Authentication system and method for smart card transactions
Abstract
An authentication system includes a portable information device, such as a smart card, that is configured to store and process multiple different applications. The smart card is assigned its own digital certificate which contains a digital signature from a trusted certifying authority and a unique public key. Each of the applications stored on the smart card is also assigned an associated certificate having the digital signature of the certifying authority. The system further includes a terminal that is capable of accessing the smart card. The terminal has at least one compatible application which operates in conjunction with an application on the smart card. The terminal is assigned its own certificate which also contains the digital signature from the trusted certifying authority and a unique public key. Similarly, the application on the terminal is given an associated digital certificate. During a transactional session, the smart card and terminal exchange their certificates to authenticate one another. Thereafter, a smart card application is selected and the related certificates for both the smart card application and the terminal application are exchanged between the smart card and terminal to authenticate the applications. Additionally, the cardholder enters a unique PIN into the terminal. The PIN is passed to the smart card for use in authenticating the cardholder. The three-tiered authentication system promotes security in smart card transactions.
21 Claims
1. A method for authenticating a transaction between a portable information device and a terminal, the portable information device storing a device-related certificate unique to the device and the terminal storing a terminal-related certificate unique to the terminal which includes information regarding a type of terminal, the method comprising the following steps:
exchanging the device-related and terminal-related certificates between the portable information device and the terminal during a transaction;
authenticating the portable information device and the terminal to each other using the exchanged device-related and terminal-related certificates;
determining, at the portable information device, a security level for the terminal based on the terminal type information contained in the terminal-related certificate received from the terminal, the security level having an associated value limit for a value of the transaction conducted during the transactional session; and
restricting the value of the transaction to the value limit associated with the determined security level.

4. A method for conducting a transaction between a smart card and multiple various types of terminals that are each capable of accessing the smart card during the transaction, each terminal having at least one resident application stored thereon, the method comprising the following steps:
storing multiple applications on the smart card, the applications being compatible target applications which operate in conjunction with a corresponding said resident application stored on each of the various terminals;
establishing multiple security levels for corresponding types of terminals, the security levels having associated value limits for limiting a value of any transaction conducted on the corresponding terminal type;
assigning a card-related certificate to the smart card, the card-related certificate having a digital signature of a certified authority and a public key unique to the smart card for use in data encryption;
assigning terminal-related certificates to the various types of terminal, each terminal-related certificate having the digital signature of the certified authority and a public key unique to the terminal for use in data encryption, said each terminal-related certificate also having information regarding the type of terminal;
assigning an application-related certificate to each application stored on the smart card and to the resident applications at the terminals, each application-related certificate having the digital signature of the certified authority and a public key unique to that application;
commencing a transactional session between the smart card and a particular one of the terminals;
exchanging the device-related and terminal-related certificates between the smart card and the particular terminal;
authenticating the smart card and the particular terminal to each other using the exchanged device-related and terminal-related certificates;
determining the security level for particular terminal, at the smart card, using the terminal type information contained in the terminal-related certificate received from the particular terminal;
selecting a target application from among the multiple applications stored on the smart card that is compatible with the resident application stored at the particular terminal;
exchanging, between the smart card and the particular terminal, the application-related certificates assigned to the selected target application stored on the smart card and the resident application stored at the particular terminal;
authenticating the target and resident applications using their exchanged application-related certificates;
conducting the transaction after the target application has been authenticated; and
restricting the value of the transaction to the value limit associated with the security level determined for the particular terminal.

10. A system comprising:
a portable information device having a microprocessor capable of processing multiple applications, the portable information device having an associated device-related certificate;
multiple terminals of various types capable of accessing the portable information device, the terminals having associated security levels wherein the security levels have associated value limits for a value of a transaction, each terminal having an associated terminal-related certificate which contains information pertaining to the terminal type;
means for exchanging the device-related and terminal-related certificates between a particular terminal and the portable information device; and
the portable information device having means for determining the security level for a particular terminal based upon the terminal type information contained in a terminal-related certificate associated with the particular terminal.

16. A portable information device for use in transactions with a terminal, the portable information device comprising:
a memory for storing at least one application;
a processor programmed to:
(1) receive a terminal-related certificate from the terminal, the terminal-related certificate containing information pertaining to the type of terminal;
(2) authenticate the terminal using the received terminal-related certificate;
(3) analyze the terminal type from the information contained in the terminal-related certificate; and
(4) limit any transaction to a selected monetary amount based upon the type of terminal.

21. In a system involving a transaction between a portable information device and a terminal, a computer-readable media provided at the portable information device having computer-executable instructions for performing the following steps:
receiving a certificate from the terminal, the certificate containing information pertaining to a type of terminal;
analyzing the terminal type from the information contained in the certificate; and
limiting any transaction with the terminal to a selected value based upon the type of terminal.
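
The card-side steps of claims 16 and 21 (receive the terminal certificate, check it, read the terminal type, cap the transaction value), as an added Python example that is not taken from the patent. The toy RSA key, the certificate fields, the terminal type names and the limits are all constructed assumptions, and the check that the terminal holds the certified private key is left out.

```python
import hashlib
import json

# Constructed toy CA key: textbook RSA over two Mersenne primes. NOT secure;
# it stands in for the certifying authority's real signature scheme.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # CA private exponent, never stored on a card

# Hypothetical card policy: terminal type -> (security level, value limit in cents)
POLICY = {"bank_atm": (3, 50000), "retail_pos": (2, 10000), "vending": (1, 500)}


def _digest(body):
    """Hash the certificate body in a canonical encoding, reduced mod N."""
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def ca_issue(subject, terminal_type, pubkey):
    """CA side: sign a terminal-related certificate that carries the terminal type."""
    body = {"subject": subject, "type": terminal_type, "pubkey": pubkey}
    return {"body": body, "sig": pow(_digest(body), D, N)}


class Card:
    """Card-side session state; with no accepted terminal the limit is zero."""

    def __init__(self):
        self.level, self.limit = 0, 0

    def accept_terminal(self, cert):
        """Verify the CA signature, then derive level and limit from the signed type."""
        self.level, self.limit = 0, 0  # fail closed on any error below
        try:
            body, sig = cert["body"], int(cert["sig"])
            if pow(sig, E, N) != _digest(body):
                return False  # body was altered or not signed by the CA
            self.level, self.limit = POLICY[body["type"]]
        except (KeyError, TypeError, ValueError):
            return False  # malformed certificate or unknown terminal type
        return True

    def authorize(self, amount):
        """Restrict the transaction value to the limit for this terminal."""
        return 0 < amount <= self.limit
```

Because the terminal type sits inside the signed body, a terminal cannot raise its own limit by editing the field: the signature check fails and the card falls back to a zero limit.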
Specification