EP1398741A2 - Secure storage of journal data - Google Patents

Secure storage of journal data

Info

Publication number: EP1398741A2
Authority: EP (European Patent Office)
Prior art keywords: printer, signature, data, printer according, cryptographic
Legal status: Withdrawn
Application number: EP03018535A
Other languages: German (de), English (en)
Other versions: EP1398741A3 (fr)
Inventors: Günter Baitz, Dominik Widmaier
Current assignee: Wincor Nixdorf International GmbH
Original assignee: Wincor Nixdorf International GmbH
Priority date: 2002-09-10
Filing date: 2003-08-16
Publication date: 2004-03-17
Application filed by Wincor Nixdorf International GmbH
Publication of EP1398741A2 (fr) and EP1398741A3 (fr)
Current legal status: Withdrawn

Classifications

    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07G REGISTERING THE RECEIPT OF CASH, VALUABLES, OR TOKENS
    • G07G 1/00 Cash registers
    • G07G 1/12 Cash registers electronically operated
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07G REGISTERING THE RECEIPT OF CASH, VALUABLES, OR TOKENS
    • G07G 5/00 Receipt-giving machines

Definitions

  • The invention relates to securing journal data in POS systems and self-service terminals.
  • Patent application DE 44 35 902 A1 describes that a memory card with a processing function, often referred to as a smart card or chip card, can be used for this purpose.
  • The processing function of the card ensures that information can only be added, never changed or deleted.
  • The module thus provides a write-only (i.e. append-only) memory.
  • The operating program of the cash register then does not need to be certified and protected; the memory card performs this function. The data is then firmly bound to the data carrier, here the memory card. This is an advantage in some fields of application.
  • However, binding the data to the memory card is also a disadvantage, for example because the data cannot be secured against loss by simple means and because the storage capacity of a memory card is relatively small. A solution is therefore needed that allows tamper-proof storage of journal data on conventional rewritable mass storage devices, even when the operating programs that use the mass storage are not certified and protected against modification.
  • Applying the known methods to the control computer is not unproblematic. If the cryptographic algorithms run on the control computer of the cash register like any other program, falsification of the data cannot be ruled out, because the cryptographic signatures can be formed again at any time. This also applies if the signature is formed by an autonomous cryptographic module secured against manipulation, as is known from the neighbouring field of ATMs. That ensures that the secret key is not exposed and therefore that the signature was formed in the cryptographic module, but a suitably manipulated control program can still supply manipulated data for signing.
  • US Pat. No. 5,136,646 describes a method by which a document can be provided with a time stamp. A hash function is applied to the document and the result is sent to a central office (time stamping authority, TSA), which adds a time stamp and the hash value of the previous registration, forms a new hash and returns the result as confirmation. Every request is recorded and retained at the TSA.
  • The above task of tamper-proof storage of journal data on conventional rewritable mass storage is solved by the invention in that the cryptographic signature is formed immediately before printing, in the printer rather than by the control program of the cash register or self-service station. These are printers, in particular receipt printers, which receive the data to be printed via an interface and then return a cryptographically secure signature of this data.
  • The signature preferably includes a sequence number or a time stamp.
  • FIG. 1 schematically shows the structure of a cash register in which the invention is used.
  • The frames serve only to represent the structure and do not imply any particular modularization.
  • The cash register comprises a controller 10 and displays and input keyboards (not shown). It also includes an interface 11 to which a cable 19 is connected.
  • The cable 19 can be omitted.
  • A printer 20 for receipts belongs to the cash register. It has an interface 24 corresponding to interface 11 and a printing unit 21 for receipts.
  • The printer also includes a controller 22 which is connected to both the interface 24 and the printing unit 21.
  • A cryptographic unit 30 in the printer contains a cryptographic processor 31 and a key store 32.
  • The cryptographic unit is preferably constructed as a module, because in many cases the key store is written in a special secure environment, and the module initialized in this way, from which the key(s) can no longer be extracted, is then installed in the prepared printer. The latter may possibly take place only at the customer's site.
  • The module may be designed in the form of a chip card or a PCMCIA / PC Card unit.
  • Journal records 14 are stored.
  • Data generated via operator inputs 15 is passed by a suitable (software) journal module 12 to interface 11 and from there over cable 19 to interface 24 of the printer. There it is divided into two data streams by the controller.
  • The print data stream 25a arrives at the printing unit and is printed out.
  • A dot-matrix (mosaic) printer is usually used as the printing unit, composing the information to be printed from pixels.
  • The conversion of the coded (alphanumeric) data received at the interface into uncoded pixel data takes place either in the controller 22 or in the printing unit 21.
  • At the same time, the controller routes the received data, or a predetermined part of it, as data to be signed 25b to the cryptographic module 30. This determines a signature 26 over the data to be signed 25b and returns it to the controller, which sends this data via interfaces 24 and 11 back to the cash register.
  • The journal module 12 receives the signature 26 and stores it in the journal file together with the data sent to the printer 20 via interface 11.
  • The storage format is designed so that the signatures can easily be assigned to the journal data. The simplest way is to append the signature to the respective journal record.
  • The printer controller 22 determines which parts of the printout are relevant and are transferred into a journal data record. This can be done using control codes such as those known for formatting. These parts are assembled by the printer controller into a journal record and signed by means of the cryptographic module 30. The signature 26 is then appended to the record, and this complete journal record is sent back to the cash register for filing on the mass storage device 13. In this variant, as in the following ones, only the printer needs to be certified, tested and secured against modification of its operating software. The software of the actual cash register 10, including the journal module 12, does not have to be secured against modification.
  • In a first solution according to the invention, the part of the journal record over which the signature is formed also includes the signature of the previous record, which is inserted into the record for example by the journal module and can be taken from the journal file if necessary. Insertion or deletion of records, or both, can then easily be recognized. (Simple manipulation of a single record is already made recognizable by the signature.) If the deletion or insertion of several records as part of a manipulation is to remain undetected, the subsequent records that were not deleted would have to be re-signed, which with the present invention is possible only by printing the corresponding receipts again. As will be described later, this can be countered by printing the signature or a 'fingerprint' of it on the receipt. This solution, which already offers a high degree of protection against forgery, has the advantage that the printer and its cryptographic module do not need non-volatile memory.
  • In another variant, the cryptographic module or the sealed controller of the printer has non-volatile memory.
  • The last signature is stored there and is also used in forming the signature of the next data record, preferably by inserting it into that record. The case of manipulation described above is thus effectively prevented.
  • This sequence number is advanced after each creation of a signature and is included in forming the signature. This is achieved, for example, by placing the sequence number in a predetermined field of the data record before the signature is formed. If the cryptographic module does not return the whole record, modified with the respective sequence number and with the signature appended, then at least the current state of the sequence number must be queryable from the cryptographic module for synchronization. Usually the solution will be that the record to be signed is written into the cryptographic module. The cryptographic functions form the signature as the data arrives, so storing the entire data record is not necessary. The input is then switched to the stored sequence number, which is thus logically appended to the data record.
  • An integer incremented by one is preferably used as the sequence number, because gaps in the order of the journal records are then immediately visible.
  • Alternatively, a pseudo-random number produced by the known modulo method (see e.g. the standard work by D.E. Knuth, The Art of Computer Programming), which creates a permutation of the integers, can be used. Since a complete check of the journal file requires the entire database to be checked anyway, checking the sequence of the pseudo-random numbers is no significant additional burden.
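The chained journal described in the bullets above (the previous signature and a counter are included in the signed record, so an altered, deleted or renumbered record is detected on verification), as an added example that is not the patent's own code: HMAC-SHA256 with a module-internal key stands in for the real signature scheme, the receipts are constructed, and the class and function names are assumptions.

```python
import hashlib
import hmac
import secrets


class PrinterCryptoModule:
    """Hypothetical stand-in for the printer's cryptographic module 30.
    HMAC-SHA256 with a module-internal key replaces a real signature
    scheme; the key leaves the module only through export_key()."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)
        self.counter = 0           # sequence number, advanced after every signature
        self.last_signature = b""  # held in the module's non-volatile memory

    @staticmethod
    def record_bytes(seq: int, prev_sig: bytes, data: bytes) -> bytes:
        # Data over which the signature is formed: sequence number in a fixed
        # field, the previous record's signature, then the relevant print data.
        return b"%08d|%s|%s" % (seq, prev_sig.hex().encode(), data)

    def sign(self, data: bytes) -> dict:
        self.counter += 1
        msg = self.record_bytes(self.counter, self.last_signature, data)
        sig = hmac.new(self._key, msg, hashlib.sha256).digest()
        record = {"seq": self.counter, "prev": self.last_signature.hex(),
                  "data": data, "sig": sig.hex()}
        self.last_signature = sig  # reused when the next record is signed
        return record

    def export_key(self) -> bytes:
        # Hand the key to the auditor and switch to a fresh one, as in the
        # patent's symmetric-key variant; the old key now only verifies.
        old, self._key = self._key, secrets.token_bytes(32)
        return old


def verify_journal(records: list, key: bytes, start_seq: int = 1) -> tuple:
    """Check signatures, the counter sequence and the chain of previous
    signatures over a journal file.  Returns (ok, reason)."""
    expected_seq, prev = start_seq, b""
    for r in records:
        if r["seq"] != expected_seq:
            return False, "gap at seq %d (expected %d)" % (r["seq"], expected_seq)
        if bytes.fromhex(r["prev"]) != prev:
            return False, "chain broken at seq %d" % r["seq"]
        msg = PrinterCryptoModule.record_bytes(r["seq"], prev, r["data"])
        good = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(good, bytes.fromhex(r["sig"])):
            return False, "bad signature at seq %d" % r["seq"]
        prev, expected_seq = good, expected_seq + 1
    return True, "ok"


def demo() -> dict:
    # Constructed receipts standing in for the relevant parts of the printout.
    receipts = [b"RECEIPT 1 TOTAL 12.50", b"RECEIPT 2 TOTAL 8.00",
                b"RECEIPT 3 TOTAL 31.20"]
    module = PrinterCryptoModule()
    journal = [module.sign(r) for r in receipts]
    key = module.export_key()

    tampered = [dict(r) for r in journal]
    tampered[1]["data"] = b"RECEIPT 2 TOTAL 0.80"   # one record edited in the file

    deleted = journal[:1] + journal[2:]              # record 2 removed: counter gap

    # Record 2 removed and record 3 renumbered: the stored previous signature
    # no longer matches, and re-signing would need the module's key.
    renumbered = [dict(journal[0]), dict(journal[2], seq=2)]

    return {
        "intact": verify_journal(journal, key),
        "tampered": verify_journal(tampered, key),
        "deleted": verify_journal(deleted, key),
        "renumbered": verify_journal(renumbered, key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```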
  • In a further variant, the controller 22 or the cryptography module 30 is provided with a time-of-day clock whose current state is included in forming the signature in the same way as a sequence number.
  • This variant also has the advantage of quick verifiability of the journal file.
  • The printer controller can also be designed so that the time and date are not placed in the data to be printed by the cash register 10 itself; instead only substitute symbols are used, which are replaced by the printer controller. In such a case, returning the whole journal record is particularly useful. A procedure for setting the clock that makes manipulation difficult must then be defined. A simple solution is to allow only one adjustment per 24 hours.
  • In a further variant, the cryptographic module uses a random private key for the signature. If the signature is to be checked, the cryptographic module is instructed to hand out the key, no longer use it, and create a new one. This is useful if the electronic journal is copied from the mass storage by a trustworthy person and then kept safe by other measures. The journal can then be deleted from the mass storage. In this case the printout can be assigned to the backed-up copy of the journal using the associated key, which is now no longer secret.
  • If the processing power of the cryptographic module allows it, public-key cryptography with two different keys is preferably used.
  • The key for forming the signature must of course be stored securely against being read out of the cryptographic module 30.
  • The second, public key can be read out as desired and disseminated unprotected, in particular included in the journal file.
  • The printer 20 can be instructed to output the public part of the key currently in use on the printing unit 21. With public-key cryptography the problem of secrecy is replaced by the (more manageable) problem that the authenticity of the public key has to be secured. By printing it on a printer that is otherwise secured against manipulation, this authenticity is easily ascertainable.
  • In a variant in which the cryptographic module 30 is easily interchangeable, the inspector can temporarily remove it, read the public key in a separate device and then check the journal file.
  • The cryptographic module may be equipped with optical authenticity features, or may prove its authenticity via a further key store and a cryptographic process for identity or authenticity control.
  • In a variant, the cryptographic module forms the secret key itself as a random number.
  • This makes public-key cryptography more applicable, because the cryptographic module then only has to be equipped for announcing the public key.
  • The output of the public key can be repeated as often as required. If necessary, the public key is passed on to the competent authority in a message about commissioning.
  • In a further variant, a confirmation of receipt of the signature is sent by the journal module. Only after the journal module has received the journal data, including storage on the mass storage, is the receipt printed. This prevents receipts being printed without a journal entry in the event of memory problems, especially when the hard disk is full. This procedure corresponds to the 'two-way commit' known from databases for securely completing a transaction.
  • A reverse approach may be desirable, in which the signature is only returned after the receipt has been printed in full.
  • This solution can be combined with the previous one so that two different signatures are formed, one before and one after printing. Whether two keys are used, or the data record is changed in a predetermined way, at least by altering one bit or inserting a time counter, is left to the user. The selection depends on which solution the licensing authorities consider appropriate.
  • For a public key in particular, a technique called fingerprinting is used.
  • A public key is usually more than 512 bits long and thus comprises more than 90 characters in printable form.
  • This technique is applicable, for example, by storing the public key in the journal file. During the check of the journal file, which must be done by another program anyway, the fingerprint of the public key is formed and displayed.
  • The examiner needs the fingerprint, which he either brought with him or has the cryptographic module print out on the printing unit. If the fingerprint matches, the public key is with high probability the right key. Without this measure, the entire public key would have to be compared.
  • In a variant of the invention, in addition to the data delivered by the controller, additional data provided by the cryptographic module is printed on the receipt.
  • In particular, this is the counter number or the last digits of the counter number. The correct journal entry can then easily be found from a printed receipt.
  • The manipulation described above, in which entries are deleted, the subsequent ones re-created and if necessary the printed receipts destroyed, is no longer possible here because the counter number noticeably differs.
  • A fingerprint of the signing key may also be printed. This is preferably applied with public keys.
  • For private keys, direct inference of the private key from the fingerprint is not possible; however, provided the hash algorithm is faster than the encryption itself, the fingerprint allows a direct attack to be accelerated.
  • The description so far has referred to variants in which the print data consists of alphanumeric characters, i.e. encoded data, and not of pixels, i.e. unencoded data.
  • This preferred version requires little space in the journal and facilitates the extraction of the data to be signed. It is also possible that the print data has already been rendered and represents only pixel data.
  • In that case the signature is formed over the entire receipt and, if necessary, the entire receipt is saved in graphic form.
  • Another variant of the invention uses a printer in which both the printer controller and the cryptographic module are housed on a removable insert, the whole being secured against manipulation and, with respect to the key store, against spying ('tamper resistant').
  • This module has a connection to interface 24, via which encoded data is sent, and an output to the printing unit, through which pixel data is sent.
  • Securing the cable connections and sealing the module against exchange is then unnecessary in many applications.
  • The user can easily exchange the module for another one that prints the same receipts.
  • Such a module cannot generate valid journal data, since it does not have the secret key. In some fields of application this eliminates any sealing of interfaces and connections, because the effort to recreate the module is disproportionate to the possible gain from manipulating the journal.
  • A PCMCIA / PC Card can be designed that provides both a CD-ROM for the operating software and an interface for the cryptographic module. The protocol used for the SCSI interface is well suited to this, because several devices of different types can be addressed. Because the software and the cryptographic module can be addressed separately, it must be ensured by other measures that the CPU executes only the programs stored on the module.
  • In a further variant, a journal storage device acting as a filter module is plugged into interface 24 of the printer and then secured against exchange by sealing.
  • This solution is also possible for the cryptographic module.
  • A filter module is provided with a simple controller which monitors the data stream to the printer, has the signature of the relevant parts formed by the cryptographic module as described, and sends it back or inserts it into the print data stream.
  • The invention has the advantage that the journal file, or parts of it, can be copied at any time and sent via data carrier or remote data transmission. For example, a conventional floppy disk can be created at the end of the day, or the daily sales can be transmitted to the responsible tax office by remote data processing. Any form of data backup is suitable to protect the journal against loss.


Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE20213981 2002-09-10
DE20213981U 2002-09-10

Publications (2)

Publication Number Publication Date
EP1398741A2 true EP1398741A2 (fr) 2004-03-17
EP1398741A3 EP1398741A3 (fr) 2004-07-28

Family

ID=31724916

Family Applications (1)

Application Number Title Priority Date Filing Date
EP03018535A Withdrawn EP1398741A3 (fr) 2002-09-10 2003-08-16 Secure storage of journal data

Country Status (2)

Country Link
EP (1) EP1398741A3 (fr)
DE (1) DE10255053A1 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
SE528368C2 (sv) 2005-02-02 2006-10-31 Axtronic Ab System och förfarande för registreringskontroll
EP3576004B1 (fr) * 2018-05-30 2024-03-20 Diebold Nixdorf Systems GmbH Agencement pour l'impression securisée de données fiscales

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0780808A2 (fr) * 1995-12-19 1997-06-25 Pitney Bowes Inc. Système et procédé de reprise en cas de sinistre dans un système ouvert de dosage
EP0811955A2 (fr) * 1996-06-06 1997-12-10 Pitney Bowes Inc. Appareil sécurisé et procédé pour imprimer des valeurs avec une imprimante de valeur
US6199049B1 (en) * 1998-09-30 2001-03-06 International Business Machines Corporation Verifiable electronic journal for a point of sale device and methods for using the same
WO2001097441A2 (fr) * 2000-06-16 2001-12-20 International Business Machines Corporation Procede, systemes et programme informatique pour reduire les possibilites de piratage
WO2002015516A2 (fr) * 2000-08-17 2002-02-21 Hewlett-Packard Company Impression securisee de documents precieux

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102010015456A1 (de) * 2010-04-16 2011-10-20 Dirmeier Schanktechnik Gmbh & Co. Kg Warenabgabeeinrichtung mit einer Steuerung, insbesondere eine Schankanlage
WO2012063617A1 (fr) * 2010-11-11 2012-05-18 Seiko Epson Corporation Imprimante fiscale
CN102568121A (zh) * 2010-11-11 2012-07-11 精工爱普生株式会社 财务打印机
ITPD20110152A1 (it) * 2011-05-13 2012-11-14 Ap Esse S P A Registratore di cassa fiscale
EP3553726A1 (fr) * 2018-04-12 2019-10-16 Bundesdruckerei GmbH Procédé de mémorisation à fiabilité de manipulation des données de transaction dans un système de caisses enregistreuses électroniques et système

Also Published As

Publication number Publication date
EP1398741A3 (fr) 2004-07-28
DE10255053A1 (de) 2004-03-18

Similar Documents

Publication Publication Date Title
DE69527867T2 (de) Verfahren und Vorrichtung zum Authentifizieren eines Datanträgers, bestimmt zum Zulassen einer Transaktion oder des Zuganges zu einer Dienstleistung oder zu einem Ort; und entsprechender Datenträger
DE60011431T2 (de) Sichere systeme zum drucken von authentifizierenden digitalen unterschriften
EP1944716B1 (fr) Procédé et dispositif de sécurisation d'un document comportant une signature apposée et des données biométriques dans un système informatique
DE3044463C2 (fr)
DE69931967T2 (de) Methode zur sicherung von elektronischer information
DE69605627T2 (de) Anonymes Informationsverwaltungssystem für Statistiken, insbesondere für elektronische Wahlverfahren oder periodische Verbrauchsstücklisten
DE69329447T3 (de) Verfahren und Vorrichtung zum Herstellen eines gesicherten Dokuments und zum Überprüfen seiner Echtheit
DE69913365T2 (de) Überprüfbares elektronishes logbuch für ein verkaufsstellenendgerät und verfahren zu dessen verwendung
DE19532617C2 (de) Verfahren und Vorrichtung zur Versiegelung von Computerdaten
EP0030381B1 (fr) Procédé et dispositif pour la production et le contrôle de documents protégés contre des falsifications et document utilisé à cet effet
DE3729342A1 (de) Sicherheitsdrucker fuer ein wertdrucksystem
DE10023820B4 (de) Software-Schutzmechanismus
EP0927971B1 (fr) Procédé et dispositif postal avec une unité de lecture/écriture de cartes à puce pour le rechargement de données de changement dans une carte à puce
EP1784756B1 (fr) Procédé et système de securité pour le codage sur et univoque d'un module de securité
EP1398741A2 (fr) Secure storage of journal data
EP1807808B1 (fr) Procede et dispositif d'affranchissement d'envois postaux
DE69605654T2 (de) Elektronisch verhandelbare dokumente
DE2933764C2 (de) Verfahren und Einrichtung zum Verschlüsseln bzw. Entschlüsseln und Sichern von Daten
WO2005025128A1 (fr) Procede pour signer une quantite de donnees dans un systeme a cle publique et systeme de traitement de donnees pour la mise en oeuvre dudit procede
EP0889445B1 (fr) Procédé pour identifier des personnes ou des animaux participant aux concours sportifs
DE10020562C1 (de) Verfahren zum Beheben eines in einer Datenverarbeitungseinheit auftretenden Fehlers
EP0947072A1 (fr) Procede pour la memorisation protegee electroniquement de donnees dans une banque de donnees
DE69313777T2 (de) Verfahren und Vorrichtung zum Schreiben von einer Information auf einen Datenträger, mit Möglichkeit zur Bestätigung der Originalität dieser Information
DE102018200807A1 (de) Verfahren und Servervorrichtung zum Bereitstellen eines digitalen Fahrzeugbegleitbuchs für ein Kraftfahrzeug
EP4174703B1 (fr) Récupération de clé cryptographique

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL LT LV MK

PUAL Search report despatched

Free format text: ORIGINAL CODE: 0009013

AK Designated contracting states

Kind code of ref document: A3

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL LT LV MK

17P Request for examination filed

Effective date: 20041022

17Q First examination report despatched

Effective date: 20050222

AKX Designation fees paid

Designated state(s): DE FR GB IT

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN WITHDRAWN

18W Application withdrawn

Effective date: 20090115