WO1998029983A1 - Transaction key generation system - Google Patents

Transaction key generation system Download PDF

Info

Publication number
WO1998029983A1
WO1998029983A1 PCT/AU1997/000887 AU9700887W WO9829983A1 WO 1998029983 A1 WO1998029983 A1 WO 1998029983A1 AU 9700887 W AU9700887 W AU 9700887W WO 9829983 A1 WO9829983 A1 WO 9829983A1
Authority
WO
WIPO (PCT)
Prior art keywords
transaction
key
customer
merchant
issuer
Prior art date
Application number
PCT/AU1997/000887
Other languages
French (fr)
Inventor
Michael Joseph Mapson
Original Assignee
Commonwealth Bank Of Australia
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Commonwealth Bank Of Australia filed Critical Commonwealth Bank Of Australia
Priority to AU78936/98A priority Critical patent/AU7893698A/en
Publication of WO1998029983A1 publication Critical patent/WO1998029983A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/04Payment circuits
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3823Payment protocols; Details thereof insuring higher security of transaction combining multiple encryption tools for a transaction
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1016Devices or methods for securing the PIN and other transaction-data, e.g. by encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56Financial cryptography, e.g. electronic payment or e-cash

Definitions

  • the present invention relates to the generation of an encryption key for a message to be transmitted over a communications network, where there is no real time link between the encryption and decryption devices.
  • one application of the present invention is in financial transactions between a customer, vendor and financial institution. Background Art
  • Electronic messaging is traditionally carried out using one of several mechanisms.
  • all terminals are uniquely identified, the communication lines are considered insecure, and transaction keys are generated for each transaction using real time on-line links between the terminal and the host.
  • transaction keys are generated for each transaction using real time on-line links between the terminal and the host.
  • such a system is not suitable where messages may be received out of order, as in a packet based system, and/or where communications real-time links may be unreliable.
  • asymmetrical key encryption such as RSA
  • RSA asymmetrical key encryption
  • a public key is disseminated, with the private key held only by the intended receiving party.
  • a corresponding relationship needs to be established to allow for two-way communications.
  • the same key is used for numerous transactions, which creates a security risk over time - in other words, the key is not unique to any given communication.
  • the present invention comprises a system for encrypting and decrypting a message
  • the encrypting means comprising an encryption engine, and a random or pseudo-random number generator providing a numerical input to said engine, said engine in response to the numerical input generating a unique transaction key, said key being used to encrypt a message and incorporate the encrypted form in a message block, said message block further including said numerical input as unencrypted data, said decryption means being adapted to produce a corresponding decryption key from said random number and thereby decrypt said encrypted message.
  • the present invention stems from the recognition that if the transactions are not necessarily to occur in real time nor in an environment of total security in transmission, then the transaction must be considered as unidirectional from the customer (or their device) to the issuer.
  • a unique key is generated for each transaction, preferably without reference to external devices.
  • the unique key protects in particular, a PIN or the like provided by the cardholder.
  • the device issuing institution will be aware of the basic encryption key for each device, and when coupled with further data (in the illustrative case a random number input to a rotation or other rearrangement algorithm), the issuer can recover the correct key and decrypt this protected part of the transaction identification block.
  • two unidirectional transactions may form a bidirectional transaction session.
  • a further aspect which is in contrast to existing electronic payment systems is that merchant data will, at least to some extent, need to be supplied to the cardholder for inclusion in the encrypted transaction identification block.
  • Merchant data allows identification of the merchant.
  • the intermediary parties play no part in the encryption, the data will have to be provided to the cardholder (customer) device for encryption.
  • Some of this data may have to be attached to the transaction identification block in a non secure environment, there may also be provided verification of this within the encrypted part.
  • the present invention is directed to a method of effecting a financial transaction as herein disclosed.
  • the encryption is performed using an encryption engine contained within a secure hardware element of the transmitting means.
  • the transmitting means may comprise a secure card reader in combination with the customer's credit or debit card, and a PC or similar device connected to a modem.
  • the message block further includes a unique identifier for the secure encryption means, and the decrypting device has access to the specific encryption engine used for that device, so that input of the numerical input allows the key to be re-generated separately at the decryption means. This provides a unique key for each message without the necessity for a real time link.
  • the encrypted data further includes a unique transaction identifier, generated from a predetermined set by the encryption means.
  • Each encrypted message will have a unique transaction number.
  • the decryption means stores a set of at least those transaction numbers which have been used. If a decrypted message contains an invalid or previously used transaction number, it can be identified as a duplication or replay of another message - further enhancing the system security.
  • the present invention is particularly applicable to systems such as the internet, and more particularly to arrangements in which a secure transaction may pass through several parties before being presented to the intended recipient.
  • An example of such an application is a payment instruction from a party to purchase goods via the internet. The fundamental relationship to effect the payment is between the customer and the financial institution which will pay the vendor.
