Apparatus and method for cryptographic identity verification
Abstract
The apparatus for identity verification using a data card contains at least one terminal and a security service station. The terminal(s) and the station are connected to each other via a communication system. The terminal is provided with a central processing unit including a memory, a card reader for reading data from the data card, a sensor or number input device for introducing personal identification information, and a crypto module. The crypto module encrypts and decrypts data received from the memory under the control of the central processing unit. The security service station likewise contains a central processing unit including a memory, and a crypto module. This station also contains a comparator for comparing personal identification information with reference personal identification information. Both kinds of information are transmitted to the station from the terminal.
8 Claims
1. An apparatus for identity verification using a data card with protection against misuse of said card by unauthorized users, comprising in combination:
(a) a terminal containing
(a1) a first central processing unit having a first memory for storage of a program, of a public network key, and of variables;
(a2) a card reader for reading data from said personal data card and for introducing said data into said first memory, said data including sensitive data;
(a3) input means for introducing personal identification information into said first memory;
(a4) a first crypto module connected to said first central processing unit, said first module being adapted to encrypt and decrypt data received from said first memory under the control of said first central processing unit;
(b) a security service station containing
(b1) a second central processing unit having a second memory for storage of a program, of a secret network key, and of variables;
(b2) a second crypto module connected to said second central processing unit, said second crypto module being adapted to encrypt and decrypt data received from said second memory under the control of said second central processing unit;
(b3) a comparator connected to said second central processing unit for comparing transmitted personal identification information with transmitted reference personal identification information, and
(c) a communication system connecting said terminal to said security service station, said communication system transmitting digital data from said terminal to said security service station, and vice versa, including said personal identification information and said reference personal identification information.
3. The apparatus according to claim 2, wherein said symmetrical system is the DES system, wherein said first key is a DES key, and wherein said temporary second key is a temporary DES key.
4. The apparatus according to claim 2, further comprising a random number generator for generating said temporary second key, said temporary second key being transmitted in an encrypted form to said security service station.
5. A method for cryptographic identity verification, comprising the following steps:
(a) reading card information from a personal data card and entering personal feature data into a terminal, said card information comprising reference feature data as well as a first key, said reference feature data and said first key both being encrypted with a public network key, thereby forming a first cryptogram;
(b) generating a temporary key and a message number in said terminal;
(c) encrypting said personal feature data, said first cryptogram contained in said card information, said message number and said temporary key with a public key in said terminal, thereby forming a first message;
(d) sending said first message to a security service station via a communication system;
(e) decrypting said first message including said first cryptogram with a secret network key in said security service station, thus obtaining said first key, said message number, said feature data, said reference feature data, and said temporary key, whereby said secret network key is correlated to said public network key;
(f) comparing said feature data and said reference feature data with each other in said security service station;
(g) generating a modified message number by applying a publicly known function to said message number in said security service station;
(h) encrypting said modified message number and said first key with said temporary key in said security service station, thereby forming a second message;
(i) sending said second message to said terminal via said communication system;
(j) decrypting said second message with said temporary key in said terminal, thereby obtaining said modified message number; and
(k) comparing said modified message number with a generated modified message number in said terminal, said generated modified message number being self-generated in said terminal by applying said publicly known function to said message number.
6. A method for detection of a disconnection between a terminal and a communication system, said terminal having a first crypto module which works as a public crypto system and which is adapted to encrypt thereby using a public network key and which is adapted to decrypt thereby using a secret key of its own, said terminal providing a public key of its own and being provided with a predetermined function, a terminal address, and a station address, comprising the following steps:
(a) forming a first message in said terminal, said first message comprising
(a1) said address of said terminal,
(a2) a unique message number, and
(a3) said public key of said terminal;
(b) encrypting said first message under said public network key,
(c) sending said encrypted first message to a security service station, said station address being assigned to said station;
(d) decrypting said first message with a secret network key in said security service station, said secret network key being correlated to said public network key unambiguously, thereby identifying said address, said unique message number and said public key of said terminal,
(e) modifying said identified message number by using said predetermined function, thereby obtaining a modified message number,
(f) forming a second message in said security service station, said second message comprising
(f1) said address of said security service station and
(f2) said modified message number,
(g) encrypting said second message under said public key of said terminal;
(h) sending said encrypted second message to said terminal, thereby using said address of said terminal for addressing said terminal;
(i) decrypting said encrypted second message in said terminal with said secret key of said terminal, thereby identifying an address and a modified message number,
(j) modifying said unique message number according to said predetermined function; and
(k) comparing said identified modified message number with said modified unique message number, thereby authenticating said security service station and confirming the presence of a connection between said terminal and said communication system.
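The message-number exchange of claim 6, steps (a) to (k), as an added example that is not part of the patent; claim 5 relies on the same modify-and-compare check in its steps (g) to (k). Textbook RSA over Mersenne-prime keys stands in for the public crypto system, and the keys, addresses, field layout and the function f(x) = x + 1 are constructed assumptions, insecure outside this illustration.

```python
import secrets

E = 65537  # public exponent used by both toy key pairs

def keypair(p, q):
    """Textbook RSA: return (public modulus n, secret exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def encrypt(fields, width, n):
    """Pack integer fields (each < 2**width) and encrypt under modulus n."""
    m = 1  # sentinel bit so that leading zero fields survive unpacking
    for field in fields:
        m = (m << width) | field
    if m >= n:
        raise ValueError("message too long for modulus")
    return pow(m, E, n)

def decrypt(c, width, count, n, d):
    """Decrypt and unpack; return None if the plaintext is malformed."""
    m = pow(c, d, n)
    if m >> (width * count) != 1:
        return None
    mask = (1 << width) - 1
    return [(m >> (width * i)) & mask for i in reversed(range(count))]

def f(x):  # assumed "predetermined function" known to both sides
    return (x + 1) % 2**64

# Constructed keys built from Mersenne primes: insecure, illustration only.
NET_N, NET_D = keypair(2**521 - 1, 2**607 - 1)    # network key pair
TERM_N, TERM_D = keypair(2**89 - 1, 2**127 - 1)   # terminal's own key pair
TERM_ADDR, STATION_ADDR = 0x0A01, 0x0001          # constructed addresses

def station(c1, net_d=NET_D):
    """Steps (d)-(h): decrypt, modify the number, reply under terminal key."""
    msg = decrypt(c1, 256, 3, NET_N, net_d)
    if msg is None:
        return None
    _addr, number, term_n = msg
    return encrypt([STATION_ADDR, f(number)], 64, term_n)

def terminal_check(respond):
    """Steps (a)-(c), (i)-(k): True only if the reply proves the station."""
    number = secrets.randbits(64)  # unique message number
    c1 = encrypt([TERM_ADDR, number, TERM_N], 256, NET_N)
    c2 = respond(c1)
    if c2 is None:
        return False  # no answer: connection to the station is missing
    reply = decrypt(c2, 64, 2, TERM_N, TERM_D)
    return reply is not None and reply == [STATION_ADDR, f(number)]
```

`terminal_check(station)` succeeds only because the station can recover the fresh message number with the secret network key; a silent line, a responder holding the wrong key, or a reply carrying a guessed number all fail the comparison in step (k).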
Specification