WO2016066253A1 - Method for contactlessly performing a transaction - Google Patents

Method for contactlessly performing a transaction

Info

Publication number
WO2016066253A1
Authority
WO
WIPO (PCT)
Prior art keywords
eap
transaction
terminal
sim
security element
Prior art date
Application number
PCT/EP2015/002096
Other languages
German (de)
English (en)
Inventor
Ullrich Martini
Frank Schäfer
Original Assignee
Giesecke & Devrient Gmbh
Priority date
Filing date
Publication date
Application filed by Giesecke & Devrient Gmbh
Publication of WO2016066253A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322 Aspects of commerce using mobile devices [M-devices]
    • G06Q20/3229 Use of the SIM of a M-device as secure element
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/327 Short range or proximity payments by means of M-devices
    • G06Q20/3278 RFID or NFC payments by means of M-devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/80 Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication

Definitions

  • the present invention relates to a method for contactlessly performing a transaction between a mobile terminal and a terminal.
  • a payment transaction can be carried out, or a transaction which grants a user of the mobile terminal access, for example, to a building or a room in a building.
  • tickets or the like can be purchased by means of such transactions.
  • the non-contact implementation of a transaction is understood to be the implementation of the transaction via a radio interface, for example NFC ("Near Field Communication"), via a radio network, for example a WLAN, or via a telecommunications network.
  • NFC interfaces for short-range communication
  • a security element of the mobile terminal, such as a SIM/UICC mobile card
  • in the security element, for example, data and/or keys for authenticating and/or saving the transaction can then be stored.
  • a transaction application for securely performing the transaction by the terminal may be stored and executed on the security element of the terminal.
  • the present invention is based on the idea of embedding the transaction-defining commands, for example in the form of APDU commands, in data packets of an EAP-SIM or EAP-AKA protocol and tunneling them via a wireless network, in particular a WLAN, via which the mobile terminal can be connected to a terminal via a base station.
  • the EAP-SIM protocol and the EAP-AKA protocol each form specific embodiments of the EAP (Extensible Authentication Protocol), which has been generally designed as an authentication protocol basis (see RFC 3748)
  • EAP has been developed to support a dial-up of a mobile terminal into a foreign network, without it being necessary to know the exact infrastructure for each authentication.
  • EAP supports different authentication methods, among others authentication by means of a SIM/UICC mobile card, which has been quasi specified in RFC 4186 and RFC 4187 as the EAP-SIM protocol (for GSM) and the EAP-AKA protocol (for UMTS), respectively.
  • a corresponding security element that is to say a SIM / UICC mobile communication card, is used to authenticate a mobile terminal in a wireless network.
  • a corresponding EAP request command is sent from the terminal to the mobile terminal via a base station which provides the network.
  • An operating system of the mobile terminal, e.g. Android or iOS, can recognize from the specific embodiment of the EAP request command in the form of an EAP-SIM or EAP-AKA request command that this command to the
  • This mechanism is used herein to transport those commands which define the transaction to be performed between the terminal and a transaction application on the security element of the mobile terminal.
  • the data packets of the EAP-SIM or EAP-AKA protocol are thus not used for authentication of the mobile terminal in the wireless network provided by the base station, but rather as a transport frame for the commands defining the actual transaction, which in principle are not bound to any prescribed protocol.
  • these commands are transmitted in the form of APDU commands between the terminal and the transaction application on the security element of the mobile terminal.
  • a mobile terminal that does not have an NFC module can easily and securely perform a contactless transaction with the terminal.
  • An adaptation of an existing infrastructure is not necessary, nor is a change to existing communication protocols in use. All necessary functionalities can be implemented in the terminal and the security element, in particular in the transaction application of the security element.
  • the process remains transparent. There is no need for user interaction, preserving all the benefits of contactless transaction execution.
  • the transaction can also be carried out safely, since the security element of the mobile terminal stores all data and applications necessary for performing and / or authenticating the transaction, in particular the transaction application according to the invention, in a secure manner.
  • the EAP-SIM or EAP-AKA data packets are forwarded unchanged according to the EAP-SIM or EAP-AKA protocol by the base station, which provides the network via which the mobile terminal can be connected to the terminal.
  • Such forwarding of EAP commands by a base station is also provided according to the EAP specification.
  • the base station can also be designed as a component of the terminal. Then such a transfer can be practically omitted.
  • the terminal will be connected to the base station via a suitable communications network, such as the Internet.
  • the security element of the mobile terminal recognizes those EAP-SIM or EAP-AKA data packets, received from the terminal via the base station and the mobile terminal, which comprise request commands defining the transaction, i.e. EAP data packets used to tunnel transaction commands.
  • the security element is arranged to distinguish such EAP-SIM or EAP-AKA data packets from conventional EAP-SIM or EAP-AKA data packets which do not have embedded, i.e. tunneled, transaction commands.
  • the security element can analyze the corresponding data packets and, on the basis of an analysis, in particular of the data portion of such a data packet, infer whether the data packet comprises embedded commands defining the transaction or not.
  • EAP-SIM or EAP-AKA data packets have a predefined structure and contain defined attributes that enable unambiguous recognition.
  • the security element recognizes, on the basis of an identification code of the terminal, whether data communication via the EAP-SIM or EAP-AKA protocol is used for carrying out the transaction, i.e. whether the corresponding EAP-SIM or EAP-AKA data packets include embedded, transaction-defining commands.
  • a corresponding identifier of the terminal is provided according to the EAP protocol and can be checked quickly and easily.
  • the terminal can thus easily inform the mobile terminal, i.e. the security element of the mobile terminal, that the EAP data packets are used for tunneling transaction commands.
  • in the security element, for example, a list of terminal identifiers is stored, which specify those terminals that are set up for tunneling transaction commands in EAP data packets.
  • the security element can recognize on the basis of an identification code of the base station, which provides the network, via which the mobile terminal is connected to the terminal, or an identification code of the network, whether a data communication via the EAP-SIM or EAP-AKA protocol is to be used to perform the transaction.
  • a list of corresponding base station and/or network identifiers may be stored in the security element. If the security element has detected that the received EAP data packets comprise embedded, transaction-defining commands, the security element forwards the corresponding EAP data packets to the transaction application. The transaction application then extracts from an EAP-SIM or EAP-AKA data packet received by the security element the corresponding request commands defining the transaction and interprets them in a predefined manner.
  • the transaction application then embeds the response commands defining the transaction in an EAP-SIM or EAP-AKA data packet and forwards this EAP data packet as an EAP-SIM or EAP-AKA response command to the security element of the mobile terminal.
  • the security element in turn sends this EAP-SIM or EAP-AKA response command to the terminal via the mobile terminal and the base station.
  • the terminal is set up to embed request commands defining the transaction, e.g. request APDUs, in EAP-SIM or EAP-AKA data packets and as EAP-SIM or EAP-AKA
  • the terminal is set up to extract the transaction-defining response commands from EAP-SIM or EAP-AKA response commands received from the security element, via the mobile terminal and the base station, and to interpret them appropriately.
  • a payment transaction or an access transaction can be carried out by means of the transaction.
  • the terminal can specifically address a so-called "Card Manager" on the security element as part of the transaction.
  • the "Card Manager" is a special application of the security element, with the aid of which applications can be selected on the security element if they are installed there and are selectable.
  • a concrete example of such a status request to the mobile terminal can be made with a specific application called PPSE ("Proximity Payment System Environment") in order to obtain the status of the payment applications installed on a security element of the mobile terminal.
  • PPSE Proximity Payment System Environment
  • a security element according to the invention for a mobile terminal, in particular in the form of a SIM/UICC mobile communication card, therefore comprises a transaction application which is set up to carry out a transaction with a terminal via a contactless data communication channel.
  • the security element is further set up, when the transaction-defining commands are tunneled over a wireless network between the transaction application on the security element and the terminal, embedded in data packets of an EAP-SIM or EAP-AKA protocol, to recognize those EAP-SIM or EAP-AKA data packets received from the terminal that comprise request commands defining the transaction.
  • the security element is set up to forward the recognized EAP-SIM or EAP-AKA data packets to the transaction application.
  • the security element is set up to forward to the terminal the EAP-SIM or EAP-AKA data packets received from the transaction application, in which corresponding response commands defining the transaction are embedded.
  • the transaction application is set up on the security element to extract the transaction-defining request commands from EAP-SIM or EAP-AKA data packets received from the security element and to interpret them appropriately. Furthermore, the transaction application is set up to embed the transaction-defining response commands in EAP-SIM or EAP-AKA data packets and to forward these to the security element for forwarding to the terminal.
  • a mobile terminal according to the invention comprises a security element described above.
  • An inventive terminal is configured to perform a transaction with a transaction application of a security element for a mobile terminal, in particular in the form of a SIM / UICC mobile card.
  • the terminal is set up, in order to tunnel commands defining the transaction to the transaction application via a wireless network, to embed request commands defining the transaction in EAP-SIM or EAP-AKA data packets and to send them to the security element via the base station and the mobile terminal.
  • the terminal is set up to extract appropriate response commands defining the transaction from EAP-SIM or EAP-AKA data packets received from the security element via the mobile terminal and the base station and to interpret them appropriately for carrying out the transaction.
  • a system according to the invention comprises a terminal as described above, at least one mobile terminal described above having a security element according to the invention and at least one base station connected to the terminal, which is set up to provide a wireless network via which the mobile terminal can be connected to the terminal.
  • the terminal, the base station and the security element of the mobile terminal are each configured to execute a method described above.
  • the base station can also be designed as a part of the terminal.
  • FIG. 1 shows components of a preferred embodiment of a system according to the invention
  • the system 1000 which is schematically indicated in FIG. 1, comprises at least one mobile terminal 100.
  • the terminal 100 may be for example a smartphone, a mobile radio terminal, a tablet computer or the like.
  • the terminal 100 is controlled by an operating system (OS).
  • OS operating system
  • a security element 10 is integrated.
  • the security element 10 can be firmly connected to the terminal 100 or removably integrated therein.
  • SIM / UICC mobile cards are particularly suitable.
  • Other security elements of known type can also be used, for example in the form of hardware and / or software means, specially secured areas in the terminal (eg TEE, trusted execution environment, vSIM)
  • the security element 10 comprises a transaction application 12, which is configured to perform a transaction with a terminal 300 in the manner described below with reference to FIG.
  • the terminal 300 is usually assigned to a provider of a transaction and can be provided, for example, by a server of a bank, via which an EMV payment transaction by means of the terminal 100 of the user is to be performed as a transaction.
  • the terminal 300 is connected to a base station 200 for this purpose.
  • the base station 200 is configured to provide a wireless network (WLAN) via which the terminal 100 can contact the terminal 300.
  • WLAN wireless network
  • FIG. 2 illustrates steps of a preferred embodiment of a method for performing a contactless transaction between the terminal 300 and the transactional application 12 on the security element 10 of the terminal 100.
  • the base station 200 provides a wireless network.
  • To perform the transaction (step S2), the following sub-steps can be performed in detail.
  • the transaction-specific descriptive parameters such as a purchase item or a purchase price, may be previously entered in a suitable manner, for example by keyboard input or voice input, by the user via a suitable input device connected to the terminal.
  • the terminal 300 embeds a request command defining the transaction, preferably in the form of an APDU request command, in an EAP-AKA data packet.
  • the data portion of such a data packet is suitable for embedding any data, thus also for embedding of APDU commands.
  • for the EAP-AKA protocol, refer to RFC 4187.
  • in step S2.2, the terminal 300 sends the EAP-AKA data packet to the base station 200 in accordance with the EAP-AKA protocol as an EAP-AKA request command.
  • the base station 200 forwards the EAP-AKA request unchanged to the mobile terminal 100 (step S2.3).
  • EAP request command - in the form of an EAP-AKA request command - the operating system of the terminal 100 recognizes that the corresponding data communication is to be forwarded to the security element 10 of the terminal 100.
  • the security element 10 of the terminal 100 receives the EAP-AKA request command in step S2.4 and recognizes that the EAP-AKA request command is used for tunneling a request command defining the transaction, for example in the form of an APDU request.
  • recognition can be made visible to the terminal 100, for example, by means of an identifier of the terminal 300 which is part of the EAP data packet, or by means of an identification of the base station or of the network (SSID) provided by the base station.
  • in step S2.5, the security element 10 forwards the recognized EAP-AKA data packet to the transaction application 12.
  • the transaction application in step S2.6, extracts the request APDU from the EAP-AKA data packet and interprets this command accordingly.
  • the transaction application 12 embeds a response command, i.e. a response APDU, in an EAP-AKA data packet and forwards the EAP-AKA data packet to the security element 10 as an EAP-AKA response command.
  • in step S2.7, the security element 10 in turn forwards the EAP-AKA response command to the base station 200.
  • the base station 200 forwards the EAP-AKA response command unchanged to the terminal 300, which extracts the response APDU from the EAP-AKA data packet in step S2.9 and interprets it accordingly. It is possible that steps S2.1 to S2.9 have to be repeated several times in order to carry out the transaction. In principle, however, it may also be sufficient for performing the transaction that each of the steps S2.1 to S2.9 is performed only once. Deviating from the method described above, the terminal 300 can, before step S2.1, try to address the terminal 100 via a suitable interface of the base station, via an NFC protocol. Only when it is detected by means of a missing response that the terminal 100 does not support an NFC protocol or, due to the lack of an NFC module, cannot receive a corresponding request, a method according to FIG. 2 is initiated.
  • the security element 10 is set up to securely support, firstly, a method as described above, as illustrated with reference to FIG and, secondly, a corresponding transaction via an NFC module of a terminal.
  • a security element can then be used both in a terminal 100, as shown in Figure 1, which has no NFC module, as well as in a terminal equipped with an NFC module to perform a transaction.
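
Steps S2.1 to S2.9 as an added example that is not part of the patent text: the security element parses the EAP header (RFC 3748) and the EAP-AKA attribute area (RFC 4187), tells a tunneled request from a conventional one, checks the terminal identifier against its stored list, and wraps the response APDU. The attribute numbers 200 and 201, the 2-byte length prefix inside them, the identifier `terminal-300` and all function names are assumptions made for this example; the patent does not say which field carries the APDU or the identifier.

```python
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2       # Code field, RFC 3748
EAP_TYPE_SIM, EAP_TYPE_AKA = 18, 23    # method types, RFC 4186 / RFC 4187
PPSE_AID = b"2PAY.SYS.DDF01"           # name under which the PPSE is selected
# Assumptions for this example (defined neither by the patent nor by the RFCs):
AT_TUNNELED_APDU = 200                 # hypothetical attribute carrying one APDU
AT_TERMINAL_ID = 201                   # hypothetical attribute carrying the terminal identifier

def encode_attr(at_type, data):
    """Type, length in 4-byte words, 2-byte actual length, data, zero padding."""
    body = struct.pack("!H", len(data)) + data
    body += b"\x00" * (-(len(body) + 2) % 4)
    return bytes([at_type, (len(body) + 2) // 4]) + body

def unwrap(value):
    """Inverse of encode_attr for the value part; rejects an overlong declared length."""
    (n,) = struct.unpack("!H", value[:2])
    if n > len(value) - 2:
        raise ValueError("declared length exceeds attribute")
    return value[2:2 + n]

def build_packet(code, identifier, attrs, eap_type=EAP_TYPE_AKA, subtype=1):
    payload = bytes([eap_type, subtype, 0, 0]) + b"".join(attrs)
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload

def parse_attributes(packet):
    """Check the EAP header and return {attribute type: raw value bytes}."""
    if len(packet) < 8:
        raise ValueError("too short for an EAP-SIM/AKA packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet) or packet[4] not in (EAP_TYPE_SIM, EAP_TYPE_AKA):
        raise ValueError("not a well-formed EAP-SIM/AKA packet")
    attrs, pos = {}, 8
    while pos < length:
        words = packet[pos + 1] if pos + 2 <= length else 0
        if words == 0 or pos + 4 * words > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + 4 * words]
        pos += 4 * words
    return attrs

def route_request(packet, allowed_terminals):
    """Security element: tunneled request APDU, or None (conventional or unlisted)."""
    attrs = parse_attributes(packet)
    if packet[0] != EAP_REQUEST or AT_TUNNELED_APDU not in attrs:
        return None
    terminal_id = unwrap(attrs.get(AT_TERMINAL_ID, b"\x00\x00"))
    if terminal_id not in allowed_terminals:
        return None
    return unwrap(attrs[AT_TUNNELED_APDU])

def transaction_app(apdu):
    """Toy transaction application: answers only SELECT-by-name of the PPSE."""
    if len(apdu) > 5 and apdu[:4] == bytes.fromhex("00A40400") \
            and apdu[5:5 + apdu[4]] == PPSE_AID:
        return bytes.fromhex("9000")   # ISO 7816-4: success
    return bytes.fromhex("6A82")       # ISO 7816-4: file or application not found

def handle_on_security_element(packet, allowed_terminals):
    """Steps S2.4 to S2.7: recognize, forward, interpret, wrap the response."""
    apdu = route_request(packet, allowed_terminals)
    if apdu is None:
        return None                    # left to the regular EAP-AKA handling
    response = encode_attr(AT_TUNNELED_APDU, transaction_app(apdu))
    return build_packet(EAP_RESPONSE, packet[1], [response])

def extract_response(packet):
    """Terminal side, step S2.9: pull the response APDU out of the packet."""
    return unwrap(parse_attributes(packet)[AT_TUNNELED_APDU])

# Constructed sample data
ALLOWED = {b"terminal-300"}
SELECT_PPSE = bytes.fromhex("00A404000E") + PPSE_AID + b"\x00"
tunneled = build_packet(EAP_REQUEST, 7, [encode_attr(AT_TERMINAL_ID, b"terminal-300"),
                                         encode_attr(AT_TUNNELED_APDU, SELECT_PPSE)])
unlisted = build_packet(EAP_REQUEST, 9, [encode_attr(AT_TERMINAL_ID, b"terminal-999"),
                                         encode_attr(AT_TUNNELED_APDU, SELECT_PPSE)])
conventional = build_packet(EAP_REQUEST, 8, [bytes([1, 5, 0, 0]) + bytes(16)])  # AT_RAND only

if __name__ == "__main__":
    for pkt in (tunneled, unlisted, conventional):
        reply = handle_on_security_element(pkt, ALLOWED)
        print(extract_response(reply).hex() if reply else "not treated as a transaction")
```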

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Strategic Management (AREA)
  • Signal Processing (AREA)
  • Accounting & Taxation (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephone Function (AREA)

Abstract

The invention relates to a method for contactlessly performing a transaction between a mobile terminal (100) and a terminal (300). Commands defining the transaction, in particular in the form of APDU commands, are embedded in data packets of an EAP-SIM or EAP-AKA protocol and are tunneled between a transaction application (12) on a security element (10) of the mobile terminal (100), in particular a SIM/UICC mobile communication card, and the terminal (300) via a wireless network (S2.1 to S2.9).
PCT/EP2015/002096 2014-10-27 2015-10-22 Method for contactlessly performing a transaction WO2016066253A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102014015847.0 2014-10-27
DE102014015847.0A DE102014015847A1 (de) 2014-10-27 2014-10-27 Method for contactlessly performing a transaction

Publications (1)

Publication Number Publication Date
WO2016066253A1 (fr) 2016-05-06

Family

ID=54364243

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2015/002096 WO2016066253A1 (fr) 2014-10-27 2015-10-22 Method for contactlessly performing a transaction

Country Status (2)

Country Link
DE (1) DE102014015847A1 (fr)
WO (1) WO2016066253A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180165667A1 (en) * 2016-12-09 2018-06-14 Mastercard International Incorporated Control of permissions for making transactions

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9137621B2 (en) * 2012-07-13 2015-09-15 Blackberry Limited Wireless network service transaction protocol

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
DO VAN THANH ET AL: "Offering SIM Strong Authentication to Internet Services", INTERNET CITATION, 1 October 2006 (2006-10-01), XP002427454, Retrieved from the Internet <URL:http://www.strongsim.org/docs/MKT_SIM_StrongAuthWhitePaper.pdf> [retrieved on 20070330] *
HAVERINEN H ET AL: "Extensible Authentication Protocol Method for Global System for Mobile Communications (GSM) Subscriber Identity Modules (EAP-SIM); rfc4186.txt", 5. JCT-VC MEETING; 96. MPEG MEETING; 16-3-2011 - 23-3-2011; GENEVA; (JOINT COLLABORATIVE TEAM ON VIDEO CODING OF ISO/IEC JTC1/SC29/WG11 AND ITU-T SG.16 ); URL: HTTP://WFTP3.ITU.INT/AV-ARCH/JCTVC-SITE/, INTERNET ENGINEERING TASK FORCE, IETF, CH, 1 January 2006 (2006-01-01), XP015054875, ISSN: 0000-0003 *

Also Published As

Publication number Publication date
DE102014015847A1 (de) 2016-04-28

Similar Documents

Publication Publication Date Title
EP2393032B1 (fr) Method for outputting an application using a portable data carrier
EP2779722B1 (fr) Method for personalizing a security module of a telecommunications terminal
DE102017122799A1 (de) Method and arrangement for transmitting transaction data using a public data network
DE102014116183A1 (de) Method for providing an access code on a portable device, and portable device
EP2764479B1 (fr) Transaction system
EP3271855B1 (fr) Method for generating a certificate for a security token
DE112012005291T5 (de) Secure financial transactions using multiple communication technologies
EP2575385B1 (fr) Method for initializing and/or activating at least one user account, for carrying out a transaction, and terminal
EP1829320A1 (fr) Method for connecting a mobile communication terminal to a local network
WO2016066253A1 (fr) Method for contactlessly performing a transaction
EP2764480A1 (fr) Transaction system
EP2952029A1 (fr) Method for accessing a service of a server via an application of a terminal
EP3341882A1 (fr) Transaction system
DE10262183B4 (de) Mobile telecommunication device and chip card system
DE102011112855A1 (de) Method for electronically carrying out a payment transaction
EP3451263A1 (fr) Security system for executing an electronic application
DE102017112233A1 (de) Method and device for detecting a relay attack
EP3435697B1 (fr) Method for authenticating a user to a service provider, and authentication system
EP2767059B1 (fr) Blocking of data exchange to protect NFC communication
DE102012011838A1 (de) Near-field communication module for exchanging data
DE102015210551A1 (de) Method for an improved installation of a service application related to a secure element in a secure element located in a communication device, system and telecommunications network for an improved installation of a service application related to a secure element in a secure element located in a communication device, program comprising machine-readable program code, and computer program product
DE102013000967B4 (de) Method for authorizing an electronic transaction
EP3360099A1 (fr) Management, authentication and activation of a data carrier
DE102007004337A1 (de) Security module
EP2840757B1 (fr) Individual and central administration of chip cards

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15787462

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15787462

Country of ref document: EP

Kind code of ref document: A1