WO2006132435A1 - Portable token device - Google Patents

Portable token device

Publication number
WO2006132435A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
holder
access
portable token
remote
Prior art date
Application number
PCT/JP2006/311974
Other languages
French (fr)
Inventor
Timothy James Wilson
Andrew Kay
Original Assignee
Sharp Kabushiki Kaisha
Classifications

    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00 Individual registration on entry or exit
    • G07C9/20 Individual registration on entry or exit involving the use of a pass
    • G07C9/22 Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder
    • G07C9/28 Individual registration on entry or exit involving the use of a pass, the pass enabling tracking or indicating presence

Definitions

  • the present invention relates to a portable token device for providing a device-holder associated with the token device with a convenient means of providing information relating to the device-holder to a remote system, with the information enabling a function of the remote system.
  • Radio-frequency identification (RFID) tags are in common use. An RFID tag is embedded in or affixed to an object, and is used to transmit certain information relating to that object to an interrogating reader. The information would typically identify the object, or type of object, to the reader. For example, in a retail application, an RFID tag could be attached to items of merchandise, with information relating to each item being stored in the attached RFID tag, which is then accessed at the point of sale for various purposes, for example to determine the price of the item and/or for stock control. RFID tags also find use in many other applications, for example security and tracking applications. US 6,505,780 ("Personalize vehicle settings using RF tags") describes a method for configuring a vehicle according to each driver's preferences. This involves identification of the driver by means of an RF tag. The privacy of the individual is not considered.
  • the existing literature describes the use of RFID tags within a closed framework, in which a pool of RFID tags is issued and maintained by a central authority. It is desirable to move away from such an architecture, and doing so in itself raises new technical and security-related issues which have not previously been considered.
  • a portable token device for providing a device-holder associated with the device with a convenient means of providing information relating to the device-holder to any one or more of a plurality of remote apparatuses to enable a function thereof, and the device including: an access control information storing section for concerning access rights of remote apparatuses to information transmitted from the device; an enabling section for enabling the device-holder to control management of the access control information; a communicating section for communicating with a remote apparatus using local area wireless transmission to establish sufficient information to determine the access rights of the apparatus from the access control information, and for communicating information to the remote apparatus using local area wireless transmission in accordance with the determined access rights; and a preventing section for preventing at least some such transmissions from the device that might be used to identify the device or the device-holder except where allowed by the determined access rights.
  • the preventing section may be operable to prevent any such transmissions from the device that might be used to identify the device or the device-holder, at least up to a predetermined level of identifying content, except where allowed by the determined access rights.
  • the preventing section may be operable to prevent any such transmissions from the device that might be used to identify the device or the device-holder except where allowed by the determined access rights .
  • the device may comprise an encrypting section for encrypting communications between the portable token device and the remote apparatus. At least some of the information communicated to the remote apparatus may be encrypted. A symmetric encryption key may be used for the encryption.
  • the information may be communicated to the remote apparatus only after the access rights have been determined.
  • the device may comprise an authenticating section for authenticating the remote apparatus.
  • the authenticating section may be operable to verify an identifier transmitted from the remote apparatus to the token device.
  • the identifier may include a cryptographic key.
  • the identifier may be certified by a trusted certificate authority, and the authenticating section may be operable to verify the authenticity of the received identifier with the certificate authority.
  • the device may comprise an authenticating section for authenticating the sufficient information.
  • the information may be communicated to the remote apparatus only after positive authentication has been completed.
  • the device may comprise a varying, clarifying or confirming section for varying, clarifying or confirming the determined access rights.
  • the varying, clarifying or confirming section may comprise a push-button.
  • the enabling section may comprise an interface allowing the device-holder to manage the access control information.
  • the interface may comprise a keypad.
  • the interface may comprise a display.
  • the interface may comprise a connecting section for connecting to an external terminal for use in managing the access control information.
  • the access control information may comprise a plurality of access rules, with each access rule specifying what information can be transmitted from the device and who is authorised to receive that information.
  • an access rule may be capable of specifying a level of authentication required to enable that access rule to be valid.
  • the access control rules may form a hierarchical structure according to the required level of authentication. At least one access rule may relate to the access rights to information that might be used to identify the device or the device-holder.
  • the device may comprise an authenticating section for authenticating the device-holder to the portable token device.
  • the device may comprise a disabling section for disabling at least part of the device.
  • the disabling section may be operable to disable the device upon receipt of a predetermined signal from a remote apparatus.
  • the device may comprise a mobile telephone.
  • the device may comprise a Personal Digital Assistant.
  • the device may comprise a smart card.
  • a radio frequency identification tag device comprising a device according to the first aspect of the present invention.
  • a system of portable token devices and remote apparatuses each device being one according to the first or second aspect of the present invention, and each remote apparatus comprising a communicating section for communicating with a portable token device using local area wireless transmission to provide sufficient information to enable the portable token device to determine the access rights of the apparatus, from the access control information stored on the portable token device, and for receiving the information communicated from the portable token device in accordance with the determined access rights.
  • At least one remote apparatus may comprise a main apparatus that performs the function, and a separate reader device for performing the wireless communication with the portable token device and for communicating the information to the main apparatus.
  • a physical connection may be provided for communication between the main apparatus and the separate reader device.
  • At least one remote apparatus may comprise a service provider, and the function comprises providing a service to the device-holder.
  • At least one remote apparatus may comprise a physical barrier for restricting the device-holder's access to a predetermined area, the function of the at least one remote apparatus being to allow the device-holder access to that area.
  • there is provided an operating program which, when loaded into an apparatus, causes the apparatus to become one according to the first or second aspect of the present invention.
  • the operating program may be carried on a carrier medium.
  • the carrier medium may be a transmission medium.
  • the carrier medium may be a storage medium.
  • FIG. 1 is a block diagram illustrating a portable token device and system embodying the present invention
  • Figure 2 is an illustrative diagram showing a token device embodying the present invention in use
  • FIG. 3 is a flow diagram showing the interaction between a token device embodying the present invention and a remote reader device;
  • FIG. 4 illustrates one possible implementation of a token device embodying the present invention
  • FIG. 5 illustrates another possible implementation of a token device embodying the present invention.
  • Figure 1 is a block diagram showing a system embodying the present invention comprising a portable token device 10 in wireless communication with a plurality of apparatuses 30-1 to 30-4.
  • the portable token device 10 comprises an information store 18, an information processor 20, a security portion 22 and a local area wireless communication portion 24.
  • the portable token device 10 also comprises an access control information store 12, an access control manager 14 and an access control interface 16.
  • the portable token device 10 is intended to provide a device-holder associated with the portable token device 10 with a convenient means of providing information relating to the device-holder to one or more of the remote apparatuses 30-1 to 30-4, with the information provided to an apparatus 30-1 to 30-4 enabling a function of that apparatus.
  • the apparatuses 30-1 to 30-4 comprise respective readers 32-1 to 32-4, and information received at the respective readers 32-1 to 32-4 is used within those apparatuses 30-1 to 30-4 to enable respective functions marked illustratively in Figure 1 as blocks labelled F1 to F4 respectively.
  • the function may be performed in the same physical device or structure in which the reader is housed, as illustrated for the apparatuses 30-1 and 30-4, or it may be performed at a separate device, organisation or institution, as illustrated by apparatuses 30-2 and 30-3 in Figure 1.
  • the apparatus 30-2 comprises a separate institution 34-2, for example a supermarket, which is in communication with the reader 32-2 and which performs the function F2, while the apparatus 30-3 comprises a separate device or apparatus 34-3 that performs the function F3 on the basis of information received from the reader 32-3.
  • the portable token device 10 is intended as a personal token in the sense that it can essentially be seen as representing information relating to the holder of the portable token device 10, with the representational information being conveniently transferred to a remote apparatus 30-1 to 30-4 so as to enable a particular function to be performed by that remote apparatus 30-1 to 30-4.
  • the information store 18 is used for storing such information to be transmitted to the remote apparatuses 30-1 to 30-4.
  • the information is transmitted to the readers 32-1 to 32-4 in the remote apparatuses 30-1 to 30-4 respectively by the local area wireless communication portion 24.
  • Any form of local area wireless transmission can be used for the wireless transmission between the local area wireless communication portion 24 and the respective readers 32- 1 to 32-4.
  • "Local area" is intended to mean a maximum range measured in tens of metres.
  • before passing to the local area wireless communication portion 24 from the information store 18, the information passes through the information processor 20 and the security portion 22.
  • the information stored in the information store 18 is not necessarily passed in unamended form for transmission by the local area wireless communication portion 24; some data or information might be manipulated by the information processor 20 before transmission. It is also possible that some information does not originate from the information store 18 but is instead generated by the information processor 20 itself, or some other part of the portable token device 10.
  • the security of the information held on the portable token device 10 is important. In particular, the privacy of the information, and accordingly also of the device-holder, is important. In view of this, an embodiment of the present invention is adapted to provide the device-holder with ultimate control over what information is revealed by the portable token device 10. These features are provided by the security portion 22, the access control information store 12, the access control manager 14, and the access control interface 16, which will now be described in more detail.
  • the default behaviour of a portable token device 10 embodying the present invention is not to reveal any identifying information to any reader 32-1 to 32-4.
  • identifying information includes any response, at any level on the protocol stack, that could help one system, or several cooperating systems, to identify the same device or its device-holder across multiple communication sessions, even probabilistically.
  • identifying information includes any information or partial information which might allow a remote party or parties to infer any property or distinguishing feature of the portable token device 10 or the device-holder. This would include, for example, any information which would enable such a party or parties to identify the same device again subsequently, even probabilistically, where a remote party or parties may successfully identify the same device at different times with better than random odds.
  • this behaviour of a portable token device 10 embodying the present invention is governed by the security portion 22, which prevents any transmission from the portable token device 10 that might be used to identify the device 10 or the device-holder, except in the circumstances set out below.
  • the security portion 22 ensures that any information it passes to the local area wireless communication portion 24 does not prejudice the privacy of the device 10 or the device-holder.
  • the security portion 22 illustrated in Figure 1 is intended to represent any parts of the portable token device 10, wherever they are located within the portable token device 10, that are specifically adapted to perform processing without producing or revealing any such identifying information.
  • although the default behaviour of the portable token device 10 is not to reveal any identifying information to any of the apparatuses 30-1 to 30-4, it must be able to reveal its identity or other information that may be required to enable certain functions of the remote apparatuses 30-1 to 30-4.
  • the access control information store 12 , access control manager 14 and access control interface 16 cooperate to provide the device-holder with the means to control management of what information can be revealed to whom.
  • the device-holder is able, by use of the access control interface 16, to add or select (and, subsequently, remove) those apparatuses 30-1 to 30-4 that he pre-approves to access information, including identifying information, from his portable token device 10.
  • the device-holder may choose to restrict or deny access to entire apparatuses 30-1 to 30-4, including readers 32-1 to 32-4 and any devices or institutions 34-2, 34-3 associated with the readers 32-2, 32-3, or just a particular reader 32-1 to 32-4, or just particular devices or institutions 34-2, 34-3.
  • the various remote apparatuses 30-1 to 30-4 and/or their constituents might be granted different levels of access rights to different types of information held on the portable token device 10.
  • the access rights may be specified on the basis of particular companies, individuals, organisations or groups of any of these, or of certain characteristics of the company, individual or organisation, or any other type of information, for example "UK supermarkets", "banks", "employees of company X", "residents of town Y", "shop Z", "individuals aged between 21 and 30", "all security gates in zone A of building B between the hours of 0900 hrs and 1700 hrs", "motorway toll stations in France", and so on.
  • sufficient information is provided by a remote apparatus 30-1 to 30-4 to enable the portable token device 10 to determine the access rule concerned and hence what information can and cannot be provided back to the remote apparatus 30-1 to 30-4.
  • such access control information is stored in the access control information store 12 and managed through the access control manager 14, with the access control interface 16 providing a physical interface between the access control manager 14 and the device-holder. Together, these parts 12, 14 and 16 enable the device-holder to control management of the access control information.
  • the type of access control interface 16 will depend on the particular use intended for the portable token device 10, and this will be discussed in more detail below with reference to Figures 4 and 5.
  • Figure 2 is an illustrative diagram showing use of a portable token device 10 embodying the present invention in two straightforward situations; a more detailed explanation of operation will be provided below with reference to Figure 3.
  • the device-holder 5 has used the access control interface 16 to store access control information in the access control information store 12 to indicate that the portable token device 10 is not to reveal any identifying information to any type of market research company (such as the institution 34-2 forming part of apparatus 30-2), but is permitted to reveal the device-holder's identity, stored in the information store 18, to the device-holder's car (apparatus 30-4).
  • the general approach of a portable token device 10 embodying the present invention is to prevent identifying information being revealed to any remote apparatus, or certain types of remote apparatus, or any unknown or untrusted remote apparatus, such that the only action required of the device-holder is to specifically grant access to chosen remote apparatuses, such as the device-holder's car (apparatus 30-4).
  • the portable token device 10 communicates with the apparatuses 30-4 and 30-2 in a non-identifying manner in order to establish sufficient information to determine the access rights of the apparatuses from the access control information in the access control information store 12.
  • the security portion 22, which is responsible for authenticating the remote apparatuses 30-4 and 30-2, communicates with the access control manager 14 to determine the access rights.
  • Figure 3 is a flow diagram showing in more detail the operations performed by the portable token device 10 and any one of the readers 32-1 to 32-4 in this particular embodiment.
  • Step S1 both the portable token device 10 and the reader 32-1 are in polling mode, polling to find a reader or a token device respectively with which to communicate (or the reader 32-1 alone could be in polling mode).
  • Step S2 the portable token device 10 communicates in a non-identifying manner with the reader 32-1, performing a suitable multiple access or anti-collision algorithm required to establish a channel over which the reader 32-1 (and/or any affiliated device, apparatus or institution) can be authenticated and the access rights established.
  • for this purpose the portable token device 10 uses only freshly-generated random data, so that nothing exchanged at this stage can be linked to an earlier or later session.
  • Step S3 the authentication process may involve verifying the identity of the reader 32-1 as follows: the reader 32-1 communicates to the portable token device 10 a digital certificate, comprising a public key KR associated with the reader 32-1 and optional additional components R associated with the reader 32-1, together with a cryptographic signature of said key and components issued by a certificate authority (CA) 1 trusted by the portable token device 10 (the signature being made by the CA using its private key KCA-1).
  • the additional components R could be names of the reader 32-1 and/or of the remote apparatuses and organisations with which the reader 32-1 is affiliated.
  • the identifier comprises those elements of R, together with the public key KR, that are used by the portable token device 10 to perform a check against the access list as represented by the access control information in the access control information store 12.
  • Step S4 the portable token device 10 verifies the authenticity of the signature sent in Step S3 using the certificate authority's public key, and also verifies that the identifier sent by the reader 32-1 is in the access list as represented by the access control information in the access control information store 12. If either condition is not met, communication with the reader 32-1 is terminated and the portable token device 10 returns to the powered-down or polling mode of Step S1. Otherwise, processing continues to Step S5.
  • Step S5 the portable token device 10 generates a suitably-sized random session key Ksession for use with an appropriate symmetric encryption algorithm and communicates said key to the reader 32-1 encrypted under the public key KR communicated in Step S3.
  • Step S6 the reader 32-1 decrypts the communication sent in Step S5. Provided no third party has interfered with any of the previous communications, the reader 32-1 is now in possession of the session key Ksession, known only to the reader 32-1 and the portable token device 10.
  • Step S7 a secure communication session is established, encrypted with the session key Ksession, to communicate information to the reader 32-1 in accordance with the access rights determined in Step S4. When this communication is complete, the secure communication session is closed.
  • in Step S4 the access rights of the reader 32-1 are indexed in the access control information store 12 by the identifier. This identifier could have been preloaded in the portable token device 10 prior to issuance, or could have been added to the access control information store 12 by the user through the access control interface 16, or could have been downloaded from some external source.
  • a public key infrastructure could be used, with trusted third parties managing the issuance of cryptographic certificates to readers 32-1 to 32-4 and/or apparatuses 30-1 to 30-4 and/or other trusted third parties and certificate authorities.
  • the portable token device 10 could provide a mechanism for copying credentials from one device to another, or to a backup medium.
  • when, and only when, a reader or apparatus from the "approved" list successfully authenticates itself to the portable token device 10 will the portable token device 10 grant access (directly or indirectly) to identifying and other information it contains.
  • this information might include: an identity code unique to the portable token device 10; an identity code unique to the portable token device 10 but also specific to that reader 32-1 to 32-4 or remote apparatus 30-1 to 30-4 (a form of "pseudonymity"), with the code either being stored on the portable token device 10 or being derived from the identity of the remote apparatus 30-1 to 30-4 each time it is required; the name of the device-holder; public cryptographic keys belonging to the device-holder; or other personal information concerning the device-holder.
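The Step S3 to S7 exchange described above, written out end to end as an added Go example (this is not code from the patent or from Sharp). It assumes concrete algorithms the text leaves open: ECDSA P-256 for the CA signature over (KR, R), RSA-OAEP for wrapping Ksession under KR, and AES-256-GCM for the Step S7 session; it treats the reader and affiliate names in R as the identifier checked against the access list, and the entries such as "car 30-4" and the identity "holder-0001" are constructed stand-ins.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Certificate is the reader's Step S3 credential: its public key KR, the extra
// components R (reader and affiliate names) and the CA signature over both.
type Certificate struct {
	ReaderPub *rsa.PublicKey
	Names     []string
	Sig       []byte
}

// certDigest binds KR and R under one hash so the CA signature covers both.
func certDigest(pub *rsa.PublicKey, names []string) []byte {
	h := sha256.New()
	h.Write(pub.N.Bytes())
	fmt.Fprintf(h, "|%d|%q", pub.E, names)
	return h.Sum(nil)
}

// Token models the parts of device 10 that this exchange touches.
type Token struct {
	CAPub    *ecdsa.PublicKey // the CA the token trusts
	Allow    map[string]bool  // access control information store 12: approved identifiers
	Identity string           // device-holder identity from information store 18
}

// Authorise is Step S4: a bad signature or an identifier that is not on the
// list both send the token back to Step S1 with nothing revealed.
func (t *Token) Authorise(c *Certificate) error {
	if !ecdsa.VerifyASN1(t.CAPub, certDigest(c.ReaderPub, c.Names), c.Sig) {
		return fmt.Errorf("S4: certificate signature invalid")
	}
	for _, n := range c.Names {
		if t.Allow[n] {
			return nil
		}
	}
	return fmt.Errorf("S4: identifier %q not in access list", c.Names)
}

// sessionAEAD is the Step S7 cipher, AES-256-GCM under Ksession; with a 32-byte
// key neither constructor can fail, so their errors are discarded.
func sessionAEAD(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// RunExchange plays Steps S3 to S7 between a freshly generated CA, reader and
// token and returns what the reader recovered; rogueCA signs the reader's
// certificate with a key the token does not trust. Key generation and
// crypto/rand.Read are not expected to fail, so their errors are dropped.
func RunExchange(accessList, readerNames []string, rogueCA bool) (string, error) {
	ca, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	signer := ca
	if rogueCA {
		signer, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	readerPriv, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Step S3: the CA signs (KR, R) with KCA-1; the reader presents the result.
	sig, _ := ecdsa.SignASN1(rand.Reader, signer, certDigest(&readerPriv.PublicKey, readerNames))
	cert := &Certificate{ReaderPub: &readerPriv.PublicKey, Names: readerNames, Sig: sig}
	tok := &Token{CAPub: &ca.PublicKey, Allow: map[string]bool{}, Identity: "holder-0001"}
	for _, id := range accessList {
		tok.Allow[id] = true
	}
	if err := tok.Authorise(cert); err != nil { // Step S4
		return "", err
	}
	// Step S5: fresh random Ksession, wrapped under KR so only the certified private key recovers it.
	key := make([]byte, 32)
	rand.Read(key)
	wrapped, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, cert.ReaderPub, key, nil)
	// Step S6: the reader unwraps Ksession with its private key.
	readerKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, readerPriv, wrapped, nil)
	if err != nil {
		return "", err
	}
	// Step S7: identifying information goes out only now, under Ksession; GCM rejects tampering.
	gcm := sessionAEAD(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	sealed := gcm.Seal(nonce, nonce, []byte(tok.Identity), nil)
	rg := sessionAEAD(readerKey)
	plain, err := rg.Open(nil, sealed[:rg.NonceSize()], sealed[rg.NonceSize():], nil)
	return string(plain), err
}

func main() {
	fmt.Println(RunExchange([]string{"car 30-4"}, []string{"reader 32-4", "car 30-4"}, false))
}
```

Two things worth checking against the text. Before Authorise succeeds the token has sent nothing that depends on its contents, which is the privacy property the default behaviour requires. And a party that replays a genuine reader's certificate passes Step S4 but cannot unwrap Ksession, so the Step S7 traffic stays closed to it; what this flow does not give the reader is any assurance about the token itself, which the text addresses separately by having the token authenticate to approved apparatuses.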
  • FIG 4 shows one possible implementation of a portable token device 10 embodying the present invention.
  • the portable token device 10 is provided with an access control interface 16 comprising a keypad and a display for use in managing the access control information in the access control information store 12.
  • the portable token device 10 may form part of a mobile telephone or personal digital assistant (PDA), or other such portable information device; the portable token device could share parts with the other functions provided by that device.
  • the portable token device 10 need not have any display or other physical input mechanism such as a keypad, and may be in the form of, and/ or the size of, a RFID tag.
  • a connection mechanism or other means of connection to a separate terminal device would be provided, whether wired or wireless.
  • the device-holder would administer the access control information through a (probably temporary) connection to the terminal device.
  • This would allow the portable token device to be built into a small form-factor such as a key fob, wristwatch, item of jewellery or implant. It may or may not contain a built-in power supply; if not, it could draw power remotely from the reader. If the administration
  • the device-holder could authenticate himself to the device in order to administer it, for example using a password, PIN, cryptographic key, smart card, biometric identification and so on.
  • the connection could be wired or wireless and might use proprietary or standard communication protocols (HTTP, WAP, etc.).
  • Figure 5 shows another possible implementation, having a simple push-button forming at least part of the access control interface 16.
  • the push-button could be used by the device-holder to indicate approval of an operation, whereby the push-button mechanism is linked to a category of "semi-approved" apparatuses that can access identifying information only with the conscious consent of the device-holder by pushing the push-button.
  • Some form of signal might be given by the device to alert the device-holder that such a reader or system wishes to access such information.
  • the same mechanism could be used for adding
  • the portable token device 10 could authenticate itself cryptographically to an approved apparatus. This would enable the portable token device 10 to be used for secure operations, such as physical or logical access control and
  • the portable token device 10 could be provided with a channel through which the device-holder may authenticate himself to the portable token device 10. Suitable mechanisms for authentication include passwords, PINs, cryptographic keys, smart cards, "parasitic" authenticators (see Ebringer et al., "Parasitic authentication to protect your e-wallet", IEEE Computer, 33(10): 54-60) and biometric identifiers.
  • this channel could be used when the remote apparatus 30-1 to 30-4 requires confidence that the portable token device 10 is not being used fraudulently and that the registered device-holder, or other authorised party, is actually present at the time of the transaction.
  • the communication may be directly between the device-holder and the portable token device 10, for example using a keyboard or sensor built into the portable token device 10, or may make use of an independent system, for example a personal computer.
  • the portable token device may have a mode of operation in which it is allowed to communicate its identity to remote apparatuses even pre- authentication.
  • the portable token device 10 can include a feature to enable it to be disabled remotely by the device-holder in case of loss or theft. Such a mechanism could make use of the infrastructure provided by the remote apparatuses 30-1 to 30-4, so that the portable token device 10 is disabled whenever it next comes into range of a suitable reader 32-1 to 32-4, or it may use an entirely separate channel (GSM, for example). An appropriate level of authentication would be required from the device-holder to the portable token device 10 before the operation would be allowed.
  • Figure 1 shows each apparatus 30-1 to 30-4 as comprising a single reader 32-1 to 32-4 associated with a single function-providing element (whether as part of the same physical device or in a separate apparatus 34-2, 34-3).
  • a single reader can, however, be associated with more than one organisation, apparatus, device or institution, and likewise an organisation, device, apparatus or institution could make use of more than one reader.
  • the device could support more complex access rules than simply a list which either allows or disallows access. For example, it could support hierarchical access rules such as " 1. Allow all readers belonging to system X; 2. Block reader Y belonging to system X" . Different stored information and modes of operation might have different access conditions, for example allowed apparatuses and required strength of authentication.
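An evaluator for the rule forms the page describes, as an added Go example that is not code from the patent: the group and time-window rules of the access rights passage ("UK supermarkets", "all security gates in zone A of building B between 0900 and 1700"), the per-rule level of authentication, the push-button "semi-approved" category, the hierarchy "1. Allow all readers belonging to system X; 2. Block reader Y belonging to system X", and the reader-specific identity code. It assumes three ordered authentication strengths, that a later matching rule overrides an earlier one, and that the pseudonym is derived by HMAC from a device secret; DemoRules and the requests in main are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Authentication strengths a rule can demand (assumed ordering, lowest first).
const (
	AuthNone      = 0 // nothing verifiable received from the reader
	AuthCertified = 1 // reader identifier verified against a CA-signed certificate (Step S4)
	AuthHolder    = 2 // the device-holder has also authenticated to the token
)

// Rule is one entry of the access control information store 12. An empty
// System or Reader matches any; a later rule is the more specific one and
// overrides earlier ones, giving "1. Allow all readers belonging to system X;
// 2. Block reader Y belonging to system X".
type Rule struct {
	System, Reader   string
	Allow            bool
	MinAuth          int      // authentication level required for the rule to be valid
	NeedsConsent     bool     // "semi-approved": the holder must press the button
	FromHour, ToHour int      // permitted window, hours 0..24; equal values mean any time
	Fields           []string // information the rule lets the token transmit
}

// Request is what the token has established about a reader by Step S4.
type Request struct {
	System, Reader string
	AuthLevel      int
	Hour           int
	ButtonPressed  bool
}

func (r Rule) matches(q Request) bool {
	if (r.System != "" && r.System != q.System) || (r.Reader != "" && r.Reader != q.Reader) {
		return false
	}
	return r.FromHour == r.ToHour || (q.Hour >= r.FromHour && q.Hour < r.ToHour)
}

// Decide returns, sorted, the fields the token may transmit. The default is
// nothing: only a matching Allow rule whose authentication and consent
// requirements are met opens anything, and a later matching Block rule closes
// it again. An Allow rule whose MinAuth is not reached is not valid at all, so
// it neither grants nor revokes.
func Decide(rules []Rule, q Request) []string {
	var granted []string
	for _, r := range rules {
		switch {
		case !r.matches(q):
		case !r.Allow:
			granted = nil
		case q.AuthLevel < r.MinAuth, r.NeedsConsent && !q.ButtonPressed:
		default:
			granted = append([]string(nil), r.Fields...)
		}
	}
	sort.Strings(granted)
	return granted
}

// Pseudonym is the reader-specific identity code of the text, derived from a
// device secret: stable for one system, unlinkable across systems.
func Pseudonym(secret []byte, system string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(system))
	return hex.EncodeToString(m.Sum(nil)[:16])
}

// DemoRules is a constructed store 12 covering the rule forms in the text.
var DemoRules = []Rule{
	{System: "X", Allow: true, MinAuth: AuthCertified, Fields: []string{"pseudonym"}},
	{System: "X", Reader: "Y", Allow: false},
	{System: "building B zone A gates", Allow: true, MinAuth: AuthCertified, FromHour: 9, ToHour: 17,
		Fields: []string{"identity", "employee number"}},
	{System: "UK supermarkets", Allow: true, MinAuth: AuthCertified, NeedsConsent: true,
		Fields: []string{"loyalty number"}},
	{System: "banks", Allow: true, MinAuth: AuthHolder, Fields: []string{"identity", "public key"}},
}

func main() {
	for _, q := range []Request{
		{System: "X", Reader: "Z", AuthLevel: AuthCertified},
		{System: "X", Reader: "Y", AuthLevel: AuthCertified},
		{System: "building B zone A gates", Reader: "gate 3", AuthLevel: AuthCertified, Hour: 18},
		{System: "UK supermarkets", Reader: "shop Z", AuthLevel: AuthCertified, ButtonPressed: true},
		{System: "banks", Reader: "branch 1", AuthLevel: AuthCertified},
	} {
		fmt.Printf("%-24s %-9s -> %v\n", q.System, q.Reader, Decide(DemoRules, q))
	}
	secret := []byte("constructed device secret")
	fmt.Println("pseudonym for X:", Pseudonym(secret, "X"), "for banks:", Pseudonym(secret, "banks"))
}
```

The order of the list is the hierarchy: the block for reader Y is effective only because it comes after the allow for system X. The bank rule shows the authentication-strength condition from the text, since a certified reader alone gets nothing until the holder has also authenticated to the token.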
  • a key advantage provided by an embodiment of the present invention over the existing technology is that the device-holder retains full control over who can discover or track his whereabouts and over who can gain access to the personal information stored on the device.
  • This is highly advantageous as it allows a move away from an issuer-centric paradigm, in which a single issuer controls all the readers and devices, towards an extensible, user-centric system that allows multiple, independent systems to access the portable token device 10 owned and/ or controlled by the device-holder.
  • the device-holder can be confident that his privacy will not be compromised, and service providers can be sure that they have the device-holder's consent for their activities.
  • the information provided by the portable token device 10 enables a function of some sort to be performed.
  • the function may be to allow physical or electronic access to the device-holder, or to accept payment from the user, or to store, manipulate, process or forward information provided by the device-holder, or to perform a configuration operation, and so on.
  • an embodiment of the present invention may provide other forms of protection against direct attack through hardware countermeasures, for example by using memory scrambling and other forms of protection against side channel attacks used for example in smart card applications.
  • the use of local area wireless communication as described above means that the portable token device 10 is required to be in relatively close proximity to the reader 32-1 to 32-4 with which it is communicating. This helps to prevent widespread dissemination of information and helps to preserve privacy. This requirement may also be used in a particular application to provide location-based or
  • any form of local area wireless protocol would be suitable for local area wireless transmission in an embodiment of the present invention, and various industry standards for local area wireless transmission would be readily available for use by the skilled person.
  • the protocols used in present or future RFID devices or contactless smart cards might be suitable, as might the IEEE 802.11 standard, the Bluetooth® protocol, or the NFCIP standards.
  • an embodiment of the present invention is intended to prevent transmissions from the device that might be used to identify the device or the device-holder, except where allowed by the determined access rights
  • certain known protocols might not be suitable because they intrinsically provide for the transmission of identifying information with many or every communication.
  • the IEEE 802.11b protocol specifies the sending of a fixed, unique MAC address with every communication.
  • the IEEE 802.11 standard could be used for such transmissions.
  • the operating program may be stored on a computer-readable medium, or could be embodied in a signal such as a downloadable data signal provided from an Internet website.
  • An embodiment of the present invention may therefore be enabled by an operating program, either supplied by itself, or as a record on a carrier, or as a signal, or in any other form.
  • a portable token device of the invention may be incorporated in a mobile telephone or personal digital assistant (PDA), or other such portable information device.

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)

Abstract

A portable token device (10) provides a device-holder associated with the device (10) with a convenient means of providing information relating to the device-holder to any one or more of a plurality of remote apparatuses (30-1 to 30-4). The information enables functions (F1 to F4) of the remote apparatuses (30-1 to 30-4). The device (10) comprises a portion (12) for storing access control information concerning access rights of remote apparatuses (30-1 to 30-4) to information transmitted from the device (12). The device (10) comprises a portion (14, 16) which enables the device-holder to control management of the access control information. The device (10) comprises a portion (22, 24) for communicating with a remote apparatus (30-1 to 30-4) using local area wireless transmission to establish sufficient information to determine the access rights of the apparatus (30-1 to 30-4) from the access control information, and for communicating information to the remote apparatus (30-1 to 30-4) using local area wireless transmission in accordance with the determined access rights.

Description

DESCRIPTION
PORTABLE TOKEN DEVICE
TECHNICAL FIELD
The present invention relates to a portable token device for providing a device-holder associated with the token device with a convenient means of providing information relating to the device-holder to a remote system, with the information enabling a function of the remote system.
BACKGROUND ART
Radio-frequency identification (RFID) tags are in common use today. In a typical RFID application, a low-cost RFID tag is embedded in or affixed to an object, and is used to transmit certain information relating to that object to an interrogating reader. The information would typically identify the object, or type of object, to the reader. For example, in a retail application, an RFID tag could be attached to items of merchandise, with information relating to each item being stored in an attached RFID tag which is then accessed at the point of sale for various purposes, for example to determine the price of the item and/or for stock control. RFID tags also find use in many other applications, for example security and tracking applications. US 6,505,780 ("Personalize vehicle settings using RF tags") describes a method for configuring a vehicle according to each driver's preferences. This involves identification of the driver by means of an RF tag. The privacy of the individual is not considered.
US 6,842,106 ("Challenged-based tag authentication model") proposes a mechanism for authenticating a reader to an RFID tag, or vice versa, for robustness against spoofing attacks; privacy is not considered.
The article "Privacy by Design - Principles of Privacy-Aware Ubiquitous Systems" (2001) - Langheinrich (available from http://citeseer.ist.psu.edu/491722.html) introduces principles for privacy design, including ideas about consent, randomized IDs and "pressing the OK button on my cell phone ... to authorize transfer". It does not propose any device for solving problems of consent and privacy.
The article "RFID Systems and Security and Privacy Implications" (2002) - Sarma et al (available from http://citeseer.ist.psu.edu/sarma02rfid.html) describes privacy problems with existing RFID tags, and various solutions are discussed.
The article "Ubiquitous Personalization: a Smart Card Based Approach" (2002) - Potonniee (available from http://citeseer.ist.psu.edu/693866.html) describes a system for storing a user's personal preferences together with an access rights management interface on a contact-mode smart card.
The article "RFID Privacy Using User-controllable Uniqueness" (2003) - Inoue, Yasuura (available from http://citeseer.ist.psu.edu/inoue03rfid.html) describes a system that allows the user some control over privacy by controlling the link between IDs and the objects they represent.
The article "Cryptographic Approach to Privacy-Friendly Tags" (2003) - Ohkubo et al (available from http://citeseer.ist.psu.edu/ohkubo03cryptographic.html) reviews various approaches for tackling user privacy concerns arising from RFID tags, and proposes a system that uses a hashing algorithm in conjunction with a back-end database system.
The article "The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy" (2003) - Juels et al (available from http://citeseer.ist.psu.edu/juels03blocker.html) proposes the use of "blocker tags" that are carried by individuals when they want to prevent readers accessing other RFID tags they are carrying. This mechanism blocks all readers from accessing the chosen tags, so does not allow the user to use the tags for any positive purposes, even with trusted systems, while the blocker is being used.
The article "Privacy and Security in Library RFID Issues, Practices, and Architectures" (2004) - Molnar, Wagner (available from http://citeseer.ist.psu.edu/698785.html) describes a protocol for protecting privacy in a simple, closed system in which one issuing authority controls all the readers and tags.
The existing literature describes the use of RFID tags within a closed framework, in which a pool of RFID tags is issued and maintained by a central authority. It is desirable to move away from such an architecture, and doing so in itself raises new technical and security-related issues which have not previously been considered.
DISCLOSURE OF INVENTION
According to a first aspect of the present invention there is provided a portable token device for providing a device-holder associated with the device with a convenient means of providing information relating to the device-holder to any one or more of a plurality of remote apparatuses to enable a function thereof, and the device including: an access control information storing section for storing access control information concerning access rights of remote apparatuses to information transmitted from the device; an enabling section for enabling the device-holder to control management of the access control information; a communicating section for communicating with a remote apparatus using local area wireless transmission to establish sufficient information to determine the access rights of the apparatus from the access control information, and for communicating information to the remote apparatus using local area wireless transmission in accordance with the determined access rights; and a preventing section for preventing at least some such transmissions from the device that might be used to identify the device or the device-holder except where allowed by the determined access rights. The preventing section may be operable to prevent any such transmissions from the device that might be used to identify the device or the device-holder, at least up to a predetermined level of identifying content, except where allowed by the determined access rights. The preventing section may be operable to prevent any such transmissions from the device that might be used to identify the device or the device-holder except where allowed by the determined access rights.
The device may comprise an encrypting section for encrypting communications between the portable token device and the remote apparatus. At least some of the information communicated to the remote apparatus may be encrypted. A symmetric encryption key may be used for the encryption.
The information may be communicated to the remote apparatus only after the access rights have been determined. The device may comprise an authenticating section for authenticating the remote apparatus. The authenticating section may be operable to verify an identifier transmitted from the remote apparatus to the token device. The identifier may include a cryptographic key. The identifier may be certified by a trusted certificate authority, and the authenticating section may be operable to verify the authenticity of the received identifier with the certificate authority. The device may comprise an authenticating section for authenticating the sufficient information.
The information may be communicated to the remote apparatus only after positive authentication has been completed. The device may comprise a varying, clarifying or confirming section for varying, clarifying or confirming the determined access rights. The varying, clarifying or confirming section may comprise a push-button.
The enabling section may comprise an interface allowing the device-holder to manage the access control information.
The interface may comprise a keypad. The interface may comprise a display. The interface may comprise a connecting section for connecting to an external terminal for use in managing the access control information. The access control information may comprise a plurality of access rules, with each access rule specifying what information can be transmitted from the device and who is authorised to receive that information. An access rule may be capable of specifying a level of authentication required to enable that access rule to be valid. The access control rules may form a hierarchical structure according to the required level of authentication. At least one access rule may relate to the access rights to information that might be used to identify the device or the device-holder. The device may comprise an authenticating section for authenticating the device-holder to the portable token device.
The device may comprise a disabling section for disabling at least part of the device. The disabling means may be operable to disable the device upon receipt of a predetermined signal from a remote apparatus.
The device may comprise a mobile telephone. The device may comprise a Personal Digital Assistant. The device may comprise a smart card.
According to a second aspect of the present invention there is provided a radio frequency identification tag device comprising a device according to the first aspect of the present invention.
According to a third aspect of the present invention there is provided a system of portable token devices and remote apparatuses, each device being one according to the first or second aspect of the present invention, and each remote apparatus comprising a communicating section for communicating with a portable token device using local area wireless transmission to provide sufficient information to enable the portable token device to determine the access rights of the apparatus, from the access control information stored on the portable token device, and for receiving the information communicated from the portable token device in accordance with the determined access rights. At least one remote apparatus may comprise a main apparatus that performs the function, and a separate reader device for performing the wireless communication with the portable token device and for communicating the information received from the portable token device to the main apparatus.
A physical connection may be provided for communication between the main apparatus and the separate reader device.
At least one remote apparatus may comprise a service provider, and the function comprises providing a service to the device-holder.
At least one remote apparatus may comprise a physical barrier for restricting the device-holder access to a predetermined area, the function of the at least one remote apparatus being to allow access to the device-holder in there is provided an operating program which, when loaded into an apparatus, causes the apparatus to become one according to the first or second aspect of the present invention. The operating program may be carried on a carrier medium. The carrier medium may be a transmission medium. The carrier medium may be a storage medium.
BRIEF DESCRIPTION OF DRAWINGS
Reference will now be made, by way of example, to the accompanying drawings, in which:
Figure 1 is a block diagram illustrating a portable token device and system embodying the present invention; Figure 2 is an illustrative diagram showing a token device embodying the present invention in use;
Figure 3 is a flow diagram showing the interaction between a token device embodying the present invention and a remote reader device;
Figure 4 illustrates one possible implementation of a token device embodying the present invention; and
Figure 5 illustrates another possible implementation of a token device embodying the present invention.
BEST MODE FOR CARRYING OUT THE INVENTION
Figure 1 is a block diagram showing a system embodying the present invention comprising a portable token device 10 in wireless communication with a plurality of apparatuses 30-1, 30-2, 30-3 and 30-4. The portable token device 10 comprises an information store 18, an information processor 20, a security portion 22 and a local area wireless communication portion 24. The portable token device 10 also comprises an access control information store 12, an access control manager 14 and an access control interface 16.
The portable token device 10 is intended to provide a device-holder associated with the portable token device 10 with a convenient means of providing information relating to the device-holder to one or more of the remote apparatuses 30-1 to 30-4. The information provided to a remote apparatus 30-1 to 30-4 enables a function of that apparatus 30-1 to 30-4.
The apparatuses 30-1 to 30-4 comprise respective readers 32-1 to 32-4, and information received at the respective readers 32-1 to 32-4 is used within those apparatuses 30-1 to 30-4 to enable respective functions marked illustratively in Figure 1 as blocks labelled F1 to F4 respectively. The function may be performed in the same physical device or structure in which the reader is housed, as illustrated for the apparatuses 30-1 and 30-4, or it may be performed at a separate device, organisation or institution, as illustrated by apparatuses 30-2 and 30-3 in Figure 1. In this respect, the apparatus 30-2 comprises a separate institution 34-2, for example a supermarket, which is in communication with the reader 32-2 and which performs the function F2, while the apparatus 30-3 comprises a separate device or apparatus 34-3 that performs the function F3 on the basis of information received from the reader 32-3.
The portable token device 10 is intended as a personal token in the sense that the portable token device can essentially be seen as representing information relating to the holder of the portable token device 10, with the representational information being conveniently transferred to a remote apparatus 30-1 to 30-4 so as to enable a particular function to be performed by that remote apparatus 30-1 to 30-4 on the basis of that information. The information store 18 is used for storing such information to be transmitted to the remote apparatuses 30-1 to 30-4.
The information is transmitted to the readers 32-1 to 32-4 in the remote apparatuses 30-1 to 30-4 respectively by the local area wireless communication portion 24. Any form of local area wireless transmission can be used for the wireless transmission between the local area wireless communication portion 24 and the respective readers 32-1 to 32-4. "Local area" is intended to mean a maximum range measured in tens of metres. Before passing to the local area wireless communication portion 24 from the information store 18, the information passes through the information processor 20 and the security portion 22. In this respect, the information stored in the information store 18 is not necessarily passed in unamended form for transmission by the local area wireless communication portion 24; some data or information might be manipulated by the information processor 20 before transmission. It is also possible that some information does not originate from the information store 18 but is instead generated by the information processor 20 itself, or some other part of the portable token device 10.
In an embodiment of the present invention, the security of information residing on or emanating from the portable token device 10 is important. In particular, the privacy of the information, and accordingly also of the device-holder, is important. In view of this, an embodiment of the present invention is adapted to provide the device-holder with ultimate control over what information is revealed by the portable token device 10. These features are provided by the security portion 22, the access control information store 12, the access control manager 14, and the access control interface 16, which will now be described in more detail.
The default behaviour of a portable token device 10 embodying the present invention is not to reveal any identifying information to any reader 32-1 to 32-4. Such identifying information includes any response, at any level on the protocol stack, that could help one system, or several cooperating systems, to identify the same device or its device-holder across multiple communication sessions, even probabilistically. Such identifying information includes any information or partial information which might allow a remote party or parties to infer any property or distinguishing feature of the portable token device 10 or the device-holder. This would include, for example, any information which would enable such a party or parties to identify the same device again subsequently, even probabilistically where a remote party or parties may successfully identify the same device at different times with better than random odds.
This behaviour of a portable token device 10 embodying the present invention is governed by the security portion 22, which prevents any transmission from the portable token device 10 that might be used to identify the device 10 or the device-holder, except in the circumstances set out below. The security portion 22 ensures that any information it passes to the local area wireless communication portion 24 does not prejudice the privacy of the device 10 or the device-holder. The security portion 22 illustrated in Figure 1 is intended to represent any parts of the portable token device 10, wherever they are located within the portable token device 10, that are specifically adapted to perform processing without producing or revealing any such identifying information.
Although the default behaviour of the portable token device 10 is not to reveal any identifying information to any of the apparatuses 30-1 to 30-4, it must be able to reveal its identity or other information that may be required to enable certain functions of the remote apparatuses 30-1 to 30-4. The access control information store 12, access control manager 14 and access control interface 16 cooperate to provide the device-holder with the means to control management of what information can be revealed to whom.
The device-holder is able, by use of the access control interface 16, to add or select (and, subsequently, remove) those apparatuses 30-1 to 30-4 that he pre-approves to access information, including identifying information, from his portable token device 10. The device-holder may choose to restrict or deny access to entire apparatuses 30-1 to 30-4, including readers 32-1 to 32-4 and any devices or institutions 34-2, 34-3 associated with the readers 32-2, 32-3, or just a particular reader 32-1 to 32-4, or just particular devices or institutions 34-2, 34-3, or any combination of these. The various remote apparatuses 30-1 to 30-4 and/or their constituents might be granted different levels of access rights to different types of information held on the portable token device 10. The access rights may be specified on the basis of particular companies, individuals, organisations or groups of any of these, or of certain characteristics of the company, individual or organisation; or any other type of information, for example "UK supermarkets", "banks", "employees of company X", "residents of town Y", "shop Z", "individuals aged between 21 and 30", "all security gates in zone A of building B between the hours of 0900 hrs and 1700 hrs", "motorway toll stations in France", and so on. Sufficient information is provided by a remote apparatus 30-1 to 30-4 to enable the portable token device 10 to determine the access rule concerned and hence what information can and cannot be provided back to the remote apparatus 30-1 to 30-4 (and hence to any organisation or individual associated with and able to receive that information from the remote apparatus 30-1 to 30-4).
Such access control information is stored in the access control information store 12 and managed through the access control manager 14, with the access control interface 16 providing a physical interface between the access control manager 14 and the device-holder. Together, these parts 12, 14 and 16 enable the device-holder to control management of the access control information. The type of access control interface 16 will depend on the particular use intended for the portable token device 10, and this will be discussed in more detail below with reference to Figures 4 and 5.
Figure 2 is an illustrative diagram showing use of a portable token device 10 embodying the present invention in two straightforward situations; a more detailed explanation of operation will be provided below with reference to Figure 3.
In the example shown in Figure 2, the device-holder 5 has used the access control interface 16 to store access control information in the access control information store 12 to indicate that the portable token device 10 is not to reveal any identifying information to any type of market research company (such as the institution 34-2 forming part of apparatus 30-2), but is permitted to reveal the device-holder's identity, stored in the information store 18, to the device-holder's car (apparatus 30-4). It is preferable that the default behaviour of a portable token device 10 embodying the present invention is to prevent identifying information being revealed to any remote apparatus, or certain types of remote apparatus, or any unknown or untrusted remote apparatus, such that the only action required of the device holder is to specifically grant access to chosen remote apparatuses, such as the device-holder's car (apparatus 30-4).
The portable token device 10 communicates with the apparatuses 30-4 and 30-2 in a non-identifying manner in order to establish sufficient information to determine the access rights of the apparatuses from the access control information in the access control information store 12. The security portion 22, which is responsible for authenticating the remote apparatuses 30-4 and 30-2, communicates with the access control manager 14 to determine the access rights.
In the example shown in Figure 2, once it is determined that the market research company 34-2, forming part of apparatus 30-2, is not entitled to any identifying information from the information store 18, further communication between the market research company 34-2 and the portable token device 10 is refused.
On the other hand, once it is determined that the device-holder's car 30-4 is entitled to certain identifying information from the information store 18, for example in order to determine the device-holder's driving preferences so as to enable a function of the car 30-4 to be configured, further communication is allowed and the portable token device 10 is able to reveal the device-holder's name to the car 30-4.
Figure 3 is a flow diagram showing in more detail the operations performed by the portable token device 10 and any one of the readers 32-1 to 32-4 in this particular embodiment.
For the purpose of this illustration, it will be assumed that the portable token device 10 is communicating with the reader 32-1. In Step S1, both the portable token device 10 and the reader 32-1 are in polling mode, polling to find a reader or a token device respectively with which to communicate (or the reader 32-1 alone could be in polling mode). Once found, in Step S2 the portable token device 10 communicates in a non-identifying manner with the reader 32-1, performing a suitable multiple access or anti-collision algorithm required to establish a channel over which the reader 32-1 (and/or any affiliated device, apparatus or institution) can be authenticated and the access rights established. To prevent any identifying information from being revealed, the portable token device 10 uses only freshly-generated random data.
The authentication process may involve verifying the authenticity of any or all information used to determine the access rights. For example, if an access rule is being used on the basis of certain information provided by the remote apparatus 30-1 to 30-4, then the genuineness of that information should preferably be verified.
In Step S3, the reader 32-1 communicates to the portable token device 10 a digital certificate, comprising a public key KR associated with the reader 32-1 and optional additional components R associated with the reader 32-1, together with a cryptographic signature of said key and components issued by a certificate authority (CA) trusted by the portable token device 10 (the signature being made by the CA using private key KCA-1). The additional components R could be names of the reader 32-1 and/or of remote apparatuses and organisations with which the reader 32-1 is affiliated. The identifier comprises those elements of R together with the public key KR that are used by the portable token device 10 to perform a check against the access list as represented by the access control information in the access control information store 12.
In Step S4, the portable token device 10 verifies the authenticity of the signature sent in Step S3 using the certificate authority's public key and also verifies that the identifier sent by reader 32-1 is in the access list as represented by the access control information in the access control information store 12. If either condition is not met, then communication with the reader 32-1 is terminated and the portable token device 10 is returned to the powered down or polling mode in Step S1. Else, processing continues to Step S5.
In Step S5, the portable token device 10 generates a suitably-sized random session key Ksession for use with an appropriate symmetric encryption algorithm and communicates said key to the reader 32-1 encrypted under the public key KR communicated in Step S3.
In Step S6, the reader 32-1 decrypts the communication sent in Step S5. Provided no third party has interfered with any of the previous communications, the reader 32-1 is now in possession of the session key Ksession, known only to the reader 32-1 and the portable token device 10.
If it is determined in Step S4 that the reader 32-1 is entitled access to certain information from the information store 18 or generated by the information processor 20, in Step S7 a secure communication session is established, encrypted with the session key Ksession, to communicate information to the reader 32-1 in accordance with the access rights determined in Step S4. When this communication is complete, the secure communication session is closed.
In the method described above with reference to Figure 3, in Step S4 the access rights of the reader 32-1 are indexed in the access control information store 12 by the identifier of the reader 32-1. This identifier could have been preloaded in the portable token device 10 prior to issuance, or could have been added to the access control information store 12 by the user through access control interface 16, or could have been downloaded from some external source. If identifiers and/or cryptographic keys are to be loaded post-issuance, a public key infrastructure could be used, with trusted third parties managing the issuance of cryptographic certificates to readers 32-1 to 32-4 and/or apparatuses 30-1 to 30-4 and/or other trusted third parties and certificate authorities. The portable token device 10 could provide a mechanism for copying credentials from one device to another, or to a backup medium.
When, and only when, a reader or apparatus from the "approved" list successfully authenticates itself to the portable token device 10, will the portable token device 10 grant access (directly or indirectly) to identifying and other information it contains. This information might include: an identity code unique to the portable token device 10; an identity code unique to the portable token device 10 but also specific to that reader 32-1 to 32-4 or remote apparatus 30-1 to 30-4 (a form of "pseudonymity"), with the code either being stored on the portable token device 10 or being derived from the remote apparatus 30-1 to 30-4 each time it is required; the name of the device-holder; public cryptographic keys belonging to the device-holder; or other personal information concerning the device-holder.
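The token-side decision of Steps S4 to S7, together with the reader-specific pseudonym just described, as an added Python example that is not part of the patent. It assumes constructed identifiers, access rules and stored items; an HMAC under a constructed CA key stands in for the CA's public-key signature over (KR, R), and the session key is generated but its encryption under KR (Step S5) is left to a public-key library.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

APPROVED = "approved"            # released automatically, like the car 30-4 in Figure 2
SEMI_APPROVED = "semi-approved"  # released only with the push-button consent of Figure 5


@dataclass(frozen=True)
class AccessRule:
    """One entry of the access control information store 12: who may receive what."""
    who: str              # identifier carried in the reader's certificate (assumed: a name string)
    items: frozenset      # names of the information items this rule lets out
    level: str = APPROVED


def issue_certificate(ca_key: bytes, identifier: str, public_key: bytes) -> dict:
    """Constructed CA: binds a reader's public key K_R and components R (here a single
    name) under a signature.  HMAC-SHA256 stands in for the real public-key signature."""
    signed = public_key + b"|" + identifier.encode()
    return {"public_key": public_key, "identifier": identifier,
            "signature": hmac.new(ca_key, signed, hashlib.sha256).digest()}


@dataclass
class PortableToken:
    ca_key: bytes                  # stand-in for the trusted CA's verification key
    device_secret: bytes           # constructed secret from which per-reader pseudonyms derive
    store: dict                    # information store 18: item name -> value
    rules: list = field(default_factory=list)   # access control information store 12

    def verify_certificate(self, cert: dict) -> bool:
        """Step S4, first condition: the CA signature over (K_R, R) must verify."""
        signed = cert["public_key"] + b"|" + cert["identifier"].encode()
        expected = hmac.new(self.ca_key, signed, hashlib.sha256).digest()
        return hmac.compare_digest(expected, cert["signature"])

    def find_rule(self, identifier: str):
        """Step S4, second condition: the identifier must appear in the access list."""
        for rule in self.rules:
            if rule.who == identifier:
                return rule
        return None                # default behaviour: nothing is revealed

    def pseudonym_for(self, identifier: str) -> str:
        """Identity code unique to the device but specific to one reader, derived on
        demand so that two readers cannot link their codes to the same device."""
        mac = hmac.new(self.device_secret, identifier.encode(), hashlib.sha256)
        return mac.hexdigest()[:16]

    def respond(self, cert: dict, button_pressed: bool = False):
        """Steps S4 to S7 from the token's side.  Returns ("refused", None, None) when
        the token drops back to polling mode, otherwise ("session", key, payload)
        where payload holds only the items the matched rule permits."""
        if not self.verify_certificate(cert):
            return ("refused", None, None)
        rule = self.find_rule(cert["identifier"])
        if rule is None:
            return ("refused", None, None)
        if rule.level == SEMI_APPROVED and not button_pressed:
            return ("refused", None, None)    # conscious consent not given
        # Step S5: fresh session key; encrypting it under K_R is left to the caller.
        session_key = secrets.token_bytes(16)
        payload = {}
        for item in rule.items:
            if item == "pseudonym":
                payload[item] = self.pseudonym_for(cert["identifier"])
            elif item in self.store:
                payload[item] = self.store[item]
        return ("session", session_key, payload)


def demo():
    """Constructed scenario of Figure 2: the car is approved, the market research
    company is absent from the list, and shop Z needs the push-button."""
    ca_key = b"constructed-ca-key"
    token = PortableToken(
        ca_key=ca_key, device_secret=b"constructed-device-secret",
        store={"name": "A. Holder", "driving_prefs": "seat=3;mirror=2"},
        rules=[AccessRule("car-30-4", frozenset({"name", "driving_prefs"})),
               AccessRule("shop-Z", frozenset({"pseudonym"}), SEMI_APPROVED)])
    car = issue_certificate(ca_key, "car-30-4", b"K_R-car")
    research = issue_certificate(ca_key, "market-research-34-2", b"K_R-mr")
    shop = issue_certificate(ca_key, "shop-Z", b"K_R-shop")
    forged = dict(car, signature=b"\x00" * 32)   # signature not from the trusted CA
    return {
        "car": token.respond(car),
        "research": token.respond(research),
        "shop_no_button": token.respond(shop),
        "shop_button": token.respond(shop, button_pressed=True),
        "forged": token.respond(forged),
        "shop_pseudonym": token.pseudonym_for("shop-Z"),
        "car_pseudonym": token.pseudonym_for("car-30-4"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```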
Figure 4 shows one possible implementation of a portable token device 10 embodying the present invention. In Figure 4, the portable token device 10 is provided with an access control interface 16 comprising a keypad and a display for use in managing the access control information in the access control information store 12. The portable token device 10 may form part of a mobile telephone or personal digital assistant (PDA), or other such portable information device; the portable token device could share parts with the other functions provided by that device.
However, the portable token device 10 need not have any display or other physical input mechanism such as a keypad, and may be in the form of, and/or the size of, an RFID tag. A connection mechanism or other means of connection to a separate terminal device would be provided, whether wired or wireless. The device-holder would administer the access control information through a (probably temporary) connection to the terminal device. This would allow the portable token device to be built into a small form-factor such as a key fob, wristwatch, item of jewellery or implant. It may or may not contain a built-in power supply; if not, it could draw power remotely from the reader. If the administration terminal is in an insecure environment, the device-holder could authenticate himself to the device in order to administer it, for example using a password, PIN, cryptographic key, smart card, biometric identification and so on. The connection could be wired or wireless and might use proprietary or standard communication protocols (HTTP, WAP, etc).
Another possible implementation is shown in Figure 5, having a simple push-button forming at least part of the access control interface 16. In one example, the push-button could be used by the device-holder to indicate approval of an operation, whereby the push-button mechanism is linked to a category of "semi-approved" apparatuses that can access identifying information only with the conscious consent of the device-holder by pushing the push-button. Some form of signal (audio, visual, or even touch) might be given by the device to alert the device-holder that such a reader or system wishes to access such information. The same mechanism could be used for adding apparatuses to the more permanent "approved" status in the access control information. The portable token device 10 could authenticate itself cryptographically to an approved apparatus. This would enable the portable token device 10 to be used for secure operations, such as physical or logical access control and financial transactions.
The portable token device 10 could be provided with a channel through which the device-holder may authenticate himself to the portable token device 10. Suitable mechanisms for authentication include passwords, PINs, cryptographic keys, smart cards, "parasitic" authenticators (see Ebringer et al, "Parasitic authentication to protect your e-wallet", IEEE Computer, 33(10): 54-60) and biometric identifiers. This channel could be used when the remote apparatus 30-1 to 30-4 requires confidence that the portable token device 10 is not being used fraudulently and that the registered device-holder, or other authorised party, is actually present at the time of the transaction. The communication may be directly between the device-holder and the portable token device 10, for example using a keyboard or sensor built into the portable token device 10, or may make use of an independent system, for example a personal computer.
Although the default behaviour is described above as being not to reveal any identifying information to any remote apparatus, this behaviour is not fixed, and may be moderated or disabled. For example, the portable token device may have a mode of operation in which it is allowed to communicate its identity to remote apparatuses even pre-authentication.
The portable token device 10 can include a feature to enable it to be disabled remotely by the device-holder in case of loss or theft. Such a mechanism could make use of the infrastructure provided by the remote apparatuses 30-1 to 30-4, so that the portable token device 10 is disabled whenever it next comes into range of a suitable reader 32-1 to 32-4, or it may use an entirely separate channel (GSM, for example). An appropriate level of authentication would be required from the device-holder to the portable token device 10 before the operation would be allowed.
Although Figure 1 shows each apparatus 30-1 to 30-4 as comprising a single reader 32-1 to 32-4 associated with a single function-providing element (whether as part of the same physical device or in a separate apparatus 34-2, 34-3), it will be appreciated that a single reader can be associated with more than one organisation, apparatus, device or institution, and likewise an organisation, device, apparatus or institution could make use of more than one reader.
It will be appreciated that the device could support more complex access rules than simply a list which either allows or disallows access. For example, it could support hierarchical access rules such as "1. Allow all readers belonging to system X; 2. Block reader Y belonging to system X". Different stored information and modes of operation might have different access conditions, for example allowed apparatuses and required strength of authentication.
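As an added illustration (not code from the patent or its applicant), the following Python sketch models the access control store of this paragraph together with the reader-specific pseudonym and the "semi-approved" consent category described earlier: a rule naming a specific reader overrides a system-wide rule, a rule can require a minimum authentication strength, consent-gated readers get nothing until the push-button is pressed, and nothing identifying is returned before the reader has authenticated. The HMAC-based pseudonym derivation, the rule and field names, and all sample data are assumptions introduced for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Rule outcomes (assumed names): "approved" readers are allowed, "semi-approved"
# readers need the holder's push-button consent, everything else is blocked.
ALLOW, CONSENT, BLOCK = "allow", "consent", "block"


@dataclass(frozen=True)
class Rule:
    system: str              # organisation or system the reader belongs to, e.g. "X"
    reader: Optional[str]    # a specific reader id, or None for "all readers of system"
    action: str              # ALLOW, CONSENT or BLOCK
    fields: frozenset        # stored items the rule releases, e.g. {"pseudonym", "name"}
    min_auth: int = 1        # required authentication strength (1 = reader authenticated)


class TokenDevice:
    def __init__(self, secret: bytes, holder: dict):
        self._secret = secret    # device-only secret for deriving per-reader pseudonyms
        self._holder = holder    # holder's personal information (constructed sample)
        self._rules = []         # the access control information store (list of Rule)

    def add_rule(self, rule: Rule) -> None:
        self._rules.append(rule)

    def decide(self, system: str, reader: str, auth_level: int):
        # Hierarchical matching: a rule naming the reader beats a system-wide rule,
        # so "allow all of system X" plus "block reader Y of X" blocks only Y.
        best = None
        for r in self._rules:
            if r.system != system or (r.reader is not None and r.reader != reader):
                continue
            if best is None or (r.reader is not None and best.reader is None):
                best = r
        # Default deny: no matching rule, or authentication weaker than required.
        if best is None or auth_level < best.min_auth:
            return BLOCK, frozenset()
        return best.action, best.fields

    def pseudonym(self, system: str, reader: str) -> str:
        # Identity code derived each time it is needed and specific to this reader;
        # an HMAC keyed by the device secret keeps codes unlinkable across readers.
        # This construction is an assumption, not the patent's stated method.
        tag = hmac.new(self._secret, f"{system}/{reader}".encode(), hashlib.sha256)
        return tag.hexdigest()[:16]

    def respond(self, system, reader, authenticated, auth_level=1, consent=False):
        # Nothing that could identify the device or holder is released before
        # the reader has authenticated itself to the device.
        if not authenticated:
            return None
        action, fields = self.decide(system, reader, auth_level)
        if action == BLOCK or (action == CONSENT and not consent):
            return None
        out = {}
        if "pseudonym" in fields:
            out["pseudonym"] = self.pseudonym(system, reader)
        for name in fields - {"pseudonym"}:
            out[name] = self._holder[name]
        return out


def demo_device() -> TokenDevice:
    # Constructed sample: secret, holder data and a small hierarchical rule set.
    dev = TokenDevice(b"constructed-device-secret", {"name": "A. Holder"})
    dev.add_rule(Rule("X", None, ALLOW, frozenset({"pseudonym"})))
    dev.add_rule(Rule("X", "Y", BLOCK, frozenset()))
    dev.add_rule(Rule("Bank", "B1", ALLOW, frozenset({"pseudonym", "name"}), min_auth=2))
    dev.add_rule(Rule("Shop", None, CONSENT, frozenset({"pseudonym"})))
    return dev
```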
A key advantage provided by an embodiment of the present invention over the existing technology is that the device-holder retains full control over who can discover or track his whereabouts and over who can gain access to the personal information stored on the device. This is highly advantageous as it allows a move away from an issuer-centric paradigm, in which a single issuer controls all the readers and devices, towards an extensible, user-centric system that allows multiple, independent systems to access the portable token device 10 owned and/or controlled by the device-holder.
The device-holder can be confident that his privacy will not be compromised, and service providers can be sure that they have the device-holder's consent for their activities.
Possible applications of an embodiment of the present invention include, but are not limited to:
* physical access control (security, tickets, etc.);
* computer log-in;
* personalization of shared systems and terminals;
* home automation;
* driver preferences in vehicles;
* toll-booths;
* shop loyalty schemes;
* targeted advertising;
* billing and payment;
* e-government (voting, passports, driving licences, welfare benefits, etc.);
* medical records;
* tracking of individuals (children by their parents, for example);
* storing emergency contact information.
In each case, the information provided by the portable token device 10 enables a function of some sort to be performed. The function may be to allow physical or electronic access to the device-holder, or to accept payment from the user, or to store, manipulate, process or forward information provided by the device-holder, or to perform a configuration operation, and so on. In addition to the security measures described above, an embodiment of the present invention may provide other forms of protection against direct attack through hardware countermeasures, for example by using memory scrambling and other forms of protection against side channel attacks used for example in smart card applications.
The use of local area wireless communication as described above means that the portable token device 10 is required to be in relatively close proximity to the reader 32-1 to 32-4 with which it is communicating. This helps to prevent widespread dissemination of information and helps to preserve privacy. This requirement may also be used in a particular application to provide location-based or presence-based services to the device-holder, and may be used as a form of authentication to the remote apparatus 30-1 to 30-4 that the portable token device 10 (and the device-holder or authorised representative, should there be an additional device-holder to device authentication step) is physically present near the reader 32-1 to 32-4.
Any form of local area wireless protocol would be suitable for local area wireless transmission in an embodiment of the present invention, and various industry standards for local area wireless transmission would be readily available for use by the skilled person. For example, depending on the intended use, the protocols used in present or future RFID devices or contactless smart cards might be suitable, as might the IEEE 802.11 standard, the Bluetooth® protocol, or the NFCIP standards. However, where an embodiment of the present invention is intended to prevent transmissions from the device that might be used to identify the device or the device-holder, except where allowed by the determined access rights, certain known protocols might not be suitable because they intrinsically provide for the transmission of identifying information with many or every communication. For example, the IEEE 802.11b protocol specifies the sending of a fixed, unique MAC address with every communication. In other situations where privacy is less of a concern or a lower level of privacy is required, the IEEE 802.11 standard could be used for such transmissions.
The functions performed by the various elements of an embodiment of the present invention described above may be enabled at least in part by a central processing device under control of an operating program. The operating program may be stored on a computer-readable medium, or could be embodied in a signal such as a downloadable data signal provided from an Internet website. An embodiment of the present invention may therefore be enabled by an operating program, either supplied by itself, or as a record on a carrier, or as a signal, or in any other form.
INDUSTRIAL APPLICABILITY
A portable token device of the invention may be incorporated in a mobile telephone or personal digital assistant (PDA), or other such portable information device.

Claims

1. A portable token device for providing a device-holder associated with the device with a convenient means of providing information relating to the device-holder to any one or more of a plurality of remote apparatuses to enable a function thereof, and the device comprising:
means for storing access control information concerning access rights of remote apparatuses to information transmitted from the device;
means for enabling the device-holder to control management of the access control information;
means for communicating with a remote apparatus using local area wireless transmission to establish sufficient information to determine the access rights of the apparatus from the access control information, and for communicating information to the remote apparatus using local area wireless transmission in accordance with the determined access rights; and
means for preventing at least some such transmissions from the device that might be used to identify the device or the device-holder except where allowed by the determined access rights.
2. A device as claimed in claim 1, wherein the preventing means are operable to prevent any such transmissions from the device that might be used to identify the device or the device-holder, at least up to a predetermined level of identifying content, except where allowed by the determined access rights.
3. A device as claimed in claim 1 or 2, wherein the preventing means are operable to prevent any such transmissions from the device that might be used to identify the device or the device-holder except where allowed by the determined access rights.
4. A device as claimed in claim 1 or 2, comprising means for encrypting communications between the portable token device and the remote apparatus.
5. A device as claimed in claim 4, wherein at least some of the information communicated to the remote apparatus is encrypted.
6. A device as claimed in claim 4, wherein a symmetric encryption key is used for the encryption.
7. A device as claimed in claim 1 or 2, wherein the information is communicated to the remote apparatus only after the access rights have been determined.
8. A device as claimed in claim 1 or 2, comprising means for authenticating the remote apparatus.
9. A device as claimed in claim 8, wherein the authenticating means are operable to verify an identifier transmitted from the remote apparatus to the token device.
10. A device as claimed in claim 9, wherein the identifier includes a cryptographic key.
11. A device as claimed in claim 9, wherein the identifier is certified by a trusted certificate authority, and the authenticating means are operable to verify the authenticity of the received identifier with the certificate authority.
12. A device as claimed in claim 1 or 2, comprising means for authenticating the sufficient information.
13. A device as claimed in claim 8, wherein the information is communicated to the remote apparatus only after positive authentication has been completed.
14. A device as claimed in claim 1 or 2, comprising means for varying, clarifying or confirming the determined access rights.
15. A device as claimed in claim 14, wherein the varying, clarifying or confirming means comprise a push-button.
16. A device as claimed in claim 1 or 2, wherein the enabling means comprise an interface allowing the device-holder to manage the access control information.
17. A device as claimed in claim 16, wherein the interface comprises a keypad.
18. A device as claimed in claim 16, wherein the interface comprises a display.
19. A device as claimed in claim 16, wherein the interface comprises means for connecting to an external terminal for use in managing the access control information.
20. A device as claimed in claim 1 or 2, wherein the access control information comprises a plurality of access rules, with each access rule specifying what information can be transmitted from the device and who is authorised to receive that information.
21. A device as claimed in claim 20, wherein an access rule is capable of specifying a level of authentication required to enable that access rule to be valid.
22. A device as claimed in claim 21, wherein the access control rules can form a hierarchical structure according to the required level of authentication.
23. A device as claimed in claim 20, wherein at least one access rule relates to the access rights to information that might be used to identify the device or the device-holder.
24. A device as claimed in claim 1 or 2, comprising means for authenticating the device-holder to the portable token device.
25. A device as claimed in claim 1 or 2, comprising means for disabling at least part of the device.
26. A device as claimed in claim 25, wherein the disabling means are operable to disable the device upon receipt of a predetermined signal from a remote apparatus.
27. A device as claimed in claim 1 or 2, comprising a mobile telephone.
28. A device as claimed in claim 1 or 2, comprising a Personal Digital Assistant.
29. A radio frequency identification tag device comprising a device as claimed in claim 1 or 2.
30. A system of portable token devices and remote apparatuses, each device being one as claimed in claim 1 or 2, and each remote apparatus comprising means for communicating with a portable token device using local area wireless transmission to provide sufficient information to enable the portable token device to determine the access rights of the apparatus from the access control information stored on the portable token device, and for receiving the information communicated from the portable token device in accordance with the determined access rights.
31. A system as claimed in claim 30, wherein at least one remote apparatus comprises a main apparatus that performs the function, and a separate reader device for performing the wireless communication with the portable token device and for communicating the information received from the portable token device to the main apparatus.
32. A system as claimed in claim 31, wherein a physical connection is provided for communication between the main apparatus and the separate reader device.
33. A system as claimed in claim 30, wherein at least one remote apparatus comprises a service provider, and the function comprises providing a service to the device-holder.
34. A system as claimed in claim 30, wherein at least one remote apparatus comprises a physical barrier for restricting the device-holder access to a predetermined area, the function of the at least one remote apparatus being to allow access to the device-holder in dependence on the information communicated from the device-holder's portable token device.
35. An operating program which, when loaded into an apparatus, causes the apparatus to become one as claimed in claim 1 or 2.
36. An operating program as claimed in claim 35, carried on a carrier medium.
37. An operating program as claimed in claim 36, wherein the carrier medium is a transmission medium.
38. An operating program as claimed in claim 36, wherein the carrier medium is a storage medium.
PCT/JP2006/311974 2005-06-10 2006-06-08 Portable token device WO2006132435A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB0511742.9 2005-06-10
GB0511742A GB2427055A (en) 2005-06-10 2005-06-10 Portable token device with privacy control

Publications (1)

Publication Number Publication Date
WO2006132435A1 true WO2006132435A1 (en) 2006-12-14