United States Patent 1
`
`Deo et al.
`
`CANAAA
`
`US005721781A
`[it] Patent Number:
`[45] Date of Patent:
`
`5,721,781
`Feb. 24, 1998
`
`[54] AUTHENTICATION SYSTEM AND METHOD
`FOR SMART CARD TRANSACTIONS
`
`[75]
`
`Inventors: Vinay Deo, Redmond; Robert B.
`Seidensticker, Woodinville; Daniel R.
`Simon, Redmond, all of Wash.
`
`[73] Assignee: Microsoft Corporation, Redmond,
`Wash.
`
`[21] Appl. No.: 531,567
`
`6
`
`Sep. 13, 1995
`[22] Filed:
`ONOmeDenmananonesesesROSeheneeenenEraaseanesessaneseues H04K 1/00
`(51]
`Int. Cl.
`
`[52] U.S. C1. neesscsssenee
`380/25; 380/23
`[58] Field of Search ou...cesses 380/23, 24, 25
`
`[56]
`
`References Cited
`
`_ U.S. PATENT DOCUMENTS
`4,969,189
`11/1990 Ohta et ab. eersecssemsensentsteen 380725
`
`.cscsssssssccssseescecnnees 380/23
`5,140,634
`8/1992 Guillow et al.
`
`1/1994 Hennige ..........000
`ve 235/380
`5,276,311
`
`cccssenee 380/24
`5,473,690 12/1995 Grimonprez et al...
`8/1996 Mandelbaum et al. ......eee 380/24
`5,544.246
`
`Primary Examiner—David C. Cain
`Attorney, Agent, or Firm—Lee & Hayes, PLLC
`
`_[57]
`
`ABSTRACT
`.
`.
`.
`Lo
`An authentication system includes a portable information
`device, such as a smart card, that is configured to store and
`process multiple different applications. The smart card is
`assigned its own digital certificate which contains a digital
`signature from a trusted certifying authority and a unique
`public key. Each of the applications stored on the smart card
`is also assigned an associated certificate having the digital
`signature of the certifying authority. The system further
`includes a terminal that is capable of accessing the smart
`card. The terminal has at least one compatible application
`which operates in conjunction with an application on the
`smart card. The terminal is assigned its own certificate
`which also contains the digital signature from the trusted
`certifying authority and a unique public key. Similarly, the
`application on the terminal is given an associated digital
`certificate. During a transactional session, the smart card and
`terminal exchange their certificates to authenticate one
`another. Thereafter, a smart card application is selected and
`the related certificates for both the smart card application
`and the terminal application are exchanged between the
`smart card and terminal to authenticate the applications.
`Additionally, the cardholder enters a unique PIN into the
`terminal. The PIN is passed to the smart card for use in
`authenticating the cardholder. The three-tiered authentica-
`tion system promotes security in smart card transactions.
`
`21 Claims, 6 Drawing Sheets
`
`CARD CERTIFICATE
`
`OC
`
`UNSECURED CHANNEL
`
`a
`
`42
`
`TERMINAL
`CERTIFICATE
`
`1
`
`SAMSUNG 1019
`
`SAMSUNG 1019
`
`1
`
`

`

`U.S. Patent
`
`Feb. 24, 1998
`
`Sheet 1 of 6
`
`5,721,781
`
`12 |
`
`
`||
`
`
`
`
`
`2
`
`

`

`U.S. Patent
`
`Feb. 24, 1998
`
`Sheet 2 of 6
`
`5,721,781
`
`
`
`3
`
`

`

`U.S. Patent
`
`Feb. 24, 1998
`
`Sheet 3 of 6
`
`5,721,781
`
`CARD CERTIFICATE
`
`LO ~~ oo, “a
`
`10
`
`UNSECURED CHANNEL
`
`
`
`TERMINAL
`CERTIFICATE
`
`ir,
`LY Y
`
`
`
`4
`
`

