Method and system for activating a portable data carrier
First Claim
1. A method for activating a first portable data carrier with the aid of a second portable data carrier, the method comprising the steps:
- supplying the first portable data carrier to a user in an inactive state after the user has requested the first portable data carrier over a communication network from a central instance with the aid of the second portable data carrier, the inactive state being where intended use of the first portable data carrier is not possible, wherein the first portable data carrier is supplied to the user with first personalization data provided thereon, the first personalization data being data pertaining uniquely to the user, the first personalization data being provided on the first portable data carrier by the central instance;
setting up a direct communication connection between the first portable data carrier and the second portable data carrier, the direct communication connection being set up between the first portable data carrier and the second portable data carrier without an interposition of any device between the first portable data carrier and the second portable data carrier, wherein the first and the second portable data carriers mutually authenticate each other via the direct communication connection on the basis of authentication data and establish a cryptographically secured end-to-end connection, the authentication data being applied to the first portable data carrier which permit a mutual authentication directly and exclusively with the second portable data carrier by the direct communication connection; and
activating the first portable data carrier, wherein the second portable data carrier transmits activation data to the first portable data carrier via the cryptographically secured end-to-end connection, the activation data including second personal identification data pertaining uniquely to the user,wherein, within the framework of activating the first portable data carrier, all authorizations and functionalities present on the second portable data carrier are transferred from the second portable data carrier to the first portable data carrier through the cryptographically secured end-to-end connection and the first portable data carrier is immediately ready for use and usable with all functionalities after the conclusion of the activation,wherein the first portable data carrier and the second portable data carrier are each configured to establish a communication with a terminal and to be powered at least partially by said terminal,wherein the first portable data carrier is a first electronic identity document, and the second portable data carrier is a second electronic identity document, andwherein the first personalization data includes an optical personalization pertaining uniquely to the user and provided on the first portable data carrier by the central instance.
2 Assignments
0 Petitions
Accused Products
Abstract
The invention relates to a method for activating a portable data carrier (1) in which a first portable data carrier (1) is supplied in an inactive state to a user, after the user has requested the first data carrier (1) with the aid of a second portable data carrier (2) from a central instance, whereby the first and the second data carrier (1, 2) have access to authentication data for mutual authentication. In the method according to the invention a communication connection is set up between the first and the second data carrier (1, 2), via which the first and the second data carrier (1, 2) mutually authenticate each other on the basis of the authentication data and establish a cryptographically secured end-to-end connection. Via this end-to-end connection then the second data carrier (2) activates the first data carrier (1) by transmitting activation data to the first data carrier (1).
35 Citations
20 Claims
-
1. A method for activating a first portable data carrier with the aid of a second portable data carrier, the method comprising the steps:
-
supplying the first portable data carrier to a user in an inactive state after the user has requested the first portable data carrier over a communication network from a central instance with the aid of the second portable data carrier, the inactive state being where intended use of the first portable data carrier is not possible, wherein the first portable data carrier is supplied to the user with first personalization data provided thereon, the first personalization data being data pertaining uniquely to the user, the first personalization data being provided on the first portable data carrier by the central instance; setting up a direct communication connection between the first portable data carrier and the second portable data carrier, the direct communication connection being set up between the first portable data carrier and the second portable data carrier without an interposition of any device between the first portable data carrier and the second portable data carrier, wherein the first and the second portable data carriers mutually authenticate each other via the direct communication connection on the basis of authentication data and establish a cryptographically secured end-to-end connection, the authentication data being applied to the first portable data carrier which permit a mutual authentication directly and exclusively with the second portable data carrier by the direct communication connection; and activating the first portable data carrier, wherein the second portable data carrier transmits activation data to the first portable data carrier via the cryptographically secured end-to-end connection, the activation data including second personal identification data pertaining uniquely to the user, wherein, within the framework of activating the first portable data carrier, all authorizations and functionalities present on the second portable data carrier are transferred from the second portable data carrier to the first portable data carrier through the cryptographically secured end-to-end connection and the first portable data carrier is immediately ready for use and usable with all functionalities after the conclusion of the activation, wherein the first portable data carrier and the second portable data carrier are each configured to establish a communication with a terminal and to be powered at least partially by said terminal, wherein the first portable data carrier is a first electronic identity document, and the second portable data carrier is a second electronic identity document, and wherein the first personalization data includes an optical personalization pertaining uniquely to the user and provided on the first portable data carrier by the central instance. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
