Trusted authorization device

US 7,028,191 B2
Filed: 04/01/2002
Issued: 04/11/2006
Est. Priority Date: 03/30/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method of providing for a trusted authorization of a transaction, comprising:

a. providing for communicating with a first computer;

b. providing for displaying first information to be authorized on a trusted display of a trusted authorization device, wherein said first information to be authorized is provided by said first computer;

c. providing for receiving an authorization command from a trusted keypad of said trusted authorization device, wherein said authorization command is related to said first information; and

d. if said authorization command provides for authorizing said first information, then providing for a set of operations by a trusted processor of said trusted authorization device, said set of operations comprising;

i. generating a random number;

ii. generating second information that is responsive to said first information to be authorized, wherein said second information further incorporates both said random number and a first identification code associated with said trusted authorization device, wherein said first identification code is stored on a trusted memory of said trusted authorization device;

iii. generating a signature of said second information, wherein said signature is generated by a first encryption process;

iv. generating a set of session keys by a second encryption process, wherein said second encryption process is responsive to said random number and to a set of stored working keys, and said set of stored working keys are stored on said trusted memory of said trusted authorization device;

v. generating third information by encrypting said second information and said signature using a third encryption process that is responsive to said set of session keys; and

vi. communicating to said first computer said random number, said first identification code, and said third information, wherein said random number and said first identification code are communicated in plaintext.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A trusted display (18) of a trusted authorization device (TAD) (10) displays on a trusted display (18) first information about a transaction to be authorized by a user (14) using a trusted keypad (20). The TAD (10) generates (208) a random number (R); generates (1210) second information from the first information, the random number (R) and a first identification code (TADID-A) of the TAD (10); generates (212) a signature of the second information using a first encryption process; egnerates (216) a set of session keys (Ks1, Ks2, Ks3) by a second encryption process responsive to the random number (R) and a set of stored working keys (K_w1, K_w2, K_w3); and generates (218) third information by encrypting the second information and the signature using a third encryption process responsive to the set of session keys (Ks1, Ks2, Ks3). A dat structure (42) is formed comprising the random numer (R), the first identification code (TADID-A), and the third information; and communicated (220) from the TAD (10) to the client (12) to a host server (28) for verification by a verification decryption server (32).

126 Citations

View as Search Results

40 Claims

1. A method of providing for a trusted authorization of a transaction, comprising:
- a. providing for communicating with a first computer;
  
  b. providing for displaying first information to be authorized on a trusted display of a trusted authorization device, wherein said first information to be authorized is provided by said first computer;
  
  c. providing for receiving an authorization command from a trusted keypad of said trusted authorization device, wherein said authorization command is related to said first information; and
  
  d. if said authorization command provides for authorizing said first information, then providing for a set of operations by a trusted processor of said trusted authorization device, said set of operations comprising;
  
  i. generating a random number;
  
  ii. generating second information that is responsive to said first information to be authorized, wherein said second information further incorporates both said random number and a first identification code associated with said trusted authorization device, wherein said first identification code is stored on a trusted memory of said trusted authorization device;
  
  iii. generating a signature of said second information, wherein said signature is generated by a first encryption process;
  
  iv. generating a set of session keys by a second encryption process, wherein said second encryption process is responsive to said random number and to a set of stored working keys, and said set of stored working keys are stored on said trusted memory of said trusted authorization device;
  
  v. generating third information by encrypting said second information and said signature using a third encryption process that is responsive to said set of session keys; and
  