`

`US. Patent
`
`Feb. 24, 1998
`
`Sheet 4 of 6
`
`5,721,781
`
`ASSIGN CERTIFICATE TO SMART CARD
`
`100
`
`ASSIGN CERTIFICATE TO TERMINAL
`
`102
`
`ASSIGN CERTIFICATE TO EACH APPLICATION
`_
`STORED ON SMART CARD
`
`104
`
`ASSIGN PIN TO CARDHOLDER
`
`106
`
`COMMENCE TRANSACTIONAL SESSION
`
`108
`
`PASS CARD-RELATED CERTIFICATE
`FROM SMART CARD TO TERMINAL
`
`PASS TERMINAL—RELATED CERTIFICATE
`FROM TERMINAL TO SMART CARD
`
`110
`
`112
`
`AUTHENTICATE SMART CARD AT TERMINAL
`
`114
`
`TO 716
`
`Ny 7
`
`5
`
`

`

`USS. Patent
`
`Feb. 24, 1998
`
`Sheet 5 of 6
`
`5,721,781
`
`FROM 114
`
`BETWEEN SMART CARD AND TERMINAL
`
`. &
`
`6
`
`

`

`U.S. Patent
`
`Feb. 24, 1998
`
`Sheet 6 of 6
`
`5,721,781
`
`rg!
`
`OL1
`
`9Z1
`
`OSt>LINIT
`
`GILINITLON
`
`GiLINITLON
`
`C9!
`
`891
`
`PL
`
`081
`
`
`
`AVOAGHYIDGIdldXINNAG
`
`
`
`TWNINATLFLVOLINFHINY
`
`
`
`FVAALAFDGIdtdXINNAG
`
`TWNINGGLFLVOLNIHLAY
`
`NidONY
`
`
`
`HVOAIMYIDGIdldXINNAG
`
`TWNINGFLFLVOLNFIHLAV
`
`NidGNV
`
`Gt>LINIT
`
`
`
`ILVIIAULAIDGIGIdXINNAG
`
`TWNINAALFLVOLLNFHINV
`
`SAA
`
`SAA
`
`SAA
`
`SAA
`
`09!
`
`ON
`
`
`
`ébTAITALYNIIS
`
`(INI7-440)
`
`991
`
`ON
`
`éfTINTALYNIIS
`
`(INIT-NO)
`
`CL
`
`ON
`
`
`
`é£TIF)AUMNIIS
`
`(INIT-440)
`
`BLI
`
`
`
`ékTWITALUYNIIS
`
`(INIT-NO)
`
`(JN1VAON)
`
`8G
`
`9S!
`
`NOLLVNGOINIDITENd
`
`NOLLVOUNFHLINVON
`
`SAA
`
`PS
`
`ON
`
`
`
`é0THAT)ALYNIIS
`
`(QFdNIISNN)
`
`OG!
`
`cSt
`
`HSITEVIST
`OYVDLYVWSLV79A97ALIMNDFSININAWIG‘NOISSISINNA
`
`
`
`
`
`TYNINGFLJOFdALNOG3SVESTIATTALYNIIS
`
`
`
`7
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`

