Classifications

• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/60—Protecting data
  • G06F21/606—Protecting data by securing the transmission between two devices or processes
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
  • G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
  • G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
  • G06F21/77—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in smart cards
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F2221/2129—Authenticate client device independently of the user
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F2221/2137—Time limited access, e.g. to a computer or data

Definitions

• the present invention relates to a nomadic terminal for electronic transactions. It also relates to a secure electronic transaction system comprising one or more nomadic terminals.
• the invention applies in particular to the securing of terminals operating controls and contractual transactions on media equipped with memories, these media can be by contactless reading and writing cards comprising for example tickets, means of payment or any other securities to be claimed.
• An example of electronic transactions using contactless cards relates to tickets. These cards allow users to access the means of transport by passing them in front of readers placed at the entry points of the stations or at the entrance of the vehicles. Titles are dematerialized and stored in card memory. As for conventional means, of the type for example orange cards in the Paris region, the securities stored in the cards correspond to different types of subscription or contracts depending in particular on the geographical area covered, the quality of the user and of duration. Controlling the validity of a subscription requires special means unlike a conventional paper title where the characteristics of the subscription are visible. In particular, electronic reading means are necessary to read the content of the contract stored in a card. The agents in charge of the control of tickets must therefore be permanently equipped with reading devices for electronic media such as memory cards for example. These agents, the controllers, must also be able to issue tickets or modify contracts, for example subscriptions. Their devices must therefore also be able to read and write the data stored in the card memory.
• reading and writing devices can also be used in fixed points of sale, for example at tobacconists who are authorized to issue tickets.
• users must be able to charge their cards in these fixed points of sale.
• the problem of security arises for agents or sales outlets, tobacconists for example.
• An object of the invention is notably to prevent any malicious or fraudulent use of an electronic transaction terminal.
• the subject of the invention is a nomadic electronic transaction terminal comprising an application support and a coupler for performing the read and write operations on a medium necessary for electronic transactions in relation to the application.
• the coupler comprises means for creating a write time window and a read time window from a secure input signal, any writing and reading being blocked outside the corresponding windows.
• the coupler includes a clock, a first register for counting the time of the read time window and a second register for counting the time of the write time window, the registers being initialized according to the secure signal. .
• the value of the first register is compared with a first value REG_R defining the reading time window and the value of the second register is compared with a second value REG_W defining the time value of writing, the reading being blocked when the value of the first register reaches the first value REG_R and the writing being blocked when the value of the second register reaches the second value REG_W.
• the read time window and the write time window have different values.
• the writing time window is for example less than the reading time window.
• the exchanges with the coupler are done for example according to two channels: the coupler and the application support communicate between them by a confidential link; the coupler communicates with an external control device (5) via a secure link; the key Kv to open the confidential session being generated by the coupler, the opening of a confidential session being performed by mutual identification by means of the key Kv.
• this key Kv is supplied to the application support via the external control device.
• the link between the coupler and the control member passes for example by the application support which includes a routing program to route the data of the coupler to the control member.
• the secure signal from which the initialization of the write and read time windows is generated is generated by the opening of a communication session between the coupler and the control member.
• a time window may be initialized by a coded signal input to the application support.
• only the write time window can be initialized by a signal input to the application support.
• the application support and the coupler each comprise, for example, a history of the electronic transactions carried out in a given period, the histories being sent to a control organ which makes a reconciliation of the histories, a failure of reconciliation revealing a missing or falsified transaction.
• the invention also relates to a secure electronic transaction system composed of a control member and one or more terminals such as that described above.
• the control member and the coupler communicate in secure session form by mutual authentication based on a key contained in the control member and in the coupler.
• the main advantages of the invention are that it secures the use of a mobile electronic transaction terminal, that it makes it possible to detect fraudulent data or software downloads on this type of mobile device. terminal and prevent its use, and is suitable for all types of electronic transaction applications.
• FIG. 1 by a block diagram of an electronic transaction terminal according to the invention
• FIG. 2 an illustration of a possible embodiment of a system and a terminal according to the invention
• FIG. 3 an example of relative durations of a write time window and a reading time window.
• FIG. 1 presents by a block diagram a nomadic terminal of electronic transactions according to the invention.
• the terminal 1 comprises an application support 2 and a coupler 3.
• the support 2 and the coupler 3 exchange data via a link 4.
• the terminal can communicate with a server 5 via a link 6.
• the application carried by the support 2 deals for example with a ticketing application, ranging for example from the control of securities to the issuance of securities and the generation or modification of subscription contracts.
• the support 2 is for example of the type of handheld computer more commonly called PDA.
• the coupler 3 comprises in particular the function of reading the contents of an electronic medium and / or the writing function on the same medium.
• This electronic support is for example a smart card without contact with possibility of reading and writing.
• the coupler is not dedicated as such to a particular application, it is a simple device for reading and writing a contactless card for example.
• FIG. 2 presents a more detailed block diagram of an exemplary embodiment of a terminal 1 according to the invention.
