Method and system for activating a portable data carrier

US 9,411,981 B2
Filed: 09/01/2010
Issued: 08/09/2016
Est. Priority Date: 09/03/2009
Status: Active Grant

First Claim

Patent Images

1. A method for activating a first portable data carrier with the aid of a second portable data carrier, the method comprising the steps:

supplying the first portable data carrier to a user in an inactive state after the user has requested the first portable data carrier over a communication network from a central instance with the aid of the second portable data carrier, the inactive state being where intended use of the first portable data carrier is not possible, wherein the first portable data carrier is supplied to the user with first personalization data provided thereon, the first personalization data being data pertaining uniquely to the user, the first personalization data being provided on the first portable data carrier by the central instance;

setting up a direct communication connection between the first portable data carrier and the second portable data carrier, the direct communication connection being set up between the first portable data carrier and the second portable data carrier without an interposition of any device between the first portable data carrier and the second portable data carrier, wherein the first and the second portable data carriers mutually authenticate each other via the direct communication connection on the basis of authentication data and establish a cryptographically secured end-to-end connection, the authentication data being applied to the first portable data carrier which permit a mutual authentication directly and exclusively with the second portable data carrier by the direct communication connection; and

activating the first portable data carrier, wherein the second portable data carrier transmits activation data to the first portable data carrier via the cryptographically secured end-to-end connection, the activation data including second personal identification data pertaining uniquely to the user,wherein, within the framework of activating the first portable data carrier, all authorizations and functionalities present on the second portable data carrier are transferred from the second portable data carrier to the first portable data carrier through the cryptographically secured end-to-end connection and the first portable data carrier is immediately ready for use and usable with all functionalities after the conclusion of the activation,wherein the first portable data carrier and the second portable data carrier are each configured to establish a communication with a terminal and to be powered at least partially by said terminal,wherein the first portable data carrier is a first electronic identity document, and the second portable data carrier is a second electronic identity document, andwherein the first personalization data includes an optical personalization pertaining uniquely to the user and provided on the first portable data carrier by the central instance.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a method for activating a portable data carrier (1) in which a first portable data carrier (1) is supplied in an inactive state to a user, after the user has requested the first data carrier (1) with the aid of a second portable data carrier (2) from a central instance, whereby the first and the second data carrier (1, 2) have access to authentication data for mutual authentication. In the method according to the invention a communication connection is set up between the first and the second data carrier (1, 2), via which the first and the second data carrier (1, 2) mutually authenticate each other on the basis of the authentication data and establish a cryptographically secured end-to-end connection. Via this end-to-end connection then the second data carrier (2) activates the first data carrier (1) by transmitting activation data to the first data carrier (1).

35 Citations

View as Search Results

20 Claims

1. A method for activating a first portable data carrier with the aid of a second portable data carrier, the method comprising the steps:
- supplying the first portable data carrier to a user in an inactive state after the user has requested the first portable data carrier over a communication network from a central instance with the aid of the second portable data carrier, the inactive state being where intended use of the first portable data carrier is not possible, wherein the first portable data carrier is supplied to the user with first personalization data provided thereon, the first personalization data being data pertaining uniquely to the user, the first personalization data being provided on the first portable data carrier by the central instance;
  
  setting up a direct communication connection between the first portable data carrier and the second portable data carrier, the direct communication connection being set up between the first portable data carrier and the second portable data carrier without an interposition of any device between the first portable data carrier and the second portable data carrier, wherein the first and the second portable data carriers mutually authenticate each other via the direct communication connection on the basis of authentication data and establish a cryptographically secured end-to-end connection, the authentication data being applied to the first portable data carrier which permit a mutual authentication directly and exclusively with the second portable data carrier by the direct communication connection; and
  
