CA1264855A - Offline pin validation with des - Google Patents

Offline pin validation with des

Info

Publication number
CA1264855A
CA1264855A CA000498312A CA498312A CA1264855A CA 1264855 A CA1264855 A CA 1264855A CA 000498312 A CA000498312 A CA 000498312A CA 498312 A CA498312 A CA 498312A CA 1264855 A CA1264855 A CA 1264855A
Authority
CA
Canada
Prior art keywords
authentication
user
card
tree
values
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CA000498312A
Other languages
French (fr)
Inventor
Stephen M. Matyas
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
International Business Machines Corp
Original Assignee
International Business Machines Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by International Business Machines Corp filed Critical International Business Machines Corp
Application granted granted Critical
Publication of CA1264855A publication Critical patent/CA1264855A/en
Expired - Fee Related legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1016Devices or methods for securing the PIN and other transaction-data, e.g. by encryption
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4012Verifying personal identification numbers [PIN]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions

Abstract

ABSTRACT

A method of offline personal authentication in a multi-terminal system uses a secret user PIN, a secret key and other nonsecret data stored on a customer memory card and a nonsecret validation value stored in each terminal connected in a network. The technique of "tree authentication" is used which employs an authentication tree with an authentication tree function comprising a one-way function.
An authentication parameter is calculated as a function of a personal key and a user identifier read from the user's card and the PIN entered by the user. The calculated authentication parameter is mapped to a verification value using the one-way function to the root of the authentication tree. The verification value obtained by mapping the calculated authentication parameter is then compared with a global verification value stored at the terminal. If the comparison is favorable, the system is enabled for the user;
otherwise, the user is rejected.

Description

s .

OFFLINE PIN VALIDATION WITH DES

Background of the Invention This invention is directed to a method of offline personal authentication involving a secret user personal 5 identification number (PIN), a secret key and other nonsecret data stored on a customer memory card, and a nonsecret va~idation value stored in each terminal connected in a network. Typically, the terminals are connected to a bank which issues the memory card and the terminals are lO automated teller machines (ATM) or point of sale (P~S) terminals. By memory card, what is meant is a card which stores more binary data than currently used magnetic stripe cards but is distinguished from so-called "smart" cards in that it does not incorporate a microprocessor on the card.
The problem solved by the subject invention is that of authenticating a user of a memory card for electronic funds transfer (EFT) systems or point of sale (POS) terminals.
The subject invention is based on a technique of "tree authentication" first suggested by Ralph Merkle. See, for 20 example, the following publications:
Ralph C. Merkle, Secrecy, Authentication, and Public ~ey Systems, UMI Research Press, Ann Arbor, Michigan, 1982.
Ralph C. Merkle, Secrecy, Authentication, and Public Xey Systems, Technical Report No. 1979-1, Information
2~ Systems Laboratory, S~anford University, June 1979.
Ralph C. Merkle, Protocols for Public Key Cryptosystems, Technical Report, BNR, Palo Alto, CA, January 1980.
Ralph C. Merkle, "Protocols for Public Key 30 Cryptosystems," Proceedings of the 1980 Symposium on Security and Privacy, 122-13~, (April 14-16, 1980).
-.. ` ~2~ S~

U.S. Patent NoO 4,309,569 ~o Ralph C. Merkle for "Method of Providing Digital Signatures" discloses a method of providing a digital signature for purposes of authentication of a message. This method utilizes an 5 authentication tree function or a one-way function of a secret number. More specifically, the method according to Merkle provides a digital signature of the type which generates a secret number Xi, where Xi = xil, xi2, xi3, ., xin, computes Yi = F~Xi) and transmits part of Xi to lO the receiver as the digital signature. Merkle characterizes his invention as providing an authentication tree with an authentication tree function comprising a one-way function Of Yi. The root of the authentication tree and the authentication tree function are authenticated at ~he 15 receiver. The Yi and the corresponding authentication path values of the authentication tree are transmitted from the transmitter to the receiver. Finally, the Yi are authenticated at the receiver by computing the authentication path of the authentication tree between the 20 Yi and the rest of the authentication tree.
The Merkle method is specifically intended to be an improvement over a public key cryptosystem proposed by Diffie et al. in "New Directions in Cryptography," IEEE
Transactions on Information Theory, vol. IT-22, no. 6, 25 November 1976, pages 644 to 654, as a means to implement a digital signature and authenticate the true content of a message. In the Diffie et al. scheme, to sign a message m whose size is s bits, it is necessary to compute F(xl) = Yl~
F(x2) = Y2, . O ., F~xs) = y . The transmitter and receiver 30 would agree on the vector Y = y , y , ~ . ., y . If the jth bit of m was a 1, the transmitter would reveal x ; but if the jth bit of m was a 0, the transmitter would not reveal Xj. In essence, each bit of m would be individually signed.
To avoid the possibility of altering m by the receiver, 35 Diffie et al. signed a new message m' that was twice as long 6~85~

as m and computed by concactenating m with the bitwise complement of m. This meant that each bit Tn in the original message was represented by two bits, one of which would not be altered by the receiver.
A major problem of the Diffie et al. method addressed by Merkle was that it was only practical between a single ~air of users. Acc`ordingly-, MerkLels approach provided a signature system of more general application and which rested on the security of a conventional cryptographic lO function. Moreover, Merkle's authentication tree re~uired less storage than the Diffie et al. method. Merkle showed that n values of m bits each could be authenticated on the basis of only m x log2(n) bits of nonsecret information, where "x" denotes multiplication. The one-way function that 15 Merkle ~nvisioned called for-a value-of m = 100, although that is not significant in terms of the raw algorithm. The present invention adapts Merkle's idea of tree authentication to the area of offline EFT/POS banking. I

Summary of the Inventlon It-is therefore an object of the present inventio~ to provide an improved offline PIN authentication technique which is particularly adapted for use in EFT/POS terminals.
It is another object of the invention to provide an of1ine PIN validation technique with the data encryption 25 standard (DES) using a memory card.
According to the invention, there is provi~ed a method of oEfline personal authentication in a multi-terminal system using an improved authentication tree function t cornprising a one-way function. A person to be authen~:icated 30 enters his or her PIN and the tnemory card in a terminal in the multi-terminal syst~m. The information read Er~m the memory card and the PIN are used to calculate an authentica~ion pararneter, 'rhe calculated authentication paratneter is ~hen mapped to a verification value or root of .

