Classifications

• • G—PHYSICS
  • G07—CHECKING-DEVICES
  • G07F—COIN-FREED OR LIKE APPARATUS
  • G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
  • G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
  • G07F7/10—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
  • G07F7/1008—Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q20/00—Payment architectures, schemes or protocols
  • G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
  • G06Q20/34—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
  • G06Q20/341—Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q20/00—Payment architectures, schemes or protocols
  • G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
  • G06Q20/34—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
  • G06Q20/351—Virtual cards
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q20/00—Payment architectures, schemes or protocols
  • G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
  • G06Q20/36—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes
  • G06Q20/367—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes
  • G06Q20/3674—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes involving authentication
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q20/00—Payment architectures, schemes or protocols
  • G06Q20/38—Payment protocols; Details thereof
  • G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
  • G06Q20/409—Device specific authentication in transaction processing
  • G06Q20/4093—Monitoring of device authentication
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q20/00—Payment architectures, schemes or protocols
  • G06Q20/38—Payment protocols; Details thereof
  • G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
  • G06Q20/409—Device specific authentication in transaction processing
  • G06Q20/4097—Device specific authentication in transaction processing using mutual authentication between devices and transaction partners
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q20/00—Payment architectures, schemes or protocols
  • G06Q20/38—Payment protocols; Details thereof
  • G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
  • G06Q20/409—Device specific authentication in transaction processing
  • G06Q20/4097—Device specific authentication in transaction processing using mutual authentication between devices and transaction partners
  • G06Q20/40975—Device specific authentication in transaction processing using mutual authentication between devices and transaction partners using encryption therefor
• • G—PHYSICS
  • G07—CHECKING-DEVICES
  • G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
  • G07C9/00—Individual registration on entry or exit
  • G07C9/20—Individual registration on entry or exit involving the use of a pass
  • G07C9/21—Individual registration on entry or exit involving the use of a pass having a variable access code
• • G—PHYSICS
  • G07—CHECKING-DEVICES
  • G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
  • G07C9/00—Individual registration on entry or exit
  • G07C9/20—Individual registration on entry or exit involving the use of a pass
  • G07C9/215—Individual registration on entry or exit involving the use of a pass the system having a variable access-code, e.g. varied as a function of time