  activating the first portable data carrier, wherein the second portable data carrier transmits activation data to the first portable data carrier via the cryptographically secured end-to-end connection, the activation data including second personal identification data pertaining uniquely to the user,wherein, within the framework of activating the first portable data carrier, all authorizations and functionalities present on the second portable data carrier are transferred from the second portable data carrier to the first portable data carrier through the cryptographically secured end-to-end connection and the first portable data carrier is immediately ready for use and usable with all functionalities after the conclusion of the activation,wherein the first portable data carrier and the second portable data carrier are each configured to establish a communication with a terminal and to be powered at least partially by said terminal,wherein the first portable data carrier is a first electronic identity document, and the second portable data carrier is a second electronic identity document, andwherein the first personalization data includes an optical personalization pertaining uniquely to the user and provided on the first portable data carrier by the central instance.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method according to claim 1, wherein at least one of the first and the second portable data carriers comprises at least one of:
    - an electronic identification document, an electronic visa, an electronic ticket, an electronic health card and an electronic bank card.
  - 3. The method according to claim 1, wherein the first portable data carrier is supplied on the basis of an online request by the user.
  - 4. The method according to claim 1, wherein the first portable data carrier in the inactive state is already personalized at least partly optically and/or electronically.
  - 5. The method according to claim 1, wherein the communication connection set up between the first and the second portable data carriers is a local communication connection in the area of influence of the user.
  - 6. The method according to claim 1, wherein the mutual authentication is a symmetric authentication with a symmetric key.
  - 7. The method according to claim 1, wherein the mutual authentication is an asymmetric authentication with an asymmetric pair of keys of a private and a public key.
  - 8. The method according claim 1, wherein the setup of the communication connection is preceded by a user authentication.
  - 9. The method according to claim 1, wherein the activation data comprise personalization data, to be stored on the first portable data carrier.
  - 10. The method according to claim 1, wherein the activation data comprise at least one of several cryptographic keys and electronic certificates.
  - 11. The method according to claim 1, wherein the activation data comprise a password to be input by the user.
  - 12. The method according to claim 1, wherein after the activation of the first portable data carrier the second portable data carrier becomes inactive.

13. A system for activating a portable data carrier, the system comprising a first portable data carrier and a second portable data carrier, which are configured so as to enable the following steps to be carried out:
- supplying the first portable data carrier to a user in an inactive state after the user has requested the first portable data carrier over a communication network from a central instance with the aid of the second portable data carrier, the inactive state being where intended use of the first portable data carrier is not possible, wherein the first portable data carrier is supplied to the user with first personalization data provided thereon, the first personalization data being data pertaining uniquely to the user, the first personalization data being provided on the first portable data carrier by the central instance;
  
  setting up a direct communication connection between the first and the second portable data carriers, the direct communication connection being set up between the first portable data carrier and the second portable data carrier without an interposition of any device between the first portable data carrier and the second portable data carrier, wherein the first and the second portable data carriers mutually authenticate each other via the direct communication connection on the basis of the authentication data and establish a cryptographically secured end-to-end connection the authentication data being applied to the first portable data carrier which permit a mutual authentication directly and exclusively with the second portable data carrier by the direct communication connection; and
  
  activating the first portable data carrier, wherein the second portable data carrier transmits activation data to the first portable data carrier via the cryptographically secured end-to-end connection, the activation data including second personal identification data pertaining uniquely to the user,wherein, within the framework of activating the first portable data carrier, all authorizations and functionalities present on the second portable data carrier are transferred from the second portable data carrier to the first portable data carrier through the cryptographically secured end-to-end connection and the first portable data carrier is immediately ready for use and usable with all functionalities after the conclusion of the activation,wherein the first portable data carrier and the second portable data carrier are each configured to establish a communication with a terminal and to be powered at least partially by said terminal,wherein the first portable data carrier is a first electronic identity document, and the second portable data carrier is a second electronic identity document, andwherein the first personalization data includes an optical personalization pertaining uniquely to the user and provided on the first portable data carrier by the central instance.