the authentication tree using the one-way function. The verification value obtained by mapping the calculated authentication parameter is then compared with a global verification value stored at the terminal.
In the present invention, a secure method of tree authentication is realized with a value of m = 56 with the data encryption standard (DES), i.e., by making the work factor to break the system e~uivalent to that of DES key exhaustion. More specifically, if Yl, Y2, . ' n lO represents n values to be authenticated by the algorithm, then the global nonsecret verification value is calculated via an algorithm that involves all of these n values. With a public key approach, once ~he public and pr~vate key pair ha~ been produced, the secret key can be used to generate 15 the appropriate quantity to ~tore on a memory card without any dependency on the parameters stored on other memory cards That is, if an n+lst user is to be added to the list, the public and secret key pair need not be recalculated; rather, they can be used as is to generate the 20 appropriate quantity to be stored on that new user's memory card. But with the DES solution used in the subject invention, an n+lst user cannot be added to the list without recalculating a new global verification value.
There are ways around this problem. If a bank, for 25 example, is willing to assign a new ID to a customer in cases when his or her PIN and bank card have been compromised, then the original list of n values to be authenticated could include 10 or 20 percent extra IDs and associated values of Y to be authenticated. In that case, 30 when a card and PIN are compromised, the ID is invalidated and a new ID is assigned to the customer and a new PIN and card are issued using one of the precalculated values already available. The old ID is then stored in a "hot list" at each terminal, and in the course of authenticating 35 a user at a terminal, this 'Ihot list" is checked to make :.

31 ~648SS

sure that the ID being used in not invalid. On the other hand, if the bank cannot assign a new ID to a customer, i.e.
the ID remains fixed for the life of that customer, then there can be provided two or more sets of n values and two 5 or more global verification values are stored in the terminal. A user would be assigned a new PIN and a new card to work-off the second-verification value only if the PIN
and card for the first verification value have been compromised. In turn, the user could get a PIN and card to lO work off a third verification value i the PIN and card for the first two verification values have been compromised.
Again, a "hot list" i9 checked to make sure that the PIN
b~lng u~ed and a calculated authenti~ation paratneter are not ~nvalid, Yet anoth~r po~sibility is to have only two sets 15 of values, one primary and one secondary. S$nce there are apt to be very few customers that would be issued ~ore than two cards, these cases could be handled on an exception basis with an authentication table at each EFT/POS terminal.
The table, which might contain a few hundred entries, would 20 consist of the user's ID and his authentication parameter, the latter of which would be calculated from the user's PIN, personal key and nonsecret data stored on the card, and the global secret key in the terminal.
The method according to the invention also requires a 25 large amount o~ storage on the card to store nonsecret data required by the authentication algorithm. Roughly, if there are 2 customers that require offline authentication, then each card must store 56 x n bits of nonsecret data required ; by the authentication algorithm. The card must also store a 30 56 bit secret key and an n-bit number representing the "path" of the calculation. Note that the amount of data stored on the card depends on the number of customers (i.e., it is dependent on n rather than being independent of it).
For example, if there are one million customers in tne bank 35 (roughly equal to 2 ), then there are 56 x 20 = 1120 bits ~64~55 plus a 56-bit key plus a 20-bit "path" required to be stored on the card. However, the algorithm has the property that the number of bits on the card grows only as the log2 of the number of customers. Thus, if a bank wan1:s to service two 5 million customers, it is only necessary to store an additional 56 bits on the card. With a memory card having sufficient storage, the DES approach can be used almost as easily as a public key approach. The Rivest, Shamir and Adleman tRSA) public key algorithm, for example, would lO require a 400-bit value to be stored on the card. This is less than the 1200 or 1300 bits called for by the method according to the present invention, but it is large enough to also require a memory card. In other words, the public key approach can not use the present magnetic stripe card 15 ~ither. The approach taken by the present invention ha~ the adv?ntage oE o~erlng an al~ernative to public key and is based on the proven strengh of the DES.

Brief Description of the Drawing The foregoing and other objects, aspects and advantages 20 of the invention will be better understood from the following detailed description of a preferred embodiment of the invention w.ith reference to the accompanying drawings, in which:
Figure 1 is a block diayram illustrating the one-way 25 function mapping of two 56-bit values to one 56-bit value;
Figure 2 is a simple illustrative example of three tables of authentication parameters;
Figure 3 is similar to Figure 2 but shows the manner in which values are selected from the three tables to be stored 30 on a customer's memory card; and Figure 4 is a flow diagram illustrating the operation of the offline PIN validation according to the invention.
:
;

~Z64~SS

Detailed Description of the Invention Consider first the question of PIN secrecy. Let the encrypted PIN (denoted EPIN) be calculatecl as in Equation 1.
- EPIN = EKGbl tEPIN~ID) ) (1) 5 where PIN is the-entered PIN, ID is the user identifier, and KGbl.is a global-secret key stored in-each EFT/POS terminal.
Let the authentication parameter AP be calculated as in Equation 2.
K P ~9 E P I N ( 2 ) 10 where KP is the user's personal key stored on the card,.the ~ymbol "~" represents an Exclusive OR operation, and "RightS6" is a unction that extracts the rightmost 56 bit~
in the binary variable denoted by.the argument of the function. Equation 2 uses EPIN instead of PIN so that the lS PIN cannot be derived via trial and error at electronic speeds from a lost or stolen card using the public verification value in the EFT/POS terminal. From Equation 2, it is apparent that a new PIN can be issued merely by . calculating a new EPIN using Eguation 1, calculating a new 20 KP via the Equation KP = EPIN 0 KP 0 EPIN , and new new old old reissuing a new card with the new value of KP, i.e., KP
written on the card.
The method of tree authentication makes use of a binary ~ tree. In a tree with 2 final elements or "leaves", there 2~ are 2 different "paths" from the root of the tree to each .~ final leaf and therefore n transitions between levels. A
; tree with n = 3 is shown below:

level 3 X . X X X X X X X
level 2 X X X X
level 1 X X
level 0 X

~ ~6~

If the left branch is denoted by "0" and the right branch by "1", then the tree looks like this:

