`
`FILE HISTORY
`US 5,940,510
`
`5,940,510
`PATENT:
`INVENTORS: Curry, Stephen M.
`Loomis, Donald W.
`Bolan, Michael L.
`
`TITLE:
`
`Transfer of valuable information between a
`secure module and another module
`
`APPLICATION
`NO:
`FILED:
`ISSUED:
`
`US1996594975A
`
`31 JAN 1996
`17 AUG 1999
`
`COMPILED:
`
`12 JAN 2012
`
`Page 1 of 242
`
`PNC-JP MORGAN EXHIBIT 1003
`
`

`

`LI
`
`~
`
`940$
`
`JTILITY
`
`q IMBR 8/5 94975
`
`PATENT DATE
`
`[IWD 17 $9S
`1FILNG DATE ICLASS
`
`SERIAL NUMBER
`
`Cv)
`
`PATENT
`NUMBER
`
`SUBCLS G?Up! EXMIE
`
`27
`
`WA t e
`
`'I
`
`Z 9 vtt,r
`
`Cv
`
`cOMwICA*t
`Fri 2 17o
`OF CORRECTION
`
`Foreign priority claimed
`S6SUSC 119 conditionsmet
`Verified and~ 9
`At?knnavviedgedI
`
`Dyes 0 rno
`esl o
`
`STATE OR ISHEETS
`ITOTAL
`AS~
`FILED COUNTRY
`DRVVGS. CLAIMS
`
`IINDER.
`CLAIMS
`
`I FILNG FEE
`RECEIVED
`
`ATTORNEY'S
`DOCKET NO.
`
`PARTS OF APPLICATIONI
`FILED eEPARATELY
`NOTICE OF ALLOWANCE MAILED
`
`Assistant Examine r
`
`44
`
`IApplications Examiner
`CLAIMS ALLOWED
`Print Claim
`Total Claims
`
`2Sheets
`4SLVTR CANIALOV
`PRIMARY EXAMVIE
`ISSUE
`AI uriTl A
`,Z',
`BATCH
`Thar;lexaminer NUMBER>
`PREPARED FOR ISSUE
`
`DRAWING
`Drwg. Figs. Drwg.
`
`PrintF,16
`
`(JJk
`
`ISSUE FEE
`Date Paid
`Amount Due
`
`A,21 0
`
`Label
`Area
`
`WARNING: The information disclosed herein may be restricted. Unauthorized disclosure may be prohibited
`by the United States Code Title 35, Sections 122, 181 and 368. Possession outside th' J.S.
`Patent & Trademaric Officoe is restricted to authorized employees and contractors only.
`
`Form, P1rO04MA
`(Rev. W/2)
`
`'.
`
`~SUE FEE IN FILE
`
`iffA r'r\
`
`Page 2 of 242
`
`

`

`5,940,510 
`
`TRANSFER OF VALUABLE INFORMATION BETWEEN A SECURE MODULE AND 
`ANOTHER MODULE 
`
`Transaction History 
`
`Transaction Description 
`Date  
`Initial Exam Team nn 
`2/23/1996 
`4/1/1996  Notice Mailed‐‐Application Incomplete‐‐Filing Date Assigned 
`5/21/1996  Application Is Now Complete 
`6/27/1996  Application Captured on Microfilm 
`7/10/1996  Case Docketed to Examiner in GAU 
`8/18/1997  Non‐Final Rejection 
`8/19/1997  Mail Non‐Final Rejection 
`12/1/1997  Response after Non‐Final Action 
`12/1/1997  Request for Extension of Time ‐ Granted 
`12/10/1997  Date Forwarded to Examiner 
`2/17/1998  Final Rejection 
`2/19/1998  Mail Final Rejection (PTOL ‐ 326) 
`6/11/1998  Request for Extension of Time ‐ Granted 
`6/11/1998  Continuing Prosecution Application ‐ Continuation (ACPA) 
`6/11/1998  Mail Express Abandonment (During Examination) 
`6/11/1998  Express Abandonment (during Examination) 
`6/11/1998  Amendment after Final Rejection 
`6/24/1998  Date Forwarded to Examiner 
`6/26/1998  Advisory Action (PTOL‐303) 
`6/29/1998  Mail Advisory Action (PTOL ‐ 303) 
`7/22/1998  Date Forwarded to Examiner 
`8/3/1998  Non‐Final Rejection 
`8/10/1998  Mail Non‐Final Rejection 
`11/16/1998  Response after Non‐Final Action 
`11/20/1998  Date Forwarded to Examiner 
`11/25/1998  Case Docketed to Examiner in GAU 
`1/29/1999  Mail Notice of Allowance 
`1/29/1999  Notice of Allowance Data Verification Completed 
`1/29/1999  Mail Examiner's Amendment 
`1/29/1999  Examiner's Amendment Communication 
`2/11/1999  Preexamination Location Change 
`4/16/1999  Workflow ‐ Drawings Finished 
`4/16/1999  Workflow ‐ Drawings Matched with File at Contractor 
`
`Page 3 of 242
`
`