`

`5,721,781
`
`1
`AUTHENTICATION SYSTEM AND METHOD
`FOR SMART CARD TRANSACTIONS
`
`TECHNICAL FIELD
`
`This invention relates to portable information devices,
`such as smart cards, personal digital assistants, pagers, and
`other personal information managers, and the mechanisms
`used to access these devices. This invention is particularly
`well suited for smart card systems, including the smart cards
`themselves, cardholders, and terminals into which the smart
`cardsare inserted for various transactions. More particularly,
`this invention relates to systems and methods for authenti-
`cating smart cards, applications, cardholders, and terminals
`to protect against fraudulent transactions.
`
`BACKGROUND OF THE INVENTION
`
`Authentication systems are used for security purposes to
`verify the authenticity of one or more parties during a
`transaction. Traditionally, authentication systems have been
`manual,
`involving simple personal recognition or quick
`verification of the party via some form of additional iden-
`tification. One very familiar authentication process occurs
`when purchasing an item with a personal check. The sales
`clerk will process the check only if he/she recognizes the
`person writing the check or if the person presents another
`piece ofidentification (e.g., a credit card, or driver’s license)
`to verify the authenticity of that person whois offering the
`check. Another common manual authentication process
`might occur in an apartment building or at work where a
`person is authenticated by a security guard or receptionist
`through visual recognition.
`Some authenticating systems are electronic. A familiar
`electronic authentication system is used in a common ATM
`(Automated Teller Machine). Bank members are issued
`special ATM cards for use in the ATMsto permit automated
`access to the member’s account. The ATM cards that are
`primarily in use today consist of magnetic-stripe memory
`cards that have a single magnetic stripe on one side. The
`magnetic stripe contains information regarding the bank, the
`member, andhis/her account. To guard against unauthorized
`access, the member is also given a multi-digit password or
`PIN (Personal Identification Number). The member inserts
`the mag-stripe card into the ATM and enters a four digit
`password or PIN (Personal Identification Number). The PIN
`authenticates for the ATM that the person standing at the
`ATM is the member who ownsthe inserted ATM card (or an
`authorized person representing that member).
`Mag-stripe cards are limited, however, in that they are
`single purpose cards. For instance, one mag-stripe ATM card
`is used solely for interfacing with a bank ATM, while
`another mag-stripe card is used solely for frequent fiyer
`mileage, while another mag-stripe card is used solely for
`making long distance telephonecalls.
`Today, there is a movement toward use of “smart cards”
`instead of mag-stripe cards. A “smart card” is a credit card
`that has a built-in microcontroller (MCU) which enables the
`card to modify, or even create, data in response to external
`stimuli. The microcontroller is a single-wafer integrated
`circuit (IC) which is mounted on an otherwise plastic credit
`card,
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`45
`
`50
`
`35
`
`Byvirtue of the resident on-chip processor, smart cards
`are self-validating and can authenticate various passwords
`off-line without connection to a back end computer. Some
`conventional smart cards perform an authentication proce-
`dure during each “session”, which is the period of time that
`the smart card is inside of a compatible terminal. The session
`
`65
`
`2
`commences with a system startup phase. Since the card has
`no power supply of its own,
`the system startup phase
`consists of supplying power to the card and performing a
`“cold” boot to establish communication between the card
`and terminal. Thereafter, the card and terminal enter an
`authentication phase where the terminal verifies that it is
`communicating with an authorized card. This usually entails
`the smart card forwarding its own access code to the
`terminal for verification. Following authentication, one or
`more transactions are conducted and the card is removed
`from the terminal, ending the session.
`Tn conventional smart card systems, however, the cards
`have been designed to hold just one application. One smart
`card might be used for a banking/financial application, while
`another smart card might be dedicated to a security appli-
`cation for entry to a building or workplace, while yet another
`smart card might be dedicated to a health related application.
`In these conventional systems,
`the authentication phase
`consists only of verifying that the card is suitable to talk to
`the terminal,
`typically via the internal access code.
`Unfortunately, there is little or no standardization in the
`smart card arena, and thus many different non-compatible
`systems are in existence today. This lack of standardization
`has impeded efforts to produce a smart card capable of
`handling multiple applications.
`As smart cards evolve, however, they are expected to
`carry multiple applications—such as banking,travel, retail,
`security, identification, health care, and electronic benefits
`transfer——on the same card. The same smart card will be
`used to deposit or withdrawal money from an AIM, keep
`track of frequent flyer mileage, permit entry into buildings,
`store the cardholder’s health information, and enable pur-
`chase of goods and services. With multiple applications, the
`number and complexity of security issues rise. For instance,
`the cardholder does not want his/her employer’s entrance
`security system which interfaces with a security application
`on the smart card to gain access to sensitive health care
`information stored on the same health card, nor does the
`cardholder wish for his/her a doctor to use the health care
`application to gain access to personal financial information.
`It is therefore one object of this invention to provide an
`authentication system for ensuring the security of the smart
`card and the applications contained thereon.
`Because all smart card transactions are conducted
`electronically, there is an additional need to ensure for the
`smart card that the terminal asking for the information is
`authenticate, and not a fraudulent machine. In other words,
`there is a need for an authentication system that enables a
`smart card and terminal to trust each other, as well as
`verifying that the present cardholder is authenticate. It is
`another object of this invention to provide such an authen-
`tication system.
`SUMMARYOF THE INVENTION
`
`This invention provides a smart card authentication sys-
`tem that verifies the user, smart card, application, and
`terminal.
`
`In one preferred implementation, the system has a smart
`card that is configured to store and process multiple different
`applications. The smart card is assigned its own digital
`certificate which contains a unique public key and a digital
`signature from a trusted certifying authority. Each of the
`applications stored on the smart card is also assigned an
`associated certificate having the digital signature of the
`certifying authority.
`The system also includes a terminal that is capable of
`accessing the smart card. The terminal has at least one
`
`8
`
`8
`
`