Index Position 000 001 010 011 100 101 110 111 level 3 0 1 0 1 0 1 0 level 2 0 1 0 level 1 0 level 0 0 The "path" followed in the tree can be represented as a string of "l's" and "0's". For example, starting from the lO root, if we go up to a left branch, then to a right branch, and then to a right branch again, the path is giVerl by the number 011. If, on th~ otheF hand, w0 9O up to a ~i~ht branch, and ~hen up ~o a right branch again, and then up to a left branch, the path is given by the number 110. Thus, 15 the numbers 000, 001, . . ., 111 describe the eight paths in this binary tree.- It should be apparent that these path numbers also represent the index positions, in binary numbers, of the values at the highest level of the tree.
The index position always starts from level zero.
Now, it is assumed that the problem to be resolved is to calculate a single non-secret verification value V from a set of n predefined authentication parameters AP0, APl, AP2, . . ., AP . Suppose for the sake of20this example that log~(n) - 20, i.e., that there are 2 = 1,058,576 25 customers. Note that one can always fill in the tree with dummy entries if need be; that is, where the number of customers is not equal to 2 for some integer i. The n values of AP are mapped to a single root value using a one-way function that involves log2(n) iterations~ At the 30 first iteration, the n = 1,048,576 values are mapped to 524,288 values, the second iteration maps 524,288 values to 262,144 values, and so on until the 20th iteration maps two values to one value. Each application of the one-way ~264~355 function maps two 56-bit values (denoted Yl ~ and Y i h to a single 56-bit vaIue denoted Y as illustrated in new ? Figure 1. A suitable one-way function that maps Yl f and Y - - -to Y is given by Equation 3.
rlght new Right56LY ~ E (Y )I = U
left Right56[Ci] left Right56[Y ~ E ~Y )] = Y
right U rignt new where Ci is a 64-bit variable computed using EquatiOn 4 given hereinafter. At the first iteration, Equation 3 is used to map AP0, APl and a unique codeword C to Y ; i.e., ~ t 0 right is APl. Thi9 output y may be denoted ~P~ 1- Then~ AP2, AP3 and a diEferent codeword C
are mapped to AP using Equation 3, and so forth. At the second iteration, AP0 1' AP2 and yet a different codeword C are mapped to AP0 using Equation 3, and so forth.
15 The operations are ~airIy simple and straightforward. In all, there ~re n-1 calculations involving Equation 3. The final 56-bit value so produced is stored in each EFT/POS
terminal and is used as a global verification value V.
In the example where n = 2 , the 1,048,576 values of 20 AP, namely AP0, APl, . . ., APl 048,575 table designated Table 20, in t~at order~ The 524,288 0,1 2~3 524286,524287 produced at the flrst iteration in that order, are stored in a table at a next level designated Table 19; the 262,144 25 values AP0 1,2,3' 4,5,6,7 262140 262l4l~262l42~262l43~ which are produced at the second l~eration in that order, are stored in a table at a next level designated Table 18; and so on. Thus, the values in Table 20 are processed sequentially using the mapping in 30 Equation 3 to produce the values in Table 19, the values in Table 19 are processed sequentially also using the mapping ln Equation 3 to produce the values in Table 18, and so on.

_.

In a simple example where n = 3, only three tables would be required. The values AP0, APl, . . ., AP7 would be stored in Table 3; the values AP0 1' AP2 3, AP4 5, and AP6 7 would be stored in the table at the next level, namely, 0,1,2,3 4,5,6,7 stored in the table at the next level, namely Table 1, as shown in Figure 2.
Each customer is issued a PIN and a bank card on which is recorded a user identifier ID, a unique secret personal lO key KP, and other information including information that allows a verification value V to be calculated from that customer's authentication parameter AP~ The customer's AP
value i9 a function o~ PIN, ~P, ID, and KGbl as deelcribed above, and is calculat~d via Equations 1 and 2. In the 15 example ~iven in Figure 2 where n - 3, the other information stored on the bank card necessary to allow a veri~ication value V to be calculated would consist of a 56-bit value selected from each of the three tables, i.e. Table 1, Table 2 and Table 3, and a 3-bit index position of the customer's 20 AP value in Table 3.
The rule for determining which 56-bit values must be selected from Tables 1, 2 and 3 for storage on the bank card depends on the index position of ~P in Table 3. If, for example, AP2 is the authentication parameter to be 25 authenticated, then the 3-bit index position equals 010 in binary, and the values AP3, AP0 l' AP4 5 6 7~ and 010, represent the necessary information that must be stored on ; the bank card to allow the verification value V to be calculated. Referring now to Figure 3, there is a diagram 30 illustrating the selected path for obtaining the root or verification value for this tree. The diagram shows the value of the index positions for Tables 1, 2 and 3 and the associated AP value at each such position in each table.
Thus, for the given example, the starting index position is 35 010 and the value of AP is AP . The path traced through the ~LZ~ S;5 tree is represented by the AP values en~losed in triangles whereas the AP values stored on the bank card are enclosed in rectangles. The rule for selecting the three values AP3, AP0 1' and AP4 5 6 7 is as follows. Starting with the index 5 posltion of AP2, i.e. 010, the rightmost bit is inverted and this 3-bit number 011 is used as the index position of the AP value selected from Table 3. This results in selecting AP3/ since the index position of AP2 in Table 3 is just 011.
For convenience~ let the value AP3 selected from Tahle 3 be lO denot~d by Y3 where the subscript on Y is the number oE the table. The number 011 i9 now ghited one bit to ~he righ~, thus producing 01, and the rightmo~t bit is a~ain inve~ted, and this 2-bit number 00 is used as the index position of the AP value selected from Table 2. This results in 15 selecting AP0 1 since the index position of AP0,1 in Table 2 is just 00. For convenience, let the value AP0 1 selected from Table 2 be denoted by Y . The number 00 is now shifted one more bit to the right, thus producing 0, and the rightmost bit is again inverted, and this l-bit number 1 is 20 used as the index position of the AP value selected from Table 1. This results in selecting AP4 5 6 7 since the index position of AP~ 5 6 7 in Table 1 is just 1. For convenience, let the va~ue AP4 5 6 7 selected from Table 1 be denoted by Yl. Thus, the values Y3, Y2, Yl, and the 2~ index position 010 are the values which would be written on the bank card ~or the example where the associated AP value is AP2. In the case where n = 20 described above, iOe.
where 1,048,576 bank cards are issued to customers, each card would have stored on it the values Y20, Ylg, . . ~ 1' 30 and a 20-bit index position in Table 20 of the AP value to be authen~icated. Thus, the amount of information stored on the bank card is variable and depends on the number of customer AP values to be authenticated and therefore on the - size of the authentication tree so produced.
3~ Referring again to Figure 3, the calculation of the 41~55 verification value V from AP, Y3~ 2~
position number (010 in the example) is as follows. This is the calculation performed in the EFT/POS terminal to authenticate a cardholder. The information on the card is, 5 of course, first read into the EFT/POS terminal. If the rightmost bit of the index position is 0, then Y is new calculated with Equation 3 using as inputs Yl f = AP and Y i ht = Y3. This is the calculation performed in the present example, since the rightmost bit of 010 i9 0. On lO the other hand, if the rightmost bit of the index position number is 1, then Yne is calculated with Equation 3 using left Y3 and Yright = AP; that is, the assignment of values is reversed~ Now the index position number ls shi~ted one bit to the right, which in the example 15 illu~trated in Figure 3, produces the value 01. ~f the rightmost bit of thl~ shifted number is 0, then Y is calculated with Equation 3 using as inputs Yl f ~ Y ld and right Y2, where Yold is the value of YneW produced in the previous step. On the other hand, if the rightmost bit in 20 the shifted number is 1, then Y is calculated with Equation 3 using as inputs Yleft = Y2 and Yright old This is the calculation performed in our present example, since the rightmost bit in the shifted number al is just 1.
The shifted number is again shifted one bit to the right, 2~ which in the example illustrated in Figure 3, produces the value 0. If the rightmost bit of the shifted number is 0, then Y is calculated with Equation 3 using as inputs left Yold and Yright = Yl, where Yol~ is again the value of Y produced in ~he previous step. This is the 30 calculation performed in our present example, since the rightmost bit in the shifted number is 0. On the other hand, if the rightmost bit of the shifted number is 1, then Y is calculated with Equation 3 using as inputs Yl ft =
Yl and Y i ht = Y ld. Thus, the index position number 35 stored on the card defines how each value of Yi, also stored on the card, is to be used in the calculation of Y using Equation 3; i.e., whether it is substituted for Yl f or for Y i ht in Equation 3. Moreover, once this order of substitution has been determined, either AP or the value of 5 Y produced at the previous step is substituted for the left or Yright. The value of AP is used o~ly at the first step in the calculat'ion of V whereas a value of Y is used in all subsequent steps in the new calculation of V.
The value of C in Æquation 3 is derived from the index postion number stored on the ban~ card using the following algorithm. Let Q be a 64-bit constant and K~ and ICB two constant, nonsecret cryptographic keys. Q, K~ and ~B are stored in each EFT/POS terminal and are universal constants 1~ whose'values are e~tablished by the card issuer. I~ Xl, X2, X , ~ . ., X denotes the index position number on the card, 3 m represented in binary, then these m bits are used to calculate the following m values of C: Cl, C2, . . ., C , using Equation 4.
i KiEKi-l -- EKl(Q) for i - 1,2,...... , where K = KA if X = 0 m m KB if X = 1 m K = KA if X ='0 m-l m-l KB if X = 1 m-l Kl = KA if Xl = 0 KB if Xl = 1 ~LZ~ 35~