`

`Issue Fee Payment Verified 
`4/16/1999 
`4/16/1999  Workflow ‐ Drawings Received at Contractor 
`4/16/1999  Workflow ‐ Drawings Sent to Contractor 
`4/21/1999  Workflow ‐ File Sent to Contractor 
`7/20/1999  Workflow ‐ Complete WF Records for Drawings 
`7/26/1999  Application Is Considered Ready for Issue 
`8/9/1999 
`Issue Notification Mailed 
`8/17/1999  Recordation of Patent Grant Mailed 
`1/27/2000  Post Issue Communication ‐ Certificate of Correction 
` 
`
`Page 4 of 242
`
`

`

`08/59497'5
`
`APPROVED FOR LICENSE
`P Eq
`IL
`PAETAPPLICA-otINWW
`
`Date
`Entered
`or
`Counted
`
`-
`
`CONI1Lm-4
`
`11/ f IJ ~g
`jI ~Date
`8594 9?s5
`
`lID
`
`Rie
`o
`Mailed
`
`1 . Apfco
`
`Q 6.I
`
`______________
`
`_______
`
`_______
`
`7.
`8.
`
`_
`
`_
`
`t
`
`9. (i
`
`t
`
`_
`
`_
`
`R< y f/
`
`10.
`
`Ar$.
`
`$jQ
`
`12./
`
`zf~~tzl~3.Pv\C
`14.
`15./>L-
`~9~O.r ir.~
`17. Kth2%-
`
`c
`
`-
`
`_
`
`_
`
`_
`
`_
`
`-5L
`471- ZI'
`
`4-N
`'ft
`
`b/
`
`i'?
`
`_____ ____
`
`____18.
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_____ ____
`
`____19.
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`20.
`
`_
`
`_
`
`_
`
`_
`
`_
`
`
`
`____ ___
`
`____
`
`___21.
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`
`
`____ ____
`
`____
`
`___22.
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`
`
`____ ___
`
`____
`
`___23.
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_____ _____
`
`____24.
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`
`
`____ ___
`
`____
`
`___25.
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_____ _____
`
`____26.
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_____ _____
`
`____27.
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`28.
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`
`
`____ ___
`
`____
`
`___29.
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_____ _____
`
`____30.
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_____ ____
`
`____3'.
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`_
`
`-32.
`
`(FRONT)
`
`Page 5 of 242
`
`

`

`____SEARCHED
`
`Class
`
`Sub.
`
`Date
`
`IExmr.
`
`41
`
`1147/f
`
`AW
`
`-t
`
`INTERFERENCE SEARCHED
`Class
`Sub.
`Date
`Exmr.
`
`SEARCH NOTES
`
`AP5$~~f %r4
`
`3/111(/i-7
`
`(RIGHT OUTSIDE)
`
`Page 6 of 242
`
`

`

`C
`
`I PATEMTUNIft
`
`APPLICATION SERIAL NUMBER
`
`STAPLE
`eo
`
`*
`
`AREA
`
`U S GPO 1986-152-960
`
`o o
`
`0
`
`ORIGINAL CLASSIFICATION
`7Bows
`
`?
`
`I
`
`)-
`
`NAME (PLEASE PAWTj.
`
`jAPPLICANT'S
`I IF
`
`REISSUE, ORIGINAL PATENT NUMBER
`
`INTERNATIONAL CLASSIFICATIO
`
`)N JINT CL.'
`
`4 PT0270
`
`(10-84
`
`ISSUE CLASSIFICATION SLIP
`
`U S. DEPARTMENT OF COMMERCE
`PATENT AND TRADEMARK~ OFFICE
`
`GU.WYP
`
`ASSISTANT EXAMINER (PLEASE STAMP OR PRINT PULL NAME)
`
`PRMr2EAMNE
`
`(PLEASE STAMP OR PRINT PULL NAMEI
`
`SYMAOLS
`.... .. .-... Rejeted
`.
`.
`Allowed
`-(Throgh numbuera) Camcld
`7................
`olft
`....... .. Reet61
`+........
`.~Interammc
`A.......Appeal
`o.....
`.... Objeclad
`
`.r-r
`
`*&Iamrwr,
`
`Page 7 of 242
`
`

