INTEGRITY PROTECTED SMART CARD TRANSACTION

US 20110179283A1
Filed: 03/25/2011
Published: 07/21/2011
Est. Priority Date: 07/27/2007
Status: Active Grant

First Claim

Patent Images

1. At least one computer storage media storing instructions that, when executed by a computer, cause the computer to perform a method for authorization using a smart card, the method comprising:

receiving, by the computer from the smart card, an encrypted modifier based on a random modifier that was previously encrypted using a randomly-generated data key;

decrypting, by the computer, the received encrypted modifier based on an integrity key that includes a previous system code that uniquely identifies a previous configuration state of the computer held tamperproof by the computer, and that is further based on a storage root key held secret by the computer, the integrity key securely stored on the computer;

receiving, by the computer from a user, a personal identification number;

calculating, by the computer, a prime personal identification number based on the received personal identification number and the decrypted modifier; and

unlocking, by the computer, the smart card in response to the calculated prime personal identification number matching a previously-set prime personal identification number stored on the smart card, the unlocking resulting in the authorization succeeding.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and technologies for configuring a conventional smart card and a client machine, and for performing a smart card authorization using the configured smart card and client. Further, the combination of methods provides for mutual authentication—authentication of the client to the user, and authentication of the user to the client. The authentication methods include presenting a specified token to the user sufficient to authenticate the client to the user and thus protect the user-provided PIN. Security is strengthened by using an integrity key based on approved client system configurations. Security is further strengthened by calculating a PIN′ value based on a user-specified PIN and a modifier and using the PIN′ value for unlocking the smart card.

Citations

20 Claims

1. At least one computer storage media storing instructions that, when executed by a computer, cause the computer to perform a method for authorization using a smart card, the method comprising:
- receiving, by the computer from the smart card, an encrypted modifier based on a random modifier that was previously encrypted using a randomly-generated data key;
  
  decrypting, by the computer, the received encrypted modifier based on an integrity key that includes a previous system code that uniquely identifies a previous configuration state of the computer held tamperproof by the computer, and that is further based on a storage root key held secret by the computer, the integrity key securely stored on the computer;
  
  receiving, by the computer from a user, a personal identification number;
  
  calculating, by the computer, a prime personal identification number based on the received personal identification number and the decrypted modifier; and
  
  unlocking, by the computer, the smart card in response to the calculated prime personal identification number matching a previously-set prime personal identification number stored on the smart card, the unlocking resulting in the authorization succeeding.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The at least one computer storage media of claim 1 wherein the computer is configured to modify the tamperproof system code in response to a change in a configuration state of the computer.
  - 3. The at least one computer storage media of claim 1 wherein the change is a change in hardware of the computer or a change in an operating system of the computer.
  - 4. The at least one computer storage media of claim 1 further comprising reading, from the smart card, a group blob and corresponding group identifier that represents a group to which the user belongs, the group blob previously generated by encrypting a randomly-generated data key using a group key that represents the group and that includes the previous system code.
  - 5. The at least one computer storage media of claim 4 further comprising failing the authorization in response to the corresponding group identifier not matching a group identifier indicated by an encrypted group key stored on the computer, the encrypted group key based on the group key.
  - 6. The at least one computer storage media of claim 5 further comprising decrypting, using the securely stored integrity key and in response to the corresponding group identifier matching the group identifier indicated by the encrypted group key, the encrypted group key resulting in the group key that includes the previous system code.
  - 7. The at least one computer storage media of claim 6 further comprising failing the authorization in response to the previous system code not matching a current system code that uniquely identifies a current configuration state of the computer.
  - 8. The at least one computer storage media of claim 7 further comprising decrypting, using the group key and in response to the previous system code matching the current system code, the group blob resulting in the randomly-generated data key.
  - 9. The at least one computer storage media of claim 8 further comprising decrypting the received encrypted modifier using the decrypted randomly-generated data key.
  - 10. The at least one computer storage media of claim 1 further comprising failing the authorization in response to the calculated prime personal identification number not matching the previously-set prime personal identification number stored on the smart card.

11. A system configured for authorization using a smart card, the system comprising:
- a computer configured for receiving, from the smart card, an encrypted modifier based on a modifier that was previously encrypted using a randomly-generated data key;
  
  the computer further configured for decrypting the received encrypted modifier based on the securely stored integrity key that includes a previous system code that uniquely identifies a previous configuration state of the computer held tamperproof by the computer, and that is further based on a storage root key held secret by the computer, the integrity key securely stored on the computer;
  
  the computer further configured for receiving, from a user, a personal identification number;
  
  the computer further configured for calculating a prime personal identification number based on the received personal identification number and the decrypted modifier; and
  
  the computer further configured for unlocking the smart card in response to the calculated prime personal identification number matching a previously-set prime personal identification number stored on the smart card, the unlocking resulting in the authorization succeeding.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11 wherein the computer is further configured to modify the tamperproof system code in response to a change in a configuration state of the computer.
  - 13. The system of claim 11 wherein the change is a change in hardware of the computer or a change in an operating system of the computer.
  - 14. The system of claim 11 further comprising the computer further configured for reading, from the smart card, a group blob and corresponding group identifier that represents a group to which the user belongs, the group blob previously generated by encrypting a randomly-generated data key using a group key that represents the group and that includes the previous system code.
  - 15. The system of claim 14 further comprising the computer further configured for failing the authorization in response to the corresponding group identifier not matching a group identifier indicated by an encrypted group key stored on the computer, the encrypted group key based on the group key.
  - 16. The system of claim 15 further comprising the computer further configured for decrypting, using the securely stored integrity key and in response to the corresponding group identifier matching the group identifier indicated by the encrypted group key, the encrypted group key resulting in the group key that includes the previous system code.
  - 17. The system of claim 16 further comprising the computer further configured for failing the authorization in response to the previous system code not matching a current system code that uniquely identifies a current configuration state of the computer.
  - 18. The system of claim 17 further comprising the computer further configured for decrypting, using the group key and in response to the previous system code matching the current system code, the group blob resulting in the randomly-generated data key.
  - 19. The system of claim 18 further comprising the computer further configured for decrypting the received encrypted modifier using the decrypted randomly-generated data key.
  - 20. The system of claim 11 further comprising the computer further configured for failing the authorization in response to the calculated prime personal identification number not matching the previously-set prime personal identification number stored on the smart card.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Mysore, Shivaram H., Ellison, Carl M., Thom, Stefan, Bays, Valerie Kathleen, Holt, Erik Lee

Granted Patent

US 8,423,774 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/185
CPC Class Codes

G06F 21/34   involving the use of extern...

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/388   using mutual authentication...

G06Q 20/40975   using encryption therefor

G07F 7/1008   Active credit-cards provide...

H04L 9/0897   involving additional device...

INTEGRITY PROTECTED SMART CARD TRANSACTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

INTEGRITY PROTECTED SMART CARD TRANSACTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links