For example, if the index position number is 10110 01101 10001 11010, then ~he following 20 values of C ars calculated and used with Equation 3 to calculate V:
Cl = EKB(Q) C2 = EKAEKB(Q) = EKA(Cl) C3 = EKBEKAEKB(Q) = EKB(C2) C19 = KB KA KB -- EKBEKAEKB(Q) = EKB(C18) C20 = E E E E . . . E E E (Q) = E (Cl9) KA KB KA KB KB KA KB KA
Twenty encryptions are reauired to calcuate the 20 values of C for a particular 20-bit index position number. C'20 is used with Equation 3 to make the transition ~rom level 20 to 15 level 1~ ln tho tr~e, Clg is used with Equation 3 to make the transition from level 19 to level 18 in the tree, and so forthr there being a different value of C used at each fork iD the tree. The reason for using different values of C is because of security. If a constant value of C were used at 20 each fork in the tree, then an adversary could launch a birthday type of attack in which a set of Y values is calculated by chaining one value after the other until there is a match with one of the actual Y values in the tree.
By opening several accounts, an adversary could collect a 25 fairly large set of such actual values and thus reduce his work factor by using the mentioned attack. However, by forcing different values of C, the attack is thwarted.
For the authentication step at the EFT/POS terminal, assume that the information on the bank card is as follows:
30 ID - User Identifier KP - Secret Personal Key 56 bits IPN - Nonsecret Index Position No. 20 bits 0~yl9~ yl- Nonsecret Data to Calculate Y 1120 bits VS - Verification Selection Number r ~2~ 3SS