• Terminal 1 is a device for the control and sale of dematerialized transport tickets, stored on contactless reading cards. It comprises a PDA 2 and a ticketing coupler 3.
• the PDA 2 includes the ticketing application program 21.
• This application deals with, for example, the control of the tickets stored in the contactless cards as well as the issue of securities. It also deals with changes or renewals of the subscription contract. A title control is done by reading the card. Title issuance or contract amendment / renewal is done by a read and write operation on the card. The nature and duration of a subscription are stored on a card by a write operation. To determine the price to be paid by the user, a reading operation may be necessary to check the characteristics of the user, his rights to reduction for example. To process all the ticketing operations the application 21 contained in the PDA stores for example all types of contracts by type of user, durations, geographical areas, by means of transport etc ... The PDA exchange data with the coupler 3 by a link 4.
• connection can be wireless, of the "bluetooth" type, for example.
• the application or a part of the ticketing application is loaded into the coupler via this link 4 in a memory space 22 provided for this purpose.
• the terminal 1 also comprises a link 6 with a server 5.
• the link 4 between the PDA 2 and the coupler 3 thus allows the exchange of data between these two elements.
• the confidentiality of the exchanges between the coupler and the PDA is ensured by a key Kv which serves as mutual identification.
• the key Kv serves as a mutual identification, for example by exchange of keys drawn randomly. It is for example changed regularly on the initiative of the coupler or PDA. In an operating mode, this key Kv is for example renewed randomly by the coupler and supplied to the PDA.
• a key Kv 1+ I is for example sent to the encrypted PDA with the previous session key Kv ,.
• the coupler 3 comprises a program 23 for managing this key Kv, in particular of the generation random of the various keys Kv, which compose it.
• the PDA is not deemed reliable, this key is simply confidential.
• the coupler 3 is the secure element of the mobile terminal 1. It comprises for example a ticketing application for performing the readings and writes of securities, the ticketing processing being implemented elsewhere by PDA. Only the coupler 3 can perform the operations of reading and writing contactless cards necessary for electronic ticketing transactions.
• the link 6 between the terminal 1 and the server 5 allows in particular the exchange of data between the coupler 3 and the server 5.
• the connection between the coupler and the server is for example secured by mutual authentication based on keys 24, 24 contained in the server 5 and in the coupler 3.
• the authentication responds for example to the ISO 9798-2 protocol.
• the coupler and the server are deemed reliable, these keys are secret.
• the PDA 2 can serve as communication relay between the coupler and the server.
• it comprises a routing program 26.
• the exchanges it routes through this program 26 are therefore encrypted by the key Kab and are therefore known only from the ends of the chain, namely the coupler 3 and the server 5.
• the coupler 3 is considered as a device from the ticketing point of view. However it is not as such dedicated to a ticketing application.
• the application depends in particular on the software loaded in the memory 22 of the coupler dedicated to the application. It is possible to load all types of applications, especially other than ticketing.
• the coupler communicates with the PDA and with the server. Its links with the outside are thus done by two channels:
• the confidential session prevents the operation of an unpaired coupler with a PDA.
• the confidential session is established through the link 4 between the coupler and the PDA. If the PDA does not know the key Kv generated by the coupler 3, the opening of sessions between the PDA and the coupler is not possible.
• the two elements 2, 3 can not be paired and the terminal 1 does not work.
• the secure session 6 is in particular the only one that allows to reload the internal data necessary for the operation of the coupler, that is to say in particular the application. It thus makes it possible to load the application software 22 specific to the coupler, in the case of the example of FIG. 2, and the other necessary internal data.
• the server 5 also allows the coupler and the PDA to be paired by providing the PDA with the key Kv, confidential, when the coupler gives it to him in a secure session using a key Kab.
• the means of finding it is to connect to the server in a secure manner by the link coupler-server 6. This is particularly the case in the case of the first initialization where the server reloads the Kv key in the PDA after being aware of the coupler under secure session obtained with the key Kab.
• the coupler 3 comprises a real-time clock 27 and registers for storing read time window values 10 and write 1 1.
• the coupler 3 also includes time registers 28, 29 associated with the clock 27 for measure time intervals. More particularly, a first time register 28 is assigned to the counting of the time of the reading time window and a second time register 29 is assigned to counting the time of the write time window.
• the clock and its associated registers 28, 29 even evolve off.
• the clock 27 is for example a counter incremented by fronts of a quartz oscillator.
• the coupler compares the value REG_R and REG_W of these registers 28, 29 with the data the value REGJH of the clock 27 increased by respectively T_R and T_W entered in the registers 10, 1 1.
• These data T_R and T_W respectively define the value of the temporal opening in reading and the opening time in writing.
• the coupler is blocked in writing. He can no longer perform ticket sales or subscription operations, or contract modification for example.
• T_W may be set to one day and T_R may for example be set to one week.
• FIG. 3 illustrates in two timing diagrams an example of a time window 31 for writing and an example of a time window 32 for reading.
• the coupler stores the time of the last initialization of the time registers 28, 29. This initialization is performed at a time t 0 during a communication established with the server 5.
• the server can also modify the values of the registers 10, 1 1 for defining the time windows. In fact, during a communication session with the server 5, the following data can be reloaded:
• an application software for example ticketing
• the values T_R and T_W of the durations of the time windows of reading and writing are an application software, for example ticketing; the values T_R and T_W of the durations of the time windows of reading and writing.
• a write time window is initialized and a read window is initialized. Beyond the first window any write operation is impossible and beyond the second window any read operation is impossible.
• An agent can thus connect the coupler 3 to the server 5 at the beginning of the mission for example. Then he disconnects and goes on a mission. If its terminal 1 is stolen or lost, ticket sales operations or subscription contracts may not exceed 24 hours from the initialization connection to the server. Of even after one week any reading operation will be impossible.
• the durations of the time windows do not have the same duration for writing and reading. For some applications these windows could be of the same duration.
