Key management technique for establishing a secure channel
Abstract
A key management technique establishes a secure channel through an indeterminate number of nodes in a network. The technique comprises enrolling a smart card with a unique key per smart card. The unique key is derived from a private key that is assigned and distinctive to systems and a card base of a card issuer. An enrolled smart card contains a stored public entity-identifier and the secret unique key. The technique further comprises transacting at a point of entry to the network. The transaction creates a PIN encryption key derived from the smart card unique key and a transaction identifier that uniquely identifies the point of entry and transaction sequence number. The technique also comprises communicating the PIN encryption key point-to-point in encrypted form through a plurality of nodes in the network, and recovering the PIN at a card issuer server from the PIN encryption key using the card issuer private key.
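The key hierarchy the abstract describes, worked through as an added model that is not part of the patent or of any issuer's implementation. It assumes HMAC-SHA256 for both derivations, treats the card issuer private key as a symmetric master key, uses a simple XOR of a length-prefixed PIN block under the per-transaction key as the cipher, and constructs every key and identifier value; it covers both the claim 1 binding (terminal identifier plus sequence number) and the claim 29 binding (hash of the transaction data), so that a PIN block replayed under another sequence number or forwarded with altered transaction data fails recovery at the issuer.

```python
import hashlib
import hmac

# Constructed sample master secret; the page contains no key material.
# Assumption: the "card issuer private key" is a symmetric master key.
ISSUER_PRIVATE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
BLOCK_LEN = 16  # size of the PIN block carried across the network

def card_unique_key(issuer_key: bytes, entity_id: bytes) -> bytes:
    """Enrollment: per-card secret derived from the issuer key and the card's public entity-identifier."""
    return hmac.new(issuer_key, b"card-unique-key|" + entity_id, hashlib.sha256).digest()

def transaction_identifier(terminal_id: bytes, sequence_number: int) -> bytes:
    """Claim 1 binding: point-of-entry terminal identifier plus transaction sequence number."""
    return terminal_id + sequence_number.to_bytes(4, "big")

def transaction_hash(*elements: bytes) -> bytes:
    """Claim 29 binding: hash over the transaction data elements themselves."""
    return hashlib.sha256(b"|".join(elements)).digest()

def pin_encryption_key(unique_key: bytes, binding: bytes) -> bytes:
    """Per-transaction PIN encryption key; never reused because the binding changes every transaction."""
    return hmac.new(unique_key, b"pin-encryption-key|" + binding, hashlib.sha256).digest()

def encrypt_pin(pin: str, pek: bytes) -> bytes:
    """Card side: length-prefixed, 0xFF-padded PIN block XORed with the per-transaction key (assumed cipher)."""
    digits = pin.encode("ascii")
    block = bytes([len(digits)]) + digits + b"\xff" * (BLOCK_LEN - 1 - len(digits))
    return bytes(b ^ k for b, k in zip(block, pek[:BLOCK_LEN]))

def recover_pin(issuer_key: bytes, entity_id: bytes, binding: bytes, pin_block: bytes):
    """Issuer side: re-derive the unique key and PEK from the issuer secret, decrypt and validate the block.
    Intermediate nodes only forward pin_block; they hold no key and perform no translation."""
    pek = pin_encryption_key(card_unique_key(issuer_key, entity_id), binding)
    block = bytes(b ^ k for b, k in zip(pin_block, pek[:BLOCK_LEN]))
    n = block[0]
    padding_ok = n <= 12 and block[1 + n:] == b"\xff" * (BLOCK_LEN - 1 - n)
    if not (4 <= n <= 12 and block[1:1 + n].isdigit() and padding_ok):
        return None  # wrong key: replayed sequence number, other card, or altered transaction data
    return block[1:1 + n].decode("ascii")

if __name__ == "__main__":
    uk = card_unique_key(ISSUER_PRIVATE_KEY, b"card-0001")
    tx = transaction_identifier(b"TERM-07", 42)
    block = encrypt_pin("4821", pin_encryption_key(uk, tx))
    print(recover_pin(ISSUER_PRIVATE_KEY, b"card-0001", tx, block))  # 4821
    print(recover_pin(ISSUER_PRIVATE_KEY, b"card-0001", transaction_identifier(b"TERM-07", 43), block))  # None
```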
Claims (30 in total; the independent claims 1, 13, 20, 23, 28, 29 and 30 are reproduced below)
1. A method for establishing a secure channel through an indeterminate number of nodes in a network comprising:
enrolling a smart card with a unique key per smart card, the unique key derived from a private key that is assigned and distinctive to systems and a card base of a card issuer, an enrolled smart card containing a stored public entity-identifier and the secret unique key;
transacting at a point of entry to the network, the transaction creating a PIN encryption key derived from the smart card unique key and a transaction identifier that uniquely identifies the point of entry and transaction sequence number;
communicating the PIN encryption key point-to-point in encrypted form through a plurality of nodes in the network; and
recovering the PIN at a card issuer server from the PIN encryption key using the card issuer private key.
[Dependent claims 2 to 12 not shown]
13. A data security apparatus comprising:
a smart card capable of establishing a secure channel through an indeterminate number of nodes in a network, comprising:
an interface capable of communicating with a card reader and/or writer;
a processor coupled to the interface; and
a memory coupled to the processor that stores a public entity-identifier and a secret unique key derived from a private key that is assigned and distinctive to systems and a card base of a card issuer, the memory further comprising computer readable program code embodied therein that creates a PIN encryption key derived from the smart card unique key and a transaction identifier that uniquely identifies the point of entry and transaction sequence number.
[Dependent claims 14 to 19 not shown]
20. A data security apparatus comprising:
an enrollment system capable of usage for establishing a secure channel through an indeterminate number of nodes in a network, the enrollment system comprising:
a communication interface capable of communicating with a writer configured to accept a smart card;
a processor coupled to the communication interface; and
a memory coupled to the processor and having computer readable program code embodied therein capable of causing the processor to initialize and personalize a smart card with a unique key per smart card, the unique key derived from a private key that is assigned and distinctive to systems and a card base of a card issuer.
[Dependent claims 21 and 22 not shown]
23. A data security apparatus comprising:
a card issuer server capable of usage for establishing a secure channel through an indeterminate number of nodes in a network, the card issuer server comprising:
a communication interface capable of communicating with the network;
a processor coupled to the communication interface; and
a memory coupled to the processor and having computer readable program code embodied therein capable of causing the processor to recover a Personal Identification Number (PIN) from a transaction PIN encryption key received via the network using a card issuer private key, the transaction PIN encryption key being derived from a smart card unique key initialized and personalized to the smart card and derived from the card issuer private key, and a transaction identifier that uniquely identifies the point of entry and transaction sequence number.
[Dependent claims 24 to 27 not shown]
28. A transaction system comprising:
a network;
a plurality of servers and/or hosts mutually coupling to the network;
a plurality of terminals coupled to the servers and/or hosts via the network and available for transacting;
a plurality of smart cards enrolled in the transaction system and capable of insertion into the terminals and transacting via the servers; and
a plurality of processors distributed among the smart cards, the servers, and/or the terminals, at least one of the processors being capable of establishing a secure channel through an indeterminate number of nodes in the network by creating, communicating, and decrypting a PIN encryption key derived from a smart card unique key and a transaction identifier that uniquely identifies a point of entry terminal and transaction sequence number, the smart card unique key being derived from a private key that is assigned and distinctive to systems and a card base of a card issuer.
29. A transaction system comprising:
a network;
a plurality of servers and/or hosts mutually coupling to the network;
a plurality of terminals coupled to the servers and/or hosts via the network and available for transacting;
a plurality of smart cards enrolled in the transaction system and capable of insertion into the terminals and transacting via the servers; and
a plurality of processors distributed among the smart cards, the servers, and/or the terminals, at least one of the processors being capable of establishing a secure channel through an indeterminate number of nodes in the network by creating, communicating, and decrypting a PIN encryption key derived from a smart card unique key and a hash of transaction data elements, enabling simultaneous key management and integrity checking.
30. A transaction system capable of establishing a secure channel through an indeterminate number of nodes in a network comprising:
means for enrolling a smart card with a unique key per smart card, the unique key being derived from a private key that is assigned and distinctive to systems and a card base of a card issuer, an enrolled smart card containing a stored public entity-identifier and the secret unique key;
means for transacting at a point of entry to the network, the transaction creating a PIN encryption key derived from the smart card unique key and a transaction identifier that uniquely identifies the point of entry and transaction sequence number;
means for communicating the PIN encryption key point-to-point in encrypted form through a plurality of nodes in the network; and
means for recovering the PIN at a card issuer server from the PIN encryption key using the card issuer private key.