Method and system for secure transactions in a computer system

US 6,092,202 A
Filed: 05/22/1998
Issued: 07/18/2000
Est. Priority Date: 05/22/1998
Status: Expired due to Term

First Claim

Patent Images

1. A system for secure transactions in a host computer, comprising:

a security co-processor; and

an interface for interfacing the security co-processor to the host computer, the interface including an interface communication protocol for restricting access by the host computer to data passing through the security co-processor, wherein secure transaction processing is performed locally in the security co-processor and non-secure transaction processing is performed in the host computer system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for secure transactions. The method and system comprise a security co-processor and an interface for interfacing the security co-processor to a host computer system. The method and system wherein secure transaction processing is performed locally in the security co-processor and non-secure transaction processing is performed in the host computer system. The method and system further include means for providing trusted input coupled to the security co-processor. In addition, the method and system include a second interface coupled to the security co-processor for receiving sensitive data from a smart card, and a trusted display coupled to the security co-processor for providing true transaction information. One advantage of the method and system in accordance with the present invention is that transactions are protected from unauthorized intrusion and, in addition, participation is proven so that transactions cannot be repudiated. Another advantage is that the method and system maintain compatibility with smart cards technology. Yet another advantage is that, because the security co-processor has functionality, smart cards require built-in functionality only for storing sensitive data including account number and private-key and for providing digital signatures to prove participation. Moreover, smart cards can carry biometric data to be recognized by the method and system for an even more reliable proof of participation and card-holder verification. With less built-in functionality, the smart cards are less complex and less expensive. Finally, the method and system are easily implemented with current technology, and the overall cost of the system is reduced.

Citations

36 Claims

1. A system for secure transactions in a host computer, comprising:
- a security co-processor; and
  
  an interface for interfacing the security co-processor to the host computer, the interface including an interface communication protocol for restricting access by the host computer to data passing through the security co-processor, wherein secure transaction processing is performed locally in the security co-processor and non-secure transaction processing is performed in the host computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1, wherein the sensitive data includes personal data and personal identification data.
  - 3. The system of claim 2, wherein the interface communication protocol is implemented in an application programming interface.
  - 4. The system of claim 1, wherein the system further includes means for providing trusted input coupled to the security co-processor.
  - 5. The system of claim 4, wherein the trusted input means comprises one of a keyboard and a keypad.
  - 6. The system of claim 5, wherein the trusted input means includes a secure mode indicator for indicating a secure mode in response to requests from the host computer for keyboard entries of the sensitive data including the personal identification data.
  - 7. The system of claim 6, wherein the secure mode indicator includes a LED.
  - 8. The system of claim 4, wherein the system further includes a smart card interface coupled to the security co-processor, the smart card interface for interfacing with smart cards which include the personal data and a private key.
  - 9. The system of claim 8, wherein the system further includes a trusted display coupled to the security co-processor for providing a visual feedback and true transaction information.
  - 10. The system of claim 9, in which the security co-processor includes:
    - a microprocessor;
      
      a microprocessor support coupled to the microprocessor;
      
      a display interface coupled to the microprocessor, the display interface for providing the visual feedback and the true transaction information to the trusted display;
      
      first means interfacing between the microprocessor and the trusted input means;
      
      second means interfacing between the microprocessor and the smart card interface;
      
      a memory coupled to the microprocessor;
      
      an external memory interface coupled to the microprocessor;
      
      the external memory interface for interfacing with an external memory;
      
      a cryptographic controller unit coupled to the microprocessor, the cryptographic controller unit for providing data in encrypted form; and
      
      third means for interfacing between the microprocessor and a plurality of computer systems.
  - 11. The system of claim 10, in which a two tier memory comprises the memory and the external memory, wherein the memory is for storing a transaction application and data including the sensitive data and the external memory is for storing temporary variables and a certificate cache.
  - 12. The system of claim 10, in which the cryptographic unit performs an asymmetric or symmetric encryption of the sensitive data in order to provide the sensitive data in encrypted form.
  - 13. The system of claim 12, in which the sensitive data in the encrypted form is wrapped in unencrypted non-sensitive data to form a message, wherein the message is signed in the smart card with the private-key and is then handed to one of the plurality of computer systems for further transmission to a transaction party.