The difference between secret and nonsecret with regard to card data refers to how that data is treated when it resides somewhere off the card. By definition, the card must be protecte3 if any data stored on the card ;s defined as 5 secret. Other nonsecret data on the card receives the same degree of protection as the secret data. It may be desirable to store a number of verification values and a positive file of AP values in each EFT/POS terminal and to authenticate a card-holder using one of these verification lO values which is selected on the basis of a verification selection number stored on the card-holder's card or to authenticate the card-holder on the basis of a positive file o~ AP values. To account for the possibility that some customers will }os~ their cards or a compromise of either 15 their card or PIN may occur, which will require a new card with a new AP value to be reissued to the card-holder, it may be desirable to authenticate an AP value associated with a reissued card on the basis of a different verification value V. Each EFT/POS terminal therefore stores a value T, 20 which is interpreted as follows. If the verification selection number VS is less than or equal to T, then the value of VS is used by the terminal to select the verification value V to be used to authenticate the card-holder's AP value.
Assume that the EFT/POS terminal stores the followiny:
Q - Nonsecret Constant 64 bits KA - Nonsecret Cryptographic Key 56 bits - KB - Nonsecret Cryptographic Xey 56 bits V - Verification Value 56 bits KGbl - Secret Global Cryptographic Key 56 bits T - Number of Yerification Values Stored in Terminal It should be noted that there may be multiple verification values depending on the particular implementation.
The steps involved in the authentication process are 35 illustrated in Figure 4. First, the card-holder enters his ~64!35~i or her PIN into the EFT/POS terminal. The card-holder also submits his or her bank card to the EFT/POS terminal as depicted in block 1. Then, in block 2, the terminal reads the quantities stored on the card. Before proceding with 5 any calculations, a "hot list" is checked in block 3 to determine if the ID read from the card is invalid. In decision block 4, a determination is made as to whether the ID is valid, and if it is not, then the reject indicator is set in block 5. An ID is invalid if a value equal to the 10 value of the ID is found in the ~hot list". Otherwise, the process continues to block 6. At this point, the EPIN is calculated from the ID, PIN and secret KGbl key using Equation 1. In addition AP is calculated rom EPIN, KP and ID using Equation 2. A "hot list", which ma~ be the same 15 "hot list" mentioned above, is also checked to determine i the ~P is invalid. The ~P ig invalid if a value equal to the value of AP is found in the "hot list". If the AP is invalid, then the reject indicator is set in block 5.
Otherwise, the process continues to decision block 8 where a 20 determination is made as to whether the verification selection number VS is greater than the value of T stored in the EFT/POS terminal. If it is, then the card-holder is authenticated on the basis of a positive file in block 9 instead of on the basis of a verification value V. Such a 25 file can be implemented by storing in the positive file the values of ID and AP for each such user to be authenticated by the positive file. In decision block 10, a determination is made as to whether a positive authentication is made from the fi]e, and if not, then a reject indicator is set in 30 block 5. More particularly, the card-holder's ID is first used to access and obtain a corresponding AP value stored in the positive file, and the cardholder is then authenticated by comparing this AP of reference value for equality with the AP value calculated in block 6.
Returning to block 8, if the verification selection ~L26~855 number is less than or equal to T, then t:he constants C , C , . . ., C20 are calculated, in that order using Equation
4, from Q, KA, Ks, and the index position number (IPN) read from the card, and these generated quanti.ties are stored in S a table and later accessed when calculati.ng V. Once the constants Ci have all been calculated, V is calculated from 20' 19' ~ Yl~ C20/ cl9t , Cl, and the 20-bit index position n~mber, represented by IPN = Xl, X2, . . ..
X20, using Equation 3 repeatedly, as follows:
Right56[Y ~ E (Y )] = U
left RightS6[C20] left 20 RightS6[Y ~ E (Y )] = Y
right U20 right newl9 - where Y ~ AP and Y ~ Y if X = 0 left right 20 20 or Y ~ Y and y ~ AP i~ X ~ 1 let 20 right 20 RightS6[Y ~ E (Y)] = U
left Right56[Cl9] left 19 lS RightS6[Y ~ E (Y )] = Y
right Ul9 right . newl8 where Y = Y and Y = Y if X = 0 left newl9 right 19 19 left 19 right newl9 19 left Right56[C18]( left)] 18 - Right56[Y ~ E (Y )] = Y
right U18 right newl7 where Y = Y and Y .= Y if X = 0 left newl8 rlght 18 18 or Y = Y and Y = Y if X = 1 left 18 right newl8 18 12~;41!35~

Right56[Y ~ E (Y )] '= Ul left Right56[Cl] left Right56[y i ht ~ EUl(Y i ht)] = V

where Y = y and Y , = Y if X = 0 left newl rlght or Y = Y and Y = y if X = 1 left 1 right newl The ~oregoing calculations are made~in block 12. The veriflcation s~lection number is decoded at block l3 to 9elect a p~rticular one o the T global reEerence value~
lO storod at the terminal. Then in declsion block 1~ a determination is made as to whether the calculated value of V is equal to the particular selected global reference value stored in the terminal. If it is not, then the reject indicator is set in block 5. Otherwise, the accept 15 indicator is set in block 11.
Returning briefly to decision block 13, by way of example, let T = 2. Then if the verification selection number is 1, a first global reference value is used in making the determination to authenticate the user. However, 2~ if the veriication selection number is 2, then a second ,global reference value is used. As already described with reference to decision block 8, if the verification selection number is greater than 2, the user is authenticated on the basis of a positive file in block 9. Obviously, the numbers 25 chosen here are goverened by practical consid(rations, and those skilled in the art will recognize that modifications can be made without departing from the spirit of the invention.

1;~64855 Summarizing, the method acording to the present invention has the following security properties: First, compromising a card does not compromise the PIN. Second, compromising the global secret key does not compromise the
5 PIN nor does it allow someone to forge cards and defraud the system. The process of personal authentication is based on a nonsecret global value stored in each EFT/POS teLminal.
Added PIN protection is achieved through the use of the global secret key also-stored in each EFT/POS terminal.
lO Compromising this key does not by itself compromise PINs.
The justification for employing a global secret key is that with short PINs, there is no way to maintain PIN secrecy if a user's card i5 compromised and the EFT~POS terminal stores only nonsecret quantities. Although a global secret key has lS a decided disadvan~age, it is better to employ such a key wheu there is no othe~ alternative to strengthen PIN
secrecy, especialIy when it can be anticipated that many user cards will be lost and thus fall into the hands of potential adversaries. As long as the integrity of the 20 global nonsecret verification value in the EFT/POS terminal is maintained, there is no global attack against the system.
Even if the integrity of a terminal is compromised, then only that one terminal can be attacked. Since the global secret key does not lead to a global attack against the 25 system, there is less motivation for an opponent to go after it. - -As described, a "hot list" is required with theprocedure according to the invention. This is no different than what would be required with a public key solution or 30 with a DES solution involving only a global secret key for user authentication. The "hot list" is needed because the bank has to have a way to invalidate an account. For example, an opponent could cpen an account under a phony name and then proceed to duplicate his card and sell the 35 cards and PINs for profit.

i4855 KIg-84-010 A user's PIN can be changed, but this invloves reissuing the customer's bank card. Basically, when the PIN
is changed, compensating changes must be made on the bank card which involves recalculation of an offset or certain 5 nonsecret parameters on the card. If a user's card and PIN
have been compromised, then a new card and PIN must be issued. In this case, an entry on the '~Hot List" must be made to effectively invalidiate the authentication information stored on that card and the user's PIN. This lO does not necessarily mean that the ID is invalidated. The method is such that a customer's assigned ID can remain the same even if a new card and PIN are issued, although it is more efficient if a new ID is issued.
While the invention has been described in terms of a 15 preerred embodiment in the environment of a banking multi-terminal network, those skilled in the art will recognize that the principles of the invention can be practiced in other environments where it is desired to provide for the offline personal authentication of users of a system. For ~ example, the invention could be used in a security system that would allow access to secure areas only to users of the system who are properly authenticated at a terminal. The important feature of the invention is the use of an authentication tree with an authentication tree function 2~ comprising a one way function.