14. A method comprising:
- requesting, by a user, a replacement portable data carrier over a communication network from a central instance to replace an original portable data carrier, wherein the replacement portable data carrier is requested from the central instance with the aid of the second portable data carrier;
  
  producing, by the central instance, the replacement portable data carrier so that the replacement portable data carrier includes authentication data configured to permit a mutual authentication directly and exclusively with the original portable data carrier, wherein the replacement portable data carrier is produced to include first personalization data provided thereon, the first personalization data being data pertaining uniquely to the user, the first personalization data being provided on the first portable data carrier by the central instance;
  
  placing, by the central instance, the replacement portable data carrier in an inactive state in which an intended use of the replacement portable data carrier is not possible until the replacement portable data carrier is activated;
  
  delivering the inactive replacement portable data carrier to the user;
  
  setting up a direct communication connection between the original portable data carrier and the inactive replacement portable data carrier, the direct communication connection being set up between the original portable data carrier and the replacement portable data carrier without an interposition of any device between the original portable data carrier and the replacement portable data carrier, by which the original and replacement portable data carriers mutually authenticate each other via the direct communication connection on the basis of the authentication data and establish a cryptographically secured end-to-end connection through the direct communication connection;
  
  activating the replacement portable data carrier by transmitting activation data from the original portable data carrier to the inactive replacement portable data carrier via the cryptographically secured end-to-end connection to activate the replacement portable data carrier, the activation data including all authorizations and functionalities that allow the replacement portable data carrier to replace the original portable data carrier, the activation data including second personal identification data pertaining uniquely to the user,wherein the original portable data carrier and the replacement portable data carrier are each configured to establish a communication with a terminal and to be powered at least partially by said terminal,wherein the first portable data carrier is a first electronic identity document, and the second portable data carrier is a second electronic identity document, andwherein the first personalization data includes an optical personalization pertaining uniquely to the user and provided on the first portable data carrier by the central instance.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method according to claim 14, wherein requesting the replacement portable data carrier from the central instance is performed online.
  - 16. The method according to claim 14, wherein the activation data transmitted from the original portable data carrier to the inactive replacement portable data carrier comprises personalization data of the user.
  - 17. The method according to claim 16, wherein the first or the second personalization data comprises biometric data.
  - 18. The method according to claim 16, wherein the replacement portable data carrier is one of:
    - an electronic identification document, an electronic visa, an electronic passport, an electronic ticket, an electronic health card, and an electronic bank card.
  - 19. The method according to claim 16, wherein the communication connection set up between the replacement and original portable data carriers is a local communication connection in the area of influence of the user.
  - 20. The method according to claim 16, wherein after activation of the replacement portable data carrier the original portable data carrier becomes inactive.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Giesecke + Devrient Mobile Security GmBH (Giesecke & Devrient GmbH)
Original Assignee
Giesecke & Devrient (Giesecke & Devrient GmbH)
Inventors
Daum, Henning, Eichholz, Jan, Meister, Gisela
Primary Examiner(s)
THIAW, CATHERINE B

Application Number

US13/394,006
Publication Number

US 20120159171A1
Time in Patent Office

2,169 Days
Field of Search

713/168, 713/169, 713/171, 713/183, 713/186, 455/41.1, 455/41.2, 235/380, 709/203, 709/219, 705 39- 44
US Class Current

1/1
CPC Class Codes

G06F 21/445   by mutual authentication, e...

G06F 21/606   by securing the transmissio...

G06F 21/6245   Protecting personal data, e...

G06F 21/77   in smart cards

G06Q 20/354   Card activation or deactiva...

G07C 2209/41   with means for the generati...

G07C 9/25   using biometric data, e.g. ...

G07F 7/1008   Active credit-cards provide...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 9/3263   involving certificates, e.g...

H04L 9/3273   for mutual authentication n...

Method and system for activating a portable data carrier

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for activating a portable data carrier

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links