being accompanied by the sending of a message of good reception to said sending party.
- all the parts of the system comprise means of computer authentication of the messages received from a transmitting part integrated into said system; in the event of authentication of a message, said authentication means are then capable of cooperating with transmission means to cause the sending, to said transmitting party, of a message of good reception.
- certain authentications are carried out in both directions because it is necessary, for example, for a box 1 to be sure that the computer 4 is not a clone computer, and that conversely, the computer 4 is sure that said box 1 is not a clone box: we then speak of mutual authentication of the parties.
- a station 5 to which a box 1 is connected is authenticated, which prohibits the existence of clone stations.
- the measures to be taken for the security of a box 1, and for the security of the transactions in which it participates, are then well known, and aim to eliminate, on the one hand, threats to the confidentiality of the messages exchanged between two integral parts of the system, including for example the box, and on the other hand, threats to the integrity of these messages (deliberate or unauthorized alteration of their content).
- a first measure eliminating threats to confidentiality consists in encrypting the messages exchanged, and many cryptographic processes are known for doing this.
- DES symmetric type encryption algorithm
- FIPS PUB 46 Federal Information Processing Standards Publication 46.
- One measure to eliminate threats to the integrity of messages is to sign those messages; a signature is sent at the same time as the message, and its verification by the recipient party is used to authenticate the message and its author.
- this signature has nothing to do with the "token" symbolizing, according to the invention, the transfer of responsibility attached to the protection of funds enclosed or not in a box 1; this "token" is a message like any other, and it is not necessarily transmitted during an authentication (for example it is never transmitted to a station 5, which however must be authenticated by its partners, directly or indirectly).
- the signature is a proof and the taking into account of the messages is only possible after verification of this proof.
- this signature, or proof, is calculated on the parameters of the transaction, that is to say the content of the messages, according to an algorithm similar to the DES encryption algorithm, which provides the notable advantage of simplifying the development of messages exchanged between parts of the system.
- the encryption and authentication keys are different, which further increases cryptographic security.
- the "DES chip" therefore proceeds both to the encryption of the message and to the constitution of the signature on this message.
- encryption is not a compulsory operation, since knowledge by a third party of the content of messages, for example instructions for changing modes or parameters of a transport, does not jeopardize the security of the system; only the authentication provided by the signature built on these messages counts, and it would therefore not be possible to fool the electronics of a box with a false message sent in the clear. Encryption is a precaution essentially aimed at reassuring users about the confidentiality capabilities of the system.
- the stations 5 also have a "DES chip", physically protected, and containing encryption and authentication keys of the messages which it transmits to the supervisor computer 4. It will be noted that these keys are different from the keys used by the boxes 1.
- a message intended for the computer 4, coming from a box 1, is in this way doubly encrypted and authenticated: by the box 1 with a first pair of keys, and by station 5 with a second pair of keys.
- a symmetric encryption algorithm has been chosen, that is to say an algorithm for which the same key is used by the two parties.
- This algorithm is perfectly suited for transactions which are established between a box 1, a station 5 and the supervisor computer 4, since they can be fitted with electronic circuits used for this purpose without any problem.
- the encryption key is different from the key used to create the signature, with practically the same algorithm. This means that to authenticate all the other parties, each part of the system must share a unique pair of keys with each of the others.
- each box 1 must be able to authenticate each of the stations 5 to which it connects, each station 5 having to authenticate each box 1; the number of keys to be stored in such conditions quickly becomes overwhelming and it has been chosen, according to a preferred variant of the invention, to carry out the authentication indirectly between in particular the boxes 1 and the stations 5.
- indirect authentication is possible by transitivity, that is to say that if two parties A and B have authenticated each other, and if party A and one party C have also authenticated each other, then parties B and C authenticate each other through A, since it is a reliable partner of all parties.
- the supervisor computer 4 plays the role of party A, while the boxes 1, the stations 5, and the users play the role of parties B or C. Only the computer 4 knows all the keys. The other parties only share a single key with this computer 4.
- the computer 4 nevertheless becomes, in this case, a compulsory intermediary for transactions, and may, unexpectedly, memorize the history thereof.
- the computer 4 is therefore the unsuspected memory of the system.
- each user has a secret code allowing him to access the system.
- This code is known to the supervisor computer 4, which sometimes transmits it to a box 1 when it is in a mode where knowledge of it is necessary.
- the station 5 connecting the parties may possibly also know this code, so as not to authorize a connection of the user to the computer 4 without prior verification. It is therefore obvious that this code transits between the parties.
- this code can be encrypted during its transit through station 5, in particular by means of the algorithm preferentially used in the invention.
- the procedure is in accordance with the authentication procedures used between the other parties.
- the user has a memory card and a fixed code; after internal recognition of the code, the card generates a "token" which is sent to the system, this "token" being encrypted and signed by the same algorithms as those used elsewhere (the DES algorithm is implemented for this purpose in the microprocessor of the card).
- Confidentiality and integrity are perfect, since the information that circulates between the parties is perfectly random, and does not allow the code or the encryption and authentication keys to be traced. To enter the system, it is then necessary to have both the card and the code.
- the other blocks containing the code CS represent the establishment of a connection between the box 1 and the supervisor computer 4.
- the funds are then under the responsibility of the head of the central agency.
- At this station 5, called the departure station, a box 1 is connected (several can be connected), not necessarily containing funds.
- the three possible modes for box 1 are Open mode, Cash register mode, and Safe mode.
- In the Open mode, the box 1 is considered to be open, but its physical opening, by means provided for this purpose, is not compulsory; it can be opened and closed like a simple drawer, the protection of funds placed inside being then zero. Neither box 1, nor computer 4, nor the departure station are responsible for this.
- Cash register mode is a "local" mode, that is to say that the transition to this mode from Open mode is possible without the computer 4 intervening.
- the branch manager entrusts funds to box 1. After these funds have been deposited and the box closed, it can only be opened by means of an authentication by the branch manager, that is to say, for example, by means of a secret code a, of which box 1 and the departure station know only the transform by a one-way function such as the DES(x, a) function; it will be noted that the fixed message x is different for box 1 and for station 5.
- responsibility for the protection of funds is therefore shared, in this Cash register mode, between the branch manager and box 1 (remember that the departure station, which is the common network transmission terminal, is never responsible). It should be noted that the transition from Open mode to Cash register mode extended the system for the first time: we went from the system: branch manager: to the system: branch manager / cash
- the Safe mode is a "global" mode, that is to say that the transition from Open mode to this mode is only possible with the authorization of the remote supervisor computer 4.
- the branch manager entrusts funds to the system and transfers responsibility for their protection completely. After placing the funds in a box 1, and closing it, he gives his code which is authenticated by the departure station, and indicates to the system that he wishes to use box 1 in Safe mode.
- the departure station establishes a connection with the computer 4, in accordance with a mutual authentication protocol.
- the computer 4 then authenticates the agency manager.
- Box 1, in which he wants to place funds, must be in good condition and not be a clone; the box and the computer 4 must therefore authenticate each other via the departure station, which is a reliable partner of the computer 4, but cannot directly authenticate the box 1 for reasons expressed above. All the authentications being directly or implicitly carried out, the system, through the computer 4, accepts, on the one hand, the transfer of responsibility coming from the branch manager, and on the other hand, puts the box 1 into Safe mode.
- branch manager to the system: box / computer:. This transition was carried out gradually, the responsibility belonging to the branch manager until the final agreement of computer 4 (there were successive enlargements, then a shrinking, of the system).
- the transitions from the Open mode to the Cash register or Safe modes may also depend on an hourly schedule, transmitted by the computer 4 to the box 1 when it arrives at the agency.
- Such an hourly programming can be weekly and in particular makes it possible to prohibit the opening of the box 1 outside certain hours fixed in advance.
- the Cash register and Safe modes can be grouped into a single mode, called for example Storage mode, to which two opening options are associated (Cash register or Safe), the choice between these options being made by time programming transmitted at a given time to the box 1 by the computer 4.
- the branch manager can request to send funds to the branch.
- a Verse mode similar to the Open mode, but which cannot be followed by the Cash register mode or the Safe mode.
- the Verse mode requires that the funds placed in a box 1 be transported. Transitions from Cash register mode or Safe mode to Verse mode are carried out in the same way as the transitions from these modes to the Open mode, that is to say that they are initiated by the prior authentication of the branch manager's code.
- In Lock mode, box 1 must necessarily be transported to the arrival station to be able to be reopened (unless the computer 4 indicates otherwise).
- the system then waits for the conveyor 3 of the box 1, who is authenticated, on arrival, by verification of a code whose transform by a one-way function is known to the system; a connection is established with the computer 4, which alone knows this code and the corresponding one-way function (it is indeed not necessary for the box 1 or the station to know it).
- Lock mode can last a very long time: computer 4, which received the transport parameters from the station, has not yet transmitted them to the box 1.
- One of these parameters is in particular the expected duration of the transport - in accordance with French patent FR-2 550 364, time instructions indeed limit the duration of a route and lead to the destruction of a box 1 in the event of an overshoot -.
- After authentication of the conveyor 3, the computer 4 gives the authorization to remove the box 1, which is then in Start mode.
- the transition from Lock mode to this mode is accompanied by the transfer of responsibility from the system: box / computer: to the system: box:, that is to say box 1 fully protects the funds to be transported. This is why the time transport instructions are initiated as soon as the transition into this mode occurs; the box 1 is therefore considered to be mobile, whether or not it is physically removed from its base. If the planned delivery time is exceeded, the box considers itself to be attacked and degrades its content by appropriate means.
- box 1 leaves the Start mode for the Sidewalk mode. This corresponds to the journey on foot made by the conveyor 3 carrying the box 1, between the departure station and a vehicle, or another station (if the entire journey is on foot). This mode is limited in time by a duration provided for this purpose, so as to reduce the risk of diversion during the journey; if the planned journey time is exceeded, box 1 degrades its content.
- In Depalarm mode, box 1 is physically in an unforeseen situation and must be disconnected from its receptacle; otherwise, after a determined time (for example 30 seconds), the countdown of the duration of the journey on foot resumes. However, box 1 waits to be disconnected before logically returning from Depalarm mode to Sidewalk mode: in this way, Sidewalk mode always corresponds to the physical disconnection of Box 1.
- the Truck mode corresponds to the logical sequence of transport.
- the box 1 cannot be disconnected without being informed thereof; it degrades its content beyond a certain time interval (for example 10 seconds) if it has not been reconnected.
- the conveyor 3 authenticates again to the box 1 via the on-board computer (the code of the conveyor 3 has been provisionally transmitted to the box 1 by the supervisor computer 4 when transitioning from Lock mode to Start mode). If box 1 accepts the code of the conveyor 3, it goes into Start mode (from where it can go into Base mode and finally into Connect mode).
- the transition from Base mode to Connect mode takes place if box 1 recognizes that it is connected to a station. It then immediately requests to be connected to the supervisor computer 4, which requires prior mutual authentication of the station and of this computer 4; if this mutual authentication is possible, we already know that the station is not a clone. The computer 4 and the box 1 then authenticate each other. If the station to which box 1 is connected is not the correct one, then there is a transition from Connect mode to Depalarm mode. If the station is the planned arrival station, the system: box: becomes the system: box / computer / arrival station: and we go from Connect mode to Selfouv mode or to Servouv mode.
- the box 1 can be emptied of its funds, the responsibility for their protection being then transferred to the head of the branch.
- the box 1 can again be used either as a box, or as a chest, or for another transport, in accordance with the procedures described above.
- a protocol is therefore implemented for the correction of transmission errors between a terminal of the system, or station 5, and the supervisor computer 4.
- this protocol splits the message to be transmitted into blocks of a few bytes to a few tens of bytes. If a block is transmitted with errors, only this block is retransmitted, which avoids repeating the whole of the very long messages that are exchanged (typically 300 bytes long).
- the integrity of a block is checked by means of a signature computed over the content of the block and its header (this header essentially comprising the information on the length of the block).
- the algorithm for calculating this non-secret signature is advantageously that used for encryption and authentication of messages; the "DES chip" is again used in this way, without having to write and store, in particular in the station, a new algorithm.
- after the message that was split for transmission has been reassembled, and in the case where the sending party is the supervisor computer 4, station 5 authenticates and decrypts said message with its own keys (using the "DES chip" placed in the station). It then transmits to box 1, whose identification number now appears in clear, the part of the message intended for it; box 1 authenticates and decrypts this message with its own keys, using the "DES chip" provided for this purpose. Box 1 then confirms receipt to computer 4, preparing for this purpose a message encrypted and authenticated with these same keys; this message, supplemented by the number of box 1, is transmitted to computer 4 encrypted and authenticated with the keys of station 5. Computer 4 then returns an acknowledgment to box 1 according to the same protocol; box 1 may then change mode, but only upon receipt of this acknowledgment.
- the telecommunications protocol described is of course not limited to the preferred embodiment described above, and one can for example use the principles of functional architecture popularized by the open systems interconnection model (OSI layered model), or direct derivatives of this model.
- the present invention is in particular intended for the protection of documents or valuables, and in particular of means of payment such as tickets, checks or bank cards, or of medicines (drugs) that are dangerous or have high added value. This protection is ensured both inside a bank branch (or a pharmacy, or other) and during transport from this branch to a branch.
- the present invention is further limited neither by the size nor by the weight of the objects or documents of value which it is desired to protect, and it is within the capacity of a person skilled in the art to carry out any modification aimed at adapting the invention to objects or documents other than those given here by way of nonlimiting examples.
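The block-level error correction described above (split the message, sign each block over its header and content, retransmit only the damaged block), as an added example that is not code from the patent. The block size, header layout, signature length and fault model are assumptions, and a truncated SHA-256 stands in for the DES-chip signature; being unkeyed, it detects line errors only.

```python
import hashlib
import struct

BLOCK_SIZE = 16  # assumed; the page only says "a few bytes to a few tens of bytes"
SIG_LEN = 8      # assumed signature length in bytes
HEADER_LEN = 2   # assumed header layout: block index (1 byte), content length (1 byte)


def sign(header, content):
    # Stand-in for the DES-chip signature: truncated SHA-256 over header + content.
    return hashlib.sha256(header + content).digest()[:SIG_LEN]


def split_message(message):
    """Split a message into frames of header + content + signature."""
    if len(message) > 256 * BLOCK_SIZE:
        raise ValueError("message needs more blocks than a 1-byte index can number")
    frames = []
    for index, offset in enumerate(range(0, len(message), BLOCK_SIZE)):
        content = message[offset:offset + BLOCK_SIZE]
        header = struct.pack(">BB", index, len(content))
        frames.append(header + content + sign(header, content))
    return frames


def check_frame(frame):
    """Return (index, content) for an intact frame, or None if it is damaged."""
    if len(frame) < HEADER_LEN + SIG_LEN:
        return None
    header, body = frame[:HEADER_LEN], frame[HEADER_LEN:]
    index, length = struct.unpack(">BB", header)
    if len(body) != length + SIG_LEN:      # length field disagrees with what arrived
        return None
    content, signature = body[:length], body[length:]
    if signature != sign(header, content):
        return None
    return index, content


def transfer(message, channel, max_attempts=3):
    """Send every block through channel(slot, attempt, frame); resend only bad blocks."""
    blocks, resent, bytes_sent = [], [], 0
    for slot, frame in enumerate(split_message(message)):
        for attempt in range(max_attempts):
            bytes_sent += len(frame)
            checked = check_frame(channel(slot, attempt, frame))
            if checked is not None and checked[0] == slot:
                blocks.append(checked[1])
                break
            resent.append(slot)            # ask again for this block only
        else:
            raise IOError("block %d still damaged after %d attempts" % (slot, max_attempts))
    return b"".join(blocks), resent, bytes_sent


def noisy_channel(slot, attempt, frame):
    # Constructed fault model: the first copy of block 3 has one bit flipped,
    # the first copy of block 7 loses its last byte.
    if attempt == 0 and slot == 3:
        return frame[:5] + bytes([frame[5] ^ 0x01]) + frame[6:]
    if attempt == 0 and slot == 7:
        return frame[:-1]
    return frame


if __name__ == "__main__":
    message = bytes(range(256)) + bytes(44)   # constructed 300-byte message
    rebuilt, resent, sent = transfer(message, noisy_channel)
    print(rebuilt == message, resent, sent)
```

With the constructed 300-byte message, two damaged blocks cost two extra frames on the line instead of two further copies of the whole message.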
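The layered exchange between supervisor computer, station and box described above, reduced to its authentication layers, as an added example that is not code from the patent. HMAC-SHA256 stands in for the DES-chip authentication, encryption is omitted, and the keys, the 4-byte box number and the `RECEIPT:` / `ACK:` message contents are assumptions.

```python
import hashlib
import hmac

TAG_LEN = 8  # assumed tag length in bytes
NUM_LEN = 4  # assumed width of the box number carried in clear


def seal(key, payload):
    """Append a keyed tag; HMAC-SHA256 stands in for the DES-chip authentication."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]


def unseal(key, sealed):
    """Return the payload if its tag verifies under key, else raise ValueError."""
    payload, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return payload


def computer_send(station_key, box_key, number, payload):
    # Inner layer under the box keys, outer layer (with box number) under the station keys.
    return seal(station_key, number + seal(box_key, payload))


def station_relay_down(station_key, outer):
    body = unseal(station_key, outer)          # the station checks its own layer only
    return body[:NUM_LEN], body[NUM_LEN:]      # box number in clear, inner part untouched


def station_relay_up(station_key, number, inner):
    return seal(station_key, number + inner)   # box message plus box number, station keys


class Box:
    def __init__(self, key):
        self.key, self.mode, self.pending = key, "Connect", None

    def on_order(self, inner):
        self.pending = unseal(self.key, inner)       # requested mode; no switch yet
        return seal(self.key, b"RECEIPT:" + self.pending)

    def on_ack(self, inner):
        ack = unseal(self.key, inner)
        if self.pending is not None and ack == b"ACK:" + self.pending:
            self.mode, self.pending = self.pending.decode(), None


def run_exchange(tamper_ack=False):
    # Constructed keys and box number.
    station_key, box_key, number = b"constructed-station-key", b"constructed-box-key", b"0001"
    box = Box(box_key)
    # 1. computer -> station -> box: the order
    order = computer_send(station_key, box_key, number, b"Selfouv")
    _, inner = station_relay_down(station_key, order)
    receipt = box.on_order(inner)
    # 2. box -> station -> computer: the receipt
    body = unseal(station_key, station_relay_up(station_key, number, receipt))
    confirmed = unseal(box_key, body[NUM_LEN:])[len(b"RECEIPT:"):]
    # 3. computer -> station -> box: the acknowledgment
    ack = computer_send(station_key, box_key, number, b"ACK:" + confirmed)
    _, inner = station_relay_down(station_key, ack)
    if tamper_ack:
        inner = inner[:-1] + bytes([inner[-1] ^ 0x01])
    try:
        box.on_ack(inner)
    except ValueError:
        pass                                         # damaged or forged ack: stay put
    return box.mode
```

The station never holds the box keys, so it can relay the inner part but cannot produce an order or acknowledgment the box will accept.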
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR8909579A FR2649748B1 (fr) | 1989-07-17 | 1989-07-17 | System for protecting documents or valuable objects enclosed in a physically tamper-proof container, which moreover passes through a succession of a restricted number of authenticated logical states |
FR8909579 | 1989-07-17 |
Publications (2)
Publication Number | Publication Date |
---|---|
EP0409725A1 (fr) | 1991-01-23 |
EP0409725B1 (fr) | 1994-05-04 |
Family
ID=9383836
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP90402060A Expired - Lifetime EP0409725B1 (fr) | 1989-07-17 | 1990-07-17 | System for protecting documents or objects enclosed in a tamper-proof container |
Country Status (20)
Country | Link |
---|---|
US (1) | US5315656A (hu) |
EP (1) | EP0409725B1 (hu) |
JP (1) | JPH05506700A (hu) |
AT (1) | ATE105367T1 (hu) |
AU (1) | AU648510B2 (hu) |
CA (1) | CA2064204C (hu) |
DD (1) | DD296732A5 (hu) |
DE (1) | DE69008634T2 (hu) |
DK (1) | DK0409725T3 (hu) |
ES (1) | ES2056406T3 (hu) |
FI (1) | FI93761C (hu) |
FR (1) | FR2649748B1 (hu) |
HU (1) | HU217539B (hu) |
MA (1) | MA21906A1 (hu) |
NO (1) | NO302259B1 (hu) |
OA (1) | OA09531A (hu) |
RO (1) | RO108889B1 (hu) |
RU (1) | RU2078894C1 (hu) |
WO (1) | WO1991001428A1 (hu) |
ZA (1) | ZA905546B (hu) |
1989
- 1989-07-17 FR FR8909579A patent/FR2649748B1/fr not_active Expired - Fee Related
1990
- 1990-07-16 ZA ZA905546A patent/ZA905546B/xx unknown
- 1990-07-16 MA MA22176A patent/MA21906A1/fr unknown
- 1990-07-17 DD DD90342844A patent/DD296732A5/de not_active IP Right Cessation
- 1990-07-17 RO RO92-0817A patent/RO108889B1/ro unknown
- 1990-07-17 DK DK90402060.9T patent/DK0409725T3/da active
- 1990-07-17 AU AU60529/90A patent/AU648510B2/en not_active Expired
- 1990-07-17 HU HU9200168A patent/HU217539B/hu not_active IP Right Cessation
- 1990-07-17 DE DE69008634T patent/DE69008634T2/de not_active Expired - Lifetime
- 1990-07-17 RU SU905011184A patent/RU2078894C1/ru active
- 1990-07-17 EP EP90402060A patent/EP0409725B1/fr not_active Expired - Lifetime
- 1990-07-17 AT AT9090402060T patent/ATE105367T1/de not_active IP Right Cessation
- 1990-07-17 JP JP90510518A patent/JPH05506700A/ja active Pending
- 1990-07-17 WO PCT/FR1990/000538 patent/WO1991001428A1/fr active IP Right Grant
- 1990-07-17 ES ES90402060T patent/ES2056406T3/es not_active Expired - Lifetime
- 1990-07-17 CA CA002064204A patent/CA2064204C/fr not_active Expired - Lifetime
1992
- 1992-01-15 NO NO920194A patent/NO302259B1/no not_active IP Right Cessation
- 1992-01-16 FI FI920187A patent/FI93761C/fi active
- 1992-01-17 OA OA60129A patent/OA09531A/fr unknown
- 1992-03-16 US US07/876,712 patent/US5315656A/en not_active Expired - Lifetime
Also Published As
Publication number | Publication date |
---|---|
RO108889B1 (ro) | 1994-09-30 |
FI93761B (fi) | 1995-02-15 |
ZA905546B (en) | 1991-04-24 |
DK0409725T3 (da) | 1994-09-19 |
FI93761C (fi) | 1995-05-26 |
NO920194D0 (no) | 1992-01-15 |
FR2649748A1 (fr) | 1991-01-18 |
AU6052990A (en) | 1991-02-22 |
WO1991001428A1 (fr) | 1991-02-07 |
HUT62063A (en) | 1993-03-29 |
DD296732A5 (de) | 1991-12-12 |
FI920187A0 (fi) | 1992-01-16 |
HU9200168D0 (en) | 1992-09-28 |
NO920194L (no) | 1992-03-10 |
NO302259B1 (no) | 1998-02-09 |
HU217539B (hu) | 2000-02-28 |
EP0409725A1 (fr) | 1991-01-23 |
OA09531A (fr) | 1992-11-15 |
CA2064204A1 (fr) | 1991-01-18 |
JPH05506700A (ja) | 1993-09-30 |
US5315656A (en) | 1994-05-24 |
DE69008634D1 (de) | 1994-06-09 |
RU2078894C1 (ru) | 1997-05-10 |
ATE105367T1 (de) | 1994-05-15 |
CA2064204C (fr) | 2001-04-10 |
FR2649748B1 (fr) | 1991-10-11 |
AU648510B2 (en) | 1994-04-28 |
ES2056406T3 (es) | 1994-10-01 |
DE69008634T2 (de) | 1994-12-01 |
MA21906A1 (fr) | 1991-04-01 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AT BE CH DE DK ES FR GB GR IT LI LU NL SE |
|
17P | Request for examination filed |
Effective date: 19910621 |
|
17Q | First examination report despatched |
Effective date: 19921019 |
|
GRAA | (expected) grant |
Free format text: ORIGINAL CODE: 0009210 |
|
RAP3 | Party data changed (applicant data changed or rights of an application transferred) |
Owner name: AXYVAL |
|
AK | Designated contracting states |
Kind code of ref document: B1 Designated state(s): AT BE CH DE DK ES FR GB GR IT LI LU NL SE |
|
REF | Corresponds to: |
Ref document number: 105367 Country of ref document: AT Date of ref document: 19940515 Kind code of ref document: T |
|
REF | Corresponds to: |
Ref document number: 69008634 Country of ref document: DE Date of ref document: 19940609 |
|
ITF | It: translation for a ep patent filed |
Owner name: DOTT. GIOVANNI LECCE & C. |
|
REG | Reference to a national code |
Ref country code: DK Ref legal event code: T3 |
|
GBT | Gb: translation of ep patent filed (gb section 77(6)(a)/1977) |
Effective date: 19940824 |
|
REG | Reference to a national code |
Ref country code: ES Ref legal event code: FG2A Ref document number: 2056406 Country of ref document: ES Kind code of ref document: T3 |
|
EPTA | Lu: last paid annual fee | ||
REG | Reference to a national code |
Ref country code: GR Ref legal event code: FG4A Free format text: 3012797 |
|
EAL | Se: european patent in force in sweden |
Ref document number: 90402060.9 |
|
PLBE | No opposition filed within time limit |
Free format text: ORIGINAL CODE: 0009261 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT |
|
26N | No opposition filed | ||
REG | Reference to a national code |
Ref country code: FR Ref legal event code: TP |
|
REG | Reference to a national code |
Ref country code: GB Ref legal event code: IF02 |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: PUE Owner name: AXYTRANS S.A. Free format text: AXYVAL#102, BOULEVARD MALESHERBES#PARIS (FR) -TRANSFER TO- AXYTRANS S.A.#102, BOULEVARD MALESHERBES#75017 PARIS (FR) |
|
NLS | Nl: assignments of ep-patents |
Owner name: AXYTRANS S.A. |
|
REG | Reference to a national code |
Ref country code: ES Ref legal event code: PC2A |
|
REG | Reference to a national code |
Ref country code: GB Ref legal event code: 732E |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: LU Payment date: 20080714 Year of fee payment: 19 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: GR Payment date: 20080724 Year of fee payment: 19 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: DK Payment date: 20090728 Year of fee payment: 20 Ref country code: ES Payment date: 20090727 Year of fee payment: 20 Ref country code: FR Payment date: 20090730 Year of fee payment: 20 |
|
REG | Reference to a national code |
Ref country code: FR Ref legal event code: CD |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: DE Payment date: 20090707 Year of fee payment: 20 Ref country code: GB Payment date: 20090728 Year of fee payment: 20 Ref country code: NL Payment date: 20090724 Year of fee payment: 20 Ref country code: SE Payment date: 20090727 Year of fee payment: 20 Ref country code: AT Payment date: 20090724 Year of fee payment: 20 Ref country code: CH Payment date: 20090727 Year of fee payment: 20 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: BE Payment date: 20090724 Year of fee payment: 20 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: IT Payment date: 20090730 Year of fee payment: 20 |
|
REG | Reference to a national code |
Ref country code: NL Ref legal event code: V4 Effective date: 20100717 |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: PL |
|
BE20 | Be: patent expired |
Owner name: S.A. *AXYTRANS Effective date: 20100717 |
|
REG | Reference to a national code |
Ref country code: DK Ref legal event code: EUP |
|
REG | Reference to a national code |
Ref country code: GB Ref legal event code: PE20 Expiry date: 20100716 |
|
REG | Reference to a national code |
Ref country code: ES Ref legal event code: FD2A Effective date: 20100719 |
|
EUG | Se: european patent has lapsed | ||
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: NL Free format text: LAPSE BECAUSE OF EXPIRATION OF PROTECTION Effective date: 20100717 Ref country code: ES Free format text: LAPSE BECAUSE OF EXPIRATION OF PROTECTION Effective date: 20100719 Ref country code: GR Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20100204 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: GB Free format text: LAPSE BECAUSE OF EXPIRATION OF PROTECTION Effective date: 20100716 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: LU Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20090717 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: DE Free format text: LAPSE BECAUSE OF EXPIRATION OF PROTECTION Effective date: 20100717 |