14. A system for secure transactions in a host computer, comprising:
- a security co-processor;
  
  an interface for interfacing the security co-processor to the host computer, the interface including an interface communication protocol for restricting access by the host computer to data passing through the security co-processor; and
  
  means for providing trusted input coupled to the security co-processor, wherein secure transaction processing is performed locally in the security co-processor and non-secure transaction processing is performed in the host computer system.
- View Dependent Claims (15, 16)
- - 15. The system of claim 14, wherein the system further includes a smart card interface coupled to the security co-processor for interfacing with smart cards.
  - 16. The system of claim 15, wherein the system further includes a trusted display coupled to the security co-processor for providing a visual feedback and true transaction information.

17. A system for secure transactions in a host computer, comprising:
- a security co-processor, the security co-processor including a processor, a processor support coupled to the processor;
  
  a display interface coupled to the processor, first interface means for receiving trusted input, the first interface means being coupled to the processor, smart card interface means coupled to the processor, a memory coupled to the processor, an external memory interface coupled to the processor, a cryptographic unit coupled to the processor, and second interface means coupled to the processor, the second interfacing means for interfacing with a plurality of computer systems;
  
  an interface for interfacing between the security co-processor and the host computer, the interface including an interface communication protocol for restricting access by the host computer to data passing through the security co-processor, wherein the interface is coupled to the second interface means;
  
  means for providing trusted input coupled to the security co-processor via the first interface means;
  
  a smart card interface coupled to the smart card interface means of the security co-processor, the smart card interface for interfacing between the security co-processor and smart cards; and
  
  a trusted display coupled to the display interface of the security co-processor for providing a visual feedback and true transaction information, wherein secure transaction processing is performed locally in the security co-processor and non-secure transaction processing is performed in the host computer system.

18. A method for secure transactions in a host computer, the method comprising the steps of:
- a) providing a security co-processor; and
  
  b) providing a interface for interfacing the security co-processor to the host computer, the interface including an interface communication protocol for restricting access by the host computer to data passing through the security co-processor, wherein secure transaction processing is performed locally in the security co-processor and non-secure transaction processing is performed in the host computer system.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 19. The method of claim 18, wherein the interface communication protocol is implemented in an application programming interface.
  - 20. The method of claim 18, wherein the method further includes the step of:
    - c) providing means for providing trusted input coupled to the security co-processor.
  - 21. The method of claim 20, wherein the method further includes the step of:
    - d) providing a second interface coupled to the security co-processor for receiving sensitive data from a smart card.
  - 22. The method of claim 21, wherein the method further includes the step of:
    - e) providing a trusted display coupled to the security co-processor for providing a visual feedback and true transaction information.
  - 23. The method of claim 22, wherein the security co-processor includes:
    - a processor;
      
      a processor support coupled to the processor;
      
      a display interface coupled to the processor;
      
      first interfacing means for interfacing with one of a keyboard and a keypad, the first interfacing means being coupled to the processor;
      
      a smart card interface coupled to the processor;
      
      a memory coupled to the processor;
      
      an external memory interface coupled to the processor;
      
      a cryptographic unit coupled to the processor; and
      
      second interfacing means for interfacing with a plurality of computer systems, the second interfacing means being coupled to the processor.
  - 24. The method of claim 23, wherein the method further includes the step of:
    - f) executing a transaction application via the processor, wherein the transaction application is responsive to communications from the host computer that is conducted via a firewall, wherein the transaction application performs locally the secure transaction processing.
  - 25. The method of claim 24, wherein the executing step f) further includes the step of:
    - f1) indicating a secure mode in response to the communications from the host computer wherein keyboard entry of sensitive data is requested.
  - 26. The method of claim 25, wherein the processor indicates a secure mode by turning on a LED.
  - 27. The method of claim 25, wherein the executing step f) further includes the step of:
    - f2) providing data to the trusted display in order to provide a visual feedback during the keyboard entry of sensitive data and for displaying the true transaction information.
  - 28. The method of claim 27, wherein the executing step f) further includes the step of:
    - f3) performing a encryption of the sensitive data in the cryptographic unit in order to provide the sensitive data in encrypted form.
  - 29. The method of claim 28, wherein the encryption is a symmetric or asymmetric encryption operation of the sensitive data.
  - 30. The system of claim 28, wherein the executing step f) further includes the steps of:
    - f4) transferring the message to a smart card via the smart card interface for signing;
      
      f5) signing the message in the smart card with a private-key; and
      
      f6) handing the message to one of the plurality of computer systems for further transmission to a transaction party.
  - 31. The method of claim 30, wherein the executing step f) further includes the step of:
    - f7) building a certificate cache with pre-verified and validated certificates indicating identities belonging to sources of messages, wherein the certificate cache is included in one of the memory and an external memory, and wherein the external memory is coupled to the processor via the external memory interface.
  - 32. The method of claim 31, wherein the certificate cache building step f7) further includes the steps of:
    - f7a) determining if the certificate exists in the certificate cache as a pre-verified certificate;
      