`

`United States Patent [19]
`Curry et aL
`
`
`
`
`
`
`
`11 11111 11111 ~11111 111111 lIN 11111 11111 111111 ill 11111
`11111111111
`liii
`5,940,510
`*Aug. 17, 1999
`
`U005940510A
`[ill Patent Number:
`[45] Date of Patent:
`
`[54] TRANSFER OF VALUABLE INFORMATION
`BETWEEN A SECURE MODULE AND
`ANOTHER MODULE
`
`[75]
`
`Inventors: Stephen M. Curry, Dallas; Donald W.
`Loomis, Coppell; Michael L. Bolan,
`Dallas, all of Tex.
`
`[73] Assignee: Dallas Semiconductor Corporation,
`Dallas, Tex.
`
`[]Notice:
`
`Thbis patent issued on a continued pros-
`ecution application filed under 37 CFR
`1.53(d), and is subject to the twenty year
`term provisions of 35 U.S.C.
`patent
`154(a)X2).
`
`[21] Appl. No.: 08/594,975
`
`Jan. 31, 1996
`[22] Filed:
`
`Int. C1.6 ................... . . . . . . . . . . . . . . . . . . . . H04L 9/00
`[51]
`[52] U.S. Cl ...................................
`380/25; 380/49
`[58] Field of Search........................ 380/49, 24, 23,
`380/25
`
`References Cited
`
`U.S. PATENT DOCUMENTS
`3/1991 Shinagawa ......................
`380/24
`9/1992 Chan...............................
`380/4
`2/1993 Biandsord....................... 380/23
`380121
`8/1993 Bellovin et al
`..................
`7/1996 Akiyania et al
`.................
`380/24
`380/50
`7/1996 Davis.............................
`380/25
`8/1996 Caputo et al ..................
`.....................
`380/24
`11/1996 Davis et al
`4/1997 Davis et a...................... 380/24
`380/23
`7/1998
`lTtule.............................
`
`5,003,594
`S,150,407
`5,189,700
`5,241,599
`5,539,825
`5,539,828
`5,546,463
`5,577,121
`5,621,796
`5,787,174
`
`Primary Examiner-S alvatore Cangialosi
`Attorney, Agent, or Firm-Jenkens & Gilchrist
`ABSTRACT
`[571
`
`invention rotates to system, apparatus and
`The present
`method for communicating valuable data from a portable
`module to another module via an electronic device. More
`specifically, the disclosed system, apparatus and method are
`useful for enabling a user to fill a portable module with a
`cash equivalent and to spend the cash equivalent at a variety
`of locations. The disclosed system incorporates an
`encryption/decryption methiod.
`
`6 Claims, 8 Drawing Sheets
`
`Page 8 of 242
`
`

`

`U.S. Patent
`
`Aug. 17, 1999
`
`Sheet 1 of 8
`
`5,940,510
`
`"O v
`
`114,
`
`110,
`
`112
`
`'q
`
`1002106
`
`104
`
`'108
`
`FIG. I
`
`Page 9 of 242
`
`

`

`U.S. Patent
`
`Ag 7 99
`Aug. 17,1999
`
`Set2o
`Sheet 2 of 8
`
`59940,510
`
`102
`
`FIG. 2
`
`Page 10 of 242
`
`

`

`U.S. Patent
`
`Ag 7 99
`Aug. 17,1999
`
`Set3o
`Sheet 3 of 8
`
`5,940,510
`
`"O
`
`FIG. 3
`
`Page 11 of 242
`
`

`

`U.S. Patent
`
`Aug. 17, 1999
`
`Sheet 4 of 8
`
`5,940,510
`
`PORTABLE MODULE
`
`MICROPROCESSOR
`-BASED DEVICE
`
`SECURE MODULE
`
`CONTAINS:
`
`®10 NUMBER
`©2 TRANSACTION COUNTER
`COUNT
`(© ENCRYPTED DATA PACKET
`A~ ID NUMBER
`BTRANSACTION COUNT
`CMONETARY VALUE
`
`(SERIAL NUMBER.
`READ
`TRANSACTION COUNTER.
`AND ENCRYPTED DATA)
`AS DATA-ONE
`
`X2
`
`'- X1
`
`FIG. 4
`
`X3
`
`X4
`
`K5
`
`X6
`
`X7
`
`.nkir Ahifl
`DCAN MT
`A FIRST AMOUNT OF
`VALUE TO REMOVE FROM
`THE PORTABLE MODULE
`
`zzrrt
`
`DECRYPT ENCRYPTED
`DATA USING A
`PUBLIC KEY
`
`COMPARE SERIAL NUMBER
`IN DATA-ONE
`RECEIVED
`WITH SERIAL NUMBER
`IN DECRYPTED DATA
`
`IF THEY MATCH, THEN
`COMPARE TRANSACTION
`IN
`COUNTER RECEIVED
`DATA-ONE WITH THE
`TRANSACTION COUNT IN
`DECRYPTED DATA
`
`IF THEY MATCH SUBTRACT
`THE 1ST AMOUNT FROM
`THE MONETARY VALUE
`FOUND IN THE DECRYPTED
`DATA AND
`INCREMENT THE
`TRANSACTION COUNTER
`FOUND IN THE DECRYPTED
`DATA
`
`BY THE SAME AMOUNT THE
`MONEY VALUE FOUND IN THE
`DECRYPTED DATA WAS
`DECREASED
`
`KB
`
`Page 12 of 242
`
`