  vi. communicating to said first computer said random number, said first identification code, and said third information, wherein said random number and said first identification code are communicated in plaintext.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 35)
- - 2. A method of providing for a trusted authorization of a transaction as recited in claim 1, further comprising providing for receiving a personal identification code from a user, wherein said personal identification code is incorporated in said second information.
  - 3. A method of providing for a trusted authorization of a transaction as recited in claim 2, wherein said personal information code comprises a code entered with a trusted keypad of said trusted authorization device.
  - 4. A method of providing for a trusted authorization of a transaction as recited in claim 2, wherein said personal information code is responsive to a biometric input from a user entered with a trusted biometric input device.
  - 5. A method of providing for a trusted authorization of a transaction as recited in claim 2, wherein said personal information code is responsive to a signature input from a user entered with a trusted signature input device.
  - 6. A method of providing for a trusted authorization of a transaction as recited in claim 2, wherein said personal information code is responsive to a voice input from a user entered with a trusted microphone.
  - 7. A method of providing for a trusted authorization of a transaction as recited in claim 2, wherein said personal information code comprises a digest of at least one of a biometric input from a user entered with a trusted biometric input device, a signature input from a user entered with a trusted signature input device, and a voice input from a user entered with a trusted microphone.
  - 8. A method of providing for a trusted authorization of a transaction as recited in claim 1, further comprising providing for receiving a personal identification code from a user, wherein the operation of providing for said set of operations by a trusted processor of said trusted authorization device is responsive to whether said personal identification code corresponds to a stored personal identification code, said stored personal identification code is stored in said trusted memory of said trusted authorization device, and said stored personal identification code is associated with an authentic user of said trusted authorization device.
  - 9. A method of providing for a trusted authorization of a transaction as recited in claim 8, wherein said personal information code comprises a code entered with a trusted keypad of said trusted authorization device.
  - 10. A method of providing for a trusted authorization of a transaction as recited in claim 8, wherein said personal information code is responsive to a biometric input from a user entered with a trusted biometric input device.
  - 11. A method of providing for a trusted authorization of a transaction as recited in claim 8, wherein said personal information code is responsive to a signature input from a user entered with a trusted signature input device.
  - 12. A method of providing for a trusted authorization of a transaction as recited in claim 8, wherein said personal information code is responsive to a voice input from a user entered with a trusted microphone.
  - 13. A method of providing for a trusted authorization of a transaction as recited in claim 8, wherein said personal information code is associated with said trusted authorization device.
  - 14. A method of providing for a trusted authorization of a transaction as recited in claim 8, wherein said personal information code comprises a digest of at least one of a biometric input from a user entered with a trusted biometric input device, a signature input from a user entered with a trusted signature input device, and a voice input from a user entered with a trusted microphone.
  - 15. A method of providing for a trusted authorization of a transaction as recited in claim 1, further comprising providing for receiving fourth information from a physical token in possession of a user and incorporating at least a portion of said fourth information in said second information.
  - 16. A method of providing for a trusted authorization of a transaction as recited in claim 15, wherein said physical token is selected from a credit card, a debit card, and a smart card.
  - 17. A method of providing for a trusted authorization of a transaction as recited in claim 16, wherein the operation of receiving fourth information from a physical token comprises reading said fourth information from said physical token using a trusted reader.
  - 18. A method of providing for a trusted authorization of a transaction as recited in claim 17, wherein said fourth information is stored on a magnetic strip of said physical token, and the operation of receiving fourth information from a physical token comprises reading said fourth information from said magnetic strip using a trusted magnetic card reader.
  - 19. A method of providing for a trusted authorization of a transaction as recited in claim 15, further comprising providing for receiving a personal identification code from a user, and incorporating said personal identification code in said second information, wherein said personal information code is associated with said physical token.
  - 20. A method of providing for a trusted authorization of a transaction as recited in claim 15, further comprising providing for receiving a personal identification code from a user, wherein said personal information code is associated with said physical token, the operation of providing for said set of operations by a trusted processor of said trusted authorization device is responsive to whether said personal identification code corresponds to a stored personal identification code stored in said physical token, and said stored personal identification code is associated with an authentic user of said physical token.
  - 21. A method of providing for a trusted authorization of a transaction as recited in claim 1, wherein said random number is a true random number, and said true random number is responsive to a physical process.
  - 22. A method of providing for a trusted authorization of a transaction as recited in claim 1, wherein said second information comprises at least a portion of said first information.
  - 23. A method of providing for a trusted authorization of a transaction as recited in claim 1, further comprising:
    - a. incrementing a transaction counter; and
      