  • the customer may send a message block to the vendor, including unencrypted data such as the amount, the customer's financial institution, and the date, together with an encrypted confirmation of these details and confidential details such as a credit or debit card number, a PIN ( personal identification number), the amount ( to alleviate tampering of the transaction value by an intermediary or the merchant ) and the customer's account details.
  • the vendor may pass the message block to a bank or financial institution for later submission to the customer's bank.
  • the vendor may store the message blocks and submit them as a batch to a bank or similar financial institution, preferably in pseudo real time for later processing.
  • the key is a transaction key
  • the underlying encryption function is preferably unique to a given encryption means, even if a single message is intercepted and decrypted by some means, the key for only that transaction will be obtained. Even if the encryption means is subverted, the keys used for all other encryption means will remain secure.
  • Figure 1 is a schematic overview of a general arrangement in which the present invention may be used
  • Figure 2 is a block diagram illustrating one possible encryption process in the transmitting device
  • Figure 3 is an example transaction certificate format
  • Figure 4 is an example of a block message format
  • Figure 5 illustrates an exemplary algorithm for generating a transaction key.
  • the arrangement shown is one in which a domestic customer wishes to purchase goods or services from a cyber merchant - e.g. one accessible via the internet.
  • the home user has a magnetic stripe or smartcard credit, debit or customer card, a secure device card reader, and a PC and modem connected conventionally for internet access.
  • the other parties shown are the merchant, which is the vendor; the acquirer, which is the financial institution with whom the merchant has a relationship; the card issuer, who has a relationship with the customer; and the device issuer, who supplied the secure device card reader. It will be appreciated that less complicated arrangements are possible where, for example, the device issuer is the card issuer, or the merchant and customer share the same financial institution.
  • a typical debit purchase transaction may operate as follows:
  • Customer has a mag stripe, linked or smartcard debit card.
  • Merchant provides purchase details - for example, merchant ID, value of transaction, and other relevant data.
  • the merchant ID is transported securely
  • Customer purchase software confirms debit and requests card reading / swipe. The secure device checks for correct reading of the card. 5. Customer purchase software initiates "GetPIN" to secure device, which encrypts and stores the entered clients PIN. 6. Secure device concentrates encrypted PIN results with other transaction data. An advancing or other suitable transaction number is assigned - this may be simply 1 , 2, etc, or selected from a more complex predefined set. Concatenated result is cryptographically incorporated into a transaction certificate using a second encryption process. An illustrative transaction certificate is shown in figure 3. This encryption may be, for example, using the public key of an asymmetrical key pair, issued by the device issuer.
  • the secure device is capable of PIN encryption possibly with symmetric double length keys and is capable of encrypting multiple data blocks with a stored protected asymmetric 'n' bit modulus Secure Device Issuer public key half.
  • the 'n' bit modulus may be 1024 bit, or other as considered suitable.
  • the asymmetric encryption process may be replaced with a symmetric encryption process using a variant key derived from a base key and the random number.
  • Assembled purchase transaction is sent to the merchant, e.g. via email or Internet, see Figure 3 & 4.
  • the transaction may be stored by the merchant for batching into a set of transactions for upload to the acquirer institution.
  • a transaction transfer protocol is designed or exists to satisfy these requirements.
  • the Merchant Acquirer may or may not have issued the customer Secure Device reader and / or the customer mag stripe card. In this scenario, it is assumed that the Acquirer has issued neither. Thus, where the Merchant Acquirer has issued one or both the reader or card, simplification of these steps is possible.
  • the acquirer determines, from for example unencrypted information in the message block, which institution issued the secure device sourcing the transaction.
  • the transaction message provides a Secure Device identifier to be contained within external plain text data, as well as within the certificate.
  • the transaction is forwarded to the secure device issuer, for certificate data recovery, using existing (INTERCHANGE) interbank secure communication systems.
  • the secure device issuer decrypts the certificate data and checks the transaction number against a transaction number database indicating the possible transaction numbers for the device, and which of those transaction numbers have been used. If the transaction number has been used, the device issuer will send a message indicating an error or duplication to the acquiring institution. The entire recovered transaction is now sent to the acquirer, for normal processing and exchange with the issuing institution. The acquirer will then advise the merchant whether funds are cleared or not.
  • the secure device issuer can verify the transaction certificate and check for device transaction duplication (replay) in the transaction number database. The checking application will record the current transaction in the database so it too cannot be duplicated and recover the transaction in an SCM (card no., $val, etc).
  • the process proceeds as an existing interchange transaction, via the Acquirer.
  • the secure device issuer can return (interchange) the reconstructed message data to the Acquirer for standard interchange processing.
  • the merchant is informed if the funds are to be forwarded or not.
  • a funds failure mechanism exists to provide the merchant with payment "OK” or "Rejected".
  • interbank communications may proceed as normal - the only change is the requirement for involvement by the device issuer.
  • Purchase software is already widely utilised for internet shopping - the only modification required is to ensure adequate security and controls between the software and the secure device.