Claims (15)

The embodiments of the invention in which an exclusive property or privilege is claimed are defined as follows:
1. In a multi-terminal system, a method of offline personal authentication using an authentication tree with an authentication tree function comprising a one-way function, said method employing memory cards issued to users of the system and each user being issued a personal identification number, each of said memory cards having stored thereon a personal key and an index position number representing the tree path for the user to which the card is issued, said method comprising the steps of:

calculating an authentication parameter as a function of a personal key read from a user's card, a personal identification number entered by a user at a terminal being used, and a global secret key stored in the terminal being used, mapping the calculated authentication parameter to a verification value using said index position number in said one-way function to the root of said authentication tree, comparing the verification value obtained by mapping the calculated authentication parameter with a global verification value of reference stored at the terminal, and enabling said system if the comparison of the verification value obtained by mapping with the global verification value of reference is favourable.
2. In a multi-terminal system, a method of offline personal authentication using an authentication tree with an authentication tree function comprising a one-way function, said method employing memory cards issued to users of the system and each user being issued a personal identification number, each of said memory cards having stored thereon a personal key and an index position number representing the tree path for the user to which the card is issued, said method comprising the steps of:
calculating an authentication parameter as a function of a personal key read from a user's card, a personal identification number entered by a user at a terminal being used, and a global secret key stored in the terminal being used, said calculating an authentication parameter step further comprising the steps of:
calculating an encrypted personal identification number (PIN), denoted EPIN by the equation EPIN = EKGb1(EPIN(ID)), where KGb1 is a global secret key stored in each terminal and ID is a user identifier, and calculating an authentication parameter AP by the equation AP=RightN[EKp?EPIN(IN) ? ID], where the symbol ? is the Exclusive OR operation and "RigntN' is a function that extracts the rightmost N bits in the binary variable denoted by the argument of the function, mapping the calculated authentication parameter to a verification value using said index position number in said one-way function to the root of said authentication tree, comparing the verification value obtained by mapping the calculated authentication parameter with a global verification value of reference stored at the terminal, and enabling said system if the comparison of the verification value obtained by mapping with the global verification value of reference is favourable.
3. The method of offline personal authentication as recited in claim 1 wherein the step of mapping is performed by first calculating a different codeword for each node of said authentication tree and then using the different codewords at the iteration of each node.
4. The method of offline personal authentication as recited in claim 2 wherein the step of mapping is performed by first calculating a different codeword for each node of said authentication tree and then using the different codewords at the iteration of each node.
5. The method of offline personal authentication as recited in claim 3 further comprising the step of storing in each terminal values of Q, an m-bit constant, and KA and KB, two nonsecret cryptographic keys, the calculation of a different codeword for each node being a function of Q, KA
and KB and said index position number stored on the user's card.
6. The method of offline personal authentication as recited in claim 4 further comprising the step of storing in each terminal values of Q, an m-bit constant, and KA and KB, two nonsecret cryptographic keys, the calculation of a different codeword for each node being a function of Q, KA
and KB and said index position number stored on the user's card.
7. The method of offline personal authentication as recited in claim 5 wherein the step of calculating an authentication parameter is performed by the steps of calculating an encrypted personal identification number (PIN), denoted EPIN, by the equation EPIN = EKGb1(EPIN(ID)), where KGb1 is a global secret key stored in each terminal and ID is a user identifier, and calculating an authentication parameter AP by the equation AP=Right56[EKP?EPIN(ID)? ID], where the symbol ? is the Exclusive OR operation and "Right56" is a function that extracts the rightmost 56 bits in the binary variable denoted by the argument of the function.
8. The method of offline personal authentication as recited in claim 2 wherein there is further stored on the card m values Y1,Y2,..Ym to be authenticated and the step of mapping is performed by the step of calculating said verification value V from AP, said m values and said tree function by the equation Right56[yleft? Right56[Ci](Yleft)]=U

Right56[Yright ? EU(Yright)] =Ynew, where Yleft and Yright are two values in said tree path and are different values of said codeword calculated for each iteration at each node of the tree function and the last Y in the iteration is said verification value V.
new
9. The method of offline personal authentication as recited in claim 7 wherein there is further stored on the card m values Y1, Y2,...,Ym to be authenticated and the step of mapping is performed by the step of calculating said verification value V from AP, said m values and said tree function by the equation Right56[Yleft ? Right56[Ci] (Yleft)] =U
Right56[Yright ? Eu(Yright)] =Ynew, where Yleft and Yright are two values in said tree path and are different values of said codeword calculated for each iteration at each node of the tree function and the last Y in the iteration is said verification value V.
new
10. The method of offline personal authentication as recited in claim 8 wherein the values of Ci are calculated by the equation Ci EKiEKi-1... EK1(Q) for i = 1,2,...,m where Ki = KA if Xi = 0 and Ki = KB if Xi = 1 and X1, X2, X3,...,Xm denote binary bits stored on the user's card which represent said index position number.
11. The method of offline personal authentication as recited in claim 9 wherein the values of Ci are calculated by the equation Ci= EKiEKi-1 ... EK1(Q) for i = 1,2,...,m where Ki = KA if Xi = 0 and Ki = 1 and X1, X2, X3,...,Xm denote binary bits stored on the user's card which represent said index position number.
12. The method of offline personal authentication as recited in claim 2 wherein said user identifier ID is additionally stored on the user's card, said method further comprising the step of checking the user identifier ID read from the user's card against a list to determine if the ID
is invalid, and if it is, rejecting the user.
13. The method of offline personal authentication as recited in claim 7 wherein said user identifier ID is additionally store on the user's card, said method further comprising the step of checking the user identifier ID read from the user's card against a list to determine if the ID
is invalid, and if it is, rejecting the user.
14. The method of offline personal authentication as recited in claim 12 or 13 wherein after calculating the authentication parameter AP, performing the steps of checking a list to determine if the authentication parameter is invalid and, if it is, rejecting the user.
15. A method according to Claim 2 wherein N equals 56.
CA000498312A 1985-02-12 1985-12-20 Offline pin validation with des Expired - Fee Related CA1264855A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US700,897 1985-02-12
US06/700,897 US4661658A (en) 1985-02-12 1985-02-12 Offline PIN validation with DES