`

`U.S. Patent
`
`Aug. 17, 1999
`
`Sheet 5 of 8
`
`59940,510
`
`PORTABLE MODULE
`
`MICROPROCESSOR
`BASED DEVICE
`
`SECURE MODULE
`
`CREATE DATA-TWO COMPRISING
`(THE PORTABLE MODULE'S
`INCREMENTED
`SERIAL NUMBER,
`TRANSACTION COUNTER, AND
`REDUCED MONETARY VALUE)
`AND ENCRYPT DATA-TWO
`USING A PRIVATE KEY
`
`RECEIVE ENCRYPTED
`DATA-TWO
`
`RECEIVE ENCRYPTED
`DATA-IWO AND
`STORE IN MEMORY
`
`INCREMENT TRANSACTION
`COUNTER
`
`X9
`
`x10
`
`xli
`
`X12
`
`FIG. 4
`(CONTINUED)
`
`Page 13 of 242
`
`

`

`U.S. Patent
`
`Aug. 17, 1999
`
`Sheet 6 of 8
`
`5,940,510
`
`SECURE MODULE
`
`MICROPROCESSOR
`BASED DEVICE
`
`READ (SERIAL NUMBER,
`T TRANSACTION COUNTER,
`A CDND7ENNCRYPTED DATA)
`SAS DATA-ONE
`
`Y3
`
`Y4
`
`Y5
`
`READ DATA-ONE AND A FIRST
`AMOUNT OF VALUE TO ADD
`TO THE PORTABLE MODUI E
`f
`DECRYPT ENCRYPTED DATA
`USING A PUBLIC KEY
`
`COMPARE SERIAL NUMBER
`RECEIVED IN DATA-ONE WITH
`SERIAL NUMBER IN
`DECRYPTED DATA
`
`YB 2
`
`IF THE SERIAL NUMBERS
`MATCH, THEN COMPARE THE
`TRANSACTION COUNTER IN
`DATA-ONE WITH THE
`DECRYPTED TRANSACTION
`COUNT
`
`IF THE TRANSACTION COUNTS
`MATCH, TH-EN ADD THE 1 ST
`AMOUNT OF VALUE TO THE
`MONETARY VALUE FOUND IN
`THE DECRYPTED DATA
`
`INCREMENT THE TRANSACTION
`IN THE
`COUNTER FOUND
`DECRYPTED DATA
`
`DECREASE A VALUE REGISTER]
`BY THE SAME AMOUNI H
`MONEY VALUE WAS INCRASD
`
`Y7
`
`Y,
`
`Y8
`
`PORTABLE MODULE
`
`CONTAINS:
`
`G)ID NUMBER
`(2) TRANSACTION COUNTER
`COUNT
`®ENCRYPTED DATA PACKET
`A) ID NUMBER
`B) TRANSACTION COUNT
`C) MONETARY VALUE
`
`Y2
`
`Yl
`
`CREATE DATA-TWO COMPRISING
`(THE PORTABLE MODULE'S
`SERIAL NUMBER,
`INCREMENTED
`TRANSACTION COUNTER. AND
`INCREASED MONETARY VALUE).
`ENCRYPT DATA-TWO
`USING A PRIVATE KEY.
`
`RECEIVE ENCRYPTED
`DATA- TWO
`
`zzrzzI
`
`RECEIVE ENCRYPTEDF
`DATA-TWO AND
`STORE IN MEMORY
`
`rztzrz
`
`INCREMENT TRANSACTION
`COUNTER
`
`lo
`
`YIll
`
`Y1 2
`
`Y13
`
`FIG. 5
`
`Page 14 of 242
`
`

`

`U.S. Patent
`
`Aug. 17, 1999
`
`Sheet 7 of 8
`
`5,940,510
`
`IAANDS
`
`,_40
`
`(0) 142
`
`rs 0(P) -42
`
`TOf-42
`
`MIMAND
`AMANDS
`
`_40
`
`& S L)
`
`MMAND
`
`MMANDS
`
`-40
`
`DA]
`TRANS
`
`-WIRE --
`
`FIG. 6
`
`Page 15 of 242
`
`