  • the secure device may be merely a simplified version of the card readers currently used for POS transactions.
  • a key feature of the present invention is that the secure message is assembled by the customer's secure device, not the merchant, with a unique identifier for the secure device and for the transaction, as well as the usual PIN inserted by the customer.
  • the probity of intermediaries is not crucial to a secure transaction occurring.
  • the present invention enables the device issuer to identify the source of the message, and verify that replay or duplication of the transaction has not occurred, without any direct communication between the secure device and the device issuer. Moreover, no acknowledgment needs to be sent to the issuer's customer, other than a normal statement entry in due course.
  • the transaction certificate may also be used as a specific transaction ID, for example as an invoice number, between the customer, the merchant, the device Issuer and the funds Issuer, for audit or reconciliation purposes.
  • the present invention fully supports current standards for the interchange of financial institution data, and provides a complete audit trail with key regeneration capability.
  • the merchant data is preferably sent to the customer using appropriate encryption established between the merchant and the customer.
  • Symmetric encryption uses a common shared key between two parties.
  • the DES algorithm (Data Encryption Standard - DEA1), has been the accepted means of symmetric encryption, within the Financial Industry.
  • DES has traditionally used Single Length (8 byte / 64 bit) keys, of which 56 bits are actually used in the encryption process. Because of increases in attacking computer power, single length keys must be extended to double length, using a modified encryption process. The double length key is split into components called Key Left and Key Right. A double length key is denoted by an asterisk, e.g. * KM1. (This example shows Double length Masterkey number one). Secure Device Encryption Process
  • the device * Master Key, (*KM) is loaded by the Secure Device ISSUER.
  • the key is passed through a non linear modification algorithm, seeded by random value. (R1).
  • Each Secure Device will produce a sequentially incremented device transaction number (T1).
  • Tl cannot be read in plain text prior to transaction certificate encryption. It can only be recovered by the Device Issuer host, during transaction verification.
  • the device transaction number size will be of sufficient length to allow a reasonable time span of events to be recorded for replay checking and velocity checking at the host databases. The counter is never reset and only advances in value. At the end of its cycle life, sufficient time will have elapsed for the host database to recognise that roll-over to , for example, 00000000 is a reasonable event for that particular device.
  • Each transaction value of (T1) is placed in the Certificate generator.
  • Any transaction will require the user to swipe a card for Track 2 or other relevant data to be captured.
  • the data may also be captured from another source, for example a smart card data file.
  • Track 2 contains all pertinent data to determine account details. It is protected by placing the entire track 2 data within the Transaction Certificate generator.
  • the secure Device will use an asymmetric key half, (PK1), which may be termed the PUBLIC key component.
  • PK1 asymmetric key half
  • this key component need not be public and can be stored, in device secure storage, along with the device master key.
  • the transaction certificate generator is an asymmetric encryption algorithm within the card reader device.
  • the asymmetric key half (PK1) used to produce the certificate is treated, in the device, as a secure generic key, unique to the Secure Device Issuer.
  • Each Secure Device could have its own unique asymmetric key set. However, this is a waste of resources when the "Public" half of the key can be protected in the same way that the unique device * Master Key is stored.
  • each Secure Device PK1 could be delivered, from the reader device, to an associated terminal PC, together with the assembled content of the generator ( Figure 3 illustrates an example TC1 Format ). This might permit faster transaction certificate assembly. It would also support a case for a device unique PK1. However, this is not a preferred method and would greatly reduce the security of the transaction, potentially allowing fund values and Merchant ID etc to be altered.
  • the transaction certificate, TC1 can only be recovered by the Secure Device Issuer. Thus, ALL transactions must come through the device Issuer, before the transaction can be placed into conventional Interchange, for processing. This would allow selling transactions back to other card issuers, if the
  • Figure 4 illustrates an example of both a symmetric and asymmetric block message format.
  • the reader device may be purpose built or may be existing technology.
  • the reader can be constructed with a security processor chip capable of operating to industry standards.
  • the encryption processing can be capable of both DES and asymmetric operation.
  • the asymmetric key length moduli is 1024 bits.
  • a fixed timing block of output of results may be provided.
  • Device power control etc may be activated by any suitable means, for example DSR or RTS type combinations or similar signals from associated equipment.
  • Base Key *KM (Reference numeral 1) Consists of a device unique key, 128 bits long. This key is programmed by the Issuer, into each device and also stored securely in the Issuer OCRF database, protected by a domain master key. (Conventional process). The key is recalled for each PIN decryption process, to derive the transaction key(s) for the current transaction.
  • the combined random components R1 and R2 are each a minimum of 64 bits long. * S1 is thus decoupled from * KM for additional protection against known cryptanalysis attacks, etc.
  • the combined 16 byte resultant value is transmitted in the plain text message sent to the Issuer.
  • Hash Function (#Fn): (Reference numeral 3) Each #Fn may be, but not necessarily, functionally identical.
  • the 128 bit device key * KM is hashed to 64 bits using the left and right (R1)L and (R2)R components respectively.
  • Each 64 bit product is denoted #1 L and #2R in Figure 5 schematic.
  • Each 64 bit hash product is then concatenated to produce the final 128 bit transaction key S1 (reference numeral 4) required by the encrypt function to produce C1 ( ⁇ PIN) in Figure 2.

