FILE HISTORY
US 5,949,880

PATENT: 5,949,880
INVENTORS: Curry, Stephen M.; Loomis, Donald W.; Bolan, Michael L.
TITLE: Transfer of valuable information between a secure module and another module
APPLICATION NO: US1997978798A
FILED: 26 NOV 1997
ISSUED: 07 SEP 1999
COMPILED: 12 JAN 2012

Page 1 of 191

PNC-JP MORGAN EXHIBIT 1004
[Page 2 of 191: scanned issue face sheet (Form PTO-436A, "U.S. DEPT. OF COMM./PAT. & TM-PTO436L (Rev. 12-94)"), marked "BEST COPY"; the handwritten and stamped entries are largely illegible after OCR. Legible fields: Supervisory Patent Examiner Thomas H. Tarcza; Applications Examiner; Claims Allowed (Total Claims, Print Claim); Drawing (Sheets Drwg., Figs. Drwg.); Issue Batch Number; Primary Examiner; Prepared for Issue. Notice printed on the form: "The information disclosed herein may be restricted. Unauthorized disclosure may be prohibited by the United States Code Title 35, Sections 122, 181 and 368. Possession outside the U.S. Patent & Trademark Office is restricted to authorized employees and contractors only." (FACE)]
`
5,949,880

TRANSFER OF VALUABLE INFORMATION BETWEEN A SECURE MODULE AND ANOTHER MODULE

Transaction History

Date        Transaction Description
11/26/1997  Preliminary Amendment
11/26/1997  Information Disclosure Statement (IDS) Filed
11/26/1997  Information Disclosure Statement (IDS) Filed
1/21/1998   Initial Exam Team nn
3/3/1998    IFW Scan & PACR Auto Security Review
3/19/1998   Case Docketed to Examiner in GAU
8/10/1998   Notice Mailed--Application Incomplete--Filing Date Assigned
8/10/1998   Preexamination Location Change
9/30/1998   Case Docketed to Examiner in GAU
10/16/1998  Mail Examiner's Amendment
10/16/1998  Examiner's Amendment Communication
10/16/1998  Mail Notice of Allowance
10/16/1998  Notice of Allowance Data Verification Completed
1/19/1999   Workflow - Drawings Finished
1/19/1999   Workflow - Drawings Matched with File at Contractor
1/19/1999   Workflow - Drawings Received at Contractor
1/19/1999   Issue Fee Payment Verified
1/19/1999   Mailroom Date of Drawing(s)
1/28/1999   Drawing(s) Received at Publications
2/5/1999    Drawing(s) Processing Completed
2/5/1999    Drawing(s) Matched to Application
2/24/1999   Workflow - File Sent to Contractor
4/28/1999   Application Is Considered Ready for Issue
8/30/1999   Issue Notification Mailed
9/7/1999    Recordation of Patent Grant Mailed
10/1/1999   Workflow - Complete WF Records for Drawings
3/28/2000   Post Issue Communication - Certificate of Correction

Page 3 of 191
`
[Page 4 of 191: scanned file-wrapper contents sheet for patent application 08978798 ("PATENT APPLICATION", "APPROVED FOR LICENSE", "CONTENTS"), with numbered entry lines 1 through 32 for papers and the columns "Date Entered or Counted" and "Date Received or Mailed". Only entry 1, "Application", is legible; the remaining handwritten entries are illegible after OCR. (FRONT)]
`
[Page 5 of 191: scanned claims index sheet (LEFT INSIDE), with Claim/Date columns for claims 1 through 100; the per-claim marks are illegible after OCR. Legend of symbols printed on the form: Rejected; Allowed; (Through numeral) Canceled; + Restricted; N Non-elected; I Interference; A Appeal; O Objected.]
`
[Page 6 of 191: scanned search-notes sheet (RIGHT OUTSIDE), with "SEARCHED" (Class, Sub., Date, Exmr.), "SEARCH NOTES" (Date, Exmr.) and "INTERFERENCE SEARCHED" (Class, Sub., Date, Exmr.) tables; the handwritten entries are illegible after OCR.]
`
United States Patent [19]
Curry et al.

[11] Patent Number: 5,949,880
[45] Date of Patent: Sep. 7, 1999
US005949880A

[54] TRANSFER OF VALUABLE INFORMATION BETWEEN A SECURE MODULE AND ANOTHER MODULE

[75] Inventors: Stephen M. Curry, Dallas; Donald W. Loomis, Coppell; Michael L. Bolan, Dallas, all of Tex.

[73] Assignee: Dallas Semiconductor Corporation, Dallas, Tex.

[21] Appl. No.: 08/978,798

[22] Filed: Nov. 26, 1997

Related U.S. Application Data

[62] Division of application No. 08/594,975, Jan. 31, 1996.

[51] Int. Cl.6: H04L 9/00
[52] U.S. Cl.: 380/24; 380/25; 705/39; 705/42
[58] Field of Search: 380/23, 24, 25; 705/39, 40, 42

[56] References Cited

U.S. PATENT DOCUMENTS

5,003,594   3/1991   Shinagawa ........... 380/24
5,539,825   7/1996   Akiyama et al. ...... 380/24
5,546,463   8/1996   Caputo et al. ....... 380/25
5,577,121   11/1996  Davis et al. ........ 380/24
5,621,796   4/1997   Davis et al. ........ 380/24
5,642,419   6/1997   Rosen ............... 380/23
5,671,280   9/1997   Rosen ............... 380/24

Primary Examiner: Thomas H. Tarcza
Assistant Examiner: Carmen D. White
Attorney, Agent, or Firm: Jenkens & Gilchrist

[57] ABSTRACT

The present invention relates to system, apparatus and method for communicating valuable data from a portable module to another module via an electronic device. More specifically, the disclosed system, apparatus and method are useful for enabling a user to fill a portable module with a cash equivalent and to spend the cash equivalent at a variety of locations. The disclosed system incorporates an encryption/decryption method.

6 Claims, 8 Drawing Sheets

[Front-page figure: reproduction of FIG. 1; reference numerals 100, 104, 106, 114 and 119 are legible.]

Page 7 of 191
`
U.S. Patent    Sep. 7, 1999    Sheet 1 of 8    5,949,880

[FIG. 1: block diagram of the exemplary system 100. Legible labels: PORTABLE MODULE (102); MICROPROCESSOR BASED DEVICE (104); SECURE MICROPROCESSOR BASED DEVICE; ADD-A-FARE MACHINE; reference numerals 100, 110, 114 and 119 are also visible.]

Page 8 of 191
`
U.S. Patent    Sep. 7, 1999    Sheet 2 of 8    5,949,880

[FIG. 2: block diagram of the portable module 102. Legible labels: ID NUMBER (210); INPUT/OUTPUT CONTROL (212) with INPUT BUFFER, OUTPUT BUFFER and ONE-WIRE INTERFACE (214); MEMORY CONTROL (204); MEMORY with SCRATCH PAD MEMORY; COUNTER (206); reference numeral 208; PORTABLE MODULE.]

Page 9 of 191
`
U.S. Patent    Sep. 7, 1999    Sheet 3 of 8    5,949,880

[FIG. 3: block diagram of the secure microprocessor based device 108. Legible reference numerals: 12, 18, 26, 28, 30, 32.]

Page 10 of 191
`
U.S. Patent    Sep. 7, 1999    Sheet 4 of 8    5,949,880

[FIG. 4: flowchart for removing a first amount of value from the portable module. Three columns: PORTABLE MODULE, MICROPROCESSOR BASED DEVICE, SECURE MODULE; the boxes are labelled X1 through X10 across sheets 4 and 5. Legible box text, in flow order:]

PORTABLE MODULE contains:
  (1) ID NUMBER
  (2) TRANSACTION COUNTER COUNT
  (3) ENCRYPTED DATA PACKET:
      A) ID NUMBER
      B) TRANSACTION COUNT
      C) MONETARY VALUE

MICROPROCESSOR BASED DEVICE:
  READ (SERIAL NUMBER, TRANSACTION COUNTER, AND ENCRYPTED DATA) AS DATA-ONE

SECURE MODULE:
  READ DATA-ONE AND A FIRST AMOUNT OF VALUE TO REMOVE FROM THE PORTABLE MODULE
  DECRYPT ENCRYPTED DATA USING A PUBLIC KEY
  COMPARE SERIAL NUMBER RECEIVED IN DATA-ONE WITH SERIAL NUMBER IN DECRYPTED DATA
  IF THEY MATCH, THEN COMPARE TRANSACTION COUNTER RECEIVED IN DATA-ONE WITH THE TRANSACTION COUNT IN DECRYPTED DATA
  IF THEY MATCH SUBTRACT THE 1ST AMOUNT FROM THE MONETARY VALUE FOUND IN THE DECRYPTED DATA AND INCREMENT THE TRANSACTION COUNTER FOUND IN THE DECRYPTED DATA
  INCREASE THE VALUE REGISTER BY THE SAME AMOUNT THE MONEY VALUE FOUND IN THE DECRYPTED DATA WAS DECREASED

Page 11 of 191

U.S. Patent    Sep. 7, 1999    Sheet 5 of 8    5,949,880

FIG. 4 (CONTINUED)

SECURE MODULE:
  CREATE DATA-TWO COMPRISING (THE PORTABLE MODULE'S SERIAL NUMBER, INCREMENTED TRANSACTION COUNTER, AND REDUCED MONETARY VALUE) AND ENCRYPT DATA-TWO USING A PRIVATE KEY

MICROPROCESSOR BASED DEVICE:
  RECEIVE ENCRYPTED DATA-TWO

PORTABLE MODULE:
  RECEIVE ENCRYPTED DATA-TWO AND STORE IN MEMORY
  INCREMENT TRANSACTION COUNTER

Page 12 of 191
`
U.S. Patent    Sep. 7, 1999    Sheet 6 of 8    5,949,880

[FIG. 5: flowchart for adding a first amount of value to the portable module. Three columns: PORTABLE MODULE, MICROPROCESSOR BASED DEVICE, SECURE MODULE; the boxes are labelled Y1 through Y13. Legible box text, in flow order:]

PORTABLE MODULE contains:
  (1) ID NUMBER
  (2) TRANSACTION COUNTER COUNT
  (3) ENCRYPTED DATA PACKET:
      A) ID NUMBER
      B) TRANSACTION COUNT
      C) MONETARY VALUE

MICROPROCESSOR BASED DEVICE:
  READ (SERIAL NUMBER, TRANSACTION COUNTER, AND ENCRYPTED DATA) AS DATA-ONE

SECURE MODULE:
  READ DATA-ONE AND A FIRST AMOUNT OF VALUE TO ADD TO THE PORTABLE MODULE
  DECRYPT ENCRYPTED DATA USING A PUBLIC KEY
  COMPARE SERIAL NUMBER RECEIVED IN DATA-ONE WITH SERIAL NUMBER IN DECRYPTED DATA
  IF THE SERIAL NUMBERS MATCH, THEN COMPARE THE TRANSACTION COUNTER IN DATA-ONE WITH THE DECRYPTED TRANSACTION COUNT
  IF THE TRANSACTION COUNTS MATCH, THEN ADD THE 1ST AMOUNT OF VALUE TO THE MONETARY VALUE FOUND IN THE DECRYPTED DATA
  INCREMENT THE TRANSACTION COUNTER FOUND IN THE DECRYPTED DATA
  DECREASE A VALUE REGISTER BY THE SAME AMOUNT THE MONEY VALUE WAS INCREASED
  CREATE DATA-TWO COMPRISING (THE PORTABLE MODULE'S SERIAL NUMBER, INCREMENTED TRANSACTION COUNTER, AND INCREASED MONETARY VALUE). ENCRYPT DATA-TWO USING A PRIVATE KEY.

MICROPROCESSOR BASED DEVICE:
  RECEIVE ENCRYPTED DATA-TWO

PORTABLE MODULE:
  RECEIVE ENCRYPTED DATA-TWO AND STORE IN MEMORY
  INCREMENT TRANSACTION COUNTER

Page 13 of 191
`
U.S. Patent    Sep. 7, 1999    Sheet 7 of 8    5,949,880

[FIG. 6: organization of the software and firmware within the secure module, drawn as stacked transaction groups (40, 40') that each hold objects (42, 42'). Legible labels: ONE-WIRE I/O; COMMAND INTERPRETER; READ-ONLY OBJECT COMMAND; READ/WRITE OBJECT COMMANDS; LOCKED TRANSACTION GROUP; SCRIPTS; OPEN OBJECTS (O); PRIVATE OBJECTS (P); LOCKED OBJECTS (L).]

Page 14 of 191
`
U.S. Patent    Sep. 7, 1999    Sheet 8 of 8    5,949,880

[FIG. 7: exemplary configuration of the secure module's memory. Legible labels, top to bottom:]

I/O DATA BUFFERS
SYSTEM DATA (COMMON PIN, RANDOM NUMBER REGISTER, ETC.)
OUTPUT DATA OBJECT #1
OUTPUT DATA OBJECT #2
WORKING REGISTER
TRANSACTION GROUP 1 (40)
TRANSACTION GROUP 2 (40)
...
TRANSACTION GROUP N (40)
AUDIT TRAIL*: CIRCULAR BUFFER OF TRANSACTION RECORDS

*THE AUDIT TRAIL DOES NOT EXIST UNTIL THE MICRO-IN-A-CAN HAS BEEN LOCKED. ONCE LOCKED ALL UNUSED RAM IS ALLOCATED FOR THE AUDIT TRAIL.

TRANSACTION GROUP (detail): GROUP NAME, PASSWORD AND ATTRIBUTES; OBJECT 1 (42); OBJECT 2 (42); ...; OBJECT N (42)

TRANSACTION RECORD (detail): GROUP ID; OBJECT ID; DATE/TIME STAMP

Page 15 of 191
`
TRANSFER OF VALUABLE INFORMATION BETWEEN A SECURE MODULE AND ANOTHER MODULE

This application is a Divisional of application Ser. No. 08/594,975 filed on Jan. 31, 1996.

CROSS REFERENCE TO OTHER APPLICATIONS

The following applications of common assignee contain related subject matter and are hereby incorporated by reference:
Ser. No. UNKNOWN, filed Jan. 31, 1996, entitled METHOD, APPARATUS, SYSTEM AND FIRMWARE FOR SECURE TRANSACTIONS; and
Ser. No. UNKNOWN, filed Jan. 31, 1996, entitled METHOD, APPARATUS AND SYSTEM FOR TRANSFERRING UNITS OF VALUE.

BACKGROUND OF THE INVENTION

1. Technical Field of the Invention

The present invention relates to a method and system for transferring valuable information securely between a secure module and another module. More particularly, the present invention relates to transferring units of value between a microprocessor based secure module and another module used for carrying a monetary equivalent.

2. Description of Related Art

In the past the preferred means for paying for an item was cash. As our society has become more advanced, credit cards have become an accepted way to pay for merchandise or services. The payment is not a payment to the merchant, but instead is a credit given by a bank to the user that the merchant accepts as payment. The merchant collects money from the bank based on the credit. As time goes on, cash is used less and less, and money transfers between parties are becoming purely electronic.

Present credit cards have magnetic strips to identify the owner of the card and the credit provider. Some credit cards have electronic circuitry installed that identifies the credit card owner and the credit or service provider (the bank).

The magnetic strips installed in present credit cards do not enable the card to be used as cash. That is, the modern credit card does not allow the consumer to buy something with the credit card and the merchant to receive cash at the time of the transaction. Instead, when the consumer buys something on credit, the merchant must later request that the bank pay for the item that the consumer bought. The bank then bills the consumer for the item that was bought.

Thus, there is a need for an electronic system that allows a consumer to fill an electronic module with a cash equivalent in the same way a consumer fills his wallet with cash. When the consumer buys a product or service from a merchant, the consumer's module can be debited and the merchant's cash drawer can be credited without any further transactions with a bank or service provider.

SUMMARY OF THE INVENTION

The present invention is an apparatus, system and method for communicating a cash equivalent electronically to and from a portable module. The portable module can be used as a cash equivalent when buying products and services in the market place.

The present invention comprises a portable module that can communicate to a secure module via a microprocessor based device. The portable module can be carried by a consumer, filled with electronic money at an add-money station, and be debited by a merchant when a product or service is purchased by the consumer. As a result of a purchase, the merchant's cash drawer will indicate an increase in cash value.

BRIEF DESCRIPTION OF THE DRAWINGS

A more complete understanding of the method and apparatus of the present invention may be had by reference to the following Detailed Description when taken in conjunction with the accompanying Drawings wherein:

FIG. 1 depicts an exemplary system for transferring valuable information between a module and a secure device;
FIG. 2 is a block diagram of an embodiment of a portable module;
FIG. 3 is a block diagram of an embodiment of a microprocessor based module;
FIG. 4 is an exemplary technique for transferring valuable data securely into a portable module;
FIG. 5 is an exemplary technique for transferring valuable data securely out of a portable module;
FIG. 6 is an exemplary organization of the software and firmware within a secure microprocessor based device; and
FIG. 7 is an exemplary configuration of software and firmware within a secure microprocessor based device.

DETAILED DESCRIPTION OF A PRESENTLY PREFERRED EXEMPLARY EMBODIMENT

FIG. 1 depicts a block diagram of an exemplary system 100 for transferring valuable information to and from a portable module. A portable module 102, which will be described in more detail later, communicates to a microprocessor based device 104. The portable module 102 may contain information that represents units of exchange or a currency equivalent. The microprocessor based device 104 can be any of an unlimited number of devices. For example, the microprocessor based device 104 could be a personal computer, an add-a-fare machine at a train or bus station (similar to those in today's District of Columbia metro stations), a turnstile, a toll booth, a bank's terminal, a ride at a carnival, a washing machine at a Laundromat, a locking device, a mail metering device or any device that controls access, or meters a monetary equivalent, etc.

The means for communication 106 between the portable module 102 and the microprocessor based device 104 is preferably via a single wire or contact connection. The single wire connection 106 preferably incorporates a communication protocol that allows the portable module 102 and the microprocessor based device 104 to communicate in a bidirectional manner. Preferably the communication protocol is a one-wire protocol developed by Dallas Semiconductor. It is understood that the means for communicating 106 is not limited to a single wire connection. The communication means 106 could be multiple wires, a wireless communication system, infrared light, any electromagnetic means, a magnetic technique, or any other similar technique.

The microprocessor based device 104 is electrically connected to another microprocessor based device, which is preferably a secure device 108. The term secure device means that the device is designed to contain a secret code and the secret code is extremely difficult to learn. An example of a secure device 108 is explained later in this document.

The microprocessor based device 104 can be connected to a variety of other devices. Such devices include, but are not limited to, a cash acceptor 110, an automatic teller machine (ATM) 112, a credit card reader 114, and a phone line 116.

Page 16 of 191

The cash acceptor 110 is adapted to receive cash in the form of currency, such as dollar bills or coins. The cash acceptor 110 preferably determines the value of the accepted currency. The cash acceptor 110 communicates to the microprocessor based device 104 and informs the device 104 of how much currency has been deposited in the cash acceptor 110.
The cash acceptor 110 can also be a device which provides currency. That is, the cash acceptor 110, in response to a communication from the microprocessor based device 104, may provide a metered amount of currency to a person.

The credit card reader 114 and ATM 112 can also be attached to the microprocessor based device 104. The credit card reader 114 could be used to read a user's credit card and then, when authorized, either communicate to the microprocessor based device 104 that units of exchange need to be added to the portable module or that units of exchange need to be extracted from the portable module to pay for a good, service or credit card bill.

The ATM 112 may also be connected to the microprocessor based device. Via communications from the ATM 112, the microprocessor based device 104 can be informed that units of exchange need to be added or subtracted from the portable module 102.

Furthermore, it is also possible that the microprocessor based device 104 is connected to a phone line 116. The phone line may be used for a variety of things. Most importantly, the phone line may be used to allow the microprocessor based device 104 to communicate with a network of devices. Such telephonic communication may be for validating transactions or for aiding the accounting of transactions that are performed via the microprocessor based device's 104 aid. It is further understood that the phone line may be any of a vast variety of communication lines including wireless lines. Video, analog, or digital information may be communicated over the phone line 116.

FIG. 2 depicts a preferred exemplary portable module 102. The portable module 102 is preferably a rugged read/write data carrier that can act as a localized data base and be easily accessed with minimal hardware. The module can be incorporated in a vast variety of portable items which includes, but is not limited to, a durable micro-can package that is highly resistant to environmental hazards such as dirt, moisture, and shock. The module can be incorporated into any object that can be articulated by a human or thing, such as a ring, bracelet, wallet, name tag, necklace, baggage, machine, robotic device, etc. Furthermore, the module 102 could be attached to a stationary item and the microprocessor based device 104 may be articulated to the portable module 102. For example, the module 102 may be attached to a piece of cargo and a module reader may be touched to or brought near the module 102. The module reader may be part of the microprocessor based device 104.

The portable module 102 comprises a memory 202 that is preferably, at least in part, nonvolatile memory for storing and retrieving vital information pertaining to the system to which the module 102 may become attached. The memory 202 may contain a scratchpad memory which may act as a buffer when writing into memory. Data is first written to the scratchpad where it can be read back. After data has been verified, the data is transferred into the memory.

The module 102 also comprises a counter 206 for keeping track of the number of transactions the module has performed (the number of times certain data in the memory of the module has been changed). A timer 102 may be provided in the module to provide the ability to time stamp transactions performed by the module. A memory controller 204 controls the reading and writing of data into and out of the memory 202.

The module also may comprise an identification number 210. The identification number preferably uniquely identifies the portable module from any other portable module.

An input/output control circuit 212 controls the data flow into and out of the portable module 102. The input/output control ("I/O") 212 preferably has an input buffer and an output buffer and interface circuitry 214. As stated above, the interface circuitry 214 is preferably a one-wire interface. Again, it is understood that a variety of technologies can be used to interface the portable module 102 to another electronic device. A single wire or single connection is preferred because the mechanics of making a complete connection is simplified. It is envisioned that a proximity/wireless communication technique is also a technique for communicating between the module 102 and another device. Thus, the interface circuit 214 can be a single wire, multiple wire, wireless, electromagnetic, magnetic, light, or proximity interface circuit.
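The FIG. 4 and FIG. 5 exchanges shown on the drawing sheets above, together with the scratchpad write, read-back and transfer just described for memory 202, modelled end to end as an added example in Python. This is not the patent's own code or firmware: the packet field widths, the toy RSA key (two Mersenne primes, textbook RSA with no padding, not secure), every class and function name, and the refusal to debit more than the packet holds or credit more than the value register holds are assumptions made for the illustration. The scenario also shows what the serial-number and transaction-counter comparisons buy a defender: a stale packet written back into memory fails the counter check once the module's hardware counter has advanced, and a validly encrypted packet copied from another module fails the serial check.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Toy RSA key pair of the secure module 108 (ASSUMPTION so the example runs
# offline: two Mersenne primes, textbook RSA, no padding; NOT secure). As in
# the patent, only the private key "encrypts" and the public key "decrypts".
P = (1 << 31) - 1                  # 2^31 - 1, prime
Q = (1 << 61) - 1                  # 2^61 - 1, prime
N = P * Q                          # about 2^92, so a 64-bit packet fits below N
E = 65537                          # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)
SERIAL_BITS, COUNT_BITS, VALUE_BITS = 32, 16, 16   # assumed packet layout

def pack(serial: int, count: int, value: int) -> int:
    """Pack (ID number, transaction count, monetary value) into one integer."""
    for v, bits in ((serial, SERIAL_BITS), (count, COUNT_BITS), (value, VALUE_BITS)):
        if not 0 <= v < (1 << bits):
            raise ValueError("packet field out of range")
    return (serial << (COUNT_BITS + VALUE_BITS)) | (count << VALUE_BITS) | value

def unpack(x: int) -> Tuple[int, int, int]:
    value = x & ((1 << VALUE_BITS) - 1)
    count = (x >> VALUE_BITS) & ((1 << COUNT_BITS) - 1)
    return x >> (COUNT_BITS + VALUE_BITS), count, value   # forgery -> garbage serial

def encrypt_with_private_key(serial: int, count: int, value: int) -> int:
    return pow(pack(serial, count, value), D, N)

def decrypt_with_public_key(packet: int) -> Tuple[int, int, int]:
    return unpack(pow(packet, E, N))

@dataclass
class PortableModule:            # FIG. 2: ID number 210, counter 206, memory 202
    serial: int
    counter: int
    packet: int                          # encrypted data packet in memory 202
    scratchpad: Optional[int] = None     # staging buffer inside memory 202
    def write_scratchpad(self, data: int) -> None:
        self.scratchpad = data
    def read_scratchpad(self) -> Optional[int]:
        return self.scratchpad
    def commit_scratchpad(self) -> None:
        """Transfer verified scratchpad data into memory and bump the counter."""
        self.packet, self.scratchpad = self.scratchpad, None
        self.counter += 1                # "INCREMENT TRANSACTION COUNTER" box

@dataclass
class SecureModule:              # FIG. 3 device 108: private key + value register
    value_register: int = 0
    def _verify(self, data_one):
        serial, counter, packet = data_one
        dec_serial, dec_count, dec_value = decrypt_with_public_key(packet)
        if dec_serial != serial:                  # serial number comparison
            return None, "serial number mismatch"
        if dec_count != counter:                  # transaction counter comparison
            return None, "transaction counter mismatch"
        return (serial, dec_count, dec_value), "ok"
    def debit(self, data_one, amount: int):
        """FIG. 4: remove `amount` from the module, raise the value register."""
        verified, reason = self._verify(data_one)
        if verified is None:
            return None, reason
        serial, count, value = verified
        if amount > value:                        # assumption: not drawn in FIG. 4
            return None, "insufficient value"
        self.value_register += amount
        return encrypt_with_private_key(serial, count + 1, value - amount), "ok"
    def credit(self, data_one, amount: int):
        """FIG. 5: add `amount` to the module, lower the value register."""
        verified, reason = self._verify(data_one)
        if verified is None:
            return None, reason
        serial, count, value = verified
        if amount > self.value_register or value + amount >= 1 << VALUE_BITS:
            return None, "register or packet limit exceeded"   # assumption
        self.value_register -= amount
        return encrypt_with_private_key(serial, count + 1, value + amount), "ok"

def transfer(module: PortableModule, secure: SecureModule, amount: int, remove: bool):
    """Microprocessor based device 104 driving one FIG. 4 (remove) or FIG. 5 (add) exchange."""
    data_one = (module.serial, module.counter, module.packet)   # READ ... AS DATA-ONE
    data_two, reason = (secure.debit if remove else secure.credit)(data_one, amount)
    if data_two is None:
        return False, reason
    module.write_scratchpad(data_two)                 # write to scratchpad first
    if module.read_scratchpad() != data_two:          # read back and verify
        return False, "scratchpad verify failed"
    module.commit_scratchpad()                        # then transfer into memory
    return True, "ok"

def demo() -> dict:
    """Constructed scenario: debit, replayed packet, credit, overdraw, cloned packet."""
    secure = SecureModule()
    module = PortableModule(0xC0FFEE, 0, encrypt_with_private_key(0xC0FFEE, 0, 500))
    old_packet, out = module.packet, {}
    out["debit"] = transfer(module, secure, 120, remove=True)
    out["after_debit"] = (module.counter, decrypt_with_public_key(module.packet), secure.value_register)
    # Replay: the old packet is restored, but hardware counter 206 has moved on.
    out["replay"] = secure.debit((module.serial, module.counter, old_packet), 1)
    out["credit"] = transfer(module, secure, 50, remove=False)
    out["after_credit"] = (module.counter, decrypt_with_public_key(module.packet), secure.value_register)
    out["overdraw"] = transfer(module, secure, 10_000, remove=True)
    # A validly encrypted packet taken from another module fails the serial check.
    clone = encrypt_with_private_key(0xBEEF, 0, 999)
    out["clone"] = secure.debit((module.serial, module.counter, clone), 1)
    return out
```

The replay case is the one worth noticing: the host can present any packet it likes, but the transaction counter it must present alongside comes from the module's own counter 206, which only ever moves forward, so an old packet and the current counter never agree. Run `demo()` to see each outcome as a `(result, reason)` pair.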
FIG. 3 depicts a block diagram of an exemplary secure microprocessor based device ("secure device") 108. The secure device circuitry can be a single integrated circuit. It is understood that the secure device 108 could also be a monolithic or multiple circuits combined together. The secure device 108 preferably comprises a microprocessor 12, a real time clock 14, control circuitry 16, a math coprocessor 18, memory circuitry 20, input/output circuitry 26, and an energy circuit 34.

The secure device 108 could be made small enough to be incorporated into a variety of objects including, but not limited to, a token, a card, a ring, a computer, a wallet, a key fob, a badge, jewelry, a stamp, or practically any object that can be grasped and/or articulated by a user of the object. In the present system 100, the secure device 108 is preferably adapted to be a trusted certifying authority. That is, the secure device 108 is a trusted computer. The secure device 108 comprises a numeric coprocessor 18 optimized for math intensive encryption. The BIOS is immune to alteration and is specifically designed for secure transactions. This secure device 108 is preferably encased in a durable, dirt, moisture and shock resistant stainless steel enclosure, but could be encased in a wide variety of structures so long as specific contents of the secure device 108 are extremely difficult to decipher. The secure device 108 may have the ability to store or create a private/public key set, whereby the private key never leaves the secure device 108 and is not revealed under almost any circumstance. Furthermore, the secure module 108 is preferably designed to prevent discovery of the private key by an active self-destruction of the key upon wrongful entry.

The microprocessor 12 is preferably an 8-bit microprocessor, but could be 16, 32, 64 or any operable number of bits. The clock 14 provides timing for the module circuitry. There can also be separate clock circuitry 14 that provides a continuously running real time clock.

The math coprocessor circuitry 18 is designed and used to handle very large numbers. In particular, the coprocessor will handle the complex mathematics of RSA encryption and decryption or other types of math intensive encryption or decryption techniques.

The memory circuitry 20 may contain both read-only memory and non-volatile random-access memory.

Page 17 of 191
`
Furthermore, one of ordinary skill in the art would understand that volatile memory, EPROM, SRAM and a variety of other types of memory circuitry might be used to create an equivalent device.

Control circuitry 16 provides timing, latching and various necessary control functions for the entire circuit.

An input/output circuit 26 enables bidirectional communication with the secure module 108. The input/output circuitry 26 preferably comprises at least an output buffer and an input buffer. For communication via a one-wire bus, one-wire interface circuitry can be included with the input/output circuitry 26. It is understood that the input/output circuitry 26 of the secure device 108 can be designed to operate on a single wire, a plurality of wires or any means for communicating information between the secure module 108 and the microprocessor based device 104.

An energy circuit 34 may be necessary to maintain stored information in the memory circuitry 20 and/or aid in powering the other circuitry in the module 108. The energy circuit 34 could consist of a battery, capacitor, R/C circuit, photo-voltaic cell, or any other equivalent energy producing circuit or means.

The firmware architecture of the secure module 108 and how it operates within the exemplary system for transferring valuable information, such as units of exchange or currency, between the secure module 108 and a portable module 102 will now be discussed. The secure module 108 provides encryption and decryption services for confidential data transfer through the microprocessor based device 104. The following examples are intended to illustrate a preferred feature set of the secure module 108 and to explain the services that the exemplary system 100 can offer. These applications and examples by no means limit the capabilities of the invention, but instead bring to light a sampling of its capabilities.

I. Overview of the Preferred Secure Module 108 and its Firmware Design

Referring to FIG. 3 again, the secure module 108 preferably contains a general-purpose, 8051-compatible micro controller 12 or a reasonably similar product, a continuously running real-time clock 14, a high-speed modular exponentiation accelerator for large integers (math coprocessor) 18, input and output buffers 28, 30 with a one-wire interface 32 for sending and receiving data, 32 Kbytes of ROM memory 22 with preprogrammed firmware, 8 Kbytes of NVRAM (non-volatile RAM) 24 for storage of critical data, and control circuitry 16 that enables the micro controller 12 to be powered up to interpret and act on the data placed in an input data object. The module 108 draws its operating power from a single wire, one-wire communication line. The micro controller 12, clock 14, memory 20, buffers 28, 30, one-wire front-end 32, modular exponentiation accelerator 18, and control circuitry 16 are preferably integrated on a single silicon chip and packaged in a stainless steel micro can using packaging techniques which make it virtually impossible to probe the data in the NVRAM 24 without destroying the data. Initially, most of the NVRAM 24 is available for use to support applications such as those described below. One of ordinary skill will understand that there are many comparable variations of the module design. For example, volatile memory might be used, or an interface other than a one-wire interface could be used.

The secure module 108 is preferably intended to be used first by a Service Provider who loads the secure module 108 with data to enable it to perform useful functions, and second by an End User who issues commands to the secure module 108 to perform operations on behalf of the Service Provider for the benefit of the End User. For this reason, the secure module 108 offers functions to support the Service Provider in setting up the module for an intended application. It also offers functions to allow the End User to invoke the services offered by the Service Provider.

Each Service Provider can reserve a block of NVRAM memory to support its services by creating a transaction group 40 (refer to FIGS. 6 and 7). A transaction group 40 is simply a set of software objects 42 that are defined by the Service Provider. These objects 42 include both data objects (encryption keys, transaction counts, money amounts, date/time stamps, etc.) and transaction scripts 44 which specify how to combine the data objects in useful ways. Each Service Provider creates his own transaction group 40, which is independent of every other transaction group 40. Hence, multiple Service Providers can offer different services in the same module 108. The number of independent Service Providers that can be supported depends on the number and complexity of the objects 42 defined in each transaction group 40. Examples of some of the objects 42 that can be defined within a transaction group 40 are the following:

RSA Modulus
RSA Exponent
Transaction Script
Transaction Counter
Money Register
Destructor
Clock Offset
Random SALT
Configuration Data
Input Data
Output Data

Within each transaction group 40 the secure module 108 will initially accept certain commands which have an irreversible effect. Once any of these irreversible commands are executed in a transaction group 40, they remain in effect until the end of the module's useful life or until the transaction group 40, to which it applies, is deleted from the secure module 108. In addition, there are certain commands which have an irreversible effect until the end of the module's life or until a master erase command is issued to erase the entire contents of the secure module 108. These commands will be discussed further below. These commands are essential to give the Service Provider the necessary control over the operations that c
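The transaction-group and lock rules just described, together with the FIG. 7 memory layout (transaction groups 40 holding objects 42, an audit trail that does not exist until the module is locked and then takes all unused RAM as a circular buffer of transaction records), modelled as an added example in Python. It is not the patent's firmware: the 8 Kbyte NVRAM size is the text's, but the per-group header cost, the record size, the stand-in clock, the rule that no objects may be added once the module is locked, and every class, method and error string are assumptions made for this illustration.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional, Tuple

NVRAM_BYTES = 8 * 1024      # "8 Kbytes of NVRAM" from the text
GROUP_HEADER_BYTES = 32     # assumed cost of group name, password and attributes
RECORD_BYTES = 8            # assumed size of (group id, object id, date/time stamp)

@dataclass
class DataObject:           # one object 42, e.g. RSA Modulus or Money Register
    name: str
    data: bytes

@dataclass
class TransactionGroup:     # one transaction group 40 owned by a Service Provider
    group_id: int
    name: str
    password: str
    objects: Dict[int, DataObject] = field(default_factory=dict)
    locked: bool = False    # irreversible until the group itself is deleted
    def size(self) -> int:
        return GROUP_HEADER_BYTES + sum(len(o.data) for o in self.objects.values())

class SecureModuleNVRAM:
    """NVRAM 24 of module 108 laid out as in FIG. 7 (model, not the firmware)."""
    def __init__(self, capacity: int = NVRAM_BYTES) -> None:
        self.capacity = capacity
        self.groups: Dict[int, TransactionGroup] = {}
        self.module_locked = False          # "micro-in-a-can has been locked"
        self.audit: Optional[Deque[Tuple[int, int, int]]] = None
        self.clock = 0                      # stand-in for real time clock 14
        self._next_id = 1
    def free_bytes(self) -> int:
        audit = 0 if self.audit is None else self.audit.maxlen * RECORD_BYTES
        return self.capacity - sum(g.size() for g in self.groups.values()) - audit
    def _group(self, gid: int, password: str) -> TransactionGroup:
        g = self.groups[gid]
        if g.password != password:
            raise PermissionError("bad transaction group password")
        return g
    def create_group(self, name: str, password: str) -> int:
        if self.module_locked:
            raise PermissionError("module locked: no new transaction groups")
        if self.free_bytes() < GROUP_HEADER_BYTES:
            raise MemoryError("no NVRAM left for a transaction group")
        gid, self._next_id = self._next_id, self._next_id + 1
        self.groups[gid] = TransactionGroup(gid, name, password)
        return gid
    def add_object(self, gid: int, password: str, obj: DataObject) -> int:
        g = self._group(gid, password)
        if g.locked or self.module_locked:   # assumption: a lock freezes the object set
            raise PermissionError("locked: objects can no longer be added")
        if self.free_bytes() < len(obj.data):
            raise MemoryError("no NVRAM left for the object")
        oid = len(g.objects) + 1
        g.objects[oid] = obj
        return oid
    def lock_group(self, gid: int, password: str) -> None:
        self._group(gid, password).locked = True      # no unlock command exists
    def delete_group(self, gid: int, password: str) -> None:
        self._group(gid, password)
        del self.groups[gid]                          # the group's lock goes with it
    def lock_module(self) -> int:
        """Irreversible: every unused byte becomes audit-trail circular buffer."""
        if not self.module_locked:
            self.module_locked = True
            self.audit = deque(maxlen=self.free_bytes() // RECORD_BYTES)
        return self.audit.maxlen
    def access_object(self, gid: int, oid: int, password: str) -> bytes:
        """Read an object; once locked, each access leaves a transaction record."""
        g = self._group(gid, password)
        self.clock += 1
        if self.audit is not None:
            self.audit.append((gid, oid, self.clock))  # oldest record is overwritten
        return g.objects[oid].data
    def master_erase(self) -> None:
        """Erase the entire contents: the only way back from a module lock."""
        self.groups.clear()
        self.audit, self.module_locked, self._next_id = None, False, 1

def demo() -> dict:
    """Constructed scenario: two Service Providers, then lock, then 1200 accesses."""
    nv = SecureModuleNVRAM()
    bank = nv.create_group("bank", "pw-bank")
    nv.add_object(bank, "pw-bank", DataObject("RSA Modulus", bytes(128)))
    money = nv.add_object(bank, "pw-bank", DataObject("Money Register", bytes(4)))
    transit = nv.create_group("transit", "pw-transit")
    nv.add_object(transit, "pw-transit", DataObject("Transaction Counter", bytes(4)))
    out = {"free_before_lock": nv.free_bytes(), "audit_records": nv.lock_module()}
    try:
        nv.add_object(bank, "pw-bank", DataObject("Destructor", bytes(4)))
        out["add_after_lock"] = "allowed"
    except PermissionError:
        out["add_after_lock"] = "refused"
    for _ in range(1200):
        nv.access_object(bank, money, "pw-bank")
    out["audit_len"], out["oldest_kept"] = len(nv.audit), nv.audit[0][2]
    out["free_after_lock"] = nv.free_bytes()
    nv.master_erase()
    out["groups_after_erase"] = len(nv.groups)
    return out
```

Two properties of the text fall out of the model: the audit trail's capacity is fixed at lock time by whatever NVRAM the Service Providers left unused, so a module that is filled to the brim before locking keeps almost no history; and because the buffer is circular, an investigator reading the trail after many operations only sees the most recent records, which is why the lock should happen as early as the application allows.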