Method and apparatus for authenticating a data carrier intended to enable a transaction or access to a service or a location, and corresponding carrier
First Claim
1. A method for authenticating a data carrier held by a user as being genuinely issued by an authorized organization, before allowing said user to perform transactions or to have access to a service or a location on the premises of an affiliated distributor of said organization, the organization having a file defining current rights attaching to said carrier, the method comprising:
- assigning to said carrier a specific number (Ns) enabling said carrier to be distinguished from among a set of carriers produced by said organization, entering said specific number in the carrier, initializing said carrier at the organization by assigning to said carrier information (I) that is a function of the contents of said file and defines current rights attaching to said carrier, and by calculating, from said specific number (Ns) and said information (I), a current authentication value (VA) using an asymmetrical algorithm (F) and a secret key (Ks), and entering said current authentication value in said carrier;
- upon each use of said carrier, performing an authentication thereof by said affiliated distributor in a mode not coupled to the authorized organization, by performing a calculation, by applying an algorithm (G) correlated with said asymmetrical algorithm (F) to a public key (Kp) associated with said secret key (Ks) and to the current authentication value (VA) read from the carrier, to verify that the authentication value (VA) corresponds to the specific number (Ns) and the information (I) assigned to said carrier, and that the transaction or service requested is compatible with the information (I);
- based on a predetermined condition defining when an authentication of the data carrier must be made in a mode in which the terminal is coupled to the authorized organization, selectively performing an authentication of the data carrier in said mode coupled to the authorized organization by performing first an authentication of the carrier by the distributor or the authorized organization, which verifies that the current authentication value (VA) read from the carrier corresponds to the specific number (Ns) and the information (I) assigned to said carrier, and if the authentication is positive, making confirmation by the authorized organization that the carrier still possesses the rights as a function of the current status of said file, and then if the confirmation is affirmative and if a change of the information (I) is necessary in order to translate the current state of the rights, calculating from the specific number (Ns) and from an updated information (I) an updated authentication value (VA'), by means of the asymmetrical algorithm (F) and the secret key (Ks), and entering this updated value in the carrier.
Abstract
A method and an apparatus for authenticating a data carrier enables a transaction or access to a service or a location, and the corresponding carrier. The carrier (1) has a specific number (Ns) and an authentication value calculated from the specific number and from information (I) that defines the rights attaching to the carrier by means of an asymmetrical algorithm (F) and a secret key (Ks). Two types of authentication are provided. One is current, in a mode disconnected from the authorizing organization. The other is periodic, in a connected mode. In the disconnected mode, an algorithm (G) correlated with the asymmetrical algorithm (F) and using a public key (Kp) is applied to the authentication value (VA), read from the carrier, in order to verify that the authentication value (VA) is compatible with the specific number (Ns) and the information (I), and that the transaction or service requested is compatible with the information (I). In the connected mode, it is also possible to modify the authentication value of the carrier.
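The two authentication modes described in the abstract, as an added sketch that is not taken from the patent. It assumes textbook RSA over a SHA-256 digest for F and G, a constructed toy key pair, and that I is stored on the carrier as a comma-separated list of services; all function and field names are hypothetical.

```python
import hashlib

# Constructed toy key pair built from two Mersenne primes: illustration only,
# trivially factorable and not secure.
P, Q = 2**127 - 1, 2**107 - 1
N = P * Q
E = 65537                              # public key Kp = (N, E), held by terminals
D = pow(E, -1, (P - 1) * (Q - 1))      # secret key Ks, held only by the organization

def digest(ns, info):
    """Bind the specific number Ns and the rights information I into one integer."""
    data = f"{ns}|{info}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def issue_va(ns, info):
    """Organization side: VA = F(Ks, Ns, I)."""
    return pow(digest(ns, info), D, N)

def make_card(ns, info):
    """Initialize a carrier with Ns, I and the current authentication value VA."""
    return {"Ns": ns, "I": info, "VA": issue_va(ns, info)}

def va_matches(card):
    """G applied to Kp and VA: does VA correspond to the Ns and I on the carrier?"""
    return pow(card["VA"], E, N) == digest(card["Ns"], card["I"])

def terminal_check(card, service):
    """Disconnected mode: authenticate VA, then test the request against I."""
    return va_matches(card) and service in card["I"].split(",")

def connected_check(card, rights_file):
    """Connected mode: authenticate, confirm rights in the file, update VA if needed."""
    if not va_matches(card):
        return False
    current = rights_file.get(card["Ns"])
    if current is None:                # carrier no longer has any rights
        return False
    if current != card["I"]:           # rights changed: write I' and VA' to the carrier
        card["I"], card["VA"] = current, issue_va(card["Ns"], current)
    return True

if __name__ == "__main__":
    card = make_card(1001, "transit,parking")        # constructed sample carrier
    print(terminal_check(card, "transit"))
    print(connected_check(card, {1001: "transit"}), card["I"])
```

Copying a valid VA onto a carrier with a different Ns, or editing I on the carrier, makes the disconnected check fail because the terminal recomputes the binding from the values it reads.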
11 Claims
7. A terminal for cooperating with a data carrier for providing a transaction or a service, said data carrier storing a specific number (Ns) enabling said data carrier to be distinguished from among a set of carriers produced by an authorized organization and a current authentication value (VA) calculated by an asymmetrical algorithm (F) from a secret key (Ks), said specific number (Ns), and an information (I) which is a function of contents of a file being in possession of said authorized organization and defining current rights attached to said data carrier, said terminal comprising:
- means for memorizing an algorithm (G) correlated with said asymmetrical algorithm (F), a public key (Kp) associated with the secret key (Ks), and a predetermined condition defining when an authentication of the data carrier must be made in a mode in which the terminal is coupled to the authorized organization;
- means for performing a calculation using the algorithm (G), the public key (Kp), and the current authentication value (VA) read from the data carrier, to verify that the current authentication value (VA) corresponds to the specific number (Ns) and the information (I), and that the transaction or service requested is compatible with the information (I);
- means for deciding, in view of said predetermined condition, whether authentication of the data carrier must be made in a mode in which the terminal is coupled to the authorized organization or not; and
- means for requesting to the authorized organization to check the current authentication value (VA) if the authentication must be made in said mode.
10. A central computing apparatus of an authorized organization for cooperating with a data carrier having means for storing a specific number (Ns) enabling said data carrier to be distinguished from among a set of carriers produced by said authorized organization and a current authentication value (VA) calculated by an asymmetrical algorithm (F) from a secret key (Ks), said specific number (Ns), and an information (I) which is a function of contents of a file being in possession of said authorized organization and defining current rights attached to said data carrier, said central computing apparatus comprising:
- means for memorizing said file, said asymmetrical algorithm (F), and said secret key (Ks);
- means for checking whether the data carrier still possesses rights and whether said current authentication value (VA) on the data carrier must be updated or not, as a function of a current state of said file;
- means for calculating, from an updated information (I') read in said file and the specific number (Ns), an updated authentication value (VA') using the asymmetrical algorithm (F) and the secret key (Ks); and
- means for entering said updated authentication value (VA') into said data carrier.
Specification