`

`U.S. Patent
`
`Aug. 17, 1999
`
`Sheet 8 of 8
`
`5,9409510
`
`I /O DATA BUFFERS
`
`I
`
`SYSTEM DATA
`COMMON PIN. RANDOM
`NUMBER REGISTER, ETC...
`
`OUTPUT DATA OBJECT #1
`
`OUTPUT DATA OBJECT #2
`
`WORKING REGISTER
`
`40
`
`40
`
`TRANSACTION GROUP 1
`TRANSACTION GROUP 2
`
`TRANSACTION GROUP N
`
`AUDIT TRAIL*
`
`CIRCULAR BUFFER OF
`TRANSACTION RECORDS
`
`*THE AUDIT TRAIL DOES
`NOT EXIST UNTIL THE
`MICRO-IN-A-CAN
`HAS BEEN LOCKED
`
`ONCE LOCKED ALL
`UNUSED RAM IS
`ALLOCATED FOR
`THE AUDIT TRAIL
`
`FIG. 7
`
`TRANSACTION GROUP
`
`GROUP NAME,
`PASSWORD AND ATTRIBUTES
`OBJECT 1
`
`OBJECT 2
`
`42
`
`OBJECT N
`
`*-42
`
`TRANSACTION RECORD
`
`GROUP IOBJECT IDATE/TIME
`ID
`ID
`STAMP
`
`Page 16 of 242
`
`

`

`5,940,510
`
`2
`station, and be debited by a merchant when a product or
`is purchased by the consumer. As a result of a
`service
`the merchant's cash drawer will indicate an
`purchase,
`increase in cash value.
`
`1
`TRANSFER OF VALUABLE INFORMATION
`BETWEEN A SECURE MODULE AND
`ANOTHER MODULE
`
`CROSS REFERENCE TO OTHER
`APPLICATIONS
`The following applications of common assignee contains
`related subject matter and is hereby incorporated by refer-
`ence:
`SeL. No. 08/594,983,
`filed Jan. 31, 1996, entitled
`METHOD, APPARATUS, SYSTEM AND FIRMWARE
`FOR SECURE TRANSACTIONS; and
`Ser. No. 08/595,014,
`filed Jan. 31, 1996, entitled
`METHOD, APPARATUS AND SYSTEM FOR TRANS-
`FERRING UNITS OF VALUE.
`
`BACKGROUND OF THE INVENTION
`
`1. 'technical Field of the Invention
`The present invention relates to a method and system for
`transferring valuable information securely between a secure
`module and another module. More particularly, the present
`invention relates to transferring units of value between a
`microprocessor based secure module and another module
`used for carrying a monetary equivalent.
`2. Description of Related Art
`In the past the preferred means for paying for an item was
`cash. As our society has become more advanced, credit cards
`have become an accepted way to pay for merchandise or
`services. The payment is not a payment to the merchant, but
`instead is a credit given by a bank to the user that
`the
`merchant accepts as payment. The merchant collects money
`from the bank based on the credit. As time goes on, cash is
`used less and less, and money transfers between parties are
`becoming purely electronic.
`Present credit cards have magnetic strips to identify the
`owner of the card and the credit provider. Some credit cards
`have electronic circuitry installed that identifies the credit
`card owner and the credit or service provider (the bank).
`The magnetic strips installed in present credit cards do not
`enable the card to be used as cash. That is the modem credit
`card does not allow the consumer to buy something with the
`credit card and the merchant to receive cash at the time of
`the transaction. Instead, when the consumer buys something
`on credit, the merchant must later request that the bank pay
`for the item that the consumer bought. The bank then bills
`the consumer for the item that was bought.
`Thus, there is a need for an electronic system that allows
`a consumer to fill an electronic module with a cash equiva-
`lent in the same way a consumer fills his wallet with cash.
`When
`the consumer buys a product or service from a
`merchant, the consumer's module can be debited and the
`merchant's cash drawer can be credited without any further
`transactions with a bank or service provider.
`
`SUMMARY OF THE INVENTION
`The present invention is an apparatus, system and method