Definitions

• the present invention relates to an electronic system for authenticating individuals and / or messages, in particular for controlling the access of a user to a function, enabling a user to conditionally obtain a service or another service. to be supplied by a specialized service unit associated with the system in question.
• the invention relates to a system for controlling access to or for authenticating messages in a computer or, more generally, a computer network, the use of which is reserved for persons who have been duly legitimized.
• Such networks can be used, for example, to provide all kinds of services involving a transaction, most often for economic consideration, such as teleshopping, pay television, home banking, interactive televised games, or also facsimile. confidential, etc.
• US Patent 4,720,860 describes an authentication system in which, to generate passwords, a static variable and a dynamic variable are used.
• a static variable In this patent, at the start of an access request procedure, the user must enter a fixed code in an authentication unit ("token") each time a transaction must be carried out.
• the fixed code is a static variable.
• a second variable is also generated in the authentication unit, and this varies dynamically as a function of time, in particular as a function of the instant at which the fixed code is introduced into the authentication unit by l 'user.
• the two variables, one of which is static and the other dynamic are then used as input parameters for a secret encryption algorithm used to generate a password in the authentication unit. This password is displayed on the authentication unit and the user is invited to transfer it to a verification server.
• the fixed code is also transferred to the server which, using the same encryption algorithm and a dynamic variable having in principle the same value as that used in the authentication unit, also calculates the password.
• the latter is compared to the password transmitted to the server by the user and, if there is a match, an authorization to access the function can be issued.
• This access control system therefore uses a static variable with the help of which the encryption algorithm calculates the password while also using the dynamic variable.
• the object of the present invention is to provide an authentication system offering better security against fraud.
• Another object of the invention is to provide an authentication system providing dynamic passwords, in particular dynamic passwords that are functions of time, while at least partially using conventional hardware means.
• the subject of the present invention is an authentication system for controlling the access of at least one user to a function, said system comprising at least a first unit personalized for said user and at least a second verification unit. controlling access to said function, • said first unit comprising:
• - second generator means for, in response to an access request made using a determinate of said first units, generate at least one dynamic variable assigned to this first determined unit;
• said first and second generating means provided respectively in said first and second units generating said first dynamic variable of said first unit and said dynamic variable of said second unit in concert, but independently;
• said first unit comprises a microcircuit card comprising the first calculation means and a card reader and,
• said dynamic variable of each of said first and second units varies as a function of time.
• FIG. 1 is a general diagram of an authentication system according to a first embodiment of the invention
• FIG. 2 is a flowchart illustrating the principle of operations in the system according to the invention, when an access request is processed;
• FIG. 3 is a flow diagram of the mode of calculation of an encryption key used in the calculation of the password;
• FIG. 4 shows an alternative embodiment of the operations shown in Figure 2;
• Figure 5 is a flowchart illustrating password calculation operations using a simplified version of the first embodiment shown in Figure 1;
• Figure 6 is a block diagram illustrating a second embodiment of the invention.
• FIG. 1 there is shown a very simplified diagram of an authentication system according to a first embodiment of the invention.
• the system is supposed to give conditional access to a function which is symbolized by the rectangle 1 in figure 1.
• function must be taken in a very broad sense. It designates any function to which access is conditioned by an authorization involving authentication involving verification of the terminal using which the request is made, and preferably also an identification of the person requesting access to the function for find out if his request is legitimate.
• the function can be of any kind, for example a function of access to a room, to a computer network or to a computer, to a pecuniary transaction (teleshopping, home banking, interactive television game, pay TV), etc.
• the function may also involve authentication of messages.
• the system according to the invention comprises at least a first authentication unit 2 and at least a second verification unit 3.
• the authentication system according to l he invention may include a large number of first units and one or more second units, but in any case in a number of second units significantly lower than that of the first units.
• the numbers of units 2 and 3 are therefore in no way limitative of the invention.
• the first unit 2 comprises a microcircuit card 4, a microcircuit card reader 5 and a computer 6 such as a personal computer (PC) to which the card reader 5 is connected by an appropriate interface such as an RS- port. 232 or a parallel port, a keyboard or a PCMIA interface.
• the microcircuit card 4 includes a microcontroller 7 suitably programmed to execute an ALGO cryptographic algorithm, as well as the usual ROM memory. It also includes a programmable memory, such as an EEPROM, represented in FIG. 1 by a register 8 for storing the content Nn of an event counter and by a register 9 for storing a dynamic secret key Kn.
