SMART CARD READER WITH A SECURE LOGGING FEATURE

US 20130119130A1
Filed: 11/14/2012
Published: 05/16/2013
Est. Priority Date: 11/14/2011
Status: Active Grant

First Claim

Patent Images

1. A smart card reader for generating electronic signatures in conjunction with an inserted smart card comprising:

a communication interface for communicating with a host computer;

a smart card connector for communicating with the smart card;

a first memory component for securely storing one or more cryptographic keys;

a second memory component for storing a log;

a user interface comprising a user output interface for presenting information to the user and a user input interface for receiving user indications;

a data processing component for communicating with the host computer, communicating with the smart card and driving the user interface;

said smart card reader adapted to exchange smart card commands with a smart card using the smart card connector;

said smart card reader further adapted to operate in a secure logging mode in which the smart card reader logs in said log security related events relative to the reader or the reader'"'"'s usage; and

said smart card reader further adapted to generate a reader signature on said log using at least one of the one or more cryptographic keys stored in said first memory.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure smart card reader is disclosed that is enabled to make reader signatures on data representative of events and actions which may be security related and which may include data representative of reader commands received from a host or remote application, smart card commands exchanged with an inserted smart card, data presented to a user for approval, and/or configuration parameters applied when dealing with any of the foregoing. The smart card reader may be adapted to maintain logs of events and actions which may include exchanging reader commands, exchanging smart card commands, and/or interactions with a user. The logs may include data representative of the reader commands received, the smart card commands exchanged, data presented to the user for approval, and/or configuration parameters applied when dealing with any of the foregoing. The secure smart card reader may be adapted to generate a reader signature over the logs.

Citations

35 Claims

1. A smart card reader for generating electronic signatures in conjunction with an inserted smart card comprising:
- a communication interface for communicating with a host computer;
  
  a smart card connector for communicating with the smart card;
  
  a first memory component for securely storing one or more cryptographic keys;
  
  a second memory component for storing a log;
  
  a user interface comprising a user output interface for presenting information to the user and a user input interface for receiving user indications;
  
  a data processing component for communicating with the host computer, communicating with the smart card and driving the user interface;
  
  said smart card reader adapted to exchange smart card commands with a smart card using the smart card connector;
  
  said smart card reader further adapted to operate in a secure logging mode in which the smart card reader logs in said log security related events relative to the reader or the reader'"'"'s usage; and
  
  said smart card reader further adapted to generate a reader signature on said log using at least one of the one or more cryptographic keys stored in said first memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 34, 35)
- - 2. The smart card reader of claim 1, further adapted to perform reader commands received from the host computer and to log in said log at least some of the received reader commands.
  - 3. The smart card reader of claim 2, further adapted to support one or more reader commands to instruct the reader to present data to a user for review and approval by the user;
    - and to present to the user the data for review and approval using the output interface; and
      
      to capture the user'"'"'s approval or rejection of the data for review and approval using the input interface; and
      