`

`5,721,781
`
`3
`compatible application which operates in conjunction with
`at least one corresponding application stored on the smart
`card. The terminal is assigned its own certificate which
`contains a unique public key andthe digital signature from
`the trusted certifying authority. Similarly, the application on
`the terminal is given an associated digital certificate.
`During a transactional session, the smart card and termi-
`nal exchangetheir certificates over an unsecured communi-
`cation path. The path is unsecured in the sense that any party
`can intercept and decipher the message. Following this
`exchange, the smart card and terminal each process the
`other’s certificate to verify the authenticity of the other. After
`this initial authentication, a secure communication path is
`established between the smart card and terminal using
`encryption techniques and each others’ public keys. While
`third parties might still be able to intercept the encrypted
`messages,
`they would not be able to decipher them.
`Thereafter, an application is selected and the application-
`related certificates of the smart card application and terminal
`application are encrypted and then exchanged over the
`secre communication path. The smart card and terminal
`then authenticate the application using the exchanged cer-
`tificates.
`
`Asa further level of security, a unique PIN is assigned to
`the cardholder. During the transactional session, the card-
`holder enters the PIN into the terminal, which then passes
`the PIN to the smart card. The smart card compares this PIN
`with the correct PIN kept in its memory to authenticate the
`cardholder.
`
`According to another aspect of this invention, a multi-
`level security protocol is established based upon the types
`and inherent security of different terminals. The security
`protocol enables the smart card to be used in many diverse
`applications, from transferring large sums of money
`between bank accounts to purchasing a fifty cent soda pop.
`According to the protocol, security levels are assigned to
`different types of terminals. The security levels have asso-
`ciated value limits that are imposed for any transaction
`occurring at the respective terminal. The certificate assigned
`to a particular terminal contains information pertainingtoits
`type. From this information, the smart card can determine
`the security level for that particular terminal. The smart card.
`then limits the value of the transaction in accordance with
`the guidelines associated with the security level.
`According to another aspectof this invention, a smart card
`that is specially configured to operate in the authentication
`system is described. It is noted that although the smart card
`embodiment is preferred, aspects of this invention can be
`implemented in other embodiments of portable information
`devices, such as personal digital assistants, pages, and
`electronic programmable watches.
`According to another aspect of this invention, a method
`for authenticating a transaction between a smart card and
`terminal is also disclosed.
`
`According to yet another aspect of this invention, a
`method for conducting a smart card transaction using a
`multi-level security protocol is described.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`FIG. 1 is a diagrammaticillustration of a smart card.
`FIG. 2 is a block diagram of a microcontroller integrated.
`circuit used in the FIG. 1 smart card.
`
`FIG. 3 is a diagrammatic illustration of an authentication
`system in the context of an ATM banking system according
`to an example embodimentof this invention.