-
-
13. A system for activating a portable data carrier, the system comprising a first portable data carrier and a second portable data carrier, which are configured so as to enable the following steps to be carried out:
-
supplying the first portable data carrier to a user in an inactive state after the user has requested the first portable data carrier over a communication network from a central instance with the aid of the second portable data carrier, the inactive state being where intended use of the first portable data carrier is not possible, wherein the first portable data carrier is supplied to the user with first personalization data provided thereon, the first personalization data being data pertaining uniquely to the user, the first personalization data being provided on the first portable data carrier by the central instance; setting up a direct communication connection between the first and the second portable data carriers, the direct communication connection being set up between the first portable data carrier and the second portable data carrier without an interposition of any device between the first portable data carrier and the second portable data carrier, wherein the first and the second portable data carriers mutually authenticate each other via the direct communication connection on the basis of the authentication data and establish a cryptographically secured end-to-end connection the authentication data being applied to the first portable data carrier which permit a mutual authentication directly and exclusively with the second portable data carrier by the direct communication connection; and activating the first portable data carrier, wherein the second portable data carrier transmits activation data to the first portable data carrier via the cryptographically secured end-to-end connection, the activation data including second personal identification data pertaining uniquely to the user, wherein, within the framework of activating the first portable data carrier, all authorizations and functionalities present on the second portable data carrier are transferred from the second portable data carrier to the first portable data carrier through the cryptographically secured end-to-end connection and the first portable data carrier is immediately ready for use and usable with all functionalities after the conclusion of the activation, wherein the first portable data carrier and the second portable data carrier are each configured to establish a communication with a terminal and to be powered at least partially by said terminal, wherein the first portable data carrier is a first electronic identity document, and the second portable data carrier is a second electronic identity document, and wherein the first personalization data includes an optical personalization pertaining uniquely to the user and provided on the first portable data carrier by the central instance.
-
-
14. A method comprising:
-
requesting, by a user, a replacement portable data carrier over a communication network from a central instance to replace an original portable data carrier, wherein the replacement portable data carrier is requested from the central instance with the aid of the second portable data carrier; producing, by the central instance, the replacement portable data carrier so that the replacement portable data carrier includes authentication data configured to permit a mutual authentication directly and exclusively with the original portable data carrier, wherein the replacement portable data carrier is produced to include first personalization data provided thereon, the first personalization data being data pertaining uniquely to the user, the first personalization data being provided on the first portable data carrier by the central instance; placing, by the central instance, the replacement portable data carrier in an inactive state in which an intended use of the replacement portable data carrier is not possible until the replacement portable data carrier is activated; delivering the inactive replacement portable data carrier to the user; setting up a direct communication connection between the original portable data carrier and the inactive replacement portable data carrier, the direct communication connection being set up between the original portable data carrier and the replacement portable data carrier without an interposition of any device between the original portable data carrier and the replacement portable data carrier, by which the original and replacement portable data carriers mutually authenticate each other via the direct communication connection on the basis of the authentication data and establish a cryptographically secured end-to-end connection through the direct communication connection; activating the replacement portable data carrier by transmitting activation data from the original portable data carrier to the inactive replacement portable data carrier via the cryptographically secured end-to-end connection to activate the replacement portable data carrier, the activation data including all authorizations and functionalities that allow the replacement portable data carrier to replace the original portable data carrier, the activation data including second personal identification data pertaining uniquely to the user, wherein the original portable data carrier and the replacement portable data carrier are each configured to establish a communication with a terminal and to be powered at least partially by said terminal, wherein the first portable data carrier is a first electronic identity document, and the second portable data carrier is a second electronic identity document, and wherein the first personalization data includes an optical personalization pertaining uniquely to the user and provided on the first portable data carrier by the central instance. - View Dependent Claims (15, 16, 17, 18, 19, 20)
-
Specification