      f7b) determining if an issuer certificate within the certificate exists in the certificate cache if the certificate does not exists in the certificate cache;
      
      f7c) verifying the validity of the issuer certificate if the issuer certificate exist in the certificate cache and the certificate does not exists in the certificate cache;
      
      f7d) rejecting the message if the issuer certificate is invalid; and
      
      f7e) waiting for a new certificate.
  - 33. The method of claim 31, wherein the certificate cache building step f7) further includes the steps of:
    - f7a) determining if the certificate exists in the certificate cache as a pre-verified certificate;
      
      f7b) determining if an issuer certificate within the certificate exists in the certificate cache if the certificate does not exists in the certificate cache;
      
      f7c) verifying the validity of the issuer certificate if the issuer certificate exists in the certificate cache and the certificate does not exists in the certificate cache;
      
      f7d) verifying validity of certificate extensions if the certificate does not exist in the certificate cache and the issuer certificate is valid;
      
      f7e) storing the certificate in the certificate cache if the certificate extensions are valid, the issuer certificate is valid, and the certificate does not exists in the certificate cache; and
      
      f7f) waiting for a new certificate.
  - 34. The method of claim 31, wherein the certificate cache building step f7) further includes the steps of:
    - f7a) determining if the certificate exists in the certificate cache as a pre-verified certificate;
      
      f7d) verifying validity of certificate extensions if the certificate exists in the certificate cache;
      
      f7e) storing the certificate in the certificate cache if the certificate extensions are valid and the certificate exists in the certificate cache; and
      
      f7f) waiting for a new certificate.
  - 35. The method of claim 31, wherein the executing step f) further includes the step of:
    - f8) processing a first biometric data provided to the security co-processor and a second biometric data resident on the smart card, wherein the first biometric data can be verified against the second biometric data.

36. A computer readable medium including program instructions for secure encrypted and authenticated transactions, the program instructions being executed via a security co-processor, the security co-processor communicating with a host computer via a host interface including a firewall, the firewall having functionality being enforced by an interface communication protocol for restricting access by the host computer to data passing through the security co-processor, the program instructions for:
- a) indicating a secure mode in response to communications from the host computer wherein a keyboard entry of sensitive data is requested;
  
  b) providing data to a trusted display in order to provide a visual feedback during the keyboard entry of the sensitive data and for displaying true transaction information;
  
  c) performing an encryption of the sensitive data in a cryptographic unit within the security co-processor in order to provide the sensitive data in an encrypted form;
  
  d) computing a hash of a message in order to form a mechanism for signature;
  
  e) transferring the hash to a smart card for signing;
  
  f) signing the message in the smart card with a private-key;
  
  g) handing the message to the host computer for further transmission to a transaction party; and
  
  h) building a certificate cache with pre-verified and validated certificates indicating identities belonging to sources of messages received by the security co-processor, wherein secure transaction processing is performed locally in the security co-processor and non-secure transaction processing is performed in the host computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ESW Holdings, Inc. (ESW Capital, LLC)
Original Assignee
N-able Technologies Incorporated (SolarWinds Corp.)
Inventors
Veil, Leonard Scott, Ward, Gary Paul, Murray, Eric Alan, Weiss, Richard Alan
Primary Examiner(s)
Beausoliel, Jr., Robert W.
Assistant Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US09/084,078
Time in Patent Office

788 Days
Field of Search

713/200, 713/201, 713/150, 713/151, 713/152, 713/153, 713/154, 708/135, 705/44, 705/64, 380/4, 709/220, 709/227, 709/228
US Class Current

726/27
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 21/52   during program execution, e...

G06F 21/72   in cryptographic circuits

G06F 21/85   interconnection devices, e....

G06F 2207/7219   Countermeasures against sid...

G06F 2211/007   Encryption, En-/decode, En-...

G06F 2211/009   Trust

G06F 2221/2107   File encryption

G06Q 20/00   Payment architectures, sche...

G06Q 20/363   with the personal data of a...

G06Q 20/382   insuring higher security of...

G07F 7/0866   by active credit-cards adap...

G07F 7/1016   Devices or methods for secu...

Method and system for secure transactions in a computer system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for secure transactions in a computer system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links