MXPA98004542A - Method to load an electronic payment to an account - Google Patents

Method to load an electronic payment to an account

Info

Publication number
MXPA98004542A
Authority
MX
Mexico
Prior art keywords
payment
authentication
value
further characterized
station
Prior art date
Application number
MXPA/A/1998/004542A
Other languages
Spanish (es)
Inventor
Wissenburgh Jelle
Feiken Albertus
Muller Frank
Brehler Johannes
Klaas De Lange Martin
Johannes Wilhelmus Maria Hendricus
De Pavert Van
Original Assignee
Koninklijke Ptt Nederland Nv
Priority date
Filing date
Publication date
Application filed by Koninklijke Ptt Nederland Nv filed Critical Koninklijke Ptt Nederland Nv
Publication of MXPA98004542A publication Critical patent/MXPA98004542A/en

Abstract

The invention relates to a method for protected transactions that includes a so-called smart card and a terminal, such as a cash register, to prevent the smart card from simultaneously making transactions with several terminals. The invention provides an authentication value that is used in the exchange of data between the smart card and the terminal to identify only subsequent transactions.

Description

METHOD TO CHARGE AN ELECTRONIC MEANS OF PAYMENT TO AN ACCOUNT

BACKGROUND OF THE INVENTION

The invention relates to a method for charging an electronic payment means to an account, such as an electronic payment card provided with an integrated circuit ("chip card"). In particular, but not exclusively, the invention relates to a method for securely charging to an account prepaid electronic payment cards ("prepaid cards") when they are used, for example, for telephone booths. In this text, the term means of payment will be used irrespective of the form or type of the specific means of payment. Therefore, a means of payment can be made up of, for example, a revaluable payment card (that is, a payment card whose balance can be increased) or an electronic means of payment that does not have the form of a card.

In recent years, electronic means of payment are being applied more and more, not only to pay for the use of public telephone equipment, but also for many other payment purposes. Since these means of payment generally contain a balance (credit) that represents a monetary value, it is necessary that the exchange of data between said means of payment and a payment station (such as telephone equipment designed for electronic payment or an electronic cash register) runs according to a protected method (payment protocol). Here it must be ensured, for example, that an amount (monetary value or numerical units of calculation) charged to the account of the payment means corresponds to an amount (monetary value or calculation units) paid elsewhere: the amount paid by a customer must correspond to the amount to be received by a provider. The amount paid will be stored, for example, in a protected module present in the payment station.
The prior art payment methods, as described in, for example, European patent application EP 0 637 004, consist of: a first step, in which the balance of the means of payment is retrieved by the payment station; a second step, in which the balance of the means of payment is reduced (charge to the account of the means of payment); and a third step, in which the balance of the means of payment is retrieved again. From the difference between the balances of the first and third steps, the amount paid, and hence the amount to be paid at the payment station, can be determined. The second step can be repeated several times, possibly in combination with the third step.

To prevent fraud, in this known method the first step makes use of a random number that is generated by the payment station and transferred to the means of payment, for example as part of a code with which the balance is retrieved. Based on said random number, the means of payment generates as a first response an authentication code that can be constituted by a (for example, cryptographically) processed form of, among others, the random number and the balance. Using a different random number for each transaction prevents a transaction from being imitated by repetition. In addition, in the third step a second random number is used, which is also generated by the payment station and transferred to the means of payment. Based on the second random number, the means of payment generates as a second response a second, new authentication code, which may consist of a processed form of, among others, the second random number and the new balance. Based on the difference between the two balances transferred, the payment station (or a protected module of the payment station, as the case may be) can determine by what amount the balance of the payment station must be increased.
Said known method is basically very resistant to fraud as long as a means of payment communicates with one payment station (or protected module). However, the disadvantage of the known method lies in the fact that the first and second authentication codes are independent. If a second or third payment station (or protected module) communicates with the means of payment, it is possible, due to that independence, to separate the first step from the second and third steps. As a result, an apparently complete transaction can be achieved without the means of payment in question being charged for the same amount as the amount for which the payment stations (or protected modules) are paid in total. It will be understood that this situation is undesirable.

U.S. Patent 5,495,098 and the corresponding European patent application EP 0 621 570 describe a method in which the identity of the security module of the payment station is used to ensure that a data exchange is carried out between the card and only one terminal. The protection of the data exchange between the security module, the station and the card is relatively complicated and requires extensive cryptographic calculations. Other methods of the prior art are described in, for example, European patent applications EP 0 223 213 and EP 0 570 924, but these documents offer no solution to the problems mentioned above.
BRIEF DESCRIPTION OF THE INVENTION

An objective of this invention is to eliminate the above problems and other disadvantages of the prior art, and to provide a method that offers an even greater degree of protection for charge-to-account transactions. In particular, an object of the invention is to provide a method that ensures that during a transaction only communication between the means of payment and one payment station or protected module takes place. More particularly, an object of the invention is to provide a method that ensures that the amount by which the balance of a payment means is decreased during a transaction corresponds to the amount by which the balance of a single payment station or protected module is increased.

Therefore, this invention provides a method for performing a transaction using a means of payment and a payment station, the method consisting in the repeated execution of an interrogation step in which the payment station interrogates the means of payment and receives data from the means of payment in response, the data of the means of payment consisting of an authentication code produced by a predetermined procedure, a subsequent authentication code being linked to a preceding authentication code of the same transaction by an authentication value produced both in the means of payment and in the payment station. By linking the authentication codes through authentication values, it is possible to distinguish the authentication codes of the original transaction from the authentication codes of an interfering transaction. Preferably, the authentication value is altered in each interrogation step, thus providing improved security.

More specifically, this invention provides a method for performing protected transactions using an electronic means of payment and a payment station, the method consisting of:

- an initial step, in which:
  - the payment station transfers a first random value to the means of payment,
  - the means of payment, in response to the first random number, transfers a first authentication code to the payment station, the first authentication code being determined based on at least the first random value and a first authentication value, and
  - the payment station (12) checks the first authentication code (CAM1);
- an intermediate step, in which:
  - the payment station transfers a command to the means of payment, and a balance of the means of payment is changed based on the command; and
- an additional step, in which:
  - the payment station (12) transfers a second random number (R2) to the means of payment (11),
  - the means of payment transfers a second authentication code to the payment station, the second authentication code being determined based on at least the second random number and a second authentication value, the second authentication value being determined from the first authentication value, and
  - the payment station derives the second authentication value from the first authentication value and checks the second authentication code.

Forming the authentication codes based on, among others, mutually related authentication values offers the possibility of testing whether the second authentication code (of the third step) is related to the first authentication code (of the first step). Generating a new authentication value each time an authentication code has to be determined offers the possibility of distinguishing consecutive authentication codes, and from there distinguishing authentication codes associated with different transactions. If each time the first or third step is carried out a unique authentication value is generated, it can be unequivocally determined which second authentication code is related to which first code. From there it can also be determined whether, within a transaction, a second authentication code has already been issued. Authentication values are basically generated autonomously by the means of payment.
Preferably no external influence is possible, to prevent fraud. Authentication values can be generated in various ways, for example, by a random generator or by a counter. The first and second authentication values of a transaction may be related, for example, by having the same value, or by having mutually dependent values such as consecutive values of a counter. Also, the first authentication value can be a random number, and the second authentication value can be formed from the first value by adding a certain number. Basically, each pair of authentication values must be related in such a way that this can be unambiguously checked.

In addition, another objective of the invention is to provide an electronic means of payment and a payment station in which the method is applied.
BRIEF DESCRIPTION OF THE DRAWINGS

The invention will be explained in more detail below with reference to the Figures.

Figure 1 shows schematically a payment system in which the invention can be applied.
Figure 2 shows schematically a method in which the invention is applied.
Figure 3 shows schematically the production of an authentication code as used in the method of Fig. 2.
Figure 4 shows schematically the integrated circuit of a payment means with which the invention can be applied.
DESCRIPTION OF THE PREFERRED MODALITIES

The electronic payment system 10 shown schematically in Figure 1 consists, as an example, of an electronic means of payment, such as the known chip card or logical card 11, a payment station 12, a first payment institution 13, and a second payment institution 14. The payment station (terminal) 12 is shown in Figure 1 as a "cash register" but may also consist, for example, of (public) telephone equipment. The payment institutions 13 and 14, both denoted as a bank in Figure 1, need not be banks but can also be other institutions that have at their disposal means (computers) to settle payments. In practice, payment institutions 13 and 14 can form one payment institution. In the example shown, the means of payment 11 consists of a substrate and an integrated circuit having contacts 15, which circuit is designed to process (payment) transactions. The means of payment can also consist of an electronic wallet.

An exchange of payment data PD1 takes place between the payment means 11 and the payment station 12. The means of payment 11 is associated with the payment institution 13, while the payment station 12 is associated with the payment institution 14. Between the payment institutions 13 and 14 a settlement is made after a transaction by exchanging payment data PD2, which is derived from the payment data PD1. During a transaction basically no communication is carried out between the payment station 12 and the payment institution 14 in question (a so-called offline system). Transactions must therefore occur under controlled conditions to ensure that the system cannot be abused. Such abuse can be, for example, increasing a balance of the means of payment (card) 11 in a way that does not agree with a change of balance of a counterpart account at the payment institution 13.
The diagram in Figure 2 shows the exchange of data between (the integrated circuit of) the means of payment, denoted as "Card" (11 in Figure 1), and (the protected module of) a payment station, denoted as "Terminal" (12 in Figure 1), with consecutive events shown one below the other.

In the first step, denoted by I, the terminal (payment station) produces a first random number R1 and transfers this number to the card (means of payment) (sub-step Ia). In practice, the random number R1 can be part of a code for retrieving an authentication code. According to the invention, the card and the terminal produce a first authentication value A1, for example, by increasing a counter, by activating a random number generator, or both. Based on the random number R1, the first authentication value A1 and other data, preferably including the card balance S1 of the means of payment, the card produces an authentication code CAM1 = F(R1, S1, ...), where F can be a cryptographic function known per se (sub-step Ib). The card data S1 and A1 as well as the authentication code CAM1 are transferred to the terminal (sub-step Ic). The terminal checks the authentication code based on, among others, R1, S1 and A1 and, in case of a positive check result, records the balance S1. It should be noted that the transfer of the value A1 to the terminal is not essential to this invention but serves to provide additional protection against fraud.

In the second step, denoted as II, the terminal produces a debit command D, consisting of the value (amount) to be charged to the card. The command D to charge the card is transferred to the card, after which the balance S1 of the card is decreased by the amount to be charged, giving S2. The second step can possibly be repeated several times.

In the third step, denoted as III, the terminal produces a second random number R2 and transfers this to the card (sub-step IIIa). The card generates a second authentication value A2. Based on the random number R2, the second authentication value A2 and other data, including the new balance S2 of the card, the card produces an authentication code CAM2 = F(R2, S2, ...), where F can be a cryptographic function known per se (sub-step IIIb). The card balance S2 and the authentication value A2 as well as the authentication code CAM2 are transferred to the terminal (sub-step IIIc). The third step can thus run analogously to the first step.

The terminal checks the authentication code CAM2, for example, by reproducing the authentication code and comparing the random number R2. The terminal also checks whether the received second authentication value A2 is equal to the corresponding value produced in the terminal. If the authentication values A2 are not equal, the transaction is terminated and the balance of the terminal is not modified. If the verification of the authentication code CAM2 has a positive result, the terminal registers the balance S2. Instead of reproducing the authentication codes CAM1 and CAM2, a decipherment can be performed, for example, by applying the inverse of the function F.

In a fourth step, denoted as IV, the difference of the balances S1 and S2 can be determined and recorded in the terminal. In this connection, that difference can be stored separately or added to an existing value (balance of the payment station) to be settled later. Said fourth step, as well as any following steps, is not essential for the invention. The steps shown in Figure 2 may be preceded by an authentication or verification step, which, however, is also not essential for this invention.

In the diagram discussed above, the random values R1 and R2 can, however, be identical (R1 = R2 = R), so that in step III it can be verified whether the code CAM2 still makes use of the same random number R (= R1).
It should be noted that, strictly speaking, the number R1, as well as the number R2, does not need to be a random number; it serves for the unambiguous identification of the authentication code CAM1 as a response to R1 ("challenge"). It is essential only that R1 is not recognizable to the card.

In accordance with the methods of the prior art, the authentication codes CAM1 and CAM2 are basically independent. This means that, if the random numbers R1 and R2 differ, there is no direct or indirect relationship between the values of CAM1 and CAM2. Due to this independence, there is basically no guarantee that steps I and III will be carried out between the same card and the same terminal.

However, according to the invention, when the second authentication code is determined, an authentication value is used that is directly related to the authentication value used to determine the first authentication code. As a result, a relationship is established between the two authentication codes of the transaction in question. This relation is preferably in a straight line (for example A2 = A1 + 1), allowing a simple check.

If, for example, the card receives a (first) random value R1' from a second terminal after the card has issued a first authentication code CAM1 to the first terminal, the card will issue a second authentication code CAM2. If after that the first terminal, after issuing a debit command, again retrieves an authentication code, the card issues an additional authentication code CAM3, which is based, among others, on the additional authentication value A3. The terminal will observe that the authentication codes CAM1 and CAM3 are not related, and will not be able to use the balance value S3 that was included in the authentication code CAM3. Similarly, an authentication code CAM4, which is retrieved by the second terminal, does not provide any valid authentication and therefore no valid balance value.
In this way, the transfer of modified balance values to several terminals is effectively prevented. The authentication values are preferably formed by consecutive numbers, e.g. counter positions. It is also possible to use a counter that is incremented alternately (every second time an authentication value is generated), so that each time two consecutive authentication values are equal. It should be noted that the means of payment can distinguish between the first and the third step, but it is not necessary to do so. Said dependence of the authentication values according to the invention ensures that all the steps of the transaction in which the method according to the invention is applied are carried out between the same payment means and the same terminal.
Figure 3 shows schematically how an authentication code CAM ("Message Authentication Code"), such as CAM1 and CAM2 of Fig. 2, can be produced. Various parameters are introduced into a processing means 20 embodying a function denoted as "F". This function F may be a cryptographic function (such as the function known as DES) or the function called "revolver", both of which are well known in the art. Alternatively, the function F is a relatively simple combinatorial function, in which case the processing means 20 may consist of a shift register with selective feedback.

The parameters input to the processing means 20, and therefore to the function F, are in the example of Fig. 3: a random value R, a balance S, an authentication value A, a key K and an initialization vector (initial value) Q. The random value R corresponds, for example, to the values R1 and R2 transmitted to the card in step I and step III respectively. The card balance S corresponds, for example, to the balances S1 and S2 stored on the card. The key K can be a (secret) key which is preferably unique to a specific card or batch of cards. A card identifier can be exchanged with the terminal in an authentication or verification step prior to step I of Figure 2. The initialization vector Q, which initializes the procedure F, can always have a fixed value, e.g. zero. Alternatively, the vector Q depends on the residual (final state) of the function F after the previous step of the transaction. Preferably, the vector Q is re-established when a new transaction is initiated.

In the example shown, the authentication value A is generated by the counter 21. The counter is preferably increased at each interrogation step (for example, step I and step III), that is, at each step in which an authentication code (CAM) is produced in response to a random number (R). This results in a different authentication value A being used for each authentication code.
As long as the increase (in this case +1, but +2 or +10 are also possible) is predetermined, the terminal is able to verify the authentication code. Preferably, the authentication value is also transmitted to and verified by the terminal. The counter 21 is established when a new transaction is initiated.

In the example of Fig. 3, the authentication value A is produced by a counter. Alternatively, the counter 21 is replaced by a random number generator, which generates a new authentication value A for each interrogation step (for example, steps I and III) of the transaction. In this case, the authentication value of the previous step must be used as the initialization vector ("seed") of the random number generator to preserve the mutual dependency and the reproducibility of the authentication values.
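The two-terminal scenario described above, with the counter-based authentication value of Fig. 3, as a runnable simulation. This is an added example, not code from the patent: HMAC-SHA256 stands in for the function F, the key, balances and class names are constructed for illustration, and `linked=False` is a simplified model of a prior-art terminal that does not derive A2 from A1.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-demo-key"  # constructed sample key K, held by card and terminals


def F(key, r, balance, a):
    # Stand-in for F(R, S, A, K) of Fig. 3. HMAC-SHA256 is an assumption of this
    # example; the patent names DES or a simpler combinatorial function.
    msg = r + balance.to_bytes(8, "big") + a.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class Card:
    def __init__(self, key, balance):
        self.key, self.balance, self.counter = key, balance, 0

    def interrogate(self, r):
        # Steps I and III: the counter advances on every interrogation,
        # autonomously, with no way for the terminal to set it.
        self.counter += 1
        a = self.counter
        return self.balance, a, F(self.key, r, self.balance, a)

    def debit(self, amount):
        # Step II: debit command D.
        if not 0 < amount <= self.balance:
            raise ValueError("invalid debit amount")
        self.balance -= amount


class Terminal:
    def __init__(self, key, linked):
        self.key, self.linked = key, linked
        self.collected = 0
        self.s1 = self.a1 = None

    def step_one(self, card):
        r1 = secrets.token_bytes(8)
        s1, a1, cam1 = card.interrogate(r1)
        if not hmac.compare_digest(cam1, F(self.key, r1, s1, a1)):
            return False
        self.s1, self.a1 = s1, a1
        return True

    def step_three(self, card):
        r2 = secrets.token_bytes(8)
        s2, a2, cam2 = card.interrogate(r2)
        # linked=True: the terminal derives A2 itself (A2 = A1 + 1).
        # linked=False: any A2 the card reports is accepted (independent codes).
        expected = self.a1 + 1 if self.linked else a2
        ok = a2 == expected and hmac.compare_digest(
            cam2, F(self.key, r2, s2, expected))
        if ok:
            self.collected += self.s1 - s2  # step IV: record S1 - S2
        return ok


def honest_run():
    card, terminal = Card(KEY, 100), Terminal(KEY, linked=True)
    terminal.step_one(card)
    card.debit(5)
    ok = terminal.step_three(card)
    return ok, terminal.collected, card.balance


def interleaved_run(linked):
    # One card answers two terminals; only one debit reaches the card.
    card = Card(KEY, 100)
    t1, t2 = Terminal(KEY, linked), Terminal(KEY, linked)
    t1.step_one(card)          # card uses A = 1
    t2.step_one(card)          # card uses A = 2
    card.debit(5)
    ok1 = t1.step_three(card)  # card uses A = 3, t1 expects 2
    ok2 = t2.step_three(card)  # card uses A = 4, t2 expects 3
    return ok1, ok2, t1.collected + t2.collected, 100 - card.balance


if __name__ == "__main__":
    print("honest:", honest_run())
    print("independent codes:", interleaved_run(linked=False))
    print("linked codes:", interleaved_run(linked=True))
```

With independent codes both terminals record 5 while the card loses 5 in total; with linked authentication values neither terminal records a balance, which is the termination behaviour the description requires.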
It will be understood that the scheme of Fig. 3 applies to both the card and the terminal. The terminal therefore produces authentication values A1, A2, ... and authentication codes MAC1, MAC2, ... and compares them with the corresponding authentication codes and values received from the card. A balance (for example S2) will only be accepted by the terminal if the produced and received authentication codes and values are the same.

Based on Fig. 4, it will further be explained how the method according to the invention can be applied to payment cards. The diagram of Fig. 4 shows a circuit 100 having a control unit 101, a memory 102 and an input/output unit 103, which are mutually connected. The control unit can be formed, for example, by a microprocessor or microcontroller. The memory 102 may consist of a RAM and/or ROM. The memory 102 preferably consists of a rewritable ROM (EEPROM). In accordance with the invention, the circuit 100 also includes a supplementary memory 105 for storing authentication values. As shown in Fig. 4, said memory 105 can form a separate unit, but it can also be part of the memory 102 and, for example, be formed by a few memory locations of the memory 102. The memory 105 is preferably formed by a counter circuit. Alternatively, a separate counter circuit as shown in Fig. 3 may be used.

In a preferred embodiment, consecutive authentication values are formed by consecutive counter positions. A first authentication value A1, which is used to form the authentication code CAM1, corresponds to a position of the counter, as stored in the memory 105. After the second step (see also Fig. 2) the position of the counter is increased by one. The initial position of the counter can be basically random, but it can also be reset to a predetermined value, for example zero. The generation of authentication values occurs autonomously, that is, without (possible) influence from the outside. As a result, resistance to fraud also increases.
It will be understood that, instead of increasing the position of the counter each time, it can each time be decreased by one. Also, the position of the counter can each time be increased or decreased by more than one, for example, by two or four. It is also possible to construct the circuit 100 so that the authentication value(s) are not modified within a transaction but only between transactions. In that case, the payment station is of course arranged for that purpose.

A payment station for the application of the invention consists of a means (such as a card reader) for communicating with a means of payment, a means for performing authentications (such as a processor) and a means for recording balance values (such as a semiconductor memory). The payment station is constructed in such a way that a failed authentication makes it impossible for a new balance value to be registered. The authentication according to the invention also comprises the authentication values. The steps of the method according to the invention can be implemented both in equipment (a specific circuit, such as an ASIC) and in programs (a suitable program for a processor).

It will be understood by those skilled in the art that the invention is not limited to the modes shown, and that many modifications and amendments are possible without departing from the scope of the invention. Thus, the principle of the invention is described above on the basis of debiting a means of payment, but said principle can also be applied to crediting a means of payment.

Claims (14)

1. A method for performing a protected transaction using an electronic means of payment (11) and a payment station (12), the method consisting of:
- an initial step (I), in which:
  - the payment station (12) transfers a first random value (R1) to the means of payment (11),
  - the means of payment (11), in response to said first random value (R1), transfers a first authentication code (CAM1) to the payment station (12), the first authentication code (CAM1) being determined based on at least the first random number (R1) and a first authentication value (A1), and
  - the payment station (12) checks the first authentication code (CAM1); and
- an additional step (III), in which:
  - the payment station (12) transfers a second random value (R2) to the means of payment (11),
  - the means of payment (11) transfers a second authentication code (CAM2) to the payment station (12), the second authentication code being determined based on at least the second random number (R2) and a second authentication value (A2), the second authentication value (A2) being derived from the first authentication value (A1), and
  - the payment station (12) derives the second authentication value (A2) from the first authentication value (A1) and checks the second authentication code (CAM2).
2. The method according to claim 1, further characterized in that the first and second authentication values (A1, A2) are identical.
3. The method according to claim 2, further characterized in that the first and second authentication codes (A1, A2) consist of consecutive counter values.
4. The method according to claim 1, further characterized in that an authentication value (for example A2) is each time formed based on a random number (for example R2) and the prior authentication value (A1).
5. The method according to any of the preceding claims, further comprising an intermediate step (II), in which: the payment station (12) transfers a command (D) to the means of payment (11), and a balance of the means of payment (11) is changed based on the command (D).
6. The method according to any of the preceding claims, further characterized in that the first random number (R1) is equal to the second random number (R2).
7. The method according to any of the preceding claims, further characterized in that an authentication code (e.g., MAC2) is also determined based on a key and an identification code.
8. The method according to any of the preceding claims, further characterized in that an authentication code (for example MAC1) is determined with the help of a cryptographic function (F).
9. The method according to any of the preceding claims, further characterized in that in the first and third steps (I, III) the means of payment (11) transfers a balance (for example, S1) to the payment station (12).
10. The method according to any of the preceding claims, further characterized in that in the first and third steps (I, III) the means of payment (11) transfers the current authentication value (for example A1) to the payment station (12).
11. The method according to any of the preceding claims, further characterized in that the third step (III) is performed repeatedly.
12. The method according to any of the preceding claims, which further consists of a fourth step (IV), further characterized in that the difference (S1-S2) between the balances of the first and third steps is recorded in the payment station (12).
13. The method according to any of the preceding claims, further characterized in that the payment station (12) consists of a module for recording data protectedly.
14. The method according to any of the preceding claims, further characterized in that the command (D) is a debit command which in the second step (II) carries out a decrease in the balance (S1) of the means of payment (11).

SUMMARY OF THE INVENTION

The invention relates to a method for protected transactions that includes a so-called smart card and a terminal, such as a cash register; to prevent the smart card from simultaneously making transactions with several terminals, the invention provides an authentication value that is used in the exchange of data between the smart card and the terminal to identify only subsequent steps of the transaction.
MXPA/A/1998/004542A 1995-12-08 1998-06-05 Method to load an electronic payment to an account MXPA98004542A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
NL1001863 1995-12-08

Publications (1)

Publication Number Publication Date
MXPA98004542A (en) 1999-04-06

Similar Documents

Publication Publication Date Title
AU703985B2 (en) Method for protectedly debiting an electronic payment means
EP0873554B1 (en) Method of debiting an electronic payment means
EP0668579B1 (en) Secure money transfer techniques using smart cards
US5495098A (en) Smart card updating process
US5917168A (en) System and method for revaluation of stored tokens in IC cards
JPH0514298B2 (en)
AU694365B2 (en) Method for effecting an electronic payment transaction
WO1997010560A1 (en) Stored value transaction system and method using anonymous account numbers
EP1156435A2 (en) E-Commerce payment system
EP0769767A2 (en) Secure money transfer techniques using smart cards
US20030222152A1 (en) Pre-paid debit & credit card
MXPA98004542A (en) Method to load an electronic payment to an account
NL1004536C2 (en) Debit transaction method for electronic payment item e.g. prepaid card - using mutually related authentication to identify payment device during various steps of protocol between payment device and payment station so that any interference is detected
AU722824B2 (en) Method of securely storing and retrieving monetary data
KR20040001314A (en) Smart card for member stores which join electric money chargig service
KR20010022728A (en) Data carrier for storing units of value, credit station and debit station for units of value and corresponding methods for crediting and debiting