Key management technique for establishing a secure channel
First Claim
1. A method for establishing a secure channel through an indeterminate number of nodes in a network comprising:
- enrolling a smart card with a unique key per smart card, the unique key derived from a private key that is assigned and distinctive to systems and a card base of a card issuer, an enrolled smart card containing a stored public entity-identifier and the unique key;
transacting at a point of entry to the network, the transaction creating a PIN encryption key by hashing a keying code that is derived from the smart card unique key and a transaction identifier that uniquely identifies the point of entry and a transaction sequence number;
communicating a PIN point-to-point in encrypted form through a plurality of nodes in the network; and
recovering the PIN at a card issuer server using the PIN encryption key and the card issuer private key.
10 Assignments
0 Petitions
Accused Products
Abstract
A key management technique establishes a secure channel through an indeterminate number of nodes in a network. The technique comprises enrolling a smart card with a unique key per smart card. The unique key is derived from a private key that is assigned and distinctive to systems and a card base of a card issuer. An enrolled smart card contains a stored public entity-identifier and the secret unique key. The technique further comprises transacting at a point of entry to the network. The transaction creates a PIN encryption key derived from the smart card unique key and a transaction identifier that uniquely identifies the point of entry and transaction sequence number. The technique also comprises communicating the PIN encryption key point-to-point in encrypted form through a plurality of nodes in the network, and recovering the PIN at a card issuer server from the PIN encryption key using the card issuer private key.
27 Citations
28 Claims
-
1. A method for establishing a secure channel through an indeterminate number of nodes in a network comprising:
-
enrolling a smart card with a unique key per smart card, the unique key derived from a private key that is assigned and distinctive to systems and a card base of a card issuer, an enrolled smart card containing a stored public entity-identifier and the unique key; transacting at a point of entry to the network, the transaction creating a PIN encryption key by hashing a keying code that is derived from the smart card unique key and a transaction identifier that uniquely identifies the point of entry and a transaction sequence number; communicating a PIN point-to-point in encrypted form through a plurality of nodes in the network; and recovering the PIN at a card issuer server using the PIN encryption key and the card issuer private key. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
-
-
13. A data security apparatus comprising:
a smart card that establishes a secure channel through an indeterminate number of nodes in a network comprising; an interface for communicating with a card reader and/or writer; a processor coupled to the interface; and a memory coupled to the processor that stores a public entity-identifier and a secret unique key derived from a private key that is assigned and distinctive to systems and a card base of a card issuer, the memory further comprising; a computable readable program code embodied therein that creates a PIN encryption key derived from the smart card unique key and a transaction identifier that uniquely identifies a point of entry and transaction sequence number; a computable readable program code causing the processor to receive an entity-entered Personal Identification Number (PIN); a computable readable program code causing the processor to compute an equation of the form;
K=u·
TSNH(mod N),where K is a keying code, u is a secret key, TSN is a transaction sequence identifier that identifies the point of entry and a sequence number for a transaction originating at the terminal, H is a hash of transaction data elements, and N is a modulus in an RSA (Rivest, Shamir, and Adelman Public Key Cryptosystem) system; and a computable readable program code causing the processor to hash the keying code K to form the PIN encryption key KPE according to an equation of the form;
KPE=h(k),where h( ) is a hashing algorithm. - View Dependent Claims (14, 15, 16, 17)
-
18. A data security apparatus comprising:
-
an enrollment system that establishes a secure channel through an indeterminate number of nodes in a network, the enrollment system comprising; a communication interface for communicating with a writer configured to accept a smart card; a processor coupled to the communication interface; and a memory coupled to the processor and having a computable readable program code embodied therein causing the processor to initialize and personalize the smart card with a unique key per smart card, the unique key derived from a private key that is assigned and distinctive to systems and a card base of a card issuer, the unique key for usage by the smart card to create a PIN encryption key computed by an equation of the form
K=u·
TSNH(mod N),where K is a keying code, u is a secret key, TSN is a transaction sequence identifier that identifies a terminal and a sequence number for a transaction originating at the terminal, H is a hash of transaction data elements, and N is a modulus in an RSA (Rivest, Shamir, and Adelman Public Key Cryptosystem) system; and the smart card hashes the keying code K to form the PIN encryption key KPE according to an equation of the form;
KPE=h(k),where h( ) is a hashing algorithm. - View Dependent Claims (19, 20)
-
-
21. A data security apparatus comprising:
a card issuer server that establishes a secure channel through an indeterminate number of nodes in a network, the card issuer server comprising; a communication interface for communicating with the network; a processor coupled to the communication interface; and a memory coupled to the processor and having a computable readable program code embodied therein causing the processor to recover a Personal Identification Number (PIN) from an encrypted PIN received via the network using a card issuer private key and a transaction PIN encryption key, the transaction PIN encryption key created by hashing a keying code that is derived from a smart card unique key initialized and personalized to the smart card and derived from the card issuer private key, and a transaction identifier that uniquely identifies a point of entry and a transaction sequence number. - View Dependent Claims (22, 23, 24, 25)
-
26. A transaction system comprising:
-
a network; a plurality of servers and/or hosts mutually coupling to the network; a plurality of terminals coupled to the servers and/or hosts via the network and available for transacting; a plurality of smart cards enrolled in the transaction system and adapted for insertion into the terminals and transacting via the servers and/or hosts; and a plurality of processors distributed among the smart cards, the servers and/or hosts, and/or the terminals, at least one of the processors establishing a secure channel through an indeterminate number of nodes in the network by communicating, and decrypting a PIN encrypted using a PIN encryption key created by hashing a keying code that is derived from a smart card unique key and a transaction identifier that uniquely identifies a point of entry terminal and a transaction sequence number, the smart card unique key being derived from a private key that is assigned and distinctive to systems and a card base of a card issuer.
-
-
27. A transaction system comprising:
-
a network; a plurality of servers and/or hosts mutually coupling to the network; a plurality of terminals coupled to the servers and/or hosts via the network and available for transacting; a plurality of smart cards enrolled in the transaction system and adapted for insertion into the terminals and transacting via the servers and/or hosts; and a plurality of processors distributed among the smart cards, the servers and/or hosts, and/or the terminals, at least one of the processors establishing a secure channel through an indeterminate number of nodes in the network by communicating, and decrypting a PIN encrypted using a PIN encryption key creating by hashing a keying code that is derived from a smart card unique key and a hash of transaction data elements.
-
-
28. A transaction system establishing a secure channel through an indeterminate number of nodes in a network comprising:
-
means for enrolling a smart card with a unique key per smart card, the unique key being derived from a private key that is assigned and distinctive to systems and a card base of a card issuer, an enrolled smart card containing a stored public entity-identifier and the unique key; means for transacting at a point of entry to the network, the transaction creating a PIN encryption key by hashing a keying code that is derived from the smart card unique key and a transaction identifier that uniquely identifies the point of entry and a transaction sequence number; means for communicating a PIN point-to-point in encrypted form through a plurality of nodes in the network; and means for recovering the PIN at a card issuer server using the PIN encryption key and the card issuer private key.
-
Specification