• the computer 6 comprises a keyboard 10 intended to allow the entry of data, such as for example the personal identification number PIN of the user of the microcircuit card 4. It also includes a display screen 11, and a clock to increment a counter 13 which provides a dynamic variable T representing time.
• the computer 6 also includes the microprocessor, the memories, the usual interfaces which have not been shown in the drawing.
• the second unit 3 hereinafter called the server, communicates with the computer or computer 6 by the link 14.
• This communication can be provided at short distance or long distance by any suitable means.
• the data transmitted on this link include in particular the word pass to be verified in the server 3 and possibly data to be authenticated and processed by the server.
• the server 3 comprises in particular a processor 15 capable of conditionally releasing the functions 1, targeted by the access requests formulated by the various first units 2, these functions being able to be provided inside the server 3 or outside. It should be noted that the server 3 generally cooperates with a large number of first units 2.
• the server 5 also includes a memory 16 for storing a secret dynamic key Kna for each microcircuit card 4, a clock 17 for incrementing a counter 18 which provides a dynamic variable T c representing time, and a memory 19 for storing the content Nna of an event counter for each microcircuit card 4.
• FIG. 2 represents a simplified flowchart of the various operations which take place when a request for access to a function is made by the user of a first unit 2.
• FIG. 2 is divided into two parts, the part to the left of dashed line L representing the operations executed in the first unit 2 and the part to the right of this line showing those which take place in the server 3.
• Card 4 is personalized so as to be personally assigned to a given user. It carries a public identification number ("USER ID”) and / or this number can be recorded in it in an unencrypted form and assigned to this card at the time of its initialization. It can also be formed by the name of the user or any other information which is specific to him.
• the public identification number (USER ID) must first be communicated to server 15. This operation can be carried out in different ways.
• the public identification number
• (USER ID) can be transmitted to the server 3 by the computer 6, for example directly as soon as the card 4 is inserted into the reader 5, or after it has been introduced to the keyboard 10 of the computer 6 by the user himself. even.
• the user must also give his legitimation by typing, in 20, his personal identification code or PIN code on the keyboard 10 of the computer 6.
• the code entered on the keyboard is checked at 21 in card 4 by comparison with the PIN code stored in card memory 4.
• the access request is immediately refused at 22 by card 4, the user possibly being allocated several consecutive attempts before a final refusal is opposed, if they all remain unsuccessful.
• the program triggers at 23 the operation for calculating the password in the card 4.
• the calculation consists of encryption using an encryption algorithm which can be secret or public (block 25). In the latter case, it may be an algorithm called DES (Data Encryption Standard) by specialists in this technique.
• an encryption algorithm which can be secret or public (block 25). In the latter case, it may be an algorithm called DES (Data Encryption Standard) by specialists in this technique.
• the algorithm in question uses input parameters based on dynamic variables which, in the case shown, are three in number. Two of them are a variable Nn stored in the register 8 of the card 4 and which represents the number of access requests made by the card 4, and a variable T representing the current time and corresponding to the position of the counter 13 of the computer 6. During initialization, these variables can be set to initial values, NO and / or TO respectively, which are not necessarily equal to 0 and which can be secret or not. Likewise, Nn and T may vary according to functions involving parameters such as the number of access requests, a function of the number of access requests and the current time respectively.
• Each of the variables Nn and T can comprise 32 bits and be subjected beforehand to a concatenation operation in the computer 6, at 24, thus offering an input parameter or "challenge" of 64 bits in total.
• the operation carried out in 24 can, as a variant, be constituted by any treatment or combination such as interlacing, chopping, an operation OU-EXCLUSIVE or AND, etc. performed on Nn and T.
• the operation at 24 is not limited to these various variants, but it can consist of any operation executed with the aim of producing an output (for example on 64 bits) by combination or treatment of Nn and T according to one of virtually an infinite number of possibilities.
• This challenge is applied by the computer 6 to the microcircuit card 4 and is encrypted by the ALGO algorithm at 25 by means of the encryption key Kn stored in the register 9 of the microcircuit card 4.
• Another means of defining l algorithm implemented in 25 consists in saying that the algorithm generates a password as a function of the current values of Nn, T and Kn or that Kn is encrypted as a function of a key comprising a value generated by concatenation of Nn and T in 24.
• the encryption carried out at 25 in the card 4 generates a password A at 26 and causes the unit 6, at 27, to increment a unit by the position of the register 8 for requesting access to the card 4 which stores Nn.
• the incremented number Nn + 1 is stored in register 8 and subjected to a calculation operation at 28 in card 4 to calculate the new value Kn + 1 of the third dynamic variable or secret encryption key.
• the output of block 27 could command the incrementation of register 8 by a number other than the number 1, that is to say that the incrementation could be two units (or any other number) at each time.
• the number of increment units can vary from one access request to the next. Of course, the incrementation must then be synchronized with that implemented in the server 3.
• FIG. 3 An example of the operations which can be carried out at 28 for the calculation of this new value is shown in FIG. 3. These operations are carried out together both in the microcircuit card 4 and in the server 3.