Abstract

The present invention relates to the generation of an encryption key for a message to be transmitted over a communications network, where there is no real time link between the encryption and decryption devices. Without limitation, one application of the present invention is in financial transactions between a customer, vendor and financial institution. In essence, the present invention stems from the recognition that if the transactions are not necessarily to occur in real time nor in an environment of total security in transmission, then the transaction must be considered as unidirectional from the customer (or their device) to the issuer. Thus, from the customers end, a unique key is generated for each transaction, preferably without reference to external devices. In one form, the unique key protects in particular, a PIN or the like provided by the cardholder. However, the device issuing institution will be aware of the basic encryption key for each device, and when coupled with further data (in the illustrative case a random number input to a rotation or other rearrangement algorithm), the issuer can recover the correct key and decrypt this protected part of the transaction identification block. Also two unidirectional transactions may form a bidirectional transaction session.

Description

TRANSACTION KEY GENERATION SYSTEM Technical Field
The present invention relates to the generation of an encryption key for a message to be transmitted over a communications network, where there is no real time link between the encryption and decryption devices. Without limitation, one application of the present invention is in financial transactions between a customer, vendor and financial institution. Background Art
Electronic messaging systems of various types have come into increasing use over the last decade. Such developments as widespread use of internal networks, and the increase of internet access and use, have contributed to this growth.
Electronic messaging is traditionally carried out using one of several mechanisms. In one type of arrangement, exemplified by electronic funds transfer, all terminals are uniquely identified, the communication lines are considered insecure, and transaction keys are generated for each transaction using real time on-line links between the terminal and the host. However, such a system is not suitable where messages may be received out of order, as in a packet based system, and/or where communications real-time links may be unreliable.
Another alternative is the use of asymmetrical key encryption, such as RSA, in which a public key is disseminated, with the private key held only by the intended receiving party. A corresponding relationship needs to be established to allow for two-way communications. In such systems, the same key is used for numerous transactions, which creates a security risk over time - in other words, the key is not unique to any given communication.
It is an object of the present invention to provide an encryption system which allows for an encryption key to be generated for each message, but where there is no real time link required between the sender and the receiver. It is further object of the present invention to provide an encryption system which allows regeneration of the message encryption key by an authorised recipient, using data from the message. Summary of the Invention
According to a first aspect, the present invention comprises a system for encrypting and decrypting a message, the encrypting means comprising an encryption engine, and a random or pseudo-random number generator providing a numerical input to said engine, said engine in response to the numerical input generating a unique transaction key, said key being used to encrypt a message and incorporate the encrypted form in a message block, said message block further including said numerical input as unencrypted data, said decryption means being adapted to produce a corresponding decryption key from said random number and thereby decrypt said encrypted message.
In essence, the present invention stems from the recognition that if the transactions are not necessarily to occur in real time nor in an environment of total security in transmission, then the transaction must be considered as unidirectional from the customer (or their device) to the issuer. Thus, from the customers end, a unique key is generated for each transaction, preferably without reference to external devices. In one form, the unique key protects in particular, a PIN or the like provided by the cardholder. However, the device issuing institution will be aware of the basic encryption key for each device, and when coupled with further data (in the illustrative case a random number input to a rotation or other rearrangement algorithm), the issuer can recover the correct key and decrypt this protected part of the transaction identification block.
Also two unidirectional transactions may form a bidirectional transaction session.
A further aspect which is in contrast to existing electronic payment systems is that merchant data will, at least to some extent, need to be supplied to the cardholder for inclusion in the encrypted transaction identification block. Merchant data allows identification of the merchant. As the intermediary parties play no part in the encryption, the data will have to be provided to the cardholder (customer) device for encryption. Some of this data may have to be attached to the transaction identification block in a non secure environment, there may also be provided verification of this within the encrypted part. In a still further aspect, the present invention is directed to a method of effecting a financial transaction as herein disclosed.
Preferably, the encryption is performed using an encryption engine contained within a secure hardware element of the transmitting means. For example, the transmitting means may comprise a secure card reader in combination with the customer's credit or debit card, and a PC or similar device connected to a modem. Preferably, the message block further includes a unique identifier for the secure encryption means, and the decrypting device has access to the specific encryption engine used for that device, so that input of the numerical input allows the key to be re-generated separately at the decryption means. This provides a unique key for each message without the necessity for a real time link.
Preferably, the encrypted data further includes a unique transaction identifier, generated from a predetermined set by the encryption means. Each encrypted message will have a unique transaction number. The decryption means stores a set of at least those transaction numbers which have been used. If a decrypted message contains an invalid or previously used transaction number, it can be identified as a duplication or replay of another message - further enhancing the system security. The present invention is particularly applicable to systems such as the internet, and more particularly to arrangements in which a secure transaction may pass through several parties before being presented to the intended recipient. An example of such an application is a payment instruction from a party to purchase goods via the internet. The fundamental relationship to effect the payment is between the customer and the financial institution which will pay the vendor. Hence, the customer may send a message block to the vendor, including unencrypted data such as the amount, the customer's financial institution, and the date, together with an encrypted confirmation of these details and confidential details such as a credit or debit card number, a PIN ( personal identification number), the amount ( to alleviate tampering of the transaction value by an intermediary or the merchant ) and the customer's account details. The vendor may pass the message block to a bank or financial institution for later submission to the customer's bank. Alternatively, if the transaction has a small value, the vendor may store the message blocks and submit them as a batch to a bank or similar financial institution, preferably in pseudo real time for later processing. In either case only the issuing bank and the customer have access to the relevant encryption and decryption data. Also, as the key is a transaction key, and indeed the underlying encryption function is preferably unique to a given encryption means, even if a single message is intercepted and decrypted by some means, the key for only that transaction will be obtained. Even if the encryption means is subverted, the keys used for all other encryption means will remain secure.