      to log in said log the data for review and approval.
  - 4. The smart card reader of claim 3, further adapted to log in said log at least some transparent smart card commands exchanged between the host and the smart card.
  - 5. The smart card reader of claim 4, wherein the transparent smart card commands that the reader logs comprise transparent smart card commands for submitting to the inserted smart card data to be signed by the smart card.
  - 6. The smart card reader of claim 4, wherein the transparent smart card commands that the reader logs comprise transparent smart card commands for obtaining from the inserted smart card a generated electronic card signature over submitted data.
  - 7. The smart card reader of claim 4, wherein the reader is adapted to log all transparent smart card commands in a period from a first point in time to a second point in time.
  - 8. The smart card reader of claim 7, wherein the period wherein the reader logs all transparent smart card commands comprises the period wherein the data to be signed is submitted to the inserted smart card or the period wherein the generated electronic card signature over the submitted data is obtained from the inserted smart card.
  - 9. The smart card reader of claim 1, wherein the reader stores a set of configuration data which determine at least in part which events the reader logs.
  - 10. The smart card reader of claim 9, wherein the reader is adapted to log the current set of configuration data.
  - 11. The smart card reader of claim 10, wherein the reader supports one or more reader commands to change the set of configuration data.
  - 12. The smart card reader of claim 1, further comprising a clock and adapted to add one or more time stamps to the log.
  - 13. The smart card reader of claim 12, wherein the reader is adapted to add a time stamp to at least some of the logged events.
  - 14. The smart card reader of claim 1, further adapted to receive a challenge through a reader command and to log the received challenge.
  - 15. The smart card reader of claim 1, further comprising a counter and further adapted to log a value related to said counter.
  - 16. The smart card reader of claim 15, wherein the reader is further adapted to increment the counter value automatically when entering the secure logging mode or when generating the reader signature on the log.
  - 17. The smart card reader of claim 1, wherein the log comprises multiple log files and wherein the reader signature on the log comprises multiple signatures over the multiple log files.
  - 18. The smart card reader of claim 1, further adapted to support a reader command for verifying the user identity.
  - 19. The smart card reader of claim 18, further adapted to log the result of verifying the user identity.
  - 20. The smart card reader of claim 18, further adapted to request the user on the user output interface to enter a PIN value and to capture on the user input interface a PIN value that the user entered and to submit the captured PIN value to the inserted smart card for verification.
  - 34. A method for securing a user'"'"'s accessing an application comprising the steps of:
    - providing a smart card for signing data to a user;
      
      providing a smart card reader according to claim 1 to a user;
      
      providing the user interaction with the application from a host computer that the reader is connected to;
      
      assembling transaction data;
      
      assembling data to be reviewed and approved that are related to the assembled transaction data;
      
      assembling data to be signed that are related to the assembled transaction data;
      
      ensuring that the smart card is inserted into the smart card reader;
      
      ensuring that the reader enters a secure logging mode;
      
      submitting to the reader data for review and approval by a user;
      
      presenting to the user by the reader using a user output interface on the reader the data for review and approval by a user;
      
      capturing by the reader using a user input interface on the reader the user'"'"'s approval of the presented data;
      
      logging by the reader in a log on the reader the data for review and approval;
      
      submitting to the inserted smart card data to be signed, thereafter generating by the inserted smart card an electronic card signature over the submitted data to be signed, and thereafter obtaining from the inserted smart card the generated electronic card signature over the submitted data;
      
      logging by the reader in the log on the reader the data to be signed submitted to the card or the electronic card signature generated by the inserted smart card;
      
      generating by the reader an electronic reader signature over the log on the reader using a cryptographic data signing algorithm parameterized with a cryptographic key stored in the reader and thereafter obtaining the electronic reader signature over the log generated by the reader;
      
      verifying the obtained electronic card signature;
      
      verifying the obtained reader signature over the log generated by the reader;
      
      verifying the consistency between the log signed by the reader and the assembled transaction data.
  - 35. The method of claim 34, wherein submitting to the inserted smart card data to be signed comprises exchanging between the host computer and the inserted smart card transparent smart card commands for submitting data to be signed to the smart card;
    - and wherein logging by the reader in the log on the reader the data to be signed submitted to the card or the electronic card signature generated by the inserted smart card comprises logging transparent smart card commands exchanged between the host computer and the inserted smart card for submitting data to be signed to the smart card or for retrieving an electronic card signature generated by the inserted smart card on data submitted to the card for signing.