• the values Nn + 1 and Kn are subjected at 29 to a logical combination operation, for example an OU- EXCLUSIVE combination.
• the resulting intermediate variable Z is subject to encryption at 30 using a known or public algorithm which may be the same as that used at 25.
• the encryption can be performed using a encryption key which is preferably the value of the current dynamic variable Kn, although another secret key Q (block 31) can also be used.
• the result of the encryption operation at 30 is the new value Kn + 1 of the encryption key which will be used during the next access request. This value is stored in register 9.
• this password may be the complete result of the encryption operation in 25 (64 bits long) or only part of this result, for example a 32 bit word.
• This communication symbolized by the dotted line 33
• This communication can be done for example by typing the word on the keyboard 10 of the computer 6.
• This communication can also be carried out automatically, for example by modem, and in this case it is not password A must be presented to the user at 32.
• the program of the microprocessor 15 executes, in concert with the first unit 2 and using dynamic variables generated independently of the first unit 2, calculation operations identical to those carried out therein. These operations have therefore been indicated in FIG. 2 by the same reference numbers followed by the letter "a".
• the variables Kna and Nna are extracted from the memories 16 and 19 of the server 3.
• the memories 16 and 19 store the variables Kna and Nna of each microcircuit card 4 with which the server is called upon to cooperate.
• the variable T c is also extracted from the counter 18. If the computers 6 which are used with the microcircuit cards 4 have not all been initialized to the same value TO, the computer 6 must be identified by the server 3, for example when the USER ID number is transmitted to the server 3. In response to this identification, the microprocessor 15 reads from a memory the initial value T0 of the variable T for this calculator and calculates from TO and T c a time variable Ta which must be equal to the time variable T in the calculator 6.
• the server 3 produces for its part, and without the dynamic variables produced in the first unit 2 being communicated to it, a password Aa which is compared with the password A transmitted to the server 3 by the user. If the microcircuit card 4 is authentic, the passwords A and Aa must be identical or at least match according to predetermined rules. If the test at 34 results in an affirmative answer, function 1 is released. Otherwise, access will be refused in 35.
• the authentication process of the first unit 2 leading to the release of the function at 1 is carried out using three dynamic variables, one of which is the key to encryption Kn (Kna) and the others of which are the number Nn (Nna) of access requests already made and the time T (Ta) (or numbers calculated according to a predetermined function of these variables).
• the encryption key Kn (Kna) itself derives from one access request to the other and it is dynamically variable depending on the value Nn (Nna) with which it can be logically combined, then encrypted to give rise to the encryption key Kn + 1 (Kna + 1) used during the next access request.
• the data can be processed during the performance of the function 1, insofar as naturally the authorization has been given for this following the test in 34.
• the user when formulating his access request, enters in 36 the data in the first unit 2 using his keyboard 10.
• These data are logically combined in 37 with the concatenated value of the two variables Nn and T, the result being used as an input parameter of the encryption procedure carried out at 25.
• the data can also be directly combined with the result of the encryption operation at 25 or else the data can constitute another key for the algorithm at 25.
• the essential aspect is that the output of block 25 is a function of the data to be transferred.
• the data are also transferred to the server 3, for example by means of the keyboard 10 of the computer 6 or automatically via the link 14.
• the data thus received at 36a in the server 3 is processed there in the same way as in the first unit 2. More particularly, the data can be combined by a logical operation at 37a with the concatenated value of Nna and Ta, the result being used as an input parameter for the encryption process at 25a. As a variant, the data can be directly combined with the result of the encryption operation at 25a or else the data can constitute another key for the algorithm at 25a. The data are also communicated in clear to the device responsible for executing function 1.
• the authenticity of the data can be verified by comparing the passwords A and Aa which are both functions of the value representing the data.
• the implementation of function 1 will therefore receive a refusal if there is a mismatch between the data presented on the two sides.
• the function 28 (shown in FIGS. 2 and 3) can vary as a function of T.
• the algorithm 30 can be changed with each new derivation of Kn.
• the algorithm used in 25 can be changed each time a password is generated.
• the modules 25, 25a and 30, 30a can store several algorithms used separately during the various operations for calculating passwords. Synchronized changes must then be made in the server 3 with regard to the function 28a, the algorithm 30a and the algorithm
• function 29 ( Figure 3) may be different from an OU-
• EXCLUSIVE such as an AND operation or any other logical operation.
• function 29 is not essential, Nn + 1 being able to be directly used by algorithm 30 so as to be encrypted by Kn and Q.
• Q can be subjected with Nn + 1 to a OU-EXCLUSIVE operation in 29, Kn and Q being used as encryption key for the encryption of the output produced by the logical operation in 29.
• Another modification consists in providing an AND gate between the modules 26 and 27 of FIG. 2, the output of the module 26 constituting one of the inputs of this AND gate, the other input being formed by a signal from the server 3 and which is only generated if the module 26a generates an output.
• the register 8 in the card 4 and the register 19 in the server 3 will be incremented synchronously. There will then be no loss of synchronization of the values Nn and Nna.