      b. incorporating the value of said transaction counter in said second information.
  - 24. A method of providing for a trusted authorization of a transaction as recited in claim 23, further comprising communicating in plaintext to said first computer the value of said transaction counter.
  - 25. A method of providing for a trusted authorization of a transaction as recited in claim 1, further comprising providing for receiving location information from a trusted location device and incorporating said location information in said second information, wherein said location information is related to the location of said trusted authorization device.
  - 26. A method of providing for a trusted authorization of a transaction as recited in claim 25, wherein said trusted location device comprises a trusted GPS receiver.
  - 27. A method of providing for a trusted authorization of a transaction as recited in claim 1, wherein said first encryption process comprises a Data Encryption Standard (DES) cyclic block code (CBC) manipulation detection code (MDC) using said random number as an initial vector.
  - 28. A method of providing for a trusted authorization of a transaction as recited in claim 1, wherein said first encryption process comprises a digest algorithm selected from MD5 and SHA-1.
  - 29. A method of providing for a trusted authorization of a transaction as recited in claim 1, wherein said first encryption process comprises a Public Key Infrastructure (PKI) encryption algorithm using a private key that is associated with either said trusted authorization device or a physical token at least temporarily operatively connected to said trusted authorization device, wherein said first encryption process operates on a digest of said second information.
  - 30. A method of providing for a trusted authorization of a transaction as recited in claim 1, wherein said second encryption process comprises a symmetric encryption of said random number using said set of working keys that are stored in said trusted memory of said transaction authorization device.
  - 31. A method of providing for a trusted authorization of a transaction as recited in claim 30, wherein said working keys are generated by a fourth encryption process, and said fourth encryption process is responsive to a second identification code associated with said trusted authorization device, and to a set of rekeying keys stored in said trusted memory of said trusted authorization device.
  - 32. A method of providing for a trusted authorization of a transaction as recited in claim 1, further comprising communicating in plaintext to said first computer at least one encryption algorithm identification code associated with at least one of said first encryption process and said third encryption process.
  - 35. A method of providing for a trusted authorization of a transaction as recited in claim 25, further comprising providing for transmitting to a third computer said random number, a set of encrypted working keys for said third encryption process and said third information, and receiving from said third computer a result, wherein said set of encrypted working keys is responsive to said first identification code, said set of encrypted working keys are encrypted with a set of keys of said third computer, the operation of providing for acting upon said second information is responsive to said result and said third computer performs the operations of providing for generating said set of session keys, providing for generating said second information and said fifth information, providing for generating said signature of said second information, and providing for comparing said signature with said fifth information.

33. A method of providing for a trusted authorization of a transaction, comprising:
- a. providing for initiating a transaction on a first computer responsive to at least one input from a user;
  
  b. providing for communicating first information to a transaction authorization device, wherein said first information is related to said transaction, and said transaction authorization device is operatively connected to said first computer;
  
  c. providing for receiving a data structure from said transaction authorization device, wherein said data structure is responsive to said first information, said data structure comprises a random number, a first identification code, and third information, said third information comprises an encryption by a third encryption process of both second information and a signature responsive to said second information, a first portion of said second information is responsive to said first information, a second portion of said second information comprises said random number, a third portion of said second information comprises said first identification code, said random number is generated by said trusted authorization device, and said first identification code is associated with said trusted authorization device; and
  
  d. providing for communicating said data structure to a host server computer, wherein said data structure provides for a trusted authorization of said transaction.

34. A method of providing for a trusted authorization of a transaction, comprising:
- a. providing for receiving by a first computer a data structure from a second computer, wherein said data structure is responsive to first information, said first information is related to a transaction to be authorized, said data structure comprises a random number, a first identification code, and third information, said third information comprises an encryption by a third encryption process of both second information and a signature by a first encryption process responsive to said second information, a first portion of said second information is responsive to said first information, a second portion of said second information comprises said random number, a third portion of said second information comprises said first identification code;
  
  b. providing for retrieving a set of stored working keys, wherein said operation of retrieving is responsive to said first identification code;
  
  c. providing for generating a set of session keys by a second encryption process, wherein said second encryption process is responsive to said random number and to said set of stored working keys;
  
  d. providing for generating second information and fifth information by decrypting said third information using said third encryption process that is responsive to said set of session keys;
  
  e. providing for generating a signature of said second information, wherein said signature is generated by said first encryption process;
  
  f. providing for comparing said signature with said fifth information; and
  
  g. if said signature matches said fifth information, then providing for acting upon said second information.

36. A method of authorizing a transaction responsive to a data structure, comprising:
- a. receiving said data structure, wherein said data structure is responsive to first information, said first information is related to a transaction to be authorized, said data structure comprises a random number, a first identification code, and third information, said third information comprises an encryption by a third encryption process of both second information and a signature by a first encryption process responsive to said second information, a first portion of said second information is responsive to said first information, a second portion of said second information comprises said random number, a third portion of said second information comprises said first identification code;
  
  b. retrieving or receiving a set of stored working keys, wherein said operation of retrieving is responsive to said first identification code;
  
  c. generating a set of session keys by a second encryption process, wherein said second encryption process is responsive to said random number and to said set of stored working keys;
  
  d. generating second information and fifth information by decrypting said third information using said third encryption process that is responsive to said set of session keys;
  
  e. generating a signature of said second information, wherein said signature is generated by said first encryption process;
  
  f. comparing said signature with said fifth information; and
  
  g. transmitting a result of the operation of comparing said signature with said fifth information.
- View Dependent Claims (37)
- - 37. A method of authorizing a transaction responsive to a data structure as recited in claim 36, wherein said set of stored working keys are encrypted, further comprising decrypting said set of stored working keys prior to the operation of generating a set of session keys.

38. A memory for storing data for access by an application program being executed on a computer, comprising a data structure stored in said memory, wherein said data structure is responsive to first information, said first information is related to a transaction to be authorized, and said data structure comprisesa. a first data object comprising a random number;
- b. a second data object comprising a first identification code; and
  
  c. a third data object comprising third information, wherein said third information comprises an encryption by a third encryption process of both second information and a signature by a first encryption process responsive to said second information, said third encryption process is responsive to a set of session keys that are responsive to said random number, a first portion of said second information is responsive to said first information, a second portion of said second information comprises said random number, a third portion of said second information comprises said first identification code.
- View Dependent Claims (39, 40)
- - 39. A memory for storing data for access by an application program being executed on a computer as recited in claim 38, wherein said data structure further comprises a fourth data object comprising a value of a transaction counter.
  - 40. A memory for storing data for access by an application program being executed on a computer as recited in claim 38, wherein said second information incorporates a value of a transaction counter.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
John R. Michener, Paul F. Ryan
Original Assignee
John R. Michener, Paul F. Ryan
Inventors
Michener, John R., Ryan, Paul F.
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US10/473,842
Publication Number

US 20050010786A1
Time in Patent Office

1,471 Days
Field of Search

713/182, 713/168, 713/200, 713/201
US Class Current

713/182
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 21/72   in cryptographic circuits

G06F 21/73   by creating or determining ...

G06F 21/86   Secure or tamper-resistant ...

G06Q 20/02   involving a neutral party, ...

G06Q 20/04   Payment circuits

G06Q 20/382   insuring higher security of...

G06Q 20/3823   combining multiple encrypti...

G06Q 20/3829   involving key management

G06Q 20/40   Authorisation, e.g. identif...

H04L 2209/56   Financial cryptography, e.g...

H04L 2463/102   applying security measure f...

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/0861   using biometrical features,...

H04L 63/10   for controlling access to d...

H04L 63/12   Applying verification of th...

H04L 9/0891   Revocation or update of sec...

H04L 9/3231 : Biological data, e.g. finge...

H04L 9/3247 : involving digital signatures

View All

Trusted authorization device

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

126 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Trusted authorization device

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

126 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links