`for communicating a cash equivalent electronically to anid
`from a portable module. The portable module can be used as
`a cash equivalent when buying products and services in the
`market place.
`The present invention comprises a portable module that
`can communicate to a secure module via a microprocessor
`based device. The portable module can be cardied by a
`consumer, filled with electronic money at an add-money
`
`5
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`A more complete understanding of the method and appa-
`ratus of the present invention may be had by reference to the
`10 following Detailed Description when taken in conjunction
`with the accompanying Drawings wherein:
`FIG. 1 depicts an exemplary system for transferring
`valuable information between a module and a secure device;
`FIG. 2 is a block diagram of an embodiment of a portable
`15 module;
`FIG. 3
`is a block diagram of an embodiment of a
`microprocessor based module;
`FIG. 4 is an exemplary technique for transferring valuable
`data securely into a portable module;
`FIG. 5 is an exemplary technique for transferring valuable
`data securely out of a portable module;
`FIG. 6 is an exemplary organization of the software and
`firmware within a secure microprocessor based device; and
`FIG. 7 is an exemplary configuration of software and
`firmware within a secure microprocessor based device,
`
`20
`
`25
`
`DETAILED DESCRIPTION OF A PRESENTLY
`PREFERRED EXEMPLARY EMBODIMENT
`30o FIG. 1 depicts a block diagram of an exemplary system
`100 for transferring valuable information to and from a
`portable module. A portable module 102, which will be
`described in more detail later, communicates to a micropro-
`cessor based device 104. The portable module 102 may
`35contain information that represents units of exchange or a
`currency equivalent. The microprocessor based device 104
`can be any of an unlimited number of devices. For example,
`the microprocessor based device 104 could be a personal
`computer, an add-a-fare machine at a train or bus station
`40 (similar to those in today's District of Columbia metro
`stations), a turn style, a toll booth, a bank's terminal, a ride
`at a carnival, a washing machine at a Laundromat, a locking
`device, a mail metering device or any device that controls
`access, or meters a monetary equivalent, etc.
`45 The means for communication 106 between the portable
`module 102 and the microprocessor based device 104 is
`preferably via a single wire or contact connection. The
`single wire connection 106 preferably incorporates a com-
`50 munication protocol that allows the portable module 102 and
`the microprocessor based device 104 to communicate in a
`bidirectional manner. Preferably the communication proto-
`col is a one-wire protocol developed by Dallas Semicon-
`ductor. It is understood that the means for communicating
`55106 is not limited to a single wire connection. The commu-
`nication means 106 could be multiple wires, a wireless
`communication system, infrared light, any electromagnetic
`means, a magnetic technique, or any other similar technique.
`The microprocessor based device 104 is electrically con-
`60 nected to another microprocessor based device, which is
`preferably a secure device 108. The term secure device
`means that the device is designed to contain a secret code
`to learn. An
`and the secret code is extremely difficult
`example of a secure device 108 is explained later in this
`65 document.
`The microprocessor based device 104 can be connected to
`a variety of other devices. Such devices include, but are not
`
`Page 17 of 242
`
`