• such communication back from the server to the card may not be desirable.
• Kn can be derived twice for each calculation of the password. We can do this for example before and after the calculation of the word past. Kn can also be rederived in parallel with the calculation of the password. In other words, Kn can be rederived during the calculation of a password, the outputs of module 25 and of module 25a then being directly used as inputs of modules 27 and 27a respectively.
• Nn and T can be introduced directly into the encryption module 25. The data can also be logically combined directly with Nn and T, or the data can be split into two parts combined with Nn or T respectively.
• FIG. 4 shows a variant of the first embodiment which simplifies the software installed in the personal computer PC and limits the exchange of information between the personal computer PC and the microcircuit card.
• the same references as in FIG. 2, but increased by the number 100, have been used to designate corresponding elements.
• What is missing in the microcircuit card 104 is the clock counter 113 storing the time variable T. All the other functions implemented for the generation of the password are implemented in the microcircuit card 104.
• the personal computer or PC 106 sends the variable T stored in the counter 113 to the microcircuit card 104.
• Nn and the variable T are concatenated or otherwise processed, as described above with respect to FIG. 2, to generate in the card 104 an input parameter or challenge of , for example, 64-bit.
• This challenge is encrypted by the ALGO algorithm at 125 using the encryption key Kn stored in the register 109.
• the encryption performed at 125 generates the password A at 126 which is formatted and displayed on the screen of the PC 106 at 132.
• This password A is communicated to the server or second unit 103 as described with reference to FIG. 2.
• the personal computer 106 communicates the password A directly to the second unit 103, for example by modem, it is not necessary to display the password A for the user.
• the encryption performed in 125 also causes the incrementation in
• the incrementation can be an incrementation of a unit or another type of incrementation as described above.
• the incremented number Nn + 1 is also subjected in 128 to a calculation operation to calculate a new value Kn + 1 of the third dynamic variable or secret encryption key. This calculation operation has also been described above.
• a simplified version of the first embodiment, shown in FIG. 5, can consist in eliminating the event counter and the key derivation, that is to say the dynamic variables other than T, the key Kn being static.
• the same references as in FIG. 2, but increased by the number 200, have been used to designate the corresponding elements.
• the various operations represented in FIG. 5 are similar to those of FIGS. 2 and 4 and will not be described in detail.
• the microcircuit card reader 5 represented in the first embodiment of FIGS. 1 to 5 is a passive microcircuit card reader, that is to say that it simply transmits the data between the microcircuit card 4 and the personal computer 6.
• the microcircuit card reader 5 can be an "intelligent” or active microcircuit card reader and can be portable.
• the "smart" microcircuit card reader 305 reads the microcircuit card 304 of the first embodiment and is adapted to be used with a second unit 303 which may be the same as the second unit 3, 103 or 203.
• the microcircuit card reader 305 comprises a keyboard 310, a display screen 311, a register 313 and a clock 312 corresponding to the keyboard 10, to the display screen 11, to the register 13 and to the clock 12 and can also include its own source of electrical energy, such as a battery 350.
• Such a reader microcircuit card can implement the functions described in figure 2 for the PC 306, or in figures 4 and 5 for the PC 106 and 206 respectively.
• microcircuit card reader 305 can be configured to provide T
• microcircuit card 304 can be configured to implement the other operations of the first unit 302 as described in connection with Figures 4 and 5 .
• the microcircuit card reader 305 can be configured to carry out the same operations as the personal computer 6 of FIG. 2 and the microcircuit card 304 can be configured to implement the other operations of the first unit 302.
• the time variable T can be supplied by a personal computer PC 306 to the microcircuit card reader 305, thus eliminating the need for the clock 312 in the reader 305.
• a first unit such as 2, 102, 202 or 302 can be installed in any device owned by the user such as a personal digital assistant (PDA), cell phone or other type of telephone receiver, provided that such a device is configured from the hardware and / or software point of view to read a microcircuit card and to implement the functions described with reference to FIGS. 2, 4 or 5.
• PDA personal digital assistant
• the present invention differs from the prior art in that the dynamic variable T representing the current time is not generated where the algorithm and the keys are stored and implemented.
• the prior art describes embodiments in which the generation of a clock signal is performed where the algorithm and the keys are stored.
• the present invention is based on the fact that a time-dependent variable is generated outside the microcircuit card by a personal computer or an "intelligent" card reader and transmitted to the microcircuit card to generate a password using a key stored in the microcircuit card.
• This arrangement is advantageous because, without any permanent power source being required in the card, it combines the advantages of the hardware and software security mechanisms available in a microcircuit card with those offered by dynamic passwords depending on the times that are more secure than static passwords.
• This arrangement is also advantageous because it makes it possible to use very widely used electronic devices such as personal computers, personal digital assistants, cell phones, etc., which are generally not secure, to supply, in combination with a card.
• microcircuit a highly secure authentication system delivering dynamic passwords as a function of time.

