Case 6:21-cv-01101-ADA Document 25-15 Filed 04/14/22 Page 1 of 67

EXHIBIT O

PCT

WORLD INTELLECTUAL PROPERTY ORGANIZATION
International Bureau

INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)

(51) International Patent Classification 7: H04K
(11) International Publication Number: WO 00/52866
(43) International Publication Date: 8 September 2000 (08.09.00)
(21) International Application Number: PCT/US00/04819
(22) International Filing Date: 25 February 2000 (25.02.00)
(30) Priority Data: 09/260,384, 2 March 1999 (02.03.99), US
(71) Applicant: ESIGN, INC. [US/US]; 50 Airport Parkway, San Jose, CA 95110 (US).
(72) Inventor: WANG, Ynjiun; 50 Airport Parkway, San Jose, CA 95110 (US).
(74) Agents: ASHBY, David, C. et al., Flehr, Hohbach, Test, Albritton & Herbert LLP, Suite 3400, 4 Embarcadero Center, San Francisco, CA 94111-4187 (US).
(81) Designated States: AE, AL, AM, AT, AU, AZ, BA, BB, BG, BR, BY, CA, CH, CN, CR, CU, CZ, DE, DK, DM, EE, ES, FI, GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, JP, KE, KG, KP, KR, KZ, LC, LK, LR, LS, LT, LU, LV, MA, MD, MG, MK, MN, MW, MX, NO, NZ, PL, PT, RO, RU, SD, SE, SG, SI, SK, SL, TJ, TM, TR, TT, TZ, UA, UG, UZ, VN, YU, ZA, ZW, ARIPO patent (GH, GM, KE, LS, MW, SD, SL, SZ, TZ, UG, ZW), Eurasian patent (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), European patent (AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE, IT, LU, MC, NL, PT, SE), OAPI patent (BF, BJ, CF, CG, CI, CM, GA, GN, GW, ML, MR, NE, SN, TD, TG).

Published
Without international search report and to be republished upon receipt of that report.

(54) Title: PORTABLE ELECTRONIC CHARGE AND AUTHORIZATION DEVICES AND METHODS THEREFOR

ELECTRONIC TRANSACTION SYSTEM

(57) Abstract
A portable transaction arrangement for permitting a user to conduct a charge card transaction vis-a-vis a charge card terminal of an electronic transaction system. The charge card terminal is configured to communicate with a charge card for the purpose of conducting the charge card transaction. The charge card is one of a magnetic stripe card and an electronic smart card. The portable transaction arrangement includes an emulation card having an emulation card interface. The emulation card interface emulates an interface of the charge card. The interface of the charge card facilitates communication between the charge card and the charge card terminal. There is also included a portable emulation card configuring device arranged to be used in conjunction with the emulation card, which in turn includes a memory configured to store first charge card data pertaining to a first charge card of the user, and an authentication mechanism. The portable emulation card configuring device is configured to write from the memory the first charge card data to the emulation card if the user is authenticated through the authentication mechanism, thereby allowing the emulation card to appear through the emulation card interface, after writing and for the purpose of conducting the transaction, like the first charge card to the charge card terminal and enabling the charge card terminal to read the first charge card data from the emulation card to conduct the charge card transaction.
`
`
`
FOR THE PURPOSES OF INFORMATION ONLY

Codes used to identify States party to the PCT on the front pages of pamphlets publishing international applications under the PCT.
PORTABLE ELECTRONIC CHARGE AND AUTHORIZATION DEVICES AND METHODS THEREFOR

Background of the Invention

The present invention relates to methods and apparatus for conducting electronic transactions. More particularly, the present invention relates to portable electronic authorization devices (PEADs) which advantageously and substantially eliminate the security risks associated with prior art techniques of approving transactions between a user and an electronic transaction system.

Electronic transaction systems are known. An electronic transaction system typically permits a user to conduct designated transactions electronically, which substantially improves efficiency and convenience to the user. Examples of electronic transactions include transactions conducted via computer networks, automated teller machines (ATM’s), automated point-of-sale systems, automated library systems, and the like. Transactions conducted via computer networks may encompass a wide range of transactions, including exchanging information and data via a computer network popularly known as the Internet, e.g., to make a purchase from a vendor on the network. ATM’s typically permit users to conduct financial transactions (such as withdrawals, transfers, deposits, and the like) vis-a-vis a financial institution in an electronic manner. Automated point-of-sale systems may be employed by merchants to permit users to purchase products or services using the users’ electronic account, and automated library systems may be employed to permit library users to check out and return library materials. Other examples of electronic transaction systems are readily available in popular literature and are not enumerated herein for brevity’s sake.

To enhance security to the user’s account, electronic transaction systems typically request the user to provide identification data to authenticate himself as the user authorized to approve the proposed transaction or transactions. If the user fails to provide the requested identification data, the proposed transaction or transactions are not authorized and will not be processed. The identification data may be required with each transaction. By way of example, an automated point-of-sale system may require the user to approve a purchase transaction and will accept an approval message only if it is satisfied that the person approving the transaction has furnished adequate identifying data authenticating himself as the person authorized to perform the approval. Alternatively, the identification data may be entered by the user at the start of a session to authenticate himself and enable that user to subsequently perform any number of transactions without further authentication.

In the prior art, users are typically required to manually enter the identification data into the electronic transaction system for authentication. Typically, the entry of identification data involves typing in a password on a numeric keypad or on a keyboard. The identification data is then compared with data previously stored within the electronic transaction system, and authentication is satisfied when there is a match. As mentioned previously, the transaction or transactions proposed will not be allowed to proceed if there is no match.

Although prior art electronic transaction systems provide some protection from unauthorized access and use of the user’s account, there are disadvantages. To illustrate certain disadvantages associated with prior art electronic transaction systems, reference may be made to Fig. 1 herein. Fig. 1 shows an automated teller machine (ATM) 100, representing the requesting device of an electronic transaction system 102. Electronic transaction system 102 may include, for example, a central database 104 which contains previously-stored identification data and account data of user 106.

To initiate a typical transaction with ATM 100, user 106 first inserts a data card 107, such as a bank card or a credit card, into a card reader 109. Data card 107 typically includes a magnetic stripe that contains the account number and other information related to the user, which may then be read by card reader 109. The data stored in data card 107 enables electronic transaction system 102 to ascertain which account in database 104 user 106 wishes to transact business.

Via a keypad 108 on ATM 100, user 106 may then be able to enter his identification data, e.g., his personal identification number (PIN), to authenticate himself. If the entered identification data matches the identification data stored with the account in database 104 that is identified by data card 107, the user is authenticated and granted access to his account. If there is no match, authentication fails. After authentication, user 106 may be able to, for example, employ a combination of keypad 108 and a screen 110 to withdraw cash from his account, which results in cash being dispensed from ATM 100 and the balance in his account within database 104 correspondingly reduced.

Theoretically, the identification data entered into ATM 100 should be secure. In reality, there are many potential security risks to the identification data in prior art authentication techniques. Since the identification data is not encrypted before being entered into ATM 100, the non-encrypted identification data is vulnerable to unauthorized access and procurement. Encryption of the identification data is not practical in the prior art since it would have been too complicated and/or inconvenient for the user to perform encryption or memorize the encrypted identification data. Unauthorized procurement of the identification data in the prior art may occur, for example, upon entry if it is inadvertently seen by another party, e.g., by another person behind user 106, either on screen 110 or more likely at keypad 108.

Even if encryption is employed on the identification data in the prior art, e.g., prior to transmission from ATM 100 to database 104, the encryption typically occurs within ATM 100 and still requires the entry of non-encrypted identification data from user 106 and the existence of the identification data for some duration of time in ATM 100. Unauthorized access to the identification data may then occur if an unauthorized party is able to gain entry into ATM 100 and intercepts, e.g., via software or hardware implemented in ATM 100, the non-encrypted identification data therein.

Furthermore, if public key cryptography is employed within ATM 100, the storage of the user’s private key within ATM 100 renders this private key vulnerable to theft, further exposing the user’s account to risk. The stolen password and/or private key may then be employed to allow unauthorized persons to access the user’s account to the user’s detriment.

In view of the foregoing, there are desired apparatus and methods for conducting transactions with the electronic transaction system while substantially eliminating the risk of unauthorized access to the user’s account and unauthorized procurement of the user identification data. Preferably, such an apparatus should be easily portable to permit the user to conveniently and comfortably perform transaction authentication anywhere.
`
Summary of the Invention

The invention relates, in one embodiment, to a portable transaction arrangement for permitting a user to conduct a charge card transaction vis-a-vis a charge card terminal of an electronic transaction system. The charge card terminal is configured to communicate with a charge card for the purpose of conducting the charge card transaction. The charge card is one of a magnetic stripe card and an electronic smart card. The portable transaction arrangement includes an emulation card having an emulation card interface. The emulation card interface emulates an interface of the charge card. The interface of the charge card facilitates communication between the charge card and the charge card terminal. There is also included a portable emulation card configuring device arranged to be used in conjunction with the emulation card, which in turn includes a memory configured to store first charge card data pertaining to a first charge card of the user, and an authentication mechanism. The portable emulation card configuring device is configured to write from the memory the first charge card data to the emulation card if the user is authenticated through the authentication mechanism, thereby allowing the emulation card to appear through the emulation card interface, after writing and for the purpose of conducting the transaction, like the first charge card to the charge card terminal and enabling the charge card terminal to read the first charge card data from the emulation card to conduct the charge card transaction.

In another embodiment, the invention relates to a method for permitting a user to conduct a charge card transaction vis-a-vis a charge card terminal of an electronic transaction system. The charge card terminal is configured to interface with a charge card for the purpose of conducting the charge card transaction. The charge card is one of a magnetic stripe card and an electronic smart card. The method includes providing an emulation card having an emulation card interface. The emulation card interface emulates an interface of the charge card. The interface of the charge card facilitates communication between the charge card and the charge card terminal. There is included providing a portable emulation card configuring device configured to be used in conjunction with the emulation card, which includes a memory configured to store first charge card data pertaining to a first charge card of the user, and an authentication mechanism. The portable emulation card configuring device is configured to write from the memory the first charge card data to the emulation card if the user is authenticated through the authentication mechanism, thereby allowing the emulation card to appear through the emulation card interface, after writing and for the purpose of conducting the transaction, like the first charge card to the charge card terminal and enabling the charge card terminal to read the first charge card data from the emulation card to conduct the charge card transaction.

In yet another embodiment, the invention relates to a method for permitting a user to approve an internet transaction request vis-a-vis a user computer terminal coupled to the internet. The internet transaction request is generated by a first computer coupled to the internet. The method includes sending first digital data from the first computer to the user computer terminal, the first digital data representing the internet transaction request. The method further includes receiving at a second computer coupled to the internet second digital data. The second digital data is manually entered by the user via the user computer terminal. The second digital data represents user-readable encrypted transaction approval data signifying the user’s approval of the internet transaction request that is encrypted using a private key of the user by one of a portable electronic authorization device (PEAD) and a portable electronic charge and authorization device (PECAD) from information input by the user into the one of the portable electronic authorization device (PEAD) and the portable electronic charge and authorization device (PECAD). The method additionally includes decrypting, after receiving, the second digital data using a public key of the user.

In yet another embodiment, the invention relates to a computer-implemented method for registering a user of a specific electronic encryption device configured to encrypt data in accordance with a public key encryption scheme. The method includes providing a list of public keys and identification information pertaining to a plurality of electronic encryption devices in a computer database, individual ones of the list of public keys being associated with individual ones of a plurality of electronic encryption devices. The method additionally includes receiving device identification data from the user. The device identification data identifies the specific electronic encryption device. There is also included receiving encrypted user identification data to ascertain an identity of the user. Additionally, there is included associating the device identification data with the specific electronic encryption device in the database, thereby ascertaining a specific public key associated with the specific electronic encryption device from the database. Further, there is included decrypting the encrypted user identification data using the specific public key, and associating the user with the specific electronic encryption device in the database if the decrypting is successful.

These and other advantages of the present invention will become apparent upon reading the following detailed descriptions and studying the various figures of the drawings.
`
Brief Description of the Drawings

To facilitate discussion, Fig. 1 shows a prior art electronic transaction system, including an automated teller machine (ATM).

Fig. 2 illustrates, in accordance with one embodiment of the present invention, a portable electronic authorization device (PEAD), representing the apparatus for securely approving transactions conducted vis-a-vis an electronic transaction system.

Fig. 3A shows, in one embodiment of the present invention, a simplified schematic of the PEAD of Fig. 2.

Fig. 3B shows, in one embodiment, the format of representative transaction approval data.

Fig. 4 illustrates, in accordance with one embodiment of the present invention, a logic block schematic of the PEAD.

Fig. 5A represents, in accordance with one embodiment of the present invention, a high level hardware implementation of the PEAD.

Fig. 5B illustrates one implementation of a PEAD wherein the PEAD circuitries are implemented on an IC.

Fig. 5C represents an external view of the PEAD of Fig. 5B after being embedded in a card-like package.

Fig. 6A illustrates an external view of the PEAD in accordance with a preferred embodiment of the present invention.

Fig. 6B illustrates, in a simplified manner and in accordance with one aspect of the present invention, the hardware for implementing the PEAD of Fig. 6A.

Fig. 7 is a flowchart illustrating, in accordance with one aspect of the present invention, the approval technique employing the inventive PEAD.

Fig. 8 is a flowchart illustrating, in accordance with one aspect of the present invention, steps involved in encrypting transaction approval data using a public key cryptography technique.

Fig. 9 illustrates, in accordance with one aspect of the present invention, a simplified block diagram of a portable electronic charge and authorization device (PECAD).

Fig. 10 is a simplified view of a PECAD, including an emulation card disposed therein, in accordance with one embodiment of the present invention.

Fig. 11 is a simplified flowchart, illustrating in accordance with one embodiment, how a transaction number may be employed in conjunction with a PECAD system to improve transaction security.
`
Detailed Description of the Preferred Embodiments

Fig. 2 illustrates, in accordance with one embodiment of the present invention, a portable electronic authorization device (PEAD) 200, representing the apparatus for securely approving transactions conducted vis-a-vis an electronic transaction system. With reference to Fig. 2, requesting device 202 may initiate a transaction approval process with PEAD 200 by transmitting to PEAD 200, via communication port 204, a transaction request pertaining to a proposed transaction. Requesting device 202 may represent, for example, an ATM machine, a computer terminal in a network, an automated library check-out terminal, or similar devices for permitting the user to transact business with the electronic transaction system. The proposed transaction may be, for example, a sale transaction of a particular item for a certain amount of money. The transaction request itself may include, for example, the transaction ID, the merchant’s name, the merchant’s ID, the time of the proposed purchase, and the like. In one embodiment, the transaction request from requesting device 202 may be encrypted for enhanced security but this is not required. Data pertaining to the proposed transaction reaches PEAD 200 via path 206 in Fig. 2.

Port 204 may represent an infrared port to facilitate infrared communication with PEAD 200. Alternatively, port 204 may represent a wireless port for facilitating wireless communication. Port 204 may even represent a contact-type connection port, such as a magnetic read/write mechanism or a plug having electrical contacts for directly plugging PEAD 200 into port 204 to facilitate communication. Other techniques to facilitate communication between requesting device 202 and PEAD 200 are readily appreciable to those skilled.

The data pertaining to proposed transaction(s) may then be reviewed by the user, either on a screen 208 of requesting device 202 or optionally on a display screen provided with PEAD 200 (not shown in Fig. 2). If the user approves the transaction, e.g., a purchase of an item for a given amount of money, the user may then signify his approval by activating a switch 210 on PEAD 200, which causes an approval message to be created with the user’s identification data, encrypted and transmitted back to requesting device 202 via path 212. If the transaction is not approved, the user may simply do nothing and let the transaction request time out after an elapsed time or may activate another switch on PEAD 200 (not shown in Fig. 1), which causes a reject message, either encrypted or non-encrypted, to be transmitted back to the requesting device 202 via path 212.

The present invention is different from the prior art technique of Fig. 1 in that the user is required in the prior art to enter his identification data into the electronic transaction system, e.g., into ATM 100, to authenticate himself. In contrast, the present invention keeps the identification data related to the user secure within PEAD 200 at all times. Transaction approval occurs within PEAD 200, and the data representing such approval is encrypted, again within PEAD 200, prior to being transmitted to the electronic transaction system, e.g., to requesting device 202 in Fig. 2.

Accordingly, even if the approval data is intercepted, its encryption would prevent unauthorized users from employing the identification data for illicit purposes. If public key cryptography is employed to encrypt the approval data, the user’s private key is also always kept within PEAD 200. Since the user’s private key is required for encryption and is unknown to others, even to the electronic transaction system in one embodiment, the encrypted approval data, if intercepted, would be useless to unauthorized third parties even if the approval data can be deciphered using the user’s public key. Again, this is different from prior art authentication techniques wherein encryption takes place within the electronic transaction system and requires the entry of the identification data and/or reading the user’s private key from the ID card such as an ATM card, a credit card, and the like. As mentioned earlier, the fact that the prior art electronic transaction system requires this identification data and/or user’s private key exposes these data to risks, e.g., if the requesting device is not secure or open to data interception via software or hardware.
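The approval flow described above can be modelled end to end. This is an added example, not code from the patent or the applicant: the class names, field names, transaction values and the key are assumptions, and the "encrypt with the private key, decipher with the public key" step is modelled as a textbook RSA signature over a SHA-256 digest using a constructed, deliberately insecure demo key. Sending only a digest of the identification data is also an assumption of this sketch.

```python
import copy
import hashlib
import json

# Constructed demo key: two publicly known Mersenne primes, so the example runs
# on the standard library. Insecure by design; a real device would generate and
# keep its own key pair and use a padded signature scheme.
_P, _Q, _E = 2**521 - 1, 2**607 - 1, 65537


def _digest(fields: dict) -> int:
    """SHA-256 over a canonical encoding, so both sides hash identical bytes."""
    data = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


class Pead:
    """Hypothetical model of PEAD 200. The private exponent and the user
    identification data are set once and never returned by any method."""

    def __init__(self, device_id: str, user_id_data: str):
        self.device_id = device_id
        self.public_key = (_P * _Q, _E)
        self.__d = pow(_E, -1, (_P - 1) * (_Q - 1))
        self.__user_id_data = user_id_data
        self.__pending = None

    def receive_request(self, request: dict) -> None:
        """Path 206: hold the proposed transaction for the user to review."""
        self.__pending = copy.deepcopy(request)

    def press_approve(self):
        """Switch 210: create the approval and apply the private key on-device."""
        if self.__pending is None:
            return None                      # nothing to approve
        fields = {
            "device_id": self.device_id,
            "request": self.__pending,
            # Assumption: only a digest of the identification data is sent.
            "user_id_digest": hashlib.sha256(self.__user_id_data.encode()).hexdigest(),
        }
        self.__pending = None                # one approval per request
        n, _ = self.public_key
        return {"fields": fields, "sig": pow(_digest(fields), self.__d, n)}


class RequestingDevice:
    """Hypothetical model of requesting device 202 with a public-key registry."""

    def __init__(self, registry: dict):
        self.registry = registry             # device_id -> (n, e)
        self.outstanding = {}                # transaction_id -> request issued

    def new_request(self, transaction_id: str, merchant: str, amount: str) -> dict:
        request = {"transaction_id": transaction_id, "merchant": merchant, "amount": amount}
        self.outstanding[transaction_id] = request
        return copy.deepcopy(request)

    def accept(self, approval) -> bool:
        """Path 212: accept only a fresh approval that verifies under a known key."""
        if not approval:
            return False
        fields = approval["fields"]
        key = self.registry.get(fields.get("device_id"))
        if key is None:
            return False                     # unregistered device
        n, e = key
        if pow(approval["sig"], e, n) != _digest(fields):
            return False                     # altered fields or wrong private key
        request = fields["request"]
        txn = request.get("transaction_id")
        if self.outstanding.get(txn) != request:
            return False                     # not a request this terminal issued
        del self.outstanding[txn]            # an intercepted copy cannot be reused
        return True


def demo() -> dict:
    pead = Pead("PEAD-0001", "constructed identification data")
    atm = RequestingDevice({pead.device_id: pead.public_key})
    results = {"no_press": atm.accept(pead.press_approve())}

    pead.receive_request(atm.new_request("T-1001", "ATM 100", "200.00"))
    approval = pead.press_approve()

    tampered = copy.deepcopy(approval)
    tampered["fields"]["request"]["amount"] = "900.00"
    results["tampered"] = atm.accept(tampered)
    results["valid"] = atm.accept(approval)
    results["replayed"] = atm.accept(approval)
    results["id_data_exposed"] = "constructed identification data" in str(approval)
    return results


if __name__ == "__main__":
    print(demo())
```

The terminal never holds the private exponent or the raw identification data; it only checks the approval against the registered public key and against the request it issued, so an intercepted approval is readable but cannot be altered or replayed.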
`
As another difference, the present invention employs the circuitries within the portable electronic authorization device (PEAD) to perform the approval and encryption of the transaction approval data within the PEAD itself. In contrast, prior art data cards are essentially passive devices. For example, prior art ATM cards or credit cards only have a magnetic stripe for storing account information and do not have any facility to perform approval and/or encryption of the transaction approval data. While smart cards or IC cards, which are currently being developed, may contain electronic circuitries, current standards for their implementation still require a reader associated with the requesting device to read out the identification data and/or user’s private key in order for the requesting device to perform any approval and/or encryption. As mentioned earlier, the transmission of these data to the requesting device unnecessarily exposes these data to risks of theft and/or unauthorized interception once transmitted.

It should be borne in mind at this point that although public key cryptography is discussed throughout this disclosure to facilitate ease of understanding and to highlight a particular aspect of the invention, the overall invention is not limited to any particular cryptography algorithm and may be implemented using any conventional cryptography technique, including public key cryptography algorithms such as RSA, Diffie-Hellman, other discrete logarithm systems, elliptic curve systems, or the like. For additional information on some of the different public key cryptography techniques, reference may be made to, for example, the IEEE P1363/D8 Standard Specifications for Public Key Cryptography dated October 5, 1998, available from IEEE Standards Dept. 345 East 7th Street, New York, New York 10017-2349.

As mentioned, transaction approval in the prior art occurs within the electronic transaction system. In contrast, the present invention allows transaction approvals to occur within PEAD 200. The fact that transaction approvals occur entirely within PEAD 200 provides many advantages. By way of example, this feature eliminates the need to have, in one embodiment, the identification data and/or the user’s private key in the requesting device. The fact that transaction approvals occur entirely within PEAD 200 (using the user identification data and/or the user’s private encryption key that are always kept secure within PEAD 200) substantially enhances the confidentiality of the user identification data and the user’s private key, as well as the integrity of the transaction approval process.

Since approval occurs entirely within PEAD 200, the user identification data that is employed to authenticate transactions may be more complicated and elaborate to ensure greater security. By way of example, the user identification data may be more elaborate than a simple password and may include any of the user’s name, his birth date, his social security number, or other unique biometrics or unique identifying data such as fingerprint, DNA coding sequence, voiceprint, or the like. In contrast, prior art authentication techniques limit the user identification data to simple patterns, e.g., simple password of few characters, that are easily memorized by the user since more elaborate identification data may be too difficult to remember or too cumbersome to manually enter. Furthermore, even if the complicated ID data may be stored in the prior art data card, it is still required to be read into the requesting device of the electronic transaction system, again exposing this data to interception or theft once read.

Additional safeguards, which will be described in detail herein, may also be provided to prevent access, whether electronically or by physical means, to the user identification data and/or the user’s private key within PEAD 200. Since the identification data and/or the user’s private key are never exposed, security risks to these data are substantially minimized.

Fig. 3A shows, in one embodiment of the present invention, a simplified schematic of PEAD 200 of Fig. 2, including switch 210. Data path 206 is provided for receiving transaction requests from the electronic transaction system, and data path 212 is provided for transmitting transaction approval data back to the electronic transaction system. It should be borne in mind that although two data paths are discussed herein for ease of understanding, these data paths and other data paths herein may, in one embodiment, represent logical data paths and may be implemented via a single physical data connection. Likewise, the different ports herein may represent, in one embodiment, logical data ports for ease of understanding and may in fact be implemented using a single physical port.

When a transaction request, e.g., a withdrawal transaction from an ATM machine in the amount of $200.00, is transmitted via data path 206 to PEAD 200, this transaction is received by encryption logic 300. At this point, the user may review the proposed transaction, e.g., via the display screen provided with the electronic transaction system and/or PEAD 200, and has a choice to either approve or disapprove the proposed transaction. If the user approves the transaction, he may, in one embodiment, activate a switch 210, which causes the transaction approval data to be created and then encrypted by encryption logic 300 prior to being transmitted back to the electronic transaction system via path 212.

Note that the user identification data block 302, which is employed in the transaction approval process, is not directly coupled to paths 206 and 212. In other words, the memory portion storing the user identification dat