Publications (1)

Publication Number Publication Date
CA1264855A true CA1264855A (en) 1990-01-23

Family

ID=24815286

Family Applications (1)

Application Number Title Priority Date Filing Date
CA000498312A Expired - Fee Related CA1264855A (en) 1985-02-12 1985-12-20 Offline pin validation with des

Country Status (5)

Country Link
US (1) US4661658A (en)
EP (1) EP0191324B1 (en)
JP (1) JPS61188666A (en)
CA (1) CA1264855A (en)
DE (1) DE3686659T2 (en)

Families Citing this family (66)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4887296A (en) * 1984-10-26 1989-12-12 Ricoh Co., Ltd. Cryptographic system for direct broadcast satellite system
GB8621333D0 (en) * 1986-09-04 1986-10-15 Manitoba Telephone System Key management system
US4807287A (en) * 1987-04-06 1989-02-21 Light Signatures, Inc. Document authentication method
US4881264A (en) * 1987-07-30 1989-11-14 Merkle Ralph C Digital signature system and method based on a conventional encryption function
US4853962A (en) * 1987-12-07 1989-08-01 Universal Computer Consulting, Inc. Encryption system
US4876398A (en) * 1988-06-10 1989-10-24 China Petrochemical Development Corporation Preparation of ortho-alkylated phenols in the presence of a catalyst prepared by co-precipitation process
US5093861A (en) * 1990-10-12 1992-03-03 Cardkey Systems, Inc. Recognition apparatus and method for security systems
US5263164A (en) 1991-01-09 1993-11-16 Verifone, Inc. Method and structure for determining transaction system hardware and software configurations
US5224162A (en) * 1991-06-14 1993-06-29 Nippon Telegraph And Telephone Corporation Electronic cash system
US5231666A (en) * 1992-04-20 1993-07-27 International Business Machines Corporation Cryptographic method for updating financial records
FR2696567B1 (en) * 1992-10-02 1994-11-25 Gemplus Card Int Method for cryptography of messages transmitted by an information medium to a processing system.
US5544322A (en) * 1994-05-09 1996-08-06 International Business Machines Corporation System and method for policy-based inter-realm authentication within a distributed processing system
DE19511298B4 (en) * 1995-03-28 2005-08-18 Deutsche Telekom Ag Procedure for issuing and revoking the authorization to receive broadcasts and decoders
AU706247B2 (en) * 1995-07-27 1999-06-10 Nextlevel Systems, Inc. Cryptographic system with concealed work factor
FR2747208B1 (en) * 1996-04-09 1998-05-15 Clemot Olivier METHOD OF CONCEALING A SECRET CODE IN A COMPUTER AUTHENTICATION DEVICE
US6901509B1 (en) 1996-05-14 2005-05-31 Tumbleweed Communications Corp. Apparatus and method for demonstrating and confirming the status of a digital certificates and other data
US5903651A (en) 1996-05-14 1999-05-11 Valicert, Inc. Apparatus and method for demonstrating and confirming the status of a digital certificates and other data
US8229844B2 (en) 1996-06-05 2012-07-24 Fraud Control Systems.Com Corporation Method of billing a purchase made over a computer network
US7555458B1 (en) 1996-06-05 2009-06-30 Fraud Control System.Com Corporation Method of billing a purchase made over a computer network
US20030195847A1 (en) 1996-06-05 2003-10-16 David Felger Method of billing a purchase made over a computer network
DE19708755A1 (en) * 1997-03-04 1998-09-17 Michael Tasler Flexible interface
WO1998040982A1 (en) 1997-03-12 1998-09-17 Visa International Secure electronic commerce employing integrated circuit cards
DK0992025T3 (en) * 1997-06-27 2002-10-28 Swisscom Mobile Ag Transaction method with a portable identification element
EP1050133B2 (en) * 1998-01-02 2009-05-27 Cryptography Research Inc. Leak-resistant cryptographic method and apparatus
US7587044B2 (en) 1998-01-02 2009-09-08 Cryptography Research, Inc. Differential power analysis method and apparatus
JP4496440B2 (en) * 1998-01-12 2010-07-07 ソニー株式会社 Encrypted content transmission device
US6848050B1 (en) 1998-04-16 2005-01-25 Citicorp Development Center, Inc. System and method for alternative encryption techniques
PT1080415T (en) * 1998-05-21 2017-05-02 Equifax Inc System and method for authentication of network users
WO1999060481A1 (en) * 1998-05-21 1999-11-25 Equifax Inc. System and method for authentication of network users with preprocessing
CA2357003C (en) 1998-05-21 2002-04-09 Equifax Inc. System and method for authentication of network users and issuing a digital certificate
CA2333095C (en) * 1998-06-03 2005-05-10 Cryptography Research, Inc. Improved des and other cryptographic processes with leak minimization for smartcards and other cryptosystems
AU5458199A (en) * 1998-07-02 2000-01-24 Cryptography Research, Inc. Leak-resistant cryptographic indexed key update
DE19847941A1 (en) 1998-10-09 2000-04-13 Deutsche Telekom Ag Common cryptographic key establishment method for subscribers involves successively combining two known secret values into a new common value throughout using Diffie-Hellmann technique
AU763571B2 (en) 1998-12-23 2003-07-24 Chase Manhattan Bank, The System and method for integrating trading operations including the generation, processing and tracking of and trade documents
US7376583B1 (en) 1999-08-10 2008-05-20 Gofigure, L.L.C. Device for making a transaction via a communications link
US8793160B2 (en) 1999-12-07 2014-07-29 Steve Sorem System and method for processing transactions
AU2133801A (en) * 1999-12-10 2001-06-18 Mosaid Technologies Incorporated Method and apparatus for longest match address lookup
US6555511B2 (en) * 2000-06-19 2003-04-29 Lance L. Renfrow Stable hydrotropic surfactants comprising alkylamino propionate
US6880064B1 (en) * 2000-06-21 2005-04-12 Mosaid Technologies, Inc. Method and apparatus for physical width expansion of a longest prefix match lookup table
US7831467B1 (en) 2000-10-17 2010-11-09 Jpmorgan Chase Bank, N.A. Method and system for retaining customer loyalty
CN1720578A (en) 2000-12-07 2006-01-11 三因迪斯克公司 System, method and device for playing back recorded audio, video or other content from non-volatile memory cards, compact disks or other media
US8849716B1 (en) 2001-04-20 2014-09-30 Jpmorgan Chase Bank, N.A. System and method for preventing identity theft or misuse by restricting access
WO2002099598A2 (en) 2001-06-07 2002-12-12 First Usa Bank, N.A. System and method for rapid updating of credit information
US7266839B2 (en) 2001-07-12 2007-09-04 J P Morgan Chase Bank System and method for providing discriminated content to network users
US8020754B2 (en) 2001-08-13 2011-09-20 Jpmorgan Chase Bank, N.A. System and method for funding a collective account by use of an electronic tag
US7987501B2 (en) 2001-12-04 2011-07-26 Jpmorgan Chase Bank, N.A. System and method for single session sign-on
US7231657B2 (en) * 2002-02-14 2007-06-12 American Management Systems, Inc. User authentication system and methods thereof
US20040122736A1 (en) 2002-10-11 2004-06-24 Bank One, Delaware, N.A. System and method for granting promotional rewards to credit account holders
US8301493B2 (en) 2002-11-05 2012-10-30 Jpmorgan Chase Bank, N.A. System and method for providing incentives to consumers to share information
US20050021954A1 (en) * 2003-05-23 2005-01-27 Hsiang-Tsung Kung Personal authentication device and system and method thereof
US7694330B2 (en) * 2003-05-23 2010-04-06 Industrial Technology Research Institute Personal authentication device and system and method thereof
US8306907B2 (en) 2003-05-30 2012-11-06 Jpmorgan Chase Bank N.A. System and method for offering risk-based interest rates in a credit instrument
US8175908B1 (en) 2003-09-04 2012-05-08 Jpmorgan Chase Bank, N.A. Systems and methods for constructing and utilizing a merchant database derived from customer purchase transactions data
US7607576B2 (en) * 2004-02-27 2009-10-27 Gilbarco, Inc. Local zone security architecture for retail environments
US7401731B1 (en) 2005-05-27 2008-07-22 Jpmorgan Chase Bank, Na Method and system for implementing a card product with multiple customized relationships
US7925578B1 (en) 2005-08-26 2011-04-12 Jpmorgan Chase Bank, N.A. Systems and methods for performing scoring optimization
US8239677B2 (en) * 2006-10-10 2012-08-07 Equifax Inc. Verification and authentication systems and methods
US8622308B1 (en) 2007-12-31 2014-01-07 Jpmorgan Chase Bank, N.A. System and method for processing transactions using a multi-account transactions device
JP4496506B2 (en) * 2008-05-07 2010-07-07 ソニー株式会社 Encrypted content transmission device
US8554631B1 (en) 2010-07-02 2013-10-08 Jpmorgan Chase Bank, N.A. Method and system for determining point of sale authorization
US8775794B2 (en) 2010-11-15 2014-07-08 Jpmorgan Chase Bank, N.A. System and method for end to end encryption
US9058626B1 (en) 2013-11-13 2015-06-16 Jpmorgan Chase Bank, N.A. System and method for financial services device usage
US9922322B2 (en) 2013-12-19 2018-03-20 Visa International Service Association Cloud-based transactions with magnetic secure transmission
CN106465112A (en) * 2014-05-21 2017-02-22 维萨国际服务协会 Offline authentication
US9584489B2 (en) 2015-01-29 2017-02-28 Google Inc. Controlling access to resource functions at a control point of the resource via a user device
EP3530602B1 (en) 2018-02-23 2020-06-17 Otis Elevator Company Safety circuit for an elevator system, device and method of updating such a safety circuit