`

`5,940,510
`
`3
`limited to a cash acceptor 110, an automatic teller machine
`(ATM) 112, a credit card reader 114, and a phone tine U6.
`The cash acceptor 110 is adapted to receive cash in the
`form of currency, such as dollar bills or coins. The cash
`acceptor 119, preferably, determines
`the value of the
`accepted currency. The cash acceptor 110 communicates to
`the microprocessor based device 104 and informs the device
`104 of how much currency has been deposited in the cash
`acceptor 110.
`The cash acceptor 110 can also be a device which pro-
`vides currency. That is, the cash accepter 110 in response to
`a communication from the microprocessor based device
`104, may provide a metered amount of currency to a person.
`The credit card reader 114, and ATM 112 can also be
`attached to the microprocessor based device 104. The credit
`card reader 114 could be used to read a user's credit card and
`then, when authorized, either communicate to the micropro-
`cessor based device 104 that units of exchange need to be
`added to the portable module or that units of exchange need
`to be extracted from the portable module to pay for a good,
`service or credit card bill.
`The ATM 112 may also be connected to the micropro-
`cessor based device. Via communications from the ATM
`112, the microprocessor based device 194 can be informed
`that units of exchange need to be added or subtracted from
`the portable module 102.
`Furthermore, it is also possible that the microprocessor
`based device 104 is connected to a phone line 116. The
`phone line may be used for a variety of things. Most
`the phone line may be used to allow the
`importantly,
`microprocessor based device 104 to communicate with a
`network of devices. Such telephonic communication may be
`for validating transactions or for aiding the accounting of
`transactions that are performed via the microprocessor based
`device's 104 aid. It is further understood that the phone line
`may be any of a vast variety of communication
`lines
`including wireless lines, Video, analog, or digital informns-
`tion may be communicated over the phone line 116.
`FIG. 2 depicts a preferred exemplary portable module
`102. The portable module 192 is preferably a rugged read/
`write data carrier that can act as a localized data base and be
`easily accessed with minimal hardware. The module can be
`incorporated
`in a vast variety of portable items which
`includes, but is not limited to a durable micro-can package
`that is highly resistant to environmental hazards such as dirt,
`moisture, and shock. The module can be incorporated into
`any object that can be articulated by a human or thing, such
`as a ring, bracelet, wallet, name tag, necklace, baggage.
`machine, robotic device, etc. Furthermore, the module 102
`could be attached to a stationary item and the microproces-
`sor based device 104 may be articulated
`to the portable
`module 192. For example, the module 102 may be attached
`to a piece of cargo and a module reader may be touched to
`or brought near the module 102. The module reader may be
`part of the microprocessor based device 104.
`The portable module 102 comprises a memory 202 that is
`preferably, at least in part, nonvolatile memory for storing
`and retrieving vital information pertaining to the system to
`which the module 102 may become attached
`to. The
`memory 202 may contain a scratchpad memory which may
`act as a buffer when writing into memory. Data is first
`written to the scratchpad where it can be read back. After
`data has been verified,
`the data is transferred into the
`memory.
`The module 102 also comprises a counter 206 for keeping
`track of the number of transactions the module has per-
`
`25
`
`10
`
`formed (the number of times certain data in the memory of
`the module has been changed). A timer 102 may be provided
`in the module to provide the ability to time stamp transac-
`tions performed by the module. A memory controller 204
`5 controls the reading and writing of data into and out of the
`memory 202.
`The module also may comprise an identification number
`210. The identification number preferably uniquely identi-
`fies the portable module from any other portable module.
`An input/output control circuit 212 controls the data flow
`into and out of the portable module 102. The input/output
`control C"1/0") 212 preferably has an input buffer and an
`output buffIer and interface circuitry 214. As stated above,
`the interface circuitry 214 is preferably a one-wire interface.
`15 Again, it is understood that a variety of technologies can be
`used to interface the portable module 102 to another elec-
`tronic device. A single wire or single connection is preferred
`because the mechanics of making a complete connection is
`simplified. It is envisioned that a proximity/wireless com-
`munication technique is also a technique for communicating
`20 between
`the module 102 and another device. Thus, the
`interface circuit 214 can be a single wire, multiple wire,
`wireless, electromagnetic, magnetic, light, or proximity,
`interface circuit.
`FIG. 3 depicts a block diagram of an exemplary secure
`microprocessor based device ("secure device") 108. The
`secure device circuitry can be a single integrated circuit. It
`is understood that the secure device 108 could also be a
`together. The
`monolithic or multiple circuits combined
`30 secure device 108 preferably comprises a microprocessor
`12, a real time clock 14, control circuitry 16, a math
`coprocessor 18, memory circuitry 20, input/output circuitry
`26, and an energy circuit 34.
`The secure device 108 could be made small enough to be
`35 incorporated into a variety of objects including, but not
`limited to a token, a card, a ring, a computer, a wallet, a key
`fob, a badge, jewelry, a stamp, or practically any object that
`can be grasped and/or articulated by a user of the object. In
`the present system 100, the secure device 108 is preferably
`40 adapted to be a trusted certifying authority. That is the secure
`device 108 is a trusted computer. The secure device 108
`comprises a numeric coprocessor 18 optimized for math
`intensive encryption. The BIOS is immune to alteration and
`is specifically designed for secure transactions. This secure
`45device 108 is preferably encased in a durable, dirt, moisture
`and shock resistant stainless steel enclosure, but could be
`encased in wide variety of structures so long as specific
`contents of the secure device 108 are extremely difficult to
`decipher. The secure device 108. The secure device 108 may
`50have the ability to store or create a private/public key set,
`whereby the private key never leaves the secure device 108
`is not revealed under almost any circumnstance.
`and
`Furthermore, the secure module 108 is preferably designed
`to prevent discovery of the private key by an active self-
`55 destruction of the key upon wrongful entry.
`is preferably an 8-bit
`The microprocessor 12
`microprocessor, but could be 16, 32, 64 or any operable
`number of bits. 'The clock 14 provides timing for the module
`circuitry. There can also be separate clock circuitry 14 that
`60 provides a continuously running real time clock.
`The math coprocessor circuitry 18 is designed and used to
`handle very large numbers. In particular, the coproccssor
`will handle the complex mathematics of RSA encryption and
`decryption or other types of math intensive encryption or
`65 decryption techniques.
`The memory circuitry 20 may contain both read-only-
`random -access-memory.
`memory and non-volatile
`
`Page 18 of 242
`
`