Other applications of the inventive system will be apparent to the reader. Thus, the present invention provides for a transaction key to be generated, without a handshake between the encrypter and decrypter. Brief Description of the Drawings One illustrative embodiment of the present invention will now be described with reference to the accompanying figures, in which: Figure 1 is a schematic overview of a general arrangement in which the present invention may be used; Figure 2 is a block diagram illustrating one possible encryption process in the transmitting device;
Figure 3 is an example transaction certificate format;
Figure 4 is an example of a block message format; and
Figure 5 illustrates an exemplary algorithm for generating a transaction key.
Detailed Description The present invention will be described with reference to a particular application, that of funds transfer over a communications network such as the internet. However, it will be understood that with suitable modifications the present invention is more broadly applicable. The design and details of the encryption system, and receiver and transmitter elements, are not essential in detail to the present invention - it is only their functionality which defines the present invention. Greater or lesser levels of encryption security may be used depending upon the wishes of the system implementer. Furthermore, where # (hash) is referred to in the following text, it may preferably consist of, but not be confined to, any cryptographically robust One Way Function (OWF), such as, for exemplary purposes only AS2805 OWF, or Secure Hash Standard (SHS), HAVAL or MD Series. Referring to figure 1 , the arrangement shown is one in which a domestic customer wishes to purchase goods or services from a cyber merchant - e.g. one accessible via the internet. The home user has a magnetic stripe or smartcard credit, debit or customer card, a secure device card reader, and a PC and modem connected conventionally for internet access. The other parties shown are the merchant, which is the vendor; the acquirer, which is the financial institution with whom the merchant has a relationship; the card issuer, who has a relationship with the customer; and the device issuer, who supplied the secure device card reader. It will be appreciated that less complicated arrangements are possible where, for example, the device issuer is the card issuer, or the merchant and customer share the same financial institution. A typical debit purchase transaction may operate as follows:
1. Customer selects item(s) for home purchase from the merchant's web site, and initiates purchase software between the merchant's site and the home PC. An applicable software "shopping" application exists, with hooks to import and export data to a Secure Device attached to, for example COM2. The import / export control between the application and the Secure Device will be a separate control protocol.
2. Customer has a mag stripe, linked or smartcard debit card.
3. Merchant provides purchase details - for example, merchant ID, value of transaction, and other relevant data. The merchant ID is transported securely
(eg SSL) between the merchant's web site and the customer, for inclusion in the purchase certificate (TC1).
4. Customer purchase software confirms debit and requests card reading / swipe. The secure device checks for correct reading of the card. 5. Customer purchase software initiates "GetPIN" to secure device, which encrypts and stores the entered clients PIN. 6. Secure device concentrates encrypted PIN results with other transaction data. An advancing or other suitable transaction number is assigned - this may be simply 1 , 2, etc, or selected from a more complex predefined set. Concatenated result is cryptographically incorporated into a transaction certificate using a second encryption process. An illustrative transaction certificate is shown in figure 3. This encryption may be, for example, using the public key of an asymmetrical key pair, issued by the device issuer. The secure device is capable of PIN encryption possibly with symmetric double length keys and is capable of encrypting multiple data blocks with a stored protected asymmetric 'n' bit modulus Secure Device Issuer public key half. The 'n' bit modulus may be 1024 bit, or other as considered suitable. Alternatively, the asymmetric encryption process may be replaced with a symmetric encryption process using a variant key derived from a base key and the random number.
7. Assembled purchase transaction is sent to the merchant, e.g. via email or Internet, see Figure 3 & 4.
8. The transaction may be stored by the merchant for batching into a set of transactions for upload to the acquirer institution. A transaction transfer protocol is designed or exists to satisfy these requirements.
Note: The Merchant Acquirer may or may not have issued the customer Secure Device reader and / or the customer mag stripe card. In this scenario, it is assumed that the Acquirer has issued neither. Thus, where the Merchant Acquirer has issued one or both the reader or card, simplification of these steps is possible.
9. The acquirer determines, from for example unencrypted information in the message block, which institution issued the secure device sourcing the transaction. The transaction message provides a Secure Device identifier to be contained within external plain text data, as well as within the certificate.
10. The transaction is forwarded to the secure device issuer, for certificate data recovery, using existing (INTERCHANGE) interbank secure communication systems. 11. The secure device issuer decrypts the certificate data and checks the transaction number against a transaction number database indicating the possible transaction numbers for the device, and which of those transaction numbers have been used. If the transaction number has been used, the device issuer will send a message indicating an error or duplication to the acquiring institution. The entire recovered transaction is now sent to the acquirer, for normal processing and exchange with the issuing institution. The acquirer will then advise the merchant whether funds are cleared or not. The secure device issuer can verify the transaction certificate and check for device transaction duplication (replay) in the transaction number database. The checking application will record the current transaction in the database so it too cannot be duplicated and recover the transaction in an SCM (card no., $val, etc).
12. The process proceeds as an existing interchange transaction, via the Acquirer. The secure device issuer can return (interchange) the reconstructed message data to the Acquirer for standard interchange processing.
13. The merchant is informed if the funds are to be forwarded or not. A funds failure mechanism exists to provide the merchant with payment "OK" or "Rejected".
It will be appreciated that many of the elements of the system are already in use, and hence will not be explained further in detail. For example, interbank communications may proceed as normal - the only change is the requirement for involvement by the device issuer. Purchase software is already widely utilised for internet shopping - the only modification required is to ensure adequate security and controls between the software and the secure device. Similarly, the secure device may be merely a simplified version of the card readers currently used for POS transactions.