`
`4
`FIG.4 is a diagrammatic illustration of an initial step of
`an authentication process of this invention involving the
`exchange of digital certificates between a smart card and
`terminal.
`
`FIG. 5 is a diagrammatic illustration of another step of the
`authentication process involving the exchange of
`application-related digital certificates between a smart card
`and terminal.
`FIG.6 is a diagrammatic illustration of another step of the
`authentication process involving the authentication of a
`cardholder via his or her PIN.
`FIGS. 7 and 8 present a flow diagram of a method for
`authenticating a transaction between a smart card and a
`terminal.
`FIG. 9 is a flow diagram of a method for conducting a
`smart card transaction using a multi-level security protocol
`according to another aspect of this invention.
`DETAILED DESCRIPTION OF THE
`PREFERRED EMBODIMENT
`
`This invention concerns authentication schemes and is
`described in the preferred context of smart cards. However,
`this invention may be used in conjunction with other small
`programmable portable information devices, in place of
`smart cards. Such portable information devices include
`pagers, personal digital assistants, personal
`information
`managers, and programmable watches. One notable watch
`that can be used in the context of this invention is the
`commercially available Timex® Data-Link® watch. As
`used herein, “portable information device” means a small,
`portable, electronic apparatus that has limited processing
`capabilities, limited or no power resources, limited rewrit-
`able memory capacity, and is designed to interface with
`external read/write equipment.
`FIG. 1 shows a smart card 10. It is the size of a credit card
`and has a built-in microcontroller (MCU) 12 which enables
`the card to modify, or even create, data in response to
`external stimuli. Microcontroller 12 is a single wafer inte-
`grated circuit (IC) which is mounted on an otherwiseplastic
`credit card. Conductive contacts 14 are shown formedon the
`IC to enable interfacing to external read/write equipment. In
`other embodiments, however, the smart card can be config-
`ured without physical contacts. Such contactless cards
`receive information via proximity couplings (e.g., magnetic
`coupling) or via remote coupling (e.g., radio
`communication). A smart card is physically constructed in
`accordance with the international standard ISO-7816 which
`governs size and bendable limits of the plastic card, as well
`as size and location of the silicon integrated circuit.
`FIG. 2 shows smart card microcontroller IC 12 in more
`detail. It includes a CPU 20, a volatile rewritable RAM
`(Random Access Memory) 22, a ROM (Read Only
`Memory) 24, and an EEPROM (Electrically Erasable Pro-
`grammable ROM) 26. A set of I/O ports 28 are internally
`coupled to CPU 20 to supply data and control information
`that are received from the external accessing equipment. As
`an example, clock, reset, power, data I/O, and ground are
`provided at I/O ports 28. One suitable microcontroller-based
`single-wafer IC that can be used in smart cards is available
`from Motorola Corporation under model number
`MC68HCO05SC21. In this chip, the data I/O is serial.
`In this invention, smart card 10 contains multiple different
`applications and can be concurrently used in manydifferent
`domains. For instance, smart cards can be used to store
`financial data for banking purposes, maintain medical infor-
`mation for use by health care providers, track frequent flyer
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`45
`
`50
`
`55
`
`65
`
`9
`
`9
`
`