Landscapes

• Business, Economics & Management (AREA)
• Engineering & Computer Science (AREA)
• Accounting & Taxation (AREA)
• General Physics & Mathematics (AREA)
• Physics & Mathematics (AREA)
• General Business, Economics & Management (AREA)
• Strategic Management (AREA)
• Theoretical Computer Science (AREA)
• Finance (AREA)
• Computer Security & Cryptography (AREA)
• Computer Networks & Wireless Communication (AREA)
• Microelectronics & Electronic Packaging (AREA)
• Storage Device Security (AREA)
• Control Of Vending Devices And Auxiliary Devices For Vending Devices (AREA)
• Credit Cards Or The Like (AREA)
• Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Priority Applications (7)

Applications Claiming Priority (2)

Publications (1)

Family

ID=25478799

Family Applications (1)

Country Status (8)

Cited By (10)

Families Citing this family (163)

Citations (8)

Family Cites Families (4)

• 1997
  • 1997-10-02 US US08/942,904 patent/US5937068A/en not_active Expired - Lifetime
• 1998
  • 1998-10-01 JP JP52112999A patent/JP4221680B2/ja not_active Expired - Fee Related
  • 1998-10-01 ES ES98946544T patent/ES2241166T3/es not_active Expired - Lifetime
  • 1998-10-01 DE DE69829642T patent/DE69829642T2/de not_active Expired - Lifetime
  • 1998-10-01 EP EP98946544A patent/EP0941525B1/fr not_active Expired - Lifetime
  • 1998-10-01 CA CA002273859A patent/CA2273859A1/en not_active Abandoned
  • 1998-10-01 AT AT98946544T patent/ATE292832T1/de active
  • 1998-10-01 WO PCT/FR1998/002104 patent/WO1999018546A1/fr not_active Ceased

Patent Citations (8)

Also Published As

Similar Documents

Legal Events