A key feature of the present invention is that the secure message is assembled by the customer's secure device, not the merchant, with a unique identifier for the secure device and for the transaction, as well as the usual PIN inserted by the customer. The probity of intermediaries is not crucial to a secure transaction occurring. The present invention enables the device issuer to identify the source of the message, and verify that replay or duplication of the transaction has not occurred, without any direct communication between the secure device and the device issuer. Moreover, no acknowledgment needs to be sent to the issuer's customer, other than a normal statement entry in due course. Moreover, the transaction certificate may also be used as a specific transaction ID, for example as an invoice number, between the customer, the merchant, the device Issuer and the funds Issuer, for audit or reconciliation purposes. Even if transactions occur out of order, for example transaction 15 is received by the issuer after transaction 16, the transaction can still proceed and be confirmed as valid - this is not possible with conventional EFTPOS systems. The transaction described above relates to debit transactions - however, it could be applied to credit transactions, or to any other process where it is essential to confirm that the data originated from the correct source, as well as keep the data itself secure, but real time connection is not always possible. Examples include medical and insurance data, confidential reporting and negotiable security instructions.
The present invention fully supports current standards for the interchange of financial institution data, and provides a complete audit trail with key regeneration capability.
The merchant data is preferably sent to the customer using appropriate encryption established between the merchant and the customer.
There are two relevant forms of encryption. They are Symmetric & Asymmetric respectively. Symmetric Keys - General
Symmetric encryption uses a common shared key between two parties. The DES algorithm (Data Encryption Standard - DEA1), has been the accepted means of symmetric encryption, within the Financial Industry.
DES has traditionally used Single Length (8 byte / 64 bit) keys, of which 56 bits are actually used in the encryption process. Because of increases in attacking computer power, single length keys must be extended to double length, using a modified encryption process. The double length key is split into components called Key Left and Key Right. A double length key is denoted by an asterisk, e.g. *KM1. (This example shows Double length Masterkey number one). Secure Device Encryption Process
Referring to Figure 2, the top two boxes of this diagram show the device master key. It is a *Master Key. The key is loaded into secure device storage and cannot be recovered or read back outside the device. PIN Encryption Process for UATEKS
The device *Master Key, (*KM) is loaded by the Secure Device ISSUER. When required to encrypt an entered PIN, the key is passed through a non linear modification algorithm, seeded by random value. (R1).
The resultant derived ^Transaction Key (*S1) encrypts the PIN:
C1 = * β (PIN) = *,n(R1.*KM).
The encrypted double length result, C1 , together with the random seed, (R1), is passed to and stored by the Transaction Certificate generator. Device Transaction Tracking Process
Each Secure Device will produce a sequentially incremented device transaction number (T1). Tl cannot be read in plain text prior to transaction certificate encryption. It can only be recovered by the Device Issuer host, during transaction verification. The device transaction number size will be of sufficient length to allow a reasonable time span of events to be recorded for replay checking and velocity checking at the host databases. The counter is never reset and only advances in value. At the end of its cycle life, sufficient time will have elapsed for the host database to recognise that roll-over to , for example, 00000000 is a reasonable event for that particular device. Each transaction value of (T1) is placed in the Certificate generator.
Magnetic Swipe Track 2 Data
Any transaction will require the user to swipe a card for Track 2 or other relevant data to be captured. The data may also be captured from another source, for example a smart card data file. Track 2 contains all pertinent data to determine account details. It is protected by placing the entire track 2 data within the Transaction Certificate generator. Transaction Certificate Generator
Asymmetric Keys
The secure Device will use an asymmetric key half, (PK1), which may be termed the PUBLIC key component. In reality, this key component need not be public and can be stored, in device secure storage, along with the device master key.
The transaction certificate generator is an asymmetric encryption algorithm within the card reader device. The asymmetric key half (PK1) used to produce the certificate is treated, in the device, as a secure generic key, unique to the Secure Device Issuer.
Note 1: Each Secure Device could have its own unique asymmetric key set. However, this is a waste of resources when the "Public" half of the key can be protected in the same way that the unique device *Master Key is stored.
This removes the need for "PK1" certification. Device unique keys would also require additional Issuer host storage space.
Note 2: Alternatively each Secure Device PK1 could be delivered, from the reader device, to an associated terminal PC, together with the assembled content of the generator ( Figure 3 illustrates an example TC1 Format ). This might permit faster transaction certificate assembly. It would also support a case for a device unique PK1. However, this is not a preferred method and would greatly reduce the security of the transaction, potentially allowing fund values and Merchant ID etc to be altered.
Note 3: If an asymmetric PK1 is impractical, it is possible to use a symmetric derivative variant of the base key, to produce a signing key in lieu of PK1.
The transaction certificate, TC1 , can only be recovered by the Secure Device Issuer. Thus, ALL transactions must come through the device Issuer, before the transaction can be placed into conventional Interchange, for processing. This would allow selling transactions back to other card issuers, if the
Secure Device Issuer were not the Card Issuer as well. Figure 4 illustrates an example of both a symmetric and asymmetric block message format.
Secure Reader device
The reader device may be purpose built or may be existing technology. The reader can be constructed with a security processor chip capable of operating to industry standards. The encryption processing can be capable of both DES and asymmetric operation. Preferably, the asymmetric key length moduli is 1024 bits. A fixed timing block of output of results may be provided. Device power control etc may be activated by any suitable means, for example DSR or RTS type combinations or similar signals from associated equipment.
Key Rotation Algorithm
Referring to Figure 5, Base Key *KM: (Reference numeral 1) Consists of a device unique key, 128 bits long. This key is programmed by the Issuer, into each device and also stored securely in the Issuer OCRF database, protected by a domain master key. (Conventional process). The key is recalled for each PIN decryption process, to derive the transaction key(s) for the current transaction. Random Generator (R1)L & (R2)R: (Reference numeral 2)
The combined random components R1 and R2 are each a minimum of 64 bits long. *S1 is thus decoupled from *KM for additional protection against known cryptanalysis attacks, etc. The combined 16 byte resultant value is transmitted in the plain text message sent to the Issuer.
Hash Function (#Fn): (Reference numeral 3) Each #Fn may be, but not necessarily, functionally identical. The 128 bit device key *KM is hashed to 64 bits using the left and right (R1)L and (R2)R components respectively. Each 64 bit product is denoted #1 L and #2R in Figure 5 schematic. Each 64 bit hash product is then concatenated to produce the final 128 bit transaction key S1 (reference numeral 4) required by the encrypt function to produce C1 (∑PIN) in Figure 2. Suitable modifications and alternatives to key lengths, algorithms and other terms, functions or the embodiments and examples given, as would be considered suitable by those skilled in the art, without departing from the generality of the disclosure of the present invention, are to be included within the scope of the present application.