`

`5 ,9
`
`5
`Furthermore, one of ordinary skill in the art would under-
`stand that volatile memory, EPROM, SRAM and a variety of
`other types of memory circuitry might be used to create an
`equivalent device.
`Control circuitry 16 provides timing, latching and various
`necessary control functions for the entire circuit.
`An input/output circuit 26 enables bidirectional commu-
`the secure module 108. The
`input/output
`nication with
`circuitry 26 preferably comprises at least an output buffer
`and an input buffer. For communication via a one-wire bus,
`one-wire interface circuitry can be included with the input/
`output circuitry 26. It is understood that the input/output
`circuitry 26 of the secure device 108 can be designed to
`operate on a single wire, a plurality of wires or any means
`for communicating information between the secure module
`108 and the microprocessor based device 104.
`An energy circuit 34 may be necessary to maintain stored
`information in the memory circuitry 20 and/or aid in pow-
`ering the other circuitry in the module 108. The energy
`circuit 34 could consist of a battery, capacitor, R/C circuit,
`photo-voltaic cell, or any other equivalent energy producing
`circuit or means.
`The firmware architecture of the Secure module 108 and
`how it operates within the exemplary system for transferring
`valuable information, such as units of exchange or currency,
`between the secure module 108 and a portable module 102
`will now be discussed. The Secure module 108 provides
`encryption and decryption services for confidential data
`transfer through the microprocessor based device 104. The
`following examples are intended to illustrate a preferred
`feature set of the secure module 108 and to explain the
`services that the exemplary system 100 can offer. Thbese
`applications and examples by no means limit the capabilities
`of the invention, but instead bring to light a sampling of its
`capabilities.
`1. OVERVIEW OF THE PREFERRED SECURE MODULE
`108 ANT) ITIS FIRMWARE DESIGN
`Referring to FIG. 3 again, the secure module 108 prefer-
`ably contains a general-purpose, 8051-compatible micro
`controller 12 or a reasonably similar product, a continuously
`running real-time clock 14, a high-speed modular exponen-.
`tiation accelerator for large integers (math coprocessor) 18,
`input and output buffers 28, 30 with a one-wire interface 32
`for sending and receiving data, 32 Kbytes of ROM memory
`22 with preprogrammed firmware, 8 Kbytes of NVRAM
`(non-volatile RAM) 24 for storage of critical data, and
`control circuitry 16 that enables the micro controller 12 to be
`powered up to interpret and act on the data placed in an input
`t module 108 draws its operating power from
`data object.
`a single wire, one-wire communication
`line. The micro
`controller 12, clock 14, memory 20, buffers 28,30, one-wire
`front-enid 32, modular exponentiation accelerator 18, and
`control circuitry 16 are preferably integrated on a single
`silicon chip and packaged in a stainless steel micro can using
`packaging techniques which make it virtually impossible to
`probe the data in the NVRAMv 24 without destroying the
`data. Initially, most of the NVRAM 24 is available for use
`to Support applications such as those described below. One
`of ordinary skill will understand that there are many com-
`parable variations of the module design. For example,
`volatile memory might be used, or an interface other than a
`one-wire interface could be used.
`The Secure module 108 is preferably intended to be used
`first by a Service Provider who loads the Secure module 108
`with data to enable it to perform useful functions, and
`second by an End User who issues commands to the Secure
`module 108 to perform operations on behalf of the Service
`
`Provider for the benefit of the End User. For this reason, the
`secure module 108 offers functions to support the Service
`Provider in Setting up the module for an intended applica-
`tion. It also offers functions to allow the End User to invoke
`5the services offered by the Service Provider.
`Each Service Provider can reserve a block of NVRAM
`memory to support its services by creating a transaction
`group 40 (refer to FIGS. 6 and 7). A transaction group 40 is
`simply a set of software objects 42 that are defined by the
`io Service Provider. These objects 42 include both data objects
`(encryption keys, transaction counts, money amounts, date!
`time stamps. etc.) and transaction scripts 44 which specify
`how to combine the data objects in useful ways. Each
`Service Provider creates his own transaction group 40,
`15 which is independent of every other transaction group 40.
`Hence, multiple Service Providers can offer different ser-
`vices in the same module 108. The numbeur of independent
`Service Providers that can be supported depends on the
`number and complexity of the objects 42 defined in each
`20 transaction group 40. Examples of Some of the objects 42
`that can be defined within a transaction group 40 are the
`following:
`
`25
`25
`
`RSA Modulus
`RSA Exponent
`Transaction Script
`Transaction Counter
`Money Registei
`Destmucor
`
`Clock Offset
`Random SALT'
`Configlurationt Data
`Input Data
`Output Data
`
`30
`
`Within each transaction group 40 the Secure module 108
`will initially accept certain commands which have an irre-
`versible effect. once any of these irreversible commands are
`executed in a transaction group 40, they remain in effect
`35 until the end of the module's useful life or until the trans-
`action group 40, to which it applies, is deleted from the
`secure module 108. In addition, there are certain commands
`which have an irreversible effect until the end of the mod-
`ule's life or until a master erase command is issued to erase
`the entire contents of the secure module 108, These com-
`mands will be discussed further below These commands are
`essential to give the Service Provider the necessary control
`over the operations that can be performed by the End User.
`Examples of Some of the irreversible commands are:
`
`40
`
`45
`
`PrdVati=e Object
`I,ock Transaiction Group
`
`Luck Object
`Lock Mcno--Can
`
`50
`
`Since much of the module's utility centers on its ability to
`keep a secret, the Privatize command is a very important
`irreversible command.
`Once the secure module 108, as a whole, is locked, the
`remaining NVRAM memory 24 is allocated for a circular
`55 buffer for holding an audit trail of previous transactions,
`Each of the transactions are identified by the number of the
`transaction group, the number of objects 42 within the
`specified group, and the date/time stamp.
`The fundamental concept implemented by the firmware is
`that the Service Provider can store transaction scripts 44 in
`a transaction group 40 to perform only those operations
`among objects that he wishes the End User to be able to
`perform. The Service Provider can also store