`

`5,721,781
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`5
`mileage for the cardholder or airline, permit selective
`entrance into secure facilities, manage electronic benefits, or
`organize account information for routinely paid services
`such as cable TV. ROM 24 stores the multiple applications.
`This invention concerns an authentication system which
`verifies the authenticity of the interested componentsprior to
`conducting a transaction. For purposes of continuing
`discussion, aspects of this invention will be described in the
`context of employing smart cards to manage financial data.
`In this context, one of the applications stored on the smart
`cards relates to managing banking and otherfinancial data.
`FIG. 3 showsa smart card authentication system 30 in the
`context of an ATM banking system. Smart card authentica-
`tion system 30 includes smart card 10 and a smart card
`terminal 32, which is embodied as an ATM. The ATM has a
`card reading slot 34, a keypad 36, and a display 38. The
`terminal has software resident thereon, or on a remote
`on-line computer, which consists of at least one application
`that is compatible, and operates in conjunction, with the
`correspondingfinancial application stored on the smart card.
`When the cardholder wishes to make a financial
`transaction, the cardholder begins a transactional session by
`inserting smart card 10 into a card reading slot 34 of the
`ATM.A “session”is the period of time that the smart card
`is inside terminal 32. The session commences with a system
`startup phase. Since smart card 10 has no power supply of
`its own, the system startup phase consists of supplying |
`powerto the card and performing a “cold” bootto establish
`communication between the card and terminal. The terminal
`sends a reset signal and the card respondsto the reset signal
`to establish communication modes and options.
`Since the smart card 10 stores multiple applications, a
`target application is selected from among the multiple appli-
`cations. In the continuing example, the target application is
`the financial application. The target application might be
`selected in a number of ways, including both manual and
`automated techniques. For example, the smart card itself
`might select the target application that is suited for the
`particular terminal. Alternatively, the terminal might decide
`which of the applications stored on the smart card is com-
`patible with the application resident at the terminal. As
`another example,
`the user might select the appropriate
`application at the beginning of a session.
`Thereafter, the smart card and terminal enter the authen-
`tication phase which is the primary subject of the this
`invention. During the authentication phase,
`the terminal
`verifies that it is communicating with an authorized smart
`card, and the smart card verifies that it is talking to an
`authorized terminal. According to an aspect of this
`invention, the authentication phase further authenticates the
`selected target application that is resident on the smart card
`as well as the compatible application resident on the termi-
`nal. Moreover,the authentication techniqueof this invention
`authenticates the cardholder to the smart card. This mullti-
`level authentication promotes highly secure transactions.
`To enable such high security authentication, the authen-
`tication schemeof this invention involves assigning unique
`identifications to the smart card, terminal, cardholder, and
`each application on the card. At their simplest form, the
`unique identifications might consist of special passwords
`assigned to each of these participants. In the preferred
`implementation, however,digital certificates are assigned to
`the smart card, terminal, cardholder, each application on the
`card, and the application(s) stored on the terminal. A digital
`certificate is a packet of unique information in digital data
`form that is used for identification of a party in the encryp-
`
`45
`
`50
`
`55
`
`65
`
`6
`tion arena. The certificate is issued by an independent and
`trusted third party, known as the “certifying authority”.
`Every participant, including the smart card, the terminal, and
`the cardholder, trust the certifying authority. Example cer-
`tifying authorities in the financial environment include the
`federal reserve or a bank.
`
`Eachassigned certificate contains an expiration date, the
`holder’s serial number, a public encryption key unique to the
`holder,information pertaining to the domain or environment
`within which the holder may operate (e.g., financial, fre-
`quent flyer, health, etc.), and any other information appro-
`priate to establish communication. Thus, the smart card has
`its own unique public key, as does the terminal and each
`application.
`Before continuing discussion on the authentication
`system, it would be beneficial to briefly discuss encryption
`techniques, and how the digital certificates are used. There
`are different encryption techniques available and in use
`today. This invention can be used with any type of encryp-
`tion technique. For the sake of explanation, the basics of one
`common encryption technique known as “RSA” (ap acro-
`nym based on the initials of the creators of the encryption
`algorithm) are described below.
`RSAencryption makes use of special mathematical func-
`tions referred to as “one-way” functions. According to
`one-way functions, one or more starting parameters can
`undergo a function to yield an intelligible result, but the
`inverse function operating on this result will not produce the
`starting parameters. In mathematical terms, a one-way func-
`tion is represented as follows:
`
`F(a)=b, but F71(byza.
`
`Such functions are used to produce private and public
`keys which are assigned to every party that wishes to
`participate in encrypting messages. The key set is unique
`and has the property that if one knowsthe public key K,,,,,-5
`one cannot guess the private key K_,,,are- The public key
`K,sie is published for everyone to use, while the private
`key K,,ivae is kept secret by the holder.
`For a message M that is encrypted via an encryption
`function E using one of the keys K, the following holds for
`this function:
`
`E(Rpatio M)=Menerypred_a
`
`E(Kprivater Mencrypted_1
`
`but,
`
`E(Kyatio Mencrypred_a)#M
`
`Additionally,
`
`E(Korivates M)=Mencrypted_2
`
`E(Kpustic Menerypred_2-M
`
`but,
`
`E(Kyrivater Menceyped_2)#M
`
`Accordingly, in the context of our ATM example, if the
`smart card encrypts a message using the terminal’s public
`key, only the terminal can decrypt it. Conversely, if the smart
`card encrypts a message using its private key (which only
`the smart card can do since no one else has access to this
`private key), any other party can decrypt the text using the
`smart card’s public key which is widely known.
`
`10
`
`10
`
`