Claims

THE CLAIMS DEFINING THE INVENTION ARE AS FOLLOWS:
1. A system for encrypting and decrypting a message, the encrypting means comprising an encryption engine, and a random or pseudo-random number generator providing a numerical input to said engine, said engine in response to the numerical input generating a unique transaction key, said key being used to encrypt a message and incorporate the encrypted form in a message block, said message block further including said numerical input as unencrypted data, said decryption means being adapted to produce a corresponding decryption key from said random number and thereby decrypt said encrypted message.
2. A system for effecting a financial transaction in an environment which lacks a relatively high level of security, including a key generator, issued by an acquirer or an Issuer, which generates a unique key for each transaction without reference to external devices, and a customer card which includes PIN and other relevant details which is encrypted by the customer device and transmitted via a transaction identification block, wherein the basic encryption key for each customer device is known by the issuer, and therefore the issuer can recover the correct key and decrypt the relevant part of the transaction identification block.
3. A method of effecting a financial transaction in an electronic payment systems, comprising: suppling from a merchant to a customer device, merchant data for identifying the merchant, in consequence of trade between the merchant and a customer, and the data being included in an encrypted transaction identification block.
4. A method of effecting a debit purchase transaction, including the steps of: a. Customer selects item(s) for home purchase from the merchant's web site, b. Customer has a mag stripe, linked or smartcard debit card. c. Merchant provides purchase details to customer device, for inclusion in a purchase certificate (TC1). d. Customer device confirms debit and requests card reading / swipe. e. Customer device initiates "GetPIN" to secure device, which encrypts and stores the entered clients PIN. f. Secure device encrypts PIN and concatenates result with other transaction data, g. a transaction number is assigned h. assembled purchase transaction is sent to the merchant, i. the transaction is sent to the acquirer, j the acquirer determines which institution issued the secure device sourcing the transaction from a Secure Device identifier contained within the data, k. the transaction is forwarded to the secure device issuer, for certificate data recovery.
5. The method as claimed in claim 4, further including the steps of:
I. the secure device issuer decrypts the certificate data and checks the transaction number against a transaction number database indicating the possible transaction numbers for the device, and which of those transaction numbers have been used to determine whether the transaction is to be valid or rejected, m. the merchant is informed if the funds are to be forwarded or not.
6. An encryption method and device which allows regeneration of the message encryption key by an authorised recipient, using data from the message, as herein disclose
7. A device, system or method as herein described.
PCT/AU1997/000887 1996-12-30 1997-12-30 Transaction key generation system WO1998029983A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU78936/98A AU7893698A (en) 1996-12-30 1997-12-30 Transaction key generation system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
AUPO4417A AUPO441796A0 (en) 1996-12-30 1996-12-30 Transaction key generation system
AUPO4417 1996-12-30

Publications (1)

Publication Number Publication Date
WO1998029983A1 true WO1998029983A1 (en) 1998-07-09

Family

ID=3798725

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AU1997/000887 WO1998029983A1 (en) 1996-12-30 1997-12-30 Transaction key generation system

Country Status (4)

Country Link
AU (1) AUPO441796A0 (en)
TW (1) TW369645B (en)
WO (1) WO1998029983A1 (en)
ZA (1) ZA9711631B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1063812A2 (en) * 1999-06-21 2000-12-27 Fujitsu Limited Methods and equipment for encrypting/decrypting, and indentification systems
EP1135887A1 (en) * 1998-12-04 2001-09-26 Lyal Sidney Collins Message identification with confidentiality, integrity, and source authentication
US7630989B2 (en) 2002-05-17 2009-12-08 Colonial First State Investments Ltd. Transaction management system
US20110106710A1 (en) * 2009-11-05 2011-05-05 Judson Reed Encryption switch processing
WO2020146602A1 (en) * 2019-01-09 2020-07-16 Visa International Service Association Method, system, and computer program product for network bound proxy re-encryption and pin translation