21. A method for generating an electronic signature over data to be signed comprising the steps of:
- connecting a smart card reader to a host computer;
  
  inserting a smart card in the reader;
  
  the reader entering a secure logging mode;
  
  submitting to the reader data for review and approval by a user;
  
  presenting to the user by the reader using a user output interface on the reader the data for review and approval by a user;
  
  capturing by the reader using a user input interface on the reader the user'"'"'s approval of the presented data;
  
  logging by the reader in a log on the reader the data for review and approval;
  
  submitting to the inserted smart card data to be signed, thereafter generating by the inserted smart card an electronic card signature over the submitted data to be signed, and thereafter obtaining from the inserted smart card the generated electronic card signature over the submitted data;
  
  generating by the reader an electronic reader signature over the log on the reader using a cryptographic data signing algorithm parameterized with a cryptographic key stored in the reader and thereafter obtaining the electronic reader signature over the log generated by the reader.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 22. The method of claim 21, further comprising the step of logging by the reader in the log on the reader the data to be signed submitted to the card or the electronic card signature generated by the inserted smart card.
  - 23. The method of claim 22, wherein submitting to the inserted smart card data to be signed and obtaining from the inserted smart card the generated electronic card signature over the submitted data comprises the host computer exchanging transparent smart card commands with the inserted smart card using the smart card reader;
    - and wherein logging by the reader in the log on the reader the data to be signed submitted to the card or the electronic card signature generated by the inserted smart card comprises logging by the reader in the log on the reader at least some of the exchanged transparent smart card commands.
  - 24. The method of claim 23, wherein the transparent smart card commands that the host computer exchanges with the inserted smart card using the smart card reader comprise at least transparent smart card commands for submitting to the inserted smart card data to be signed;
    - and wherein the at least some of the exchanged transparent smart card commands that the reader logs in the log on the reader comprises at least transparent smart card commands for submitting to the inserted smart card data to be signed or transparent smart card commands for obtaining from the inserted smart card a generated electronic card signature over submitted data.
  - 25. The method of claim 23, wherein the at least some of the exchanged transparent smart card commands that the reader logs in the log on the reader comprises all transparent smart card commands exchanged during a certain period.
  - 26. The method of claim 25, wherein the period wherein the reader logs all exchanged transparent smart card commands comprises the period wherein the data to be signed is submitted to the inserted smart card or the period wherein the generated electronic card signature over the submitted data is obtained from the inserted smart card.
  - 27. The method of claim 21, further comprising configuring a set of configuration data on the reader that determine at least partly which events the reader logs in the log on the reader.
  - 28. The method of claim 27, further comprising the step of logging, by the reader, in the log on the reader the current set of configuration data.
  - 29. The method of claim 28, further comprising configuring the set of configuration data such that the reader logs in a log on the reader the data for review and approval.
  - 30. The method of claim 28, further comprising configuring the set of configuration data such that the reader logs in a log on the reader the data to be signed submitted to the card or the electronic card signature generated by the inserted smart card.
  - 31. The method of claim 27, further comprising configuring the set of configuration data such that the reader logs in a log on the reader the reader commands for presenting data to the user for review and approval.
  - 32. The method of claim 27, further comprising configuring the set of configuration data such that the reader logs in a log on the reader a set of transparent smart card commands.
  - 33. The method of claim 32, further comprising configuring the set of configuration data such that the reader logs in a log on the reader a set of transparent smart card commands comprising smart card commands for submitting to the inserted smart card data to be signed or for obtaining from the inserted smart card an electronic signature generated on data submitted to the smart card.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Onespan North America Incorporated (OneSpan, Inc.)
Original Assignee
Vasco Data Security Incorporated (OneSpan, Inc.)
Inventors
BRAAMS, HARM

Granted Patent

US 8,967,477 B2
Time in Patent Office

Days
Field of Search
US Class Current

235/382
CPC Class Codes

G06F 1/00   Details not covered by grou...

G06F 21/552   involving long-term monitor...

G06F 21/64   Protecting data integrity, ...

G06F 21/77   in smart cards

G06F 2221/2105   Dual mode as a secondary as...

G06K 7/042   controlling electric circuits

G06Q 20/38215   Use of certificates or encr...

G06Q 20/3825   Use of electronic signatures

G06Q 20/385   using an alias or single-us...

G06Q 20/4012   Verifying personal identifi...

G07F 7/0873   Details of the card reader

G07F 7/1025   Identification of user by a...

SMART CARD READER WITH A SECURE LOGGING FEATURE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

SMART CARD READER WITH A SECURE LOGGING FEATURE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links