`

`5,721,781
`
`7
`the smart card uses the
`To establish communication,
`terminal’s public key that it received in the terminal’s
`certificate to send a message. Only the terminal can decrypt
`the message usingits private key. Similarly, the terminal can
`encrypt a reply message using the smart card’s public key
`and only the smart card can decrypt the message. This raises
`a new issue. When the terminal or smart card receives an
`encrypted message that is supposedly from the other, how
`does the receiving party really know if it came from the
`other?.
`To solve this dilemma, encryption algorithms introduce
`“digital signatures” which are employed to ensure that the
`appropriate parties are communicating with each other.
`Thus, when the smart card encrypts a message using the
`terminal’s public key,it tags a personalized digital signature
`onto the message. The smart card encrypts the combined
`message using its own private key. The resulting commu-
`nication is represented as follows:
`
`E(Ksc_private: E(Ke_pubtier M)+SC Signature)
`
`The terminal receives the communication and decrypts it
`using the smart card’s public key. This decryption yields a
`scrambled part that contains the encrypted message and a
`legible part that consists of the smart card’s signature. Since
`the communication was decrypted using the smart card’s
`public key, it follows from the above discussion of the
`one-way encryption function E that only the smart card
`(using its private key} could have encrypted the entire
`communication. Thus, upon seeing the smart card’s digital
`signature, the terminal is assured that the communication
`truly came from the smart card. The terminal discards the
`digital signature and then decrypts the other part using its
`own private key to obtain the original message M.
`Note that any party can intercept the communication
`betweenthe smart card and terminal and use the smart card’s
`public key to determine that the communication came from
`the smart card. However,
`that intercepting party cannot
`decipher the encrypted message because they do not know
`the terminal’s private key.
`This encryption scheme therefore ensures for the receiv-
`ing party (ie., the terminal in this example) that the com-
`munication is from the desired sending party (i.e., the smart
`card) and that only the receiving party can read the original
`message.
`The encryption scheme only works, however, if the ter-
`minal and smart card trust each other’s identity.
`Accordingly, the “certifying authority” is introduced as a
`trusted third party to the transaction. The terminal and smart
`card each prove their identity to the satisfaction of the
`certifying authority and deposit their public keys with this
`authority. In turn, the certifying authority issues a digital
`certificate that contains an expiration date, the holder’s serial
`number, a public encryption key unique to the holder,
`information pertaining to the domain or environment within
`which the holder may operate(e.g., financial, frequentflyer,
`health,etc.), and any other information appropriate to estab-
`lish communication. The identification information is
`encrypted using the certifying authority’s private key, as
`follows:
`
`Certificate=E(Ke4_privare: “Expiration, Card Serial#, Kse_pubtics
`etc”)
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`45
`
`50
`
`55
`
`During the initial communication in the authentication
`phase, the smart card and terminal exchange their certifi-
`cates. Both the smart card and terminal decipher the other’s
`certificate using the certifying authority’s public key. The
`
`65
`
`8
`smart card and terminal can be assured that it is the other
`legitimate party if the certificate deciphers into intelligible
`information. It is practically impossible for either the ter-
`minal or smart card to construct a fraudulent certificate
