WO2000004513A1 - Theft deterrent repository for security controlled devices - Google Patents

Info

Publication number
WO2000004513A1
Authority
WO
WIPO (PCT)
Prior art keywords
security
repository
locking
controlled devices
original
Prior art date
Application number
PCT/US1999/016073
Other languages
French (fr)
Other versions
WO2000004513A9 (en)
Inventor
Richard Leslie Bishop
Jay Raymond Slusher
Original Assignee
Amdahl Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Amdahl Corporation
Priority to AU51050/99A
Publication of WO2000004513A1
Publication of WO2000004513A9

Classifications

    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1008Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/02Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/04Payment circuits
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/10Payment architectures specially adapted for electronic funds transfer [EFT] systems; specially adapted for home banking systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/341Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/36Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes
    • G06Q20/363Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes with the personal data of a user
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00Commerce
    • G06Q30/04Billing or invoicing
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/0806Details of the card
    • G07F7/0813Specific details related to card security
    • G07F7/082Features insuring the integrity of the data on or in the card
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/0806Details of the card
    • G07F7/0833Card having specific functional components
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/0866Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means by active credit-cards adapted therefor
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1025Identification of user by a PIN code

Definitions

  • the present invention relates to the field of security in data processing and electronic commerce and particularly to methods and apparatus for secure storage and transfer of electronic funds and other valuable data.
  • Data processing systems have been used to store and transfer electronic funds, encryption codes and other valuable data.
  • data processing systems have employed devices having some form of security control (security controlled devices).
  • An example of such data processing systems is an electronic funds system where the security controlled devices are smart cards.
  • Another example of such data processing systems is a cryptographic system where the security controlled devices are stores for encryption codes and algorithms for encrypting data. While cryptographic techniques have been used to protect communications to and from security controlled devices, cryptology alone does not protect against the theft of the security controlled devices themselves.
  • Electronic funds, encryption codes and other valuable data can be stolen from a data processing system by stealing the security controlled devices themselves thereby stealing the valuable data contained therein or associated therewith.
  • wire transfers are one electronic method for the transfer of value that involves the transfer of funds from one trusted party to another.
  • In a wire transfer, one party makes a debit book entry and the other party makes a credit book entry as a result of valuable data electronically sent from one party to another in accord with preestablished procedures agreed to by the parties.
  • Wire transfers are usually subject to clearing operations to verify that the debit and credit entries have been made correctly and to reconcile the accounts between the parties.
  • the security of the wire transfer of funds is higher if the valuable data transfer that implements the wire transfer is encrypted using electronic encryption/decryption devices, codes or algorithms.
  • Electronic cash is another electronic method for the transfer of value that involves the transfer of funds from one party to another.
  • Electronic cash methods include two types of transfers, namely certificated value and net value transfers.
  • For the certificated value type of electronic cash, an issuer generates electronic value or transaction records, generally cryptographically encoded and signed, that represent distinct amounts of value. These electronic value or transaction records may be passed from one electronic cash device to another electronic cash device. For example, the transfer of funds occurs from a small portable electronic cash device (smart card) held by one party to an electronic cash device held by another party.
  • smart cards are portable cards similar in form and size to common credit or debit cards. In an alternate miniature form, the size is reduced to contain small contact area and internal electronics only.
  • a smart card is issued by the issuer and dispensed to a first party (for example, a purchaser) where the card is pre-loaded or subsequently loaded with stored electronic value or transaction records
  • the electronic value record (certificate) is passed by the first party to an electronic cash device of another party (for example, a merchant) and, eventually, the electronic value record (certificate) is returned to the issuer by the other party for redemption in the amount of the electronic value record (certificate).
  • electronic cash devices used by merchants, banks and other financial institutions are under the administrative and technical control of an issuer.
  • Electronic cash devices that contain electronic value records need to be security controlled devices since, if these devices are stolen, the amount of money represented by the electronic value record (certificate) can be permanently lost.
  • the electronic value is represented by the net amount stored in an electronic device without need for further external accounting.
  • the value is not represented by electronic certificates or transaction records that must be transferred and redeemed from an issuer.
  • the net value type of electronic devices are called value stores and each is capable of storing a net amount of value that reflects the accumulated aggregate of value transfers from and to that value store from other value stores.
  • Value stores can be implemented using cards (smart cards) that are similar to those used for the certificated value type of electronic cash except that the rules controlling the transfer of value are appropriate for the net value type of electronic cash.
  • issue value stores in the form of smart cards
  • the issuer retains value stores capable of performing transactions with the value stores of its customers and others.
  • An issuer may require tens or hundreds of value stores to conduct transactions with the value stores in the possession of its customers or correspondent institutions.
  • Electronic value stores need to be security controlled devices since, if these devices are stolen, the amount of money represented by the electronic net value stored can be permanently lost.
  • Physical security is a typical method of protecting security controlled devices.
  • the individual security controlled devices are small devices that are easily concealed and moved. If the security controlled devices are value stores in a bank or other institution, the value stores are frequently contained in locked and guarded vaults with stringent access controls to the vaults.
  • such physical security is increasingly difficult as security controlled devices are further miniaturized and as security controlled devices are distributed to remote locations and institutions without vaults.
  • a data key such as a Personal Identification Number (PIN).
  • PIN: Personal Identification Number
  • a value store may be locked to inhibit the normal action of removing electronic funds so that restoration of the ability to remove electronic funds from the value store that is disabled or locked requires use of a previously determined PIN to unlock the value store.
  • the PIN number may or may not be changeable depending on the design of the value store. Procedures are required for creation and distribution of
  • a PIN number is required for the lock operation as well as for the unlock operation.
  • the lock and unlock PIN numbers may be the same or different and they each may be fixed or changeable.
  • transaction durations are increased in order to accommodate the lock and unlock operations and sustainable transaction rates to value stores are reduced because of the PIN operations that must be performed. Difficulties resulting from the distribution of and procedures for use of PIN numbers remain present in such implementations.
  • the value store requires the presentation of the PIN number before every occurrence of some or all operations, but the relocking is automatic after each operation.
  • the transaction duration is slightly decreased and the sustainable transaction rate to a value store is slightly increased because a manual lock operation is not required after each operation.
  • a first (primary) method of unlocking value stores employs an unlocking sequence in which a first unlocking key (primary unlocking key) is used to unlock locked value stores.
  • the unlocking key must be available from some source.
  • a second method of unlocking value stores used in addition to the first method, operates independently of any requirement for knowledge of the value of the primary unlocking key. This second method, sometimes called a backdoor method, may be used, for example, by a security manager to unlock a value store when the primary key to unlock that value store has been lost, intentionally erased, or never supplied.
  • A backdoor method may be required to unlock a value store where a security mechanism internal to the value store automatically locks the value store in response to an external security threat.
  • the knowledge of the methods for enabling and disabling the security controlled devices must be widespread among authorized agents. For example, if a large staff like that in the institutional environment of a bank requires access to security controlled devices, then the keys (PIN numbers) and the knowledge of how to enable and disable value stores must be imparted to or available to that large staff.
  • the process of generating, storing and distributing the keys makes the system susceptible to invasion for theft and hence reduces security.
  • the security processing can be time consuming. For example, the process of locking or unlocking a value store may require multiple manual operations.
  • Procedures become progressively more onerous as the number of security controlled devices in a system increases.
  • the use of manual key (PIN) operations causes a transaction duration to increase undesirably and causes the sustainable transaction rate to a security controlled device (value store) to be reduced undesirably.
  • PIN: manual key
  • These increases and decreases result because, prior to valuable data transfer, an unlock operation must be performed, and subsequent to the valuable data transfer, a lock operation must be performed.
  • the prior and subsequent operations consume communications time and processing time including the time required to generate commands and perform the operations for validating and otherwise processing keys (PIN's).
  • the present invention is a secure repository for secure electronic storage, transfer and other processing of valuable data using security controlled devices.
  • the repository transfers data from or to the security controlled devices in response to a client request from a client system.
  • the repository includes a security enclosure containing the security controlled devices.
  • Each security controlled device includes a lock unit for electronically locking the security controlled device.
  • the repository includes a processor unit connecting a data transfer request from the client system to the security controlled devices and for transferring data from the security controlled devices.
  • the repository includes a security unit for sensing a security breach and for responsively initiating a locking sequence for locking the security controlled devices to inhibit transfers of data from the security controlled devices.
  • the present invention includes various embodiments wherein:
  • the locking sequence obtains locking keys from the processor unit and applies the locking keys to lock the security controlled devices.
  • the locking sequence includes discarding the locking keys after the security controlled device is locked so that the locking key does not remain in the security enclosure.
  • the locking sequence includes obtaining locking keys from the client system and applying the locking keys to lock the security controlled devices
  • the processor unit randomly generates the locking key and discards the locking key after the security controlled device is locked so that the locking key does not remain in the security enclosure.
  • the security controlled device includes means for sensing a security breach and for responsively automatically locking the secured controlled device.
  • the security controlled devices include unlocking means for unlocking the security controlled devices to permit transfers of data from the security controlled devices.
  • the unlocking means responds to an unlocking sequence for unlocking the security controlled devices.
  • the unlocking sequence includes a primary unlocking sequence and a backdoor unlocking sequence.
  • the locking sequence obtains locking keys from the processor unit, applies the locking keys to lock the security controlled devices and discards the locking keys after the security controlled devices are locked so that the locking keys do not remain in the security enclosure and wherein each of the security controlled devices includes unlocking means responsive to a backdoor sequence for unlocking the security controlled devices to permit transfers of data from the security controlled devices.
  • FIG. 1 depicts a block diagram of the repository of security controlled devices in accordance with the present invention.
  • FIG. 2 depicts a block diagram of the repository of FIG. 1 where the security controlled devices are value stores for storing electronic funds.
  • FIG. 3 depicts a block diagram representation of the phases of operation of the repository of FIG. 2.
  • FIG. 4 depicts a block diagram representation of the stopped phase of FIG. 3.
  • FIG. 5 depicts a block diagram representation of the working phase of FIG. 3.
  • FIG. 6 depicts a block diagram representation of the securing phase of FIG. 3.
  • FIG. 7 depicts a block diagram representation of the suspended phase of FIG. 3.
  • FIG. 8 through FIG. 16 depict schematic representations of the repository of FIG. 1.
  • Repository for Security Controlled Devices (FIG. 1)
  • a repository 2 contains one or more security controlled devices 3, a processor unit 4 and a security unit 5.
  • the security controlled devices 3 are available for storing, transferring or otherwise processing of valuable data.
  • the repository 2 is connected through network 12 to client system 11.
  • Client system 11 typically includes a personal computer (PC) or computer server used for electronic commerce, encryption or other operations relating to transfers of valuable data.
  • Network 12 is any public or private network or other connection such as a local area network, dedicated direct connection, a telephone network or the Internet.
  • the security controlled devices 3 typically can be locked by the lock unit 28 to inhibit all or some kinds of valuable data transfer to or from the security controlled devices 3.
  • a key such as a PIN is required to unlock a security controlled device 3 by operation of the unlock unit 29 to permit valuable data transfers.
  • Security controlled devices 3 that contain no valuable data or that are locked so that valuable data cannot be accessed have low incentive for theft.
  • the processor unit 4 typically contains one or more microprocessors that operate to process normal transactions related to valuable data transfers and to process exceptional conditions related to the security of the system. Exceptional conditions include physical intrusion into the repository 2, power failure, tampering and unauthorized processor interrupts or other operations.
  • The processor unit 4 typically includes batteries, capacitors or similar power storage devices required to ensure a supply of power and other necessities that are operable, after disconnection from an external power source, for a sufficient time to perform security and shutdown procedures.
  • the processor unit 4 may include fixed or loadable programs executed by programmed microprocessors, or may be implemented in fixed electronic components. The actions taken by the processor unit 4 in response to external signals may depend on previous signal inputs that change the internal state of the processor unit 4.
  • the security unit 5 includes control logic which functions in response to loss of power, communication disconnection, intrusion or other security-compromising events to provide security compromised or other signals to alert the processor unit 4 that a possible insecure condition exists.
  • In response, processor unit 4 locks all of the security controlled devices 3 to inhibit valuable data transfers and hence to provide a low incentive for theft of the security controlled devices 3.
  • Repository for Security Controlled Devices (FIG. 2)
  • In FIG. 2 an embodiment of FIG. 1 is shown wherein a repository 2' (and additional repositories such as repository 2", which may or may not be of similar design to repository 2') contains one or more security controlled devices 3', a processor unit 4, and a security unit 5.
  • the security controlled devices 3 of FIG. 1 are value stores 3' that are typically smart cards loaded in card readers for reading and transferring of electronic funds.
  • electronic funds and electronic cash include money, frequent flyer miles or any other measure of value.
  • the value stores 3' may store multiple millions of dollars (or other currency or other valuable tokens) in electronic form and hence need to be secure.
  • The value stores 3', because of their small size, are even greater potential targets for theft or fraud than are more bulky cash deposits.
  • Client system 11 is typically a personal computer (PC), computer server or other computer system 7 connected through network 9 to funds clients 10 for electronic commerce.
  • Network 12 is any public or private network or other connection such as a local area network, dedicated direct connection, a telephone network or the Internet.
  • network 9 is any public or private network or other connection such as a local area network, dedicated direct connection, a telephone network or the Internet.
  • Network 12 may be distinct from or the same as network 9.
  • One or more funds clients 10 are correspondent entities for receiving or sending funds from or to the value store repository 2' and repository 2".
  • the computer system 7 typically is a computing system of a bank, retailer, or other entity needing simultaneous or secure access to value stores 3'.
  • The funds clients 10 typically are merchants or individuals dealing in electronic funds transfer with the owner or operator of the computer system 7. If the repository 2' contains funds for a financial institution like a bank, the funds clients 10 likely are customers of the bank or other financial institutions. If the repository 2' contains funds of an individual or a merchant, the funds clients 10 typically are other individuals or merchants, or financial institutions associated with the individuals or merchants associated with the repository 2'.
  • the computer system 7 may be capable of receiving advisory messages from the value store repository 2'. Although correct operation of the value store repository 2' does not depend on correct receipt of advisories by the computer system 7, the computer system 7 may use advisory messages to control operations of the client system 11.
  • the security unit 5 includes a tamper detect unit 22 and a power detect unit 23.
  • the tamper detect unit 22 functions to detect tampering with the repository 2' or of its contents including the value stores 3', the processing unit 4 and the security unit 5.
  • Upon detection of tampering, tamper detect unit 22 provides the security_compromised signal to the processor unit 4.
  • the power detect unit 23 functions to detect any loss of power to the repository 2' or to any of its contents including the value stores 3', the processing unit 4 or the security unit 5.
  • The power detect unit 23 includes, for example, sensors which detect and signal normal operating power conditions and control logic which functions in response to loss of power or disconnection from an external power source to sense a power_fail_imminent condition. Upon detection of any power_fail_imminent condition, power detect unit 23 provides the security_compromised signal to the processor unit 4.
  • In response to a security_compromised signal, and to internal security algorithms executed in processor unit 4 which may depend on the internal state of the value store repository, or in response to external security commands from client system 11, processor unit 4 can lock all of the value stores 3' to inhibit electronic funds transfers and hence to provide a low incentive for theft of the value stores 3'.
  • An electronic commerce system contains multiple repositories of the repository 2' type for electronic funds transfers, and a variable number of repositories (like repositories 2' and 2" in FIG. 2) may be in use at any time.
  • Repositories in normal operation in response to commands from the client system 11, move electronic funds into and out of the value stores 3'.
  • the movement of electronic funds is usually with the funds client 10 as a deposit to the repository 2', or a withdrawal from the repository 2'.
  • a special normal deactivate control sequence is sent to the repository 2' from the computer system 7 that conditions the repository for normal removal from service.
  • The computer system 7 will transfer all electronic funds out of the to-be-removed repository 2' into another repository 2".
  • The computer system 7 may explicitly lock the value stores 3' in the repository 2' to be removed. In either case, without access to any electronic funds in the repository 2', there is little incentive for theft of the repository 2' or of value stores 3' conditioned for normal removal.
  • Repository 2' at a later time, can be reinstalled into the same or a different system and, after unlocking of the value stores if required with a normal reactivate control sequence, placed into operation.
  • repository 2' secures the value stores 3'.
  • securing may involve one or both of removing valuable data from all of the value stores 3' and locking the value stores
  • the process of securing may be accomplished solely by the processor unit 4, or in cooperation with the computer system 7 if the computer system 7 is available.
  • the process of removing valuable data typically requires cooperation of the computer system 7 to move the value to a different, possibly remote, location such as repository 2".
  • Locking each of the value stores 3' within that repository 2' prevents some or all further operations without exceptional intervention.
  • Either or both removing valuable data or locking the value stores 3' eliminates incentives for theft. Exceptional intervention is an administratively secure recovery procedure that is performed to recondition a repository for further use and for recovery of the electronic funds contained therein at the time of the intrusion.
  • Funds then may be recovered only by an exceptional secure recovery procedure (backdoor mechanism) under authorized control.
  • Each of the repositories such as repositories 2' and 2" may be designed to contain a PIN (or PINs) that function as a locking encryption key to lock the value stores 3' on intrusion.
  • the PIN can be stored only in the value store 3' or can be stored elsewhere in the repository 2' such as in memory that forms part of the processor unit 4.
  • security is improved by having the PIN erased in the repository 2' after its use.
  • the value stores 3' are locked with the PIN (or PINs) that function as locking encryption keys.
  • In order to recover the electronic funds after an intrusion, the PINs must be recovered. In practice, security is improved if PINs, or the ability to generate PINs, are not contained anywhere in the FIG. 2 system. For example, the PINs for each repository can be stored in a physically secure and remote place. Alternatively, PINs are generated using cryptographic techniques that depend on private knowledge of a security manager or require possession of a special security device used for restoring value stores to normal operating condition.
  • FIG. 3 the different phases of operation of the system of FIG. 2 are shown and include the STOPPED PHASE 2-1, the WORKING PHASE 2-2, the SECURING PHASE 2-3, and the SUSPENDED PHASE 2-4.
  • the value store repository 2' initiates processing in the STOPPED PHASE.
  • the STOPPED PHASE 2-1 determines the condition of the system and, if processing can proceed, the phase 2-1 processing sends a working advisory to computer system 7 and flows to the WORKING PHASE 2-2.
  • the WORKING PHASE supervises the processing that allows the funds transfer processing between the value store 3' and the funds client 10 to occur under normal secure circumstances as a result of operation of the computer 7 and the funds client 10. However, under any one or more possible security violations, the WORKING PHASE 2-2 flows control to the SECURING PHASE 2-3 after sending a SECURING advisory to the computer system 7.
  • the flow includes, for example, a SECURE_REQ test, an INTRUSION test, and a POWER_FAIL_IMMINENT test.
  • the SECURING PHASE 2-3 operates to secure and lock the value stores 3' so that no further funds transfers can occur. After locking the value stores 3', the SECURING PHASE 2-3 sends a VS_LOCKED advisory to computer system 7 to indicate that the value stores 3' have been locked and then sends a SUSPENDED advisory to computer system 7 and flows to the SUSPENDED PHASE 2-4.
  • the SUSPENDED PHASE 2-4 can also be entered by flows from the STOPPED PHASE 2-1 or the WORKING PHASE 2-2. In the suspended phase, the repository 3' is not responsive to some or all security threats, allowing removal or service of the repository.
  • the SUSPENDED PHASE 2-4 flows to the STOPPED PHASE 2-1 on receipt of a
  • the operation of the phases of FIG. 3 ensures that upon any detection of a potential security breach, either directly through tampering or indirectly through a power failure or loss of communications, operating value stores 3' are immediately locked so that funds transfer cannot be achieved until the value stores 3' are once again unlocked. In this manner, the system operates to thwart interference with the repository 2' and any unauthorized funds withdrawal from the value stores 3'.
  • the value stores 3' typically are smart cards (small credit-card size or smaller security controlled devices imbedded in plastic) which store electronic value in banks or other financial institutions.
  • the STOPPED PHASE 2-1 of FIG. 3 is shown in further detail in flow chart form in FIG. 4.
  • the STOPPED PHASE START state flows to the power fail imminent test (POWER_FAIL_IMMINENT).
  • POWER_FAIL_IMMINENT test gives a YES result if the power detect unit 23 determines a loss of connection to an external power source or a reduction in the voltage available from the external power source, and otherwise gives a NO result.
  • a YES result from the POWER_FAIL_IMMINENT test returns to the beginning after the STOPPED PHASE START and prevents further processing until power failure ceases to be imminent.
  • a NO result flows to the power good test (POWER GOOD).
  • the power good test gives a YES result if the power detect unit 23 determines that power has been restored to an adequate operating level from a previous power failure condition, and otherwise gives a NO result.
  • a NO result flows to the POWER_FAIL_IMMINENT test after the STOPPED PHASE START and prevents further processing until a YES result occurs for the power good test.
  • a YES result for the POWER GOOD test flows to the system good test (SYSTEM_GOOD).
  • the system test may cause execution of internal diagnostic procedures.
  • the SYSTEM_GOOD test gives a YES result if there are no internally detected failures in the value store repository 2' and no other failures of operation, and otherwise gives a NO result. Failures of operation may include deviations from established operating norms, for example repeatedly providing bad passwords. A NO result for the SYSTEM_GOOD test flows to the send system bad task (SEND SYSTEM_BAD), which sends a SYSTEM_BAD advisory to computer system 7 and flows to the send suspended task (SEND SUSPENDED), which sends a SUSPENDED advisory to computer system 7 and flows to the SUSPENDED PHASE START of FIG. 7.
  • a YES result on the SYSTEM_GOOD test flows to the send working task
  • the WORKING PHASE 2-2 of FIG. 3 is shown in flow chart form in FIG. 5.
  • the WORKING STATE START of FIG. 5 flows to the suspend request test (SUSPEND_REQ).
  • the SUSPEND_REQ test gives a YES result if computer system 7 has delivered a suspend command to the value store repository 2' and otherwise gives a NO result.
  • a YES result of the SUSPEND_REQ test flows to the task that terminates normal processing (TERMINATE_OUTSTANDING_REQUESTS).
  • the TERMINATE_OUTSTANDING_REQUESTS task causes the value store repository 2' to abort or otherwise stop all in-process and pending transactions that may have been initiated by computer system 7.
  • the TERMINATE_OUTSTANDING_REQUESTS task flows to the SEND
  • a NO result of the SUSPEND_REQ test flows to the SYSTEM_GOOD test.
  • a YES result from the SYSTEM_GOOD test flows to the POWER_FAIL_IMMINENT test.
  • POWER_FAIL_IMMINENT test flows to the communications availability test (COMMS_OK).
  • the COMMS_OK test gives a YES result if communications have not been lost to client system 11, and otherwise gives a NO result.
  • a YES result to the COMMS_OK test flows to the INTRUSION test.
  • a NO result from the SYSTEM_GOOD test, a YES result from the POWER_FAIL_IMMINENT test, a NO result from the COMMS_OK test or a YES result from the INTRUSION test flows to the SEND SYSTEM_BAD task, which flows to the TERMINATE_OUTSTANDING_REQUESTS task, which flows to the send securing task (SEND SECURING), which sends a security advisory to computer system 7.
  • the SEND SECURING task flows to the SECURING PHASE START of FIG. 6.
  • a NO result on the INTRUSION test flows to the secure request test (SECURE_REQ).
  • the SECURE_REQ test gives a YES result if computer system 7 has delivered a secure command to the value store repository 2' and otherwise gives a NO result.
  • a YES result of the SECURE_REQ test flows to the TERMINATE_OUTSTANDING_REQUESTS task, which in turn flows to the SEND SECURING task, which in turn flows to the SECURING PHASE START of FIG. 6.
  • a NO result of the SECURE_REQ test flows to the test for other computer requests (OTHER_COMPUTER_REQUEST).
  • the OTHER_COMPUTER_REQUEST test gives a YES result if a valid request has been received from the computer system 7 by the value store repository 2' and otherwise gives a NO result.
  • a NO result of the OTHER_COMPUTER_REQUEST test returns to the SUSPEND_REQ test after the WORKING PHASE START.
  • a YES result flows to the DISPATCH_REQUEST task which causes the initiation of the request received from computer system 7.
  • Possible requests include directives to transfer value between a value store 3' and a funds client 10, other directives necessary or desirable for the management of the repository 2', or a directive to lock or unlock one or more value stores 3'.
  • a lock directive may specify use of a key or keys included or otherwise associated with the directive, or may specify use of a key previously stored in the repository 2' or a random key generated in the repository
  • Locking directives may be part of a normal deactivate control sequence. After action specified by the lock directive is complete, the key or keys used, if any, may be deleted from storage in the repository 2', thus making the keys not available to an intruder by inspection or dismantling of the repository 2'.
  • An unlock directive may specify use of a key or keys included or associated with the directive, or may specify use of a key previously stored in the repository 2' or a random key generated by the processor unit 7.
  • unlock directive may use that mechanism.
  • Unlocking directives may be part of a normal reactivate control sequence. After the DISPATCH_REQUEST task, flow returns to the SUSPEND_REQ test after the WORKING PHASE START.
SECURING PHASE — FIG. 6
  • the securing phase starts with SECURING PHASE START which flows to the task which dispatches the directive to lock the value stores (DISPATCH LOCK_VALUE_STORES).
  • the DISPATCH LOCK_VALUE_STORES task has the function of immediately locking all value stores 3' so that any further access to the value stores 3' is prevented until the value stores 3' are again unlocked.
  • the DISPATCH LOCK_VALUE_STORES task flows to the send value stores locked task (SEND VS_LOCKED).
  • the SEND VS_LOCKED task sends a value store locked advisory to computer system 7 and flows to the SEND SUSPENDED task which transfers to the SUSPENDED PHASE START of FIG. 7.
  • the DISPATCH LOCK_VALUE_STORES task can be carried out in a number of different ways.
  • if a PIN is stored in the value stores 3' to be locked, then a simple lock command is all that is required to implement this task.
  • a PIN must be supplied together with the lock command in order for the value stores 3' to recognize the lock command.
  • the PIN is stored in the processor 4 of FIG. 1 and is accessed and used as part of the DISPATCH LOCK_VALUE_STORES task to effectuate the locking of the value stores 3'. Once the PIN has been accessed and used from the processor 4 to lock the value stores 3', the PIN is typically erased.
  • the task causes the multiple attempts and the value store 3' becomes locked by its own internal operation and is only unlockable by accessing the appropriate external unlocking codes.
  • processing in the suspend phase commences with SUSPENDED PHASE START.
  • the SUSPENDED PHASE START flows to the POWER_FAIL_IMMINENT test.
  • POWER_FAIL_IMMINENT test flows to the SEND SYSTEM_BAD task which flows to the SEND STOPPED task which sends a stopped advisory to computer system 7 and which then returns to the STOPPED PHASE START of FIG. 4.
  • a NO result of the POWER_FAIL_IMMINENT test flows to the resume request test (RESUME_REQ).
  • the RESUME_REQ test gives a YES result if a resume command has been received from computer system 7, and otherwise gives a NO result.
  • a YES result of the RESUME_REQ test flows to the SEND
  • OTHER_COMPUTER_REQUEST test flows to the DISPATCH_REQUEST task.
  • the SUSPENDED PHASE may honor only some of the possible requests. For example, directives to transfer value between a value store 3' and a funds client 10 or directives to unlock one or more value stores 3' may not be allowed.
  • flow returns to the POWER_FAIL_IMMINENT test after the SUSPENDED PHASE START.
  • the repository 2' includes the security and processor units 84, which correspond to the processor unit 4 and security unit 5 of FIG. 2, and a plurality of value stores 3'.
  • the value stores 3' are within a chamber 83 and physically and electrically engage the base 86.
  • a tray cover 85 engages the top of the value stores 3' which, under the contact pressure of a repository cover 82, forces the value stores 3' into engagement with the base 86.
  • the cover 82 is hinged to the base 84 and is rotatable as shown to the phantom position 82'. When the cover 82 is opened to position 82', the tray cover
  • the repository 2' includes electrical cables 80 for supplying power to and communications to and from the repository 2'.
  • FIG. 9 an end view of the repository 2' of FIG. 8 is shown.
  • the repository cover 82 in the closed position engages the tray cover 85 which in turn engages the value stores 3' to force the value stores 3' into electrical contact with the base 86 of the value store 2'.
  • the cover extension 78 engages a lock 79 which locks the cover 82 in the closed position.
  • Lock 79 has a securing mechanism 77 which has a slow release for unlocking the cover extension 78 and cover 82.
  • the securing mechanism 77 is, for example, a fine threaded screw which, in normal operation, takes a delay time to disengage the repository cover extension 78.
  • the design pitch for the screw and the other mechanical design parameters give assurance that absent exceptional means that could cause visible physical damage, the delay time required to disengage the cover 78 is sufficient to allow the value stores 3' to be electronically locked. While a fine threaded mechanical screw is one preferred delay time embodiment, any conventional delay time mechanism can be employed. For example, hydraulic releases with pre-timed delays can be employed and electronic releases with delay counters can be employed.
  • the repository cover 82 is shown rotated to the phantom position 82' together with the repository cover extension in the position at 78'. The opening of the repository cover to 82' allows the tray cover 85 to be removed from the opening 83 and thereby to permit the value stores 3' to be removed from the base 86. In FIG.
  • FIG. 10 a top view of the repository 2' of FIG. 8 is shown.
  • the cover 82 in FIG. 8 is rotated to the vertical position 82 in FIG. 10 to reveal the base 86.
  • the base 86 includes 16 receiving positions 87 for receiving value stores 3' of FIG. 2.
  • Each of the receiving positions 87 of FIG. 10 includes six to eight pressure mounted contacts 88 for making electrical contact to value stores 3. The number of contacts depends on the design of the smart card chip.
  • FIG. 11 a top view of the tray cover 85 is shown. On the bottom side of the tray cover 85 are receiving positions 89 which are designed to engage value stores 3' when the tray cover 85 is superimposed over the corresponding positions 87 in the repository base 86 of FIG. 10.
  • FIG. 12 a top view of a position 87 (slot 87), typical of all 16 of the positions 87 in FIG. 10, is shown.
  • the slot 87 includes the pressure actuated contacts 88.
  • FIG. 13 a side view of the position 87 of FIG. 12 is shown.
  • the position 87 includes the pressure actuated contacts 88 which are retractable into the openings 91 into the base 86.
  • the openings 91 include, for example, springs or other mechanisms for forcing the contacts 88 outwardly from the openings 91.
  • Any conventional spring mounted or otherwise pressure contact 88 can be employed.
  • FIG. 14 a value store 3', typical of the value stores 3' in FIG. 8 and FIG. 9, is shown.
  • the value store 3' includes the electrical contacts 90 which are located in a position adapted to engage the pressure contacts 88 in the slot 87 of base 86, as shown in FIG. 13.
  • FIG. 15 a top view of the value store 3' of FIG. 14 is shown, together with the six contacts 90.
  • the value store 3' of FIG. 14 is engaged with the slot 87 of base 86 in FIG. 13, so that the spring loaded contacts 88 engage the contacts 90 in the value store 3'.
  • the FIG. 16 representation of the value store 3' engaged with the slot 87 in base 86 is typical of the engagement that occurs with the cover closed in FIG. 8 and FIG. 9.
  • FIG. 8 through FIG. 16 represent the aspects of the engagement and disengagement of value stores 3' into and out of the repository 2'.
  • the mechanical robustness and corresponding resistance to intrusion of the repository 2' is a matter of design choice.
  • the security units 84 can, as a matter of design choice, include any number of sensing devices.
  • temperature sensing devices, motion sensing devices, tray cover position sensors, repository door position sensors and other conventional sensors may all be employed to sense either the normal condition of the repository 2' or to sense when security of the repository may be in jeopardy.
  • the lock 79 and the lock securing mechanism 77 may include a sensor which detects any unlock motion of the lock securing mechanism 77 to initiate the lockdown of the value stores 3'.
  • since the securing mechanism 77 is designed to include a minimum unlock delay which exceeds the time required to lock the value stores 3', the value stores 3' will be automatically locked in response to any unexpected movement of the securing mechanism 77.
  • the mechanical security imposed by the repository as described in connection with FIG. 8 through FIG. 16 guarantees to any level of mechanical design that the value stores 3' will be locked before an unauthorized intrusion can occur.
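The four phases of FIG. 3 through FIG. 7, the locking of every value store with a PIN that is then erased from the enclosure (with the fallback of provoking the card's own bad-PIN lockout when no PIN is held), and the refusal of transfers from a locked store, as an added Python model. It is not the patent's own code (the application describes no software), and it also serves the Summary's enumerated embodiments below on locking keys being discarded from the security enclosure. The event keys (`power_fail_imminent`, `intrusion`, `secure_req` and so on), the request shapes, the `MAX_BAD_PINS` lockout count and the choice that a resume from SUSPENDED re-enters STOPPED (the page's own description of that flow is cut off, so this follows the phase diagram of FIG. 3) are all constructed assumptions.

```python
"""Added model (not the patent's code) of the repository phase machine of FIGs. 3 to 7: PIN-keyed
locking of all value stores on any threat, erasure of the PIN after use, and cards that lock
themselves after repeated bad PINs. Event keys, request shapes and counts are assumptions."""
from dataclasses import dataclass, field
from typing import Optional
import hmac
import secrets

MAX_BAD_PINS = 3   # assumed card policy: this many bad PINs self-lock the card (backdoor only)


@dataclass
class ValueStore:          # smart-card-like net value store (3') whose lock is keyed by its PIN
    balance: int
    pin: str
    locked: bool = False
    bad_attempts: int = 0

    def lock(self, pin: str) -> bool:
        ok = hmac.compare_digest(pin, self.pin)
        self.locked = self.locked or ok
        return ok

    def unlock(self, pin: str) -> bool:
        if self.bad_attempts < MAX_BAD_PINS and hmac.compare_digest(pin, self.pin):
            self.locked, self.bad_attempts = False, 0
            return True
        self.bad_attempts += 1
        self.locked = self.locked or self.bad_attempts >= MAX_BAD_PINS
        return False

    def transfer(self, amount: int) -> bool:   # debit toward a funds client (10); refused when locked
        ok = not self.locked and 0 < amount <= self.balance
        self.balance -= amount if ok else 0
        return ok


@dataclass
class Repository:
    stores: list
    lock_pin: Optional[str]                 # PIN kept in processor unit 4 memory until used
    phase: str = "STOPPED"
    advisories: list = field(default_factory=list)   # advisories sent to computer system 7

    def _go(self, phase: str, *advs: str) -> None:
        self.advisories += advs
        self.phase = phase

    def step(self, ev: dict) -> str:
        """One pass of the current phase's flow chart (FIGs. 4, 5, 7) on the test inputs in ev."""
        power_fail = bool(ev.get("power_fail_imminent"))
        if self.phase == "STOPPED" and not power_fail and ev.get("power_good", True):
            if ev.get("system_good", True):
                self._go("WORKING", "WORKING")
            else:
                self._go("SUSPENDED", "SYSTEM_BAD", "SUSPENDED")
        elif self.phase == "WORKING":
            threat = (not ev.get("system_good", True) or power_fail
                      or not ev.get("comms_ok", True) or bool(ev.get("intrusion")))
            if ev.get("suspend_req"):
                self._go("SUSPENDED", "SUSPENDED")
            elif threat or ev.get("secure_req"):
                self._go("SECURING", *(["SYSTEM_BAD"] if threat else []), "SECURING")
                self._securing_phase()
            elif "request" in ev:
                self.dispatch(ev["request"])
        elif self.phase == "SUSPENDED":     # transfer and unlock requests are not honoured here
            if power_fail:
                self._go("STOPPED", "SYSTEM_BAD", "STOPPED")
            elif ev.get("resume_req"):      # assumption: resume re-enters STOPPED, which re-checks power
                self._go("STOPPED", "STOPPED")
        return self.phase                   # a STOPPED repository without good power simply waits

    def _securing_phase(self) -> None:
        """FIG. 6: lock every value store at once, then erase the PIN from the enclosure."""
        for vs in self.stores:
            if self.lock_pin is not None:
                vs.lock(self.lock_pin)
            else:                           # no PIN held: provoke the card's own lockout instead
                for _ in range(MAX_BAD_PINS):
                    vs.unlock(secrets.token_hex(8))
        self.lock_pin = None
        self._go("SUSPENDED", "VS_LOCKED", "SUSPENDED")

    def dispatch(self, req: dict) -> bool:
        """DISPATCH_REQUEST for transfer and unlock directives from computer system 7."""
        vs = self.stores[req["store"]]
        if req["kind"] == "transfer":
            return vs.transfer(req["amount"])
        return req["kind"] == "unlock" and vs.unlock(req["key"])


def demo() -> dict:   # constructed scenario: start, one transfer, then an intrusion locks everything
    repo = Repository([ValueStore(1000, "4711")], lock_pin="4711")
    repo.step({})                                                    # STOPPED -> WORKING
    repo.step({"request": {"kind": "transfer", "store": 0, "amount": 100}})
    repo.step({"intrusion": True})                                   # -> SECURING -> SUSPENDED
    return {"phase": repo.phase, "advisories": repo.advisories, "balance": repo.stores[0].balance,
            "pin_erased": repo.lock_pin is None, "locked": repo.stores[0].locked}
```

`demo()` returns the final phase, the advisories sent to computer system 7 in order, the remaining balance and whether the PIN was erased. Each call to `step` takes one dictionary of test inputs, so a power loss, a lost link and a tamper sensor are the same one-line event from the repository's point of view, which is the property the flow charts are built around: once a store is locked, the PIN needed to unlock it is no longer inside the enclosure, and a card locked by its own bad-attempt counter cannot be reopened by that PIN at all.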

Abstract

A secure repository for secure electronic storage, transfer and other processing of valuable data using security controlled devices. The repository transfers data from or to the security controlled devices in response to a client request from a client system. The repository includes a security enclosure containing the security controlled devices. Each security controlled device includes a lock unit for electronically locking the security controlled device. The repository includes a processor unit connecting a data transfer request from the client system to the security controlled devices and for transferring data from the security controlled devices. The repository includes a security unit for sensing a security breach and for responsively initiating a locking sequence for locking the security controlled devices to inhibit transfers of data from the security controlled devices.

Description

TITLE
THEFT DETERRENT REPOSITORY FOR SECURITY CONTROLLED
DEVICES
Background of the Invention
Field of the Invention: The present invention relates to the field of security in data processing and electronic commerce and particularly to methods and apparatus for secure storage and transfer of electronic funds and other valuable data.
Data processing systems have been used to store and transfer electronic funds, encryption codes and other valuable data. To deter theft of the valuable data, data processing systems have employed devices having some form of security control (security controlled devices). An example of such data processing systems are electronic funds systems where the security controlled devices are smart cards. Another example of such data processing systems are cryptographic systems where the security controlled devices are stores for encryption codes and algorithms for encrypting data. While cryptographic techniques have been used to protect communications to and from security controlled devices, cryptology alone does not protect against the theft of the security controlled devices themselves. Electronic funds, encryption codes and other valuable data can be stolen from a data processing system by stealing the security controlled devices themselves thereby stealing the valuable data contained therein or associated therewith.
In the field of electronic commerce, wire transfers are one electronic method for the transfer of value that involves the transfer of funds from one trusted party to another. In a wire transfer, one party makes a debit book entry and the other party makes a credit book entry as a result of valuable data electronically sent from one party to another in accord with preestablished procedures agreed to by the parties. The wire transfers are usually subject to clearing operations to verify that the debit and credit entries have been made correctly and to reconcile the accounts between the parties. The security of the wire transfer of funds is higher if the valuable data transfer that implements the wire transfer is encrypted using electronic encryption/decryption devices, codes or algorithms. Such electronic encryption/decryption devices or the devices that store the codes or algorithms need to be security controlled devices since, if these devices are stolen, the security of the wire transfers is compromised. In the field of electronic commerce, electronic cash is another electronic method for the transfer of value that involves the transfer of funds from one party to another. Electronic cash methods include two types of transfers, namely certificated value and net value transfers.
For the certificated value type of electronic cash, an issuer generates electronic value or transaction records, generally cryptographically encoded and signed, that represent distinct amounts of value. These electronic value or transaction records may be passed from one electronic cash device to another electronic cash device. For example, the transfer of funds occurs from a small portable electronic cash device (smart card) held by one party to an electronic cash device held by another party. In one form common to consumers, smart cards are portable cards similar in form and size to common credit or debit cards. In an alternate miniature form, the size is reduced to contain small contact area and internal electronics only. Typically, a smart card is issued by the issuer and dispensed to a first party (for example, a purchaser) where the card is pre-loaded or subsequently loaded with stored electronic value or transaction records (certificates), the electronic value record (certificate) is passed by the first party to an electronic cash device of another party (for example, a merchant) and, eventually, the electronic value record (certificate) is returned to the issuer by the other party for redemption in the amount of the electronic value record (certificate). Usually, electronic cash devices used by merchants, banks and other financial institutions are under the administrative and technical control of an issuer. Electronic cash devices that contain electronic value records need to be security controlled devices since, if these devices are stolen, the amount of money represented by the electronic value record (certificate) can be permanently lost.
For the net value type of electronic cash, the electronic value is represented by the net amount stored in an electronic device without need for further external accounting. Specifically, in the net value type of electronic cash, the value is not represented by electronic certificates or transaction records that must be transferred and redeemed from an issuer. The net value type of electronic devices are called value stores and each is capable of storing a net amount of value that reflects the accumulated aggregate of value transfers from and to that value store from other value stores.
Value stores can be implemented using cards (smart cards) that are similar to those used for the certificated value type of electronic cash except that the rules controlling the transfer of value are appropriate for the net value type of electronic cash. In an electronic funds system, merchants, banks or other institutions are the issuers that issue value stores (in the form of smart cards) to customers. The issuer in turn retains value stores capable of performing transactions with the value stores of its customers and others. An issuer may require tens or hundreds of value stores to conduct transactions with the value stores in the possession of its customers or correspondent institutions. Electronic value stores need to be security controlled devices since, if these devices are stolen, the amount of money represented by the electronic net value stored can be permanently lost.
Physical security is a typical method of protecting security controlled devices. In electronic funds environments, the individual security controlled devices are small devices that are easily concealed and moved. If the security controlled devices are value stores in a bank or other institution, the value stores are frequently contained in locked and guarded vaults with stringent access controls to the vaults. However, such physical security is increasingly difficult as security controlled devices are further miniaturized and as security controlled devices are distributed to remote locations and institutions without vaults.
Because of the limitations and high costs of physical security, various methods have been provided to electronically enable and disable security controlled devices so that in the disabled state, they offer a reduced value to potential thieves. Previous systems have reduced the incentive for theft by manually removing valuable data from security controlled devices or by using secure operating modes for transfers involving security controlled devices.
The secure operating modes for security controlled devices are frequently manually implemented and frequently employ a data key such as a Personal Identification Number (PIN). In one commonly used implementation, a value store may be locked to inhibit the normal action of removing electronic funds so that restoration of the ability to remove electronic funds from the value store that is disabled or locked requires use of a previously determined PIN to unlock the value store. The PIN number may or may not be changeable depending on the design of the value store. Procedures are required for creation and distribution of PIN numbers, and of course the consequences of performing incorrect security procedures render the value store not accessible by the ordinary means.
In another PIN implementation, a PIN number is required for the lock operation as well as for the unlock operation. The lock and unlock PIN numbers may be the same or different and they each may be fixed or changeable. In this variation, transaction durations are increased in order to accommodate the lock and unlock operations and sustainable transaction rates to value stores are reduced because of the PIN operations that must be performed. Difficulties resulting from the distribution of and procedures for use of PIN numbers remain present in such implementations.
In a high-security variation, a PIN number unique to the lock operation must be supplied with the lock operation and again to reverse the lock operation. In this variation, transaction duration is increased and sustainable transaction rate to a value store is reduced because of the additional restrictions on the PIN operations. This variation is sometimes called a single-use key method. Difficulties from distribution of and procedures for use of PIN numbers are more complicated.
In another high-security variation, the value store requires the presentation of the PIN number before every occurrence of some or all operations, but the relocking is automatic after each operation. In this variation, compared to the previous high-security variation, the transaction duration is slightly decreased and the sustainable transaction rate to a value store is slightly increased because a manual lock operation is not required after each operation.
Methods of unlocking value stores are varied. A first (primary) method of unlocking value stores employs an unlocking sequence in which a first unlocking key (primary unlocking key) is used to unlock locked value stores. The unlocking key must be available from some source. A second method of unlocking value stores, used in addition to the first method, operates independently of any requirement for knowledge of the value of the primary unlocking key. This second method, sometimes called a backdoor method, may be used, for example, by a security manager to unlock a value store when the primary key to unlock that value store has been lost, intentionally erased, or never supplied. A backdoor method may be required to unlock a value store where a security mechanism internal to the value store automatically locks the value store in response to an external security threat. An example of such a security threat exists where repeated unsuccessful attempts to unlock a locked value store occur and the repeated unsuccessful attempts are detected by the value store itself. While backdoor methods of unlocking provide flexibility, strong security is required to protect against fraudulent use of a backdoor method. The aforementioned security procedures have the following general disadvantages:
Methods which disable operation of security controlled devices generally are effective only for security controlled devices that are not in use, since value stores that are locked cannot be used to dispense electronic funds. While conventional PIN methods can improve security for an individual value store, they do not protect other value stores that may be similarly situated and may soon come under attack. In order to be effective, rigorous training and discipline of staff is required. If the distribution of PIN numbers is not well controlled, PIN numbers will be unavailable when needed.
The knowledge of the methods for enabling and disabling the security controlled devices must be widespread among authorized agents. For example, if a large staff like that in the institutional environment of a bank requires access to security controlled devices, then the keys (PIN numbers) and the knowledge of how to enable and disable value stores must be imparted to or available to that large staff. The process of generating, storing and distributing the keys makes the system susceptible to invasion for theft and hence reduces security. The security processing can be time consuming. For example, the process of locking or unlocking a value store may require multiple manual operations.
Procedures become progressively more onerous as the number of security controlled devices in a system increases. The use of manual key (PIN) operations causes a transaction duration to increase undesirably and causes the sustainable transaction rate to a security controlled device (value store) to be reduced undesirably. These increases and decreases result because, prior to valuable data transfer, an unlock operation must be performed, and subsequent to the valuable data transfer, a lock operation must be performed. The prior and subsequent operations consume communications time and processing time including the time required to generate commands and perform the operations for validating and otherwise processing keys (PIN's).
While the foregoing disadvantages and limitations exist when the agents are individuals interacting with one or a small number of value stores, the problems are magnified in a setting where there are many agents sharing access to many value stores, particularly when the value stores are unattended.
In light of the problems of prior art systems, there is a need for improved methods and apparatus for secure electronic storage, transfer and other processing of valuable data using security controlled devices and particularly for secure repositories which remove incentives for theft.
Summary of the Invention
The present invention is a secure repository for secure electronic storage, transfer and other processing of valuable data using security controlled devices. The repository transfers data from or to the security controlled devices in response to a client request from a client system. The repository includes a security enclosure containing the security controlled devices. Each security controlled device includes a lock unit for electronically locking the security controlled device. The repository includes a processor unit connecting a data transfer request from the client system to the security controlled devices and for transferring data from the security controlled devices. The repository includes a security unit for sensing a security breach and for responsively initiating a locking sequence for locking the security controlled devices to inhibit transfers of data from the security controlled devices. The present invention includes various embodiments wherein:
The locking sequence obtains locking keys from the processor unit and applies the locking keys to lock the security controlled devices.
The locking sequence includes discarding the locking keys after the security controlled device is locked so that the locking key does not remain in the security enclosure.
The locking sequence includes obtaining locking keys from the client system and applying the locking keys to lock the security controlled devices. The processor unit randomly generates the locking key and discards the locking key after the security controlled device is locked so that the locking key does not remain in the security enclosure. The security controlled device includes means for sensing a security breach and for responsively automatically locking the security controlled device.
The security controlled devices include unlocking means for unlocking the security controlled devices to permit transfers of data from the security controlled devices.
The unlocking means responds to an unlocking sequence for unlocking the security controlled devices.
The unlocking sequence includes a primary unlocking sequence and a backdoor unlocking sequence. The locking sequence obtains locking keys from the processor unit, applies the locking keys to lock the security controlled devices and discards the locking keys after the security controlled devices are locked so that the locking keys do not remain in the security enclosure, and each of the security controlled devices includes unlocking means responsive to a backdoor sequence for unlocking the security controlled devices to permit transfers of data from the security controlled devices.
The foregoing and other objects, features and advantages of the invention will be apparent from the following detailed description in conjunction with the drawings.
Brief Description of the Drawings FIG. 1 depicts a block diagram of the repository of security controlled devices in accordance with the present invention.
FIG. 2 depicts a block diagram of the repository of FIG. 1 where the security controlled devices are value stores for storing electronic funds.
FIG. 3 depicts a block diagram representation of the phases of operation of the repository of FIG. 2.
FIG. 4 depicts a block diagram representation of the stopped phase of FIG. 3.
FIG. 5 depicts a block diagram representation of the working phase of FIG. 3.
FIG. 6 depicts a block diagram representation of the securing phase of FIG. 3.
FIG. 7 depicts a block diagram representation of the suspended phase of FIG. 3.
FIG. 8 through FIG. 16 depict schematic representations of the repository of FIG. 1.
Detailed Description of the Invention
Repository for Security Controlled Devices — FIG. 1
In FIG. 1, a repository 2 contains one or more security controlled devices 3, a processor unit 4 and a security unit 5. The security controlled devices 3 are available for storing, transferring or otherwise processing valuable data. The repository 2 is connected through network 12 to client system 11. Client system 11 typically includes a personal computer (PC) or computer server used for electronic commerce, encryption or other operations relating to transfers of valuable data. Network 12 is any public or private network or other connection such as a local area network, dedicated direct connection, a telephone network or the Internet.
In FIG. 1, the security controlled devices 3 typically can be locked by the lock unit 28 to inhibit all or some kinds of valuable data transfer to or from the security controlled devices 3. Typically, a key such as a PIN is required to unlock a security controlled device 3 by operation of the unlock unit 29 to permit valuable data transfers. Security controlled devices 3 that contain no valuable data, or that are locked so that valuable data cannot be accessed, offer low incentive for theft. In FIG. 1, the processor unit 4 typically contains one or more microprocessors that operate to process normal transactions related to valuable data transfers and to process exceptional conditions related to the security of the system. Exceptional conditions include physical intrusion into the repository 2, power failure, tampering and unauthorized processor interrupts or other operations. The processor unit 4 typically includes batteries, capacitors or similar power storage devices required to ensure a supply of power and other necessities that remain operable, after disconnection from an external power source, for a sufficient time to perform security and shutdown procedures. The processor unit 4 may include fixed or loadable programs executed by programmed microprocessors, or may be implemented in fixed electronic components. The actions taken by the processor unit 4 in response to external signals may depend on previous signal inputs that change the internal state of the processor unit 4.
In FIG. 1, the security unit 5 includes control logic which functions in response to loss of power, communication disconnection, intrusion or other security-compromising events to provide a security_compromised signal or other signals to alert the processor unit 4 that a possible insecure condition exists. In response to a security_compromised signal, in response to internal security algorithms executed in processor unit 4, or in response to external security commands from client system 11, processor unit 4 locks all of the security controlled devices 3 to inhibit valuable data transfers and hence to provide a low incentive for theft of the security controlled devices 3.
Repository for Security Controlled Devices — FIG. 2
In FIG. 2 an embodiment of FIG. 1 is shown wherein a repository 2' (and additional repositories such as repository 2", which may or may not be of similar design to repository 2') contains one or more security controlled devices 3', a processor unit 4, and a security unit 5. In the FIG. 2 embodiment, the security controlled devices 3 of FIG. 1 are value stores 3' that are typically smart cards loaded in card readers for reading and transferring electronic funds. The terms electronic funds and electronic cash include money, frequent flyer miles or any other measure of value. The value stores 3' may store multiple millions of dollars (or other currency or other valuable tokens) in electronic form and hence need to be secure. The value stores 3', because of their small size, are even greater potential targets for theft or fraud than are more bulky cash deposits.
Client system 11 is typically a personal computer (PC), computer server or other computer system 7 connected through network 9 to funds clients 10 for electronic commerce. Network 12 is any public or private network or other connection such as a local area network, dedicated direct connection, a telephone network or the Internet. Similarly, network 9 is any public or private network or other connection such as a local area network, dedicated direct connection, a telephone network or the Internet. Network 12 may be distinct from or the same as network 9. One or more funds clients 10 are correspondent entities for receiving or sending funds from or to the value store repository 2' and repository 2".
In FIG. 2, the computer system 7 typically is a computing system of a bank, retailer, or other entity needing simultaneous or secure access to value stores 3'. The funds clients 10 typically are merchants or individuals dealing in electronic funds transfer with the owner or operator of the computer system 7. If the repository 2' contains funds for a financial institution like a bank, the funds clients 10 likely are customers of the bank or other financial institutions. If the repository 2' contains funds of an individual or a merchant, the funds clients 10 typically are other individuals or merchants, or financial institutions associated with the individuals or merchants associated with the repository 2'. The computer system 7 may be capable of receiving advisory messages from the value store repository 2'. Although correct operation of the value store repository 2' does not depend on correct receipt of advisories by the computer system 7, the computer system 7 may use advisory messages to control operations of the client system 11.
In FIG. 2, the security unit 5 includes a tamper detect unit 22 and a power detect unit 23. The tamper detect unit 22 functions to detect tampering with the repository 2' or with its contents, including the value stores 3', the processor unit 4 and the security unit 5. The tamper detect unit 22, for example, senses any physical intrusion into the repository 2' and senses when attempts are being made to remove components from the system, especially attempts to remove value stores 3'. Upon detection of tampering, tamper detect unit 22 provides the security_compromised signal to the processor unit 4. The power detect unit 23 functions to detect any loss of power to the repository 2' or to any of its contents, including the value stores 3', the processor unit 4 or the security unit 5. The power detect unit 23 includes, for example, sensors which detect and signal normal operating power conditions and control logic which functions in response to loss of power or disconnection from an external power source to sense a power_fail_imminent condition. Upon detection of any power_fail_imminent condition, power detect unit 23 provides the security_compromised signal to the processor unit 4.
In response to a security_compromised signal, to internal security algorithms executed in processor unit 4 (which may depend on the internal state of the value store repository), or to external security commands from client system 11, processor unit 4 can lock all of the value stores 3' to inhibit electronic funds transfers and hence to provide a low incentive for theft of the value stores 3'.
Normal Operation Typically an electronic commerce system contains multiple repositories of the repository 2' type for electronic funds transfers and a variable number of repositories (like repositories 2' and 2 in FIG. 2) may be in use at any time. Repositories in normal operation, in response to commands from the client system 11, move electronic funds into and out of the value stores 3'. The movement of electronic funds is usually with the funds client 10 as a deposit to the repository 2', or a withdrawal from the repository 2'. However, there may be movements of electronic funds from one repository to another repository as a part of the electronic funds management process of the electronic commerce system as a whole.
Normal Removal from Operation
When, for maintenance or other normal operational reasons, a repository 2' is to be removed from an installation, a special normal deactivate control sequence is sent to the repository 2' from the computer system 7 that conditions the repository for normal removal from service. Typically, but not necessarily, in preparation for removal, the computer system 7 will transfer all electronic funds out of the to-be-removed repository 2' into another repository 2". Alternatively, or additionally, the computer system 7 may explicitly lock the value stores 3' in the repository 2' to be removed. In either case, without access to any electronic funds in the repository 2', there is little incentive for theft of the repository 2' or of value stores 3' conditioned for normal removal.
Repository 2', at a later time, can be reinstalled into the same or a different system and, after unlocking of the value stores if required with a normal reactivate control sequence, placed into operation.
Intrusion or Exceptional Removal
On detection of tampering, unexpected power loss, unexpected loss of connection to communications, or a specific command from the computer system 7, repository 2' secures the value stores 3'. Depending on the specific design of the value stores 3' and of the processor unit 4, securing may involve one or both of removing valuable data from all of the value stores 3' and locking the value stores 3'. The process of securing may be accomplished solely by the processor unit 4, or in cooperation with the computer system 7 if the computer system 7 is available. The process of removing valuable data typically requires cooperation of the computer system 7 to move the value to a different, possibly remote, location such as repository 2". Locking each of the value stores 3' within the repository 2' prevents some or all further operations without exceptional intervention. Either or both of removing valuable data and locking the value stores 3' eliminates incentives for theft. Exceptional intervention is an administratively secure recovery procedure that is performed to recondition a repository for further use and to recover the electronic funds contained therein at the time of the intrusion.
Methods of Locking
Many methods for locking value stores 3' are possible depending on the design of the value stores 3'. The present invention does not depend on any particular locking scheme. The following are examples of locking schemes. Some value stores 3' automatically lock up through operation of lock unit 28 after a number of unsuccessful unlock attempts detected by unlock unit 29. Funds then may be recovered only by an exceptional secure recovery procedure (backdoor mechanism) under authorized control.
Each of the repositories such as repositories 2' and 2 may be designed to contain a PIN (or PINs) that function as a locking encryption key to lock the value stores 3' on intrusion. Depending on the design of the value store 3' and the processor unit 4, the PIN can be stored only in the value store 3' or can be stored elsewhere in the repository 2' such as in memory that forms part of the processor unit 4. In the second case, security is improved by having the PIN erased in the repository 2' after its use. In either case, the value stores 3' are locked with the PIN (or PINs) that function as locking encryption keys.
In order to recover the electronic funds after an intrusion, the PINs must be recovered. In practice, security is improved if neither the PINs nor the ability to generate PINs is contained anywhere in the FIG. 2 system. For example, the PINs for each repository can be stored in a physically secure and remote place. Alternatively, PINs are generated using cryptographic techniques that depend on private knowledge of a security manager or require possession of a special security device used for restoring value stores to normal operating condition.
Operation Phases — FIG. 3
In FIG. 3, the different phases of operation of the system of FIG. 2 are shown and include the STOPPED PHASE 2-1, the WORKING PHASE 2-2, the SECURING PHASE 2-3, and the SUSPENDED PHASE 2-4.
In response to applying power or a reset, the value store repository 2' initiates processing in the STOPPED PHASE 2-1. The STOPPED PHASE 2-1 determines the condition of the system and, if processing can proceed, sends a WORKING advisory to computer system 7 and flows to the WORKING PHASE 2-2. The WORKING PHASE 2-2 supervises the processing that allows funds transfers between the value stores 3' and the funds client 10 to occur under normal secure circumstances as a result of operation of the computer system 7 and the funds client 10. However, on any one or more possible security violations, the WORKING PHASE 2-2 flows control to the SECURING PHASE 2-3 after sending a SECURING advisory to the computer system 7. The flow includes, for example, a SECURE_REQ test, an INTRUSION test and a POWER_FAIL_IMMINENT test. The SECURING PHASE 2-3 operates to secure and lock the value stores 3' so that no further funds transfers can occur. After locking the value stores 3', the SECURING PHASE 2-3 sends a VS_LOCKED advisory to computer system 7 to indicate that the value stores 3' have been locked, then sends a SUSPENDED advisory to computer system 7 and flows to the SUSPENDED PHASE 2-4. The SUSPENDED PHASE 2-4 can also be entered by flows from the STOPPED PHASE 2-1 or the WORKING PHASE 2-2. In the SUSPENDED PHASE 2-4, the repository 2' is not responsive to some or all security threats, allowing removal or servicing of the repository. The SUSPENDED PHASE 2-4 flows to the STOPPED PHASE 2-1 on receipt of a RESUME_REQ command from computer system 7, as the result of a POWER_FAIL_IMMINENT test, or as the result of a SYSTEM_GOOD test.
The operation of the phases of FIG. 3 ensures that upon any detection of a potential security breach, either directly through tampering or indirectly through a power failure or loss of communications, operating value stores 3' are immediately locked so that funds transfers cannot be achieved until the value stores 3' are once again unlocked. In this manner, the system operates to thwart interference with the repository 2' and any unauthorized funds withdrawal from the value stores 3'. The value stores 3' typically are smart cards (credit-card size or smaller security controlled devices embedded in plastic) which store electronic value for banks or other financial institutions.
STOPPED PHASE — FIG. 4
The STOPPED PHASE 2-1 of FIG. 3 is shown in further detail in flow chart form in FIG. 4. In FIG. 4, the STOPPED PHASE START state flows to the power fail imminent test (POWER_FAIL_IMMINENT). The POWER_FAIL_IMMINENT test gives a YES result if the power detect unit 23 determines a loss of connection to an external power source or a reduction in the voltage available from the external power source, and otherwise gives a NO result. A YES result from the POWER_FAIL_IMMINENT test returns to the beginning after the STOPPED PHASE START and prevents further processing until power failure ceases to be imminent. A NO result flows to the power good test (POWER_GOOD). The POWER_GOOD test gives a YES result if the power detect unit 23 determines that power has been restored to an adequate operating level from a previous power failure condition, and otherwise gives a NO result. A NO result flows to the POWER_FAIL_IMMINENT test after the STOPPED PHASE START and prevents further processing until a YES result occurs for the POWER_GOOD test. A YES result for the POWER_GOOD test flows to the system good test (SYSTEM_GOOD). Depending on the internal state of the repository 2', the system test may cause execution of internal diagnostic procedures. The SYSTEM_GOOD test gives a YES result if there are no internally detected failures in the value store repository 2' and no other failures of operation, and otherwise gives a NO result. Failures of operation may include deviations from established operating norms, for example repeatedly supplied bad passwords. A NO result for the SYSTEM_GOOD test flows to the send system bad task (SEND SYSTEM_BAD) which sends a SYSTEM_BAD advisory to computer system 7 and flows to the send suspended task (SEND SUSPENDED) which sends a SUSPENDED advisory to computer system 7 and flows to the SUSPENDED PHASE START of FIG. 7. A YES result on the SYSTEM_GOOD test flows to the send working task (SEND WORKING) which sends a WORKING advisory to computer system 7 and flows to the WORKING PHASE START of FIG. 5.
WORKING PHASE — FIG. 5
The WORKING PHASE 2-2 of FIG. 3 is shown in flow chart form in FIG. 5. The WORKING PHASE START of FIG. 5 flows to the suspend request test (SUSPEND_REQ). The SUSPEND_REQ test gives a YES result if computer system 7 has delivered a suspend command to the value store repository 2' and otherwise gives a NO result. A YES result of the SUSPEND_REQ test flows to the task that terminates normal processing (TERMINATE_OUTSTANDING_REQUESTS). The TERMINATE_OUTSTANDING_REQUESTS task causes the value store repository 2' to abort or otherwise stop all in-process and pending transactions that may have been initiated by computer system 7. The TERMINATE_OUTSTANDING_REQUESTS task flows to the SEND SUSPENDED task which flows to the SUSPENDED PHASE START state of FIG. 7.
A NO result of the SUSPEND_REQ test flows to the SYSTEM_GOOD test. A YES result from the SYSTEM_GOOD test flows to the POWER_FAIL_IMMINENT test. A NO result from the POWER_FAIL_IMMINENT test flows to the communications availability test (COMMS_OK). The COMMS_OK test gives a YES result if communications with client system 11 have not been lost, and otherwise gives a NO result. A YES result of the COMMS_OK test flows to the INTRUSION test. A NO result from the SYSTEM_GOOD test, a YES result from the POWER_FAIL_IMMINENT test, a NO result from the COMMS_OK test or a YES result from the INTRUSION test flows to the SEND SYSTEM_BAD task, which flows to the TERMINATE_OUTSTANDING_REQUESTS task, which flows to the send securing task (SEND SECURING) which sends a SECURING advisory to computer system 7. The SEND SECURING task flows to the SECURING PHASE START of FIG. 6.
A NO result on the INTRUSION test flows to the secure request test (SECURE_REQ). The SECURE_REQ test gives a YES result if computer system 7 has delivered a secure command to the value store repository 2' and otherwise gives a NO result. A YES result of the SECURE_REQ test flows to the TERMINATE_OUTSTANDING_REQUESTS task which in turn flows to the SEND SECURING task which in turn flows to the SECURING PHASE START of FIG. 6. A NO result of the SECURE_REQ test flows to the test for other computer requests (OTHER_COMPUTER_REQUEST). The OTHER_COMPUTER_REQUEST test gives a YES result if a valid request has been received from the computer system 7 by the value store repository 2' and otherwise gives a NO result. A NO result of the OTHER_COMPUTER_REQUEST test returns to the SUSPEND_REQ test after the WORKING PHASE START. A YES result flows to the DISPATCH_REQUEST task which causes the initiation of the request received from computer system 7. Possible requests include directives to transfer value between a value store 3' and a funds client 10, other directives necessary or desirable for the management of the repository 2', or a directive to lock or unlock one or more value stores 3'. A lock directive may specify use of a key or keys included with or otherwise associated with the directive, or may specify use of a key previously stored in the repository 2' or a random key generated in the repository 2'. If the value store 3' has an internal locking mechanism, the lock directive may specify activation of that mechanism. Locking directives may be part of a normal deactivate control sequence. After the action specified by the lock directive is complete, the key or keys used, if any, may be deleted from storage in the repository 2', thus making the keys unavailable to an intruder by inspection or dismantling of the repository 2'. An unlock directive may specify use of a key or keys included with or associated with the directive, or may specify use of a key previously stored in the repository 2' or a random key generated by the processor unit 4. If the value store 3' has an internal unlocking mechanism that depends on the use of a backdoor, the unlock directive may use that mechanism. Unlocking directives may be part of a normal reactivate control sequence. After the DISPATCH_REQUEST task, flow returns to the SUSPEND_REQ test after the WORKING PHASE START.
SECURING PHASE — FIG. 6
In FIG. 6, the securing phase starts with SECURING PHASE START which flows to the task which dispatches the directive to lock the value stores (DISPATCH LOCK_VALUE_STORES). The DISPATCH LOCK_VALUE_STORES task has the function of immediately locking all value stores 3' so that any further access to the value stores 3' is prevented until the value stores 3' are again unlocked. The DISPATCH LOCK_VALUE_STORES task flows to the send value stores locked task (SEND VS_LOCKED). The SEND VS_LOCKED task sends a VS_LOCKED advisory to computer system 7 and flows to the SEND SUSPENDED task which transfers to the SUSPENDED PHASE START of FIG. 7.
The DISPATCH LOCK_VALUE_STORES task can be carried out in a number of different ways. In one example, if a PIN is stored in the value stores 3' to be locked, then a simple lock command is all that is required to implement this task. In other embodiments of value stores 3', a PIN must be supplied together with the lock command in order for the value stores 3' to recognize the lock command. In such an embodiment, the PIN is stored in the processor unit 4 of FIG. 1 and is accessed and used as part of the DISPATCH LOCK_VALUE_STORES task to effectuate the locking of the value stores 3'. Once the PIN has been accessed from the processor unit 4 and used to lock the value stores 3', the PIN is typically erased.
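The locking sequence of the DISPATCH LOCK_VALUE_STORES task, together with the locking schemes listed under Methods of Locking above, is illustrated by the following added example. It is not code from the patent or from Amdahl; it simulates a smart-card value store and the processor unit in Python. The class and method names, the three-attempt lockout limit, the 16-byte key size and the sample balances and backdoor key are assumptions made for the illustration; the behaviour shown (a PIN-gated lock, automatic lockout after repeated unsuccessful unlock attempts, backdoor recovery under authorized control, and the locking key being handed to the client system and erased inside the enclosure) follows the text.

```python
"""Locking sequence for value stores in a repository (added example, not patent code)."""
import hmac
import secrets

MAX_UNLOCK_ATTEMPTS = 3   # assumed card policy; the text gives no number
KEY_BYTES = 16            # assumed locking-key size


class ValueStoreLockedOut(Exception):
    """The card has auto-locked; only the backdoor recovery procedure opens it."""


class ValueStore:
    """Smart-card value store with lock unit 28 / unlock unit 29 behaviour."""

    def __init__(self, balance_cents, backdoor_key):
        self.balance_cents = balance_cents
        self.locked = False
        self.lockout = False
        self._pin = None                       # locking key, held inside the card only
        self._failed = 0
        self._backdoor = bytes(backdoor_key)   # known to the security manager, not to the repository

    def lock(self, pin):
        """Lock under `pin`; transfers are refused until the card is unlocked again."""
        self._pin = bytes(pin)
        self.locked = True

    def unlock(self, pin):
        """Primary unlocking sequence; repeated failures trip the card's own lockout."""
        if self.lockout:
            raise ValueStoreLockedOut("auto-locked; backdoor recovery required")
        if self._pin is not None and hmac.compare_digest(self._pin, bytes(pin)):
            self.locked, self._pin, self._failed = False, None, 0
            return True
        self._failed += 1
        if self._failed >= MAX_UNLOCK_ATTEMPTS:
            self.lockout = True
        return False

    def backdoor_unlock(self, backdoor_key):
        """Exceptional secure recovery procedure under authorized control."""
        if not hmac.compare_digest(self._backdoor, bytes(backdoor_key)):
            return False
        self.locked = self.lockout = False
        self._pin, self._failed = None, 0
        return True

    def withdraw(self, cents):
        if self.locked:
            raise PermissionError("value store is locked")
        if cents > self.balance_cents:
            raise ValueError("insufficient funds")
        self.balance_cents -= cents
        return self.balance_cents


class ProcessorUnit:
    """Processor unit 4: applies locking keys and keeps none of them afterwards."""

    def __init__(self, stores):
        self.stores = list(stores)
        self.resident_keys = []   # anything left here is readable by dismantling the enclosure

    def dispatch_lock_value_stores(self, escrow, key=None):
        """Lock every store with `key` (from a lock directive) or a fresh random key,
        hand the key to `escrow` (client system or remote secure store, outside the
        enclosure) and zeroize the copy inside.  Returns the number of stores locked."""
        key = bytearray(key if key is not None else secrets.token_bytes(KEY_BYTES))
        escrow.append(bytes(key))          # leaves the enclosure before anything else
        self.resident_keys.append(key)
        for vs in self.stores:
            vs.lock(key)
        key[:] = b"\x00" * len(key)        # discard: overwrite, then drop the reference
        self.resident_keys.clear()
        return len(self.stores)

    def dispatch_unlock_value_stores(self, key):
        """Normal reactivate control sequence; a locked-out card is reported (None), not opened."""
        results = []
        for vs in self.stores:
            try:
                results.append(vs.unlock(key))
            except ValueStoreLockedOut:
                results.append(None)
        return results


def securing_scenario():
    """Tamper detected on a two-card repository, then authorized recovery.  Returns facts to check."""
    backdoor = b"security-manager-device-key"   # constructed sample, held off-site
    cards = [ValueStore(500_000, backdoor), ValueStore(1_200_000, backdoor)]
    pu = ProcessorUnit(cards)
    client_escrow = []                           # lives in computer system 7, not in repository 2'
    cards[0].withdraw(100)                       # a normal WORKING PHASE transfer
    locked = pu.dispatch_lock_value_stores(client_escrow)   # security_compromised: lock all
    try:
        cards[0].withdraw(1)
        theft_possible = True
    except PermissionError:
        theft_possible = False
    for _ in range(MAX_UNLOCK_ATTEMPTS):         # intruder guessing inside the enclosure
        cards[1].unlock(b"0000")
    try:
        cards[1].unlock(client_escrow[0])
        real_key_after_lockout = True
    except ValueStoreLockedOut:
        real_key_after_lockout = False
    primary = pu.dispatch_unlock_value_stores(client_escrow[0])   # escrowed key from the client
    backdoor_ok = cards[1].backdoor_unlock(backdoor)             # security manager's device
    return {
        "locked": locked,
        "keys_in_enclosure": len(pu.resident_keys),
        "theft_possible": theft_possible,
        "real_key_after_lockout": real_key_after_lockout,
        "primary_unlock": primary,
        "backdoor_unlock": backdoor_ok,
        "balances": [c.balance_cents for c in cards],
    }
```

The point the example makes concrete is the key-discard scheme: after `dispatch_lock_value_stores` returns, nothing in the processor unit can open the cards, so dismantling the repository yields locked cards and no key, while the client system's escrow copy (or the security manager's backdoor key for a card that has tripped its own lockout) still permits authorized recovery.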
In another embodiment, where the value stores 3' react to multiple unsuccessful unlock attempts by executing an internal sequence to lock the value store 3', the task deliberately causes those attempts, and the value store 3' becomes locked by its own internal operation and is only unlockable by accessing the appropriate external unlocking codes.
SUSPENDED PHASE — FIG. 7
In FIG. 7, processing in the suspended phase commences with SUSPENDED PHASE START. The SUSPENDED PHASE START flows to the POWER_FAIL_IMMINENT test. A YES result of the POWER_FAIL_IMMINENT test flows to the SEND SYSTEM_BAD task which flows to the SEND STOPPED task which sends a STOPPED advisory to computer system 7 and which then returns to the STOPPED PHASE START of FIG. 4.
A NO result of the POWER_FAIL_IMMINENT test flows to the resume request test (RESUME_REQ). The RESUME_REQ test gives a YES result if a resume command has been received from computer system 7, and otherwise gives a NO result. A YES result of the RESUME_REQ test flows to the SEND WORKING task which sends a WORKING advisory to computer system 7 and then flows to the STOPPED PHASE START of FIG. 4 for reinitialization of the repository 2'.
A NO result of the RESUME_REQ test flows to the OTHER_COMPUTER_REQUEST test. A YES result of the OTHER_COMPUTER_REQUEST test flows to the DISPATCH_REQUEST task. Depending on the implementation, the SUSPENDED PHASE may honor only some of the possible requests. For example, directives to transfer value between a value store 3' and a funds client 10 or directives to unlock one or more value stores 3' may not be allowed. After the DISPATCH_REQUEST task, flow returns to the POWER_FAIL_IMMINENT test after the SUSPENDED PHASE START.
A NO result of the OTHER_COMPUTER_REQUEST test returns to the POWER_FAIL_IMMINENT test after the SUSPENDED PHASE START.
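The phase flow of FIG. 3 through FIG. 7 as described above, transcribed into a small Python state machine as an added example (not code from the patent or from Amdahl). The `Inputs` field names, the advisory strings, the dictionary representation of a value store, the set of requests honored while suspended, and the choice to run one pass of a phase's flow per `step()` call (with the SECURING PHASE completing in the same call that enters it, since locking is immediate) are assumptions made for the example; the order of the tests and the advisories sent follow the text.

```python
"""Operation phases of the value store repository, FIG. 3 to FIG. 7 (added example, not patent code)."""
from dataclasses import dataclass

STOPPED, WORKING, SECURING, SUSPENDED = "STOPPED", "WORKING", "SECURING", "SUSPENDED"


@dataclass
class Inputs:
    """Sensor results and pending commands sampled at the start of one pass (assumed names)."""
    power_fail_imminent: bool = False   # power detect unit 23
    power_good: bool = True
    system_good: bool = True            # no internal failure, no repeated bad passwords
    comms_ok: bool = True               # link to client system 11
    intrusion: bool = False             # tamper detect unit 22
    suspend_req: bool = False           # commands from computer system 7
    secure_req: bool = False
    resume_req: bool = False
    other_request: str = None           # e.g. "TRANSFER", "UNLOCK", "STATUS"


class Repository:
    """Repository 2' as driven by the processor unit's supervisory loop."""
    SUSPENDED_ALLOWED = {"STATUS", "LOCK"}   # assumed subset honoured while suspended

    def __init__(self, value_stores):
        self.phase = STOPPED          # applying power or a reset enters the STOPPED PHASE
        self.value_stores = value_stores
        self.advisories = []          # advisories sent to computer system 7
        self.outstanding = []         # in-process and pending transactions
        self.dispatched = []          # requests passed to DISPATCH_REQUEST

    def send(self, advisory):
        self.advisories.append(advisory)

    def terminate_outstanding_requests(self):
        self.outstanding.clear()

    def _go(self, phase, *advisories):
        """Send the listed advisories in order, then move to `phase`."""
        for a in advisories:
            self.send(a)
        self.phase = phase

    def step(self, i):
        """Run one pass of the current phase's flow and return the resulting phase."""
        {STOPPED: self._stopped, WORKING: self._working, SUSPENDED: self._suspended}[self.phase](i)
        if self.phase == SECURING:    # locking is immediate, so finish it in the same pass
            self._securing()
        return self.phase

    def _stopped(self, i):                      # FIG. 4
        if i.power_fail_imminent or not i.power_good:
            return                              # wait until power is stable
        if not i.system_good:
            self._go(SUSPENDED, "SYSTEM_BAD", "SUSPENDED")
        else:
            self._go(WORKING, "WORKING")

    def _working(self, i):                      # FIG. 5
        if i.suspend_req:
            self.terminate_outstanding_requests()
            self._go(SUSPENDED, "SUSPENDED")
        elif not i.system_good or i.power_fail_imminent or not i.comms_ok or i.intrusion:
            self.send("SYSTEM_BAD")
            self.terminate_outstanding_requests()
            self._go(SECURING, "SECURING")
        elif i.secure_req:
            self.terminate_outstanding_requests()
            self._go(SECURING, "SECURING")
        elif i.other_request:
            self.dispatched.append(i.other_request)

    def _securing(self):                        # FIG. 6
        for vs in self.value_stores:            # DISPATCH LOCK_VALUE_STORES
            vs["locked"] = True
        self._go(SUSPENDED, "VS_LOCKED", "SUSPENDED")

    def _suspended(self, i):                    # FIG. 7
        if i.power_fail_imminent:
            self._go(STOPPED, "SYSTEM_BAD", "STOPPED")
        elif i.resume_req:
            self._go(STOPPED, "WORKING")        # reinitialize by way of the STOPPED PHASE
        elif i.other_request:
            allowed = i.other_request in self.SUSPENDED_ALLOWED
            self.dispatched.append(i.other_request if allowed else "REFUSED:" + i.other_request)


def intrusion_scenario():
    """Power-on, one transfer, tamper signal, refused unlock, resume.  Returns (trace, repo)."""
    repo = Repository([{"id": 0, "locked": False}, {"id": 1, "locked": False}])
    trace = [repo.step(Inputs())]                               # STOPPED -> WORKING
    trace.append(repo.step(Inputs(other_request="TRANSFER")))   # stays WORKING
    trace.append(repo.step(Inputs(intrusion=True)))             # WORKING -> SECURING -> SUSPENDED
    trace.append(repo.step(Inputs(other_request="UNLOCK")))     # refused while suspended
    trace.append(repo.step(Inputs(resume_req=True)))            # SUSPENDED -> STOPPED
    trace.append(repo.step(Inputs()))                           # STOPPED -> WORKING, stores still locked
    return trace, repo
```

Two properties worth noting in the scenario: the intrusion pass emits SYSTEM_BAD, SECURING, VS_LOCKED and SUSPENDED in that order, and a RESUME_REQ returns the repository to WORKING only by way of the STOPPED PHASE checks, with the value stores still locked until an explicit unlock directive is dispatched.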
Repository - FIG. 8 - FIG. 16
In FIG. 8, further details of the repository 2' of FIG. 2 are shown. The repository 2' includes the security and processor units 84, which correspond to the processor unit 4 and security unit 5 of FIG. 2, and a plurality of value stores 3'. The value stores 3' are within a chamber 83 and physically and electrically engage the base 86. A tray cover 85 engages the top of the value stores 3' which, under the contact pressure of a repository cover 82, forces the value stores 3' into engagement with the base 86.
The cover 82 is hinged to the base 86 and is rotatable as shown to the phantom position 82'. When the cover 82 is opened to position 82', the tray cover 85 can be removed to allow removal of the value stores 3'. The repository 2' includes electrical cables 80 for supplying power to, and communications to and from, the repository 2'.
In FIG. 9, an end view of the repository 2' of FIG. 8 is shown. The repository cover 82 in the closed position engages the tray cover 85 which in turn engages the value stores 3' to force the value stores 3' into electrical contact with the base 86 of the repository 2'. When the cover 82 is in the closed position, the cover extension 78 engages a lock 79 which locks the cover 82 in the closed position. Lock 79 has a securing mechanism 77 which has a slow release for unlocking the cover extension 78 and cover 82. The securing mechanism 77 is, for example, a fine threaded screw which, in normal operation, takes a delay time to disengage the repository cover extension 78. The design pitch of the screw and the other mechanical design parameters give assurance that, absent exceptional means that would cause visible physical damage, the delay time required to disengage the cover extension 78 is sufficient to allow the value stores 3' to be electronically locked. While a fine threaded mechanical screw is one preferred delay time embodiment, any conventional delay time mechanism can be employed; for example, hydraulic releases with pre-timed delays and electronic releases with delay counters can be employed. In FIG. 9, the repository cover 82 is shown rotated to the phantom position 82' together with the repository cover extension in the position 78'. Opening the repository cover to 82' allows the tray cover 85 to be removed from the opening 83 and thereby permits the value stores 3' to be removed from the base 86.
In FIG. 10, a top view of the repository 2' of FIG. 8 is shown. The cover 82 of FIG. 8 is rotated to the vertical position 82 in FIG. 10 to reveal the base 86. The base 86 includes 16 receiving positions 87 for receiving value stores 3' of FIG. 2. Each of the receiving positions 87 of FIG. 10 includes six to eight pressure mounted contacts 88 for making electrical contact to value stores 3'. The number of contacts depends on the design of the smart card chip.
In FIG. 11, a top view of the tray cover 85 is shown. On the bottom side of the tray cover 85 are receiving positions 89 which are designed to engage value stores 3' when the tray cover 85 is superimposed over the corresponding positions 87 in the repository base 86 of FIG. 10.
In FIG. 12, a top view of a position 87, typical of all 16 of the positions 87 in FIG. 10, is shown. The slot 87 includes the pressure actuated contacts 88.
In FIG. 13, a side view of the position 87 of FIG. 12 is shown. The position 87 includes the pressure actuated contacts 88 which are retractable into the openings 91 into the base 86. The openings 91 include, for example, springs or other mechanisms for forcing the contacts 88 outwardly from the openings 91.
Any conventional spring mounted or otherwise pressure contact 88 can be employed.
In FIG. 14, a value store 3', typical of the value stores 3' in FIG. 8 and FIG. 9, is shown. The value store 3' includes the electrical contacts 90 which are located in a position adapted to engage the pressure contacts 88 in the slot 87 of base 86, as shown in FIG. 13.
In FIG. 15, a top view of the value store 3' of FIG. 14 is shown, together with the six contacts 90. In FIG. 16, the value store 3' of FIG. 14 is engaged with the slot 87 of base 86 in FIG. 13, so that the spring loaded contacts 88 engage the contacts 90 in the value store 3'. The FIG. 16 representation of the value store 3' engaged with the slot 87 in base 86 is typical of the engagement that occurs with the cover closed in FIG. 8 and FIG. 9.
By way of summary, FIG. 8 through FIG. 16 represent the aspects of the engagement and disengagement of value stores 3' into and out of the repository 2'. The mechanical robustness and corresponding resistance to intrusion of the repository 2' is a matter of design choice. The security units 84 can, as a matter of design choice, include any number of sensing devices. For example, temperature sensing devices, motion sensing devices, tray cover position sensors, repository door position sensors and other conventional sensors may all be employed to sense either the normal condition of the repository 2' or to sense when security of the repository may be in jeopardy. For example, the lock 79 and the lock securing mechanism 77 may include a sensor which detects any unlock motion of the lock securing mechanism 77 to initiate the lockdown of the value stores 3'. Since the securing mechanism 77 is designed to include a minimum unlock delay which exceeds the time required to lock the value stores 3', value stores 3' will be automatically locked in response to any unexpected movement of the securing mechanism 77. In this manner, the mechanical security imposed by the repository as described in connection with FIG. 8 through FIG. 16, guarantees to any level of mechanical design that the value stores 3' will be locked before an unauthorized intrusion can occur.
While the invention has been particularly shown and described with reference to preferred embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention.

Claims

1 (Original). A repository for transferring data in response to client requests from a client system comprising: a security enclosure containing, one or more security controlled devices for providing data, each of said security controlled devices including locking means for electronically locking the security controlled device, a processor unit for connecting a data transfer request from the client system to said one or more security controlled devices and for transferring data from said one or more security controlled devices, a security unit for sensing a security breach and for responsively initiating a locking sequence for locking said one or more security controlled devices to inhibit transfers of data from said one or more security controlled devices.
2 (Original). The repository of Claim 1 wherein said locking sequence includes obtaining one or more locking keys from said processor unit and applying said one or more locking keys to lock said one or more security controlled devices.
3 (Original). The repository of Claim 2 wherein said locking sequence includes discarding said one or more locking keys after said one or more security controlled devices is locked so that said one or more locking keys does not remain in said security enclosure.
4 (Original). The repository of Claim 1 wherein said locking sequence includes obtaining one or more locking keys from said client system and applying said one or more locking keys to lock said one or more security controlled devices.
5 (Original). The repository of Claim 2 wherein locking sequence includes said processor unit randomly generating said one or more locking keys and discarding said one or more locking keys after said one or more security controlled devices is locked so that said one or more locking keys does not remain in said security enclosure.
6 (Original). The repository of Claim 1 wherein each of said security controlled devices includes means for sensing a security breach and for responsively automatically locking.
7 (Original). The repository of Claim 1 wherein each of said one or more security controlled devices includes unlocking means for unlocking said one or more security controlled devices to permit transfers of data from said one or more security controlled devices.
8 (Original). The repository of Claim 7 wherein said unlocking means respond to one or more unlocking sequences for unlocking said one or more security controlled devices.
9 (Original). The repository of Claim 8 wherein said unlocking sequences includes a backdoor unlocking sequence.
10 (Original). The repository of Claim 1 wherein said locking sequence includes obtaining one or more locking keys from said processor unit, applying said one or more locking keys to lock said one or more security controlled devices and discarding said one or more locking keys after said one or more security controlled devices is locked so that said one or more locking keys does not remain in said security enclosure and wherein each of said one or more security controlled devices includes unlocking means responsive to a backdoor sequence for unlocking said one or more security controlled devices to permit transfers of data from said one or more security controlled devices.
11 (Original). The repository of Claim 1 wherein said locking sequence includes obtaining one or more locking keys randomly generated by said processor unit, applying said one or more locking keys to lock said one or more security controlled devices and discarding said one or more locking keys after said one or more security controlled devices is locked so that said one or more locking keys does not remain in said security enclosure and wherein each of said one or more security controlled devices includes unlocking means responsive to a backdoor sequence for unlocking said one or more security controlled devices to permit transfers of data from said one or more security controlled devices.
12 (Original). The repository of Claim 1 wherein said security controlled devices are mounted in said security enclosure under restraint of a retaining device movable to permit removal of the security controlled devices.
13 (Original). The repository of Claim 12 wherein said retaining device includes a retaining lock having a delay time for generating a lock signal for initiating said locking sequence when said retaining device is moved so as to enable said security controlled devices to be locked before said security controlled devices are removed.
14 (Original). The repository of Claim 13 wherein said retaining device is a cover.
15 (Original). The repository of Claim 1 wherein said security unit detects tampering with said repository as a security breach.
16 (Original). The repository of Claim 1 wherein said security unit detects power loss as a security breach.
17 (Original). The repository of Claim 1 wherein said locking sequence is generated in response to a command from said client system.
18 (Original). The repository of Claim 1 wherein said security controlled devices store electronic funds.
19 (Original). The repository of Claim 18 wherein said electronic funds are wire transfers.
20 (Original). The repository of Claim 18 wherein said electronic funds are electronic cash.
21 (Original). The repository of Claim 20 wherein said electronic funds are certificated value electronic cash.
22 (Original). The repository of Claim 20 wherein said electronic funds are net value electronic cash.
23 (Original). A repository for transferring electronic funds in response to client requests from a client system comprising: a security enclosure containing, one or more value stores for providing electronic funds, each of said value stores for storing net value electronic cash including locking means for electronically locking said value stores, a processor unit for connecting an electronic funds transfer request from the client system to said one or more value stores and for transferring electronic funds from said one or more value stores, a security unit for sensing a security breach and for responsively initiating a locking sequence for locking said one or more value stores to inhibit transfers of electronic funds from said one or more value stores.
24 (Original). The repository of Claim 23 wherein said locking sequence includes obtaining one or more locking keys from said processor unit and applying said one or more locking keys to lock said one or more value stores.
25 (Original). The repository of Claim 24 wherein said locking sequence includes discarding said one or more locking keys after said one or more value stores is locked so that said one or more locking keys does not remain in said security enclosure.
26 (Original). The repository of Claim 23 wherein said locking sequence includes obtaining one or more locking keys from said client system and applying said one or more locking keys to lock said one or more value stores.
27 (Original). The repository of Claim 24 wherein locking sequence includes said processor unit randomly generating said one or more locking keys and discarding said one or more locking keys after said one or more value stores is locked so that said one or more locking keys does not remain in said security enclosure.
28 (Original). The repository of Claim 23 wherein each of said value stores includes means for sensing a security breach and for responsively automatically locking.
29 (Original). The repository of Claim 23 wherein each of said one or more value stores includes unlocking means for unlocking said one or more value stores to permit transfers of data from said one or more value stores.
30 (Original). The repository of Claim 29 wherein said unlocking means respond to one or more unlocking sequences for unlocking said one or more value stores.
31 (Original). The repository of Claim 30 wherein said unlocking sequences includes a backdoor unlocking sequence.
32 (Original). The repository of Claim 23 wherein said locking sequence includes obtaining one or more locking keys from said processor unit, applying said one or more locking keys to lock said one or more value stores and discarding said one or more locking keys after said one or more value stores is locked so that said one or more locking keys does not remain in said security enclosure and wherein each of said one or more value stores includes unlocking means responsive to a backdoor sequence for unlocking said one or more value stores to permit transfers of data from said one or more value stores.
33 (Original). The repository of Claim 23 wherein said locking sequence includes obtaining one or more locking keys randomly generated by said processor unit, applying said one or more locking keys to lock said one or more value stores and discarding said one or more locking keys after said one or more value stores is locked so that said one or more locking keys does not remain in said security enclosure and wherein each of said one or more value stores includes unlocking means responsive to a backdoor sequence for unlocking said one or more value stores to permit transfers of data from said one or more value stores.
34 (Original). The repository of Claim 23 wherein said value stores are removably mounted in said security enclosure under a repository cover that can be opened.
35 (Original). The repository of Claim 34 wherein said repository cover includes a cover lock means having a delay time for generating a lock signal for initiating said locking sequence when said repository cover is opened so as to enable said value stores to be locked before said repository cover is opened.
36 (Original). The repository of Claim 23 wherein said security unit detects tampering with said repository as a security breach.
37 (Original). The repository of Claim 23 wherein said security unit detects power loss as a security breach.
38 (Original). The repository of Claim 23 wherein said locking sequence is generated in response to a command from said client system.
39 (Original). In a repository having a security enclosure for transferring data in response to client requests from a client system the method comprising: providing data from one or more security controlled devices, each of said security controlled devices including locking means for electronically locking the security controlled device, connecting a data transfer request from the client system through a processor unit to said one or more security controlled devices and transferring data from said one or more security controlled devices, sensing a security breach in a security unit and responsively initiating a locking sequence for locking said one or more security controlled devices to inhibit transfers of data from said one or more security controlled devices.
40 (Original). In the repository of Claim 39 wherein said locking sequence includes obtaining one or more locking keys from said processor unit and applying said one or more locking keys to lock said one or more security controlled devices.
41 (Original). In the repository of Claim 40 wherein said locking sequence includes discarding said one or more locking keys after said one or more security controlled devices is locked so that said one or more locking keys does not remain in said security enclosure.
42 (Original). In the repository of Claim 39 wherein said locking sequence includes obtaining one or more locking keys from said client system and applying said one or more locking keys to lock said one or more security controlled devices.
43 (Original). In the repository of Claim 40 wherein locking sequence includes said processor unit randomly generating said one or more locking keys and discarding said one or more locking keys after said one or more security controlled devices is locked so that said one or more locking keys does not remain in said security enclosure.
44 (Original). In the repository of Claim 39 wherein each of said security controlled devices includes means for sensing a security breach and for responsively automatically locking.
45 (Original). In the repository of Claim 39 wherein each of said one or more security controlled devices includes unlocking means for unlocking said one or more security controlled devices to permit transfers of data from said one or more security controlled devices.
46 (Original). In the repository of Claim 45 wherein said unlocking means respond to one or more unlocking sequences for unlocking said one or more security controlled devices.
47 (Original). In the repository of Claim 46 wherein said unlocking sequences includes a backdoor unlocking sequence.
48 (Original). In the repository of Claim 39 wherein said locking sequence includes obtaining one or more locking keys from said processor unit, applying said one or more locking keys to lock said one or more security controlled devices and discarding said one or more locking keys after said one or more security