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4200770A (en) * 1977-09-06 1980-04-29 Stanford University Cryptographic apparatus and method
US4218738A (en) * 1978-05-05 1980-08-19 International Business Machines Corporation Method for authenticating the identity of a user of an information system
US4309569A (en) * 1979-09-05 1982-01-05 The Board Of Trustees Of The Leland Stanford Junior University Method of providing digital signatures
US4438824A (en) * 1981-04-22 1984-03-27 Siemens Corporation Apparatus and method for cryptographic identity verification

Also Published As

Publication number Publication date
JPS61188666A (en) 1986-08-22
DE3686659T2 (en) 1993-04-08
JPH0375913B2 (en) 1991-12-03
US4661658A (en) 1987-04-28
EP0191324B1 (en) 1992-09-09
EP0191324A3 (en) 1989-04-26
EP0191324A2 (en) 1986-08-20
DE3686659D1 (en) 1992-10-15

Similar Documents

Publication Publication Date Title
CA1264855A (en) Offline pin validation with des
US4736423A (en) Technique for reducing RSA Crypto variable storage
US5231666A (en) Cryptographic method for updating financial records
US4924514A (en) Personal identification number processing using control vectors
US5910989A (en) Method for the generation of electronic signatures, in particular for smart cards
CA2196356C (en) Transaction verification protocol for smart cards
JP3456993B2 (en) Method and identification device and verification device for performing identification and / or digital signature
Simmons A survey of information authentication
Horn et al. Authentication and payment in future mobile systems
US4309569A (en) Method of providing digital signatures
CA2073065C (en) Method and system for personal identification using proofs of legitimacy
US5029208A (en) Cipher-key distribution system
US4625076A (en) Signed document transmission system
US20130168450A1 (en) Format preserving cipher system and method
EP1873963A1 (en) Authentication method for IC cards
US20200106600A1 (en) Progressive key encryption algorithm
JPH0218512B2 (en)
IE68507B1 (en) A method of transferring data and a system for transferring data
Taylor An integrity check value algorithm for stream ciphers
US7991151B2 (en) Method for secure delegation of calculation of a bilinear application
CN110675265A (en) Method for realizing block chain double-key hiding address protocol without temporary key leakage
Knudsen et al. MacDES: a new MAC algorithm based on DES
Preneel et al. Key recovery attack on ANSI X9. 19 retail MAC
Tapiador et al. Cryptanalysis of Song's advanced smart card based password authentication protocol
Tewari et al. Reusable off-line electronic cash using secret splitting

Legal Events

Date Code Title Description
MKLA Lapsed