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1988001817A1 (en) * 1986-09-02 1988-03-10 Unisys Corporation Stations for communicating with encrypted messages via randomly selected circularly stored keys
US5478994A (en) * 1994-07-13 1995-12-26 Rahman; Sam Secure credit card which prevents unauthorized transactions
WO1997016902A2 (en) * 1995-11-02 1997-05-09 Tri-Strata Security, Inc. Unified end-to-end security methods and systems for operating on insecure networks

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1988001817A1 (en) * 1986-09-02 1988-03-10 Unisys Corporation Stations for communicating with encrypted messages via randomly selected circularly stored keys
US5478994A (en) * 1994-07-13 1995-12-26 Rahman; Sam Secure credit card which prevents unauthorized transactions
WO1997016902A2 (en) * 1995-11-02 1997-05-09 Tri-Strata Security, Inc. Unified end-to-end security methods and systems for operating on insecure networks

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7095855B1 (en) 1998-12-04 2006-08-22 Lyal Sidney Collins Message identification with confidentiality, integrity, and source authentication
EP1135887A1 (en) * 1998-12-04 2001-09-26 Lyal Sidney Collins Message identification with confidentiality, integrity, and source authentication
EP1135887A4 (en) * 1998-12-04 2002-11-06 Lyal Sidney Collins Message identification with confidentiality, integrity, and source authentication
US7962754B2 (en) 1999-06-21 2011-06-14 Fujitsu Limited Method and equipment for encrypting/decrypting physical characteristic information, and identification system utilizing the physical characteristic information
EP1063812A3 (en) * 1999-06-21 2004-07-14 Fujitsu Limited Methods and equipment for encrypting/decrypting, and indentification systems
US7200549B1 (en) 1999-06-21 2007-04-03 Fujitsu Limited Method and equipment for encrypting/decrypting physical characteristic information, and identification system utilizing the physical characteristic information
EP1063812A2 (en) * 1999-06-21 2000-12-27 Fujitsu Limited Methods and equipment for encrypting/decrypting, and indentification systems
US7630989B2 (en) 2002-05-17 2009-12-08 Colonial First State Investments Ltd. Transaction management system
US20110106710A1 (en) * 2009-11-05 2011-05-05 Judson Reed Encryption switch processing
US9633351B2 (en) * 2009-11-05 2017-04-25 Visa International Service Association Encryption switch processing
WO2020146602A1 (en) * 2019-01-09 2020-07-16 Visa International Service Association Method, system, and computer program product for network bound proxy re-encryption and pin translation
CN113316765A (en) * 2019-01-09 2021-08-27 维萨国际服务协会 Methods, systems, and computer program products for network binding agent re-encryption and PIN translation
US11488152B2 (en) 2019-01-09 2022-11-01 Visa International Service Association Method, system, and computer program product for network bound proxy re-encryption and pin translation
CN113316765B (en) * 2019-01-09 2022-11-04 维萨国际服务协会 Methods, systems, and computer program products for network binding agent re-encryption and PIN translation
US11736295B2 (en) 2019-01-09 2023-08-22 Visa International Service Association Method, system, and computer program product for network bound proxy re-encryption and PIN translation
US11757644B2 (en) 2019-01-09 2023-09-12 Visa International Service Association Method, system, and computer program product for network bound proxy re-encryption and PIN translation

Also Published As

Publication number Publication date
TW369645B (en) 1999-09-11
ZA9711631B (en) 1998-07-09
AUPO441796A0 (en) 1997-01-23

Similar Documents

Publication Publication Date Title
US5848161A (en) Method for providing secured commerical transactions via a networked communications system
US7039809B1 (en) Asymmetric encrypted pin
US10817874B2 (en) Purchase transaction system with encrypted payment card data
US6240187B1 (en) Key replacement in a public key cryptosystem
US9294268B2 (en) System and method for variable length encryption
US5590197A (en) Electronic payment system and method
US6128391A (en) Method and apparatus for asymetric key management in a cryptographic system
US6681328B1 (en) System and method for global internet digital identification
US7195154B2 (en) Method for generating customer secure card numbers
US9704159B2 (en) Purchase transaction system with encrypted transaction information
US20110161671A1 (en) System and method for securing data
US20120317037A1 (en) Methods for Providing Secure Transactions
CN102696047A (en) Encryption switch processing
JPH0218512B2 (en)
JPH0334641A (en) Method of encrypting transmission data using special key
WO1998052316A1 (en) Initial secret key establishment including facilities for verification of identity
CA2406375C (en) An improved method and system for conducting secure payments over a computer network
SK176199A3 (en) Payment process and system
Yang The security of electronic banking
JP2606827B2 (en) Encryption device using IC card
WO1998029983A1 (en) Transaction key generation system
WO1998032260A1 (en) Secure messaging table system
AU2001270012B2 (en) An improved method and system for conducting secure payments over a computer network without a pseudo or proxy account number
Jayasinghe et al. Enhancing EMV online PIN verification
CA2385954C (en) System and method for global internet digital identification

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GE GH GM GW HU ID IL IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG US UZ VN YU ZW AM AZ BY KG KZ MD RU TJ TM

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW SD SZ UG ZW AT BE CH DE DK ES FI FR GB GR IE

121 Ep: the epo has been informed by wipo that ep was designated in this application
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase