Secure access module for integrated circuit card applications

US 8,322,610 B2
Filed: 03/15/2010
Issued: 12/04/2012
Est. Priority Date: 03/13/2009
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

initiating a transaction between a card-accessing device and a portable card;

determining that a portion of the transaction between the card-accessing device and the portable card involves the use of sensitive data; and

invoking a Secure Access Module contained within the card-accessing device to carry out the portion of the transaction involving the use of sensitive data, wherein the Secure Access Module comprises functionality sufficient to carry out the portion of the transaction involving the use of sensitive data;

determining that the portion of the transaction involving the use of sensitive data is completed; and

after the portion of the transaction involving the use of sensitive data is determined to be completed, relinquishing control of the transaction from the Secure Access Module to an unsecure environment of the card-accessing device such that the transaction is completed by a processor residing within the unsecure environment.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Mechanisms are provided for executing security-sensitive applications with a general-purpose computing device. In particular, the general-purpose computing device includes an unsecure computing environment and a secure computing environment. The secure computing environment is established with a secure access module that includes data and functions for executing the security-sensitive application on behalf of the unsecure computing environment.

Citations

25 Claims

1. A method comprising:
- initiating a transaction between a card-accessing device and a portable card;
  
  determining that a portion of the transaction between the card-accessing device and the portable card involves the use of sensitive data; and
  
  invoking a Secure Access Module contained within the card-accessing device to carry out the portion of the transaction involving the use of sensitive data, wherein the Secure Access Module comprises functionality sufficient to carry out the portion of the transaction involving the use of sensitive data;
  
  determining that the portion of the transaction involving the use of sensitive data is completed; and
  
  after the portion of the transaction involving the use of sensitive data is determined to be completed, relinquishing control of the transaction from the Secure Access Module to an unsecure environment of the card-accessing device such that the transaction is completed by a processor residing within the unsecure environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the processor residing within the unsecure environment performs additional steps in the transaction after obtaining control of the transaction from the Secure Access Module, wherein the additional steps include one or more of physically printing an image on the portable card, physically printing one or more characters on the portable card, verifying that data has been accurately written to the portable card, writing non-sensitive data to the portable card, and reading non-sensitive data from the portable card.
  - 3. The method of claim 1, wherein the Secure Access Module comprises an Integrated Circuit card having at least one application programmed thereon, wherein the application comprises the functionality sufficient to carry out the portion of the transaction involving the use of sensitive data and wherein the Secure Access Module functionality carries out the portion of the transaction in a secure manner.
  - 4. The method of claim 3, wherein the sensitive data is also contained within the Integrated Circuit card.
  - 5. The method of claim 1, wherein the Secure Access Module comprises an Application Specific Integrated Circuit containing instructions which, when executed, provide the functionality sufficient to carry out the portion of the transaction involving the use of sensitive data.
  - 6. The method of claim 1, wherein physical and logical security capabilities of the Secure Access Module operating within the card-accessing device are at least as secure as physical and logical security capabilities of the portable card.
  - 7. The method of claim 6, wherein the portable card comprises an Integrated Circuit card and wherein the Secure Access Module comprises an Integrated Circuit card.
  - 8. The method of claim 7, wherein a card interface of the card-accessing device is utilized by the Secure Access Module to communicate with the portable card and wherein a secure communication channel is established between the Secure Access Module and the portable card through the card interface of the card-accessing device.
  - 9. The method of claim 8, wherein communications between the Secure Access Module and the portable card used to carry out the portion of the transaction involving the use of sensitive data bypass a processor residing in an unsecure environment of the card-accessing device.
  - 10. The method of claim 1, wherein the portion of the transaction involving the use of sensitive data includes one or more of writing sensitive data from the Secure Access Module to the portable card and reading sensitive data from the portable card onto the Secure Access Module.
  - 11. The method of claim 10, wherein the sensitive data comprises one or more of a cryptographic algorithm, a cryptographic key, a personal identification number, a social security number, an account number, and a password.
  - 12. The method of claim 1, further comprising:
    - authenticating the Secure Access Module with the portable card;
      
      after the authenticating step, establishing a secure communication channel between the Secure Access Module and the portable card; and
      
      utilizing the secure communication channel to share the sensitive data between the Secure Access Module and the portable card.

13. A card-accessing device, comprising:
- an unsecure environment including memory and a processor, the memory including instructions for executing one or more applications and instructions for executing an operating system, wherein the processor is configured to execute the instructions stored in memory;
  
  a card interface configured to provide a communication channel between the processor and a portable card thereby facilitating a data transaction between the card-accessing device and the portable card; and
  
  a Secure Access Module configured carry out a portion of the data transaction involving the use of sensitive data and during the portion of the data transaction involving the use of sensitive data utilize the card interface to communicate with the portable card, determine that the portion of the data transaction involving the use of sensitive data is completed, and then, after determining that the portion of the data transaction involving the use of sensitive data has completed, relinquish control of the transaction to the unsecure environment such that the transaction is completed by the processor of the unsecure environment.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 14. The device of claim 13, wherein the Secure Access Module comprises an Integrated Circuit card having at least one application programmed thereon, wherein the application comprises the functionality sufficient to carry out the portion of the transaction involving the use of sensitive data.
  - 15. The device of claim 14, wherein the sensitive data is also contained within the Integrated Circuit card.
  - 16. The device of claim 13, wherein the Secure Access Module comprises an Application Specific Integrated Circuit containing instructions which, when executed, provide the functionality sufficient to carry out the portion of the transaction involving the use of sensitive data.
  - 17. The device of claim 13, wherein physical and logical security capabilities of the Secure Access Module operating within the card-accessing device are at least as secure as physical and logical security capabilities of the portable card.
  - 18. The device of claim 17, wherein the portable card comprises an Integrated Circuit card and wherein the Secure Access Module comprises an Integrated Circuit card.
  - 19. The device of claim 18, wherein a secure communication channel is established between the Secure Access Module and the portable card through the card interface of the card-accessing device.
  - 20. The device of claim 19, wherein communications between the Secure Access Module and the portable card used to carry out the portion of the transaction involving the use of sensitive data bypass the processor residing in the unsecure environment of the card-accessing device.
  - 21. The device of claim 13, wherein the portion of the transaction involving the use of sensitive data includes one or more of writing sensitive data from the Secure Access Module to the portable card and reading sensitive data from the portable card onto the Secure Access Module.
  - 22. The device of claim 21, wherein the sensitive data comprises one or more of a cryptographic algorithm, a cryptographic key, a personal identification number, a social security number, an account number, and a password.

23. A system, comprising:
- a portable card; and
  
  a card-accessing device configured to execute a data exchange transaction with the portable card, wherein a first portion of the data exchange transaction involving the use of sensitive data is executed by a Secure Access Module contained within the card-accessing device and wherein a second portion of the data exchange transaction not involving the use of sensitive data is executed after the first portion of the data exchange transaction is completed, the second portion of the data exchange transaction being executed by a processor residing in an unsecure environment of the card-accessing device, wherein the Secure Access Module is further configured to determine that the first portion of the data exchange transaction involving the use of sensitive data is completed and, in response thereto, invoke the second portion of the data exchange transaction to be executed.
- View Dependent Claims (24, 25)
- - 24. The system of claim 23, wherein the processor also executes an operating system for the card-accessing device.
  - 25. The system of claim 23, wherein the Secure Access Module comprises an Integrated Circuit card and wherein the portable card also comprises an Integrated Circuit card.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Assa Abloy AB
Original Assignee
Assa Abloy AB
Inventors
Guthery, Scott B.
Primary Examiner(s)
WALSH, DANIEL I

Application Number

US12/724,081
Publication Number

US 20100230490A1
Time in Patent Office

995 Days
Field of Search

235/382, 235/382.5, 235/487, 235/492, 235/435
US Class Current

235/382
CPC Class Codes

G06F 21/606 by securing the transmissio...

G06F 21/74 operating in dual or compar...

Secure access module for integrated circuit card applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Secure access module for integrated circuit card applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links