`because neither knows the private key of the certifying
`authority.
`To continue discussion of the authentication process of
`this invention, please refer to FIGS. 4-6 which diagram-
`matically illustrate authenticating a financial transaction at
`an ATM smart card terminal. Following the startup phase,
`smart card 10 and terminal 32 exchange their respective
`certificates as shown in FIG.4. More particularly, smart card
`10 sends its card-related certificate 40 to terminal 32 and the
`terminal sends its terminal-relates certificate 42 to smart
`card 10. These initial certificates are sent over an open,
`unsecured channel.
`It is noted that the communication channel in an ATM is
`likely to be a direct or proximal coupling between the smart
`card and terminal. However, in another implementation, a
`terminal might be communicating remotely with a personal
`digital assistance or watch via radio or optical communica-
`tion. Accordingly, this invention contemplates various elec-
`tronic and communication meansfor exchanging certificates
`over an unsecured communication path, including direct and
`remote coupling. An example direct exchanging means
`includes hardware and software in the terminal’s and smart
`card’s CPUsfor coordinating digital transfer of certificates
`over physical conductors present in both the terminal and
`smart card. Example remote exchanging means include
`components (hardware, software,
`transmitters, receivers,
`etc.) used to enable the swapping ofcertificate using optical
`transmission, radio transmission, magnetic transmission, or
`infrared transmission.
`As shown in FIG.5, terminal 32 and smart card 10 use the
`certificates to establish the authenticity of each to the other.
`The smart card, for example, has decryption firmware
`loadedin its CPU to decipherthe certificate from terminal 32
`using the certifying authority’s public key in the manner
`described above. The smart card CPU learns the identity of
`the terminal from the decipheredcertificate. This permits the
`smart card to verify the authenticity of the terminal. The
`terminal has a similar intelligence to verify the authenticity
`of the smart card.
`The smart card and terminal also use each others’ public
`keys obtained from the certificates to create an encrypted
`communication channel 44 that
`is secure to outsiders.
`Although outsiderscanstill intercept messages, they will not
`be able to decipher them for the reasons given above during
`discussion of basic encryption schemes.
`FIG.5 also shows a second authentication level according
`to this invention. Once communication between the smart
`card and terminal is established, one of the many applica-
`tions stored on the smart card is selected. In our continuing
`example, the financial/banking application on the card is
`selected from among other applications (such as frequent
`flyer mileage, health care, etc.) to interface with the com-
`patible financial/banking application resident at the ATM
`terminal. The application-related certificates 46 and 48 asso-
`ciated with the selected application are then exchanged
`between terminal 32 and smart card 10 over encrypted
`channel 44. These application-related certificates 46 and 48
`are used to authenticate the applications resident at the
`terminal and smart card. That is, the decryption and verifi-
`cation firmware in the smart card CPU and similar software
`at the terminal use the identification information in the
`exchangedapplication-related certificates to authenticate the
`selected card application and the compatible terminal appli-
`cation.
`
`11
`
`11
`
`

`

`5,721,781
`
`9
`The additional, application level of authentication
`enhances security by preventing an unscrupulousparty from
`placing a fake application on an otherwise authenticated
`terminal or smart card. For instance, a high-tech thief might
`try to program a smart card with an imitation application
`