• An advantage provided by different window durations 31, 32 is the flexibility of use.
• the case of a control and ticketing agent illustrates this advantage.
• the agent connects its terminal 1 to the server. More particularly, the coupler 3 enters into communication with the server 5.
• the time window for writing is then opened for example for a duration of 24 hours and the time window for the reading is then open for a duration of one week. In this case, it is possible to provide the possibility of resetting the time register 29 provided for the write time window a certain number of times without direct connection to the server.
• the agent can then call a service that gives him a code to reset this time register 29, the time window being reset for 24 hours.
• the operation can be repeated one week during the opening time of the read time window 32.
• This window 32 requires a connection to the server 5 to be reset.
• an agent who lives far from the server storage location 5 does not need to move every day to reset the time window for writing to or near the server. Beyond a week, however, any use of the terminal is impossible because the time window for reading is closed and it can be reactivated only by a mutual authentication connection to the server.
• a system is for example provided to inhibit the operation of the coupler. In the exemplary embodiment of FIG.
• the initialization of the write 31 and read 32 write windows is done by a secure connection to the server 5.
• the initialization of the time windows is done by a secure signal from a server or other external device.
• This secure signal can also be entered as a code grasped by an agent or a user on the coupler, particularly and advantageously for opening the write window 31.
• the coupler 3 comprises a register 12 which includes the history of the transactions carried out by the coupler 3 during a given limited period or not.
• the latter memorizes in this history 12 all the cards he has processed.
• it can store for each transaction a sequence number 121, an operation code 122 and a physical number of the card 123 or any other identification code of the card.
• This history is sent by secure session to the server 5, for example each time the coupler is put into communication by mutual authentication with the server.
• the secure session can be done via the link 6 between the coupler and the server by the use of the key Kab.
• the PDA 2 also includes a transaction history 13 during a given period, limited or not. These are transactions made by PDA itself.
• the transactions stored in this history are stored at each transaction performed by the PDA 2.
• the history 13 of the PDA includes for each stored transaction the sequence number 131 seen from the PDA, the number 132 of the PDA or any other identifier thereof and the physical number 133 of the card object of the transaction or any other code making it possible to identify this card.
• the identifier of the card is sent by the coupler via the link 4.
• the transactions stored by the PDA correspond to the transactions memorized by the coupler.
• the histories 12, 13 comprise, for example, the instant of each transaction, the instant being for example provided by the clock 27 of the coupler 3.
• the history 13 may be sent regularly to the server 5, for example via link 6 between the coupler 3 and the server 5 which passes through the PDA.
• the history 13 of the PDA can also be sent by any other means to the server, for example by telephone link or network.
• the server thus has two transaction histories, the history 12 stored by the coupler and the history 13 stored by the PDA. Theoretically these histories relate to the same transactions.
• the server can thus comprise a comparison function of these two 13.
• Advantageously these two histories provide an additional degree of security to the terminal 1. In particular, this security makes it possible to detect fraudulent transactions.
• a difference between the two histories, for example a transaction missing in the history 13 of the PDA is a fraud. This fraud may be due for example to a fraudulent sale stored in the history 12 of the coupler but not stored in the history 13 of PDA, or vice versa. It is thus possible to detect and identify transactions deleted or modified by an agent or malicious user.
• the server 5 can correlate the transaction data it receives from the PDA 2, which are unreliable, with the transaction data, safe, it receives from the coupler 3 in the form of history. Its monitoring role extends to other terminals. In particular, he verifies that what has been validated has been sold and what has been sold has been paid for. It makes it possible to pair a coupler with a PDA by supplying the PDA with the confidential key Kv when the coupler gives it to it under secure session by the key Kab. A system composed of the server 5 and one or more mobile electronic transaction terminals such as that presented above then forms a secure electronic transaction system.
• the server 5 is the only element of the system that allows to recharge the coupler since it is the only one to know the key Kab.
• the histories 12, 13 could be sent to other control organs than the server 5 to perform their approximation, with the appropriate links.
• This control member 5 reconciles the transactions stored in the history 12 of the coupler 3 with those stored in the history 13 of the PDA 2.
• a mis-match that is to say a transaction present in a register and no in the other, reports a wrong transaction, fraudulent or not.
• An example of reconciliation is the comparison made on the aforementioned data121, 122, 123, 131, 132, 133 of the records 12, 13.
• Other types of transaction reconciliations stored in these histories 12, 13 are possible.
• the invention has been presented for a ticketing application, more particularly for the processing of tickets by a nomadic terminal. It can of course apply to other areas and more generally to other types of electronic transactions using a mobile terminal requiring a certain level of security.
• the media used in the example application is a contactless read and write card. It is obviously possible to use other types of media.
• the application support 2 has been described as being a PDA. It is possible to use other types of application media, for example a laptop, a mobile phone or any other type of human-machine interface capable of connecting to a server 5 and a coupler 3.
• the link 6 between the coupler 3 and the server 5 and the link 4 between the coupler and the PDA have been described as being wireless links, for example of the bluetooth type.
• the application support 2 and the coupler 3 have been presented as two components having different physical supports. In another embodiment, the application support 2 and the coupler 3 could be placed on the same physical support. However, the separation of the application support 1 and the coupler 3, that is to say the fact of communicating via a confidential link 4, provides an additional security element.
• the server 5 or any other external control device only makes it possible to pair a coupler 3 and an application support 2.
• the key Kv for example that makes it possible to open the communication sessions between the application support 2 and the coupler 3 is provided by the server 5 to the coupler by secure connection, by means of the key Kab for example. The coupler then transmits this key Kv to the application support 2. As indicated above, this key may be renewed, for example in a random manner.

Landscapes

• Engineering & Computer Science (AREA)
• Theoretical Computer Science (AREA)
• Computer Hardware Design (AREA)
• Physics & Mathematics (AREA)
• General Engineering & Computer Science (AREA)
• Computer Security & Cryptography (AREA)
• Software Systems (AREA)
• General Physics & Mathematics (AREA)
• Mathematical Physics (AREA)
• General Health & Medical Sciences (AREA)
• Health & Medical Sciences (AREA)
• Bioethics (AREA)
• Storage Device Security (AREA)
• Devices For Checking Fares Or Tickets At Control Points (AREA)
• Credit Cards Or The Like (AREA)
• Control Of Vending Devices And Auxiliary Devices For Vending Devices (AREA)

Applications Claiming Priority (2)

Publications (1)

Family

ID=35276387

Family Applications (1)

Country Status (12)

Families Citing this family (4)

Family Cites Families (5)

• 2005
  • 2005-04-29 FR FR0504389A patent/FR2885246B1/fr not_active Expired - Fee Related
• 2006
  • 2006-04-28 RU RU2007144513/08A patent/RU2412484C2/ru not_active IP Right Cessation
  • 2006-04-28 BR BRPI0610977-2A patent/BRPI0610977A2/pt not_active IP Right Cessation
  • 2006-04-28 CA CA002610049A patent/CA2610049A1/en not_active Abandoned
  • 2006-04-28 EP EP06754934A patent/EP1875426A2/de not_active Withdrawn
  • 2006-04-28 US US11/912,933 patent/US8719570B2/en not_active Expired - Fee Related
  • 2006-04-28 MX MX2007013557A patent/MX2007013557A/es not_active Application Discontinuation
  • 2006-04-28 WO PCT/EP2006/061944 patent/WO2006117351A2/fr active Application Filing
  • 2006-04-28 CN CNA2006800233448A patent/CN101208717A/zh active Pending
• 2007
  • 2007-10-29 EG EGNA2007001178 patent/EG25527A/xx active
  • 2007-11-22 MA MA30413A patent/MA29525B1/fr unknown
  • 2007-11-28 ZA ZA200710305A patent/ZA200710305B/xx unknown

Non-Patent Citations (1)

Also Published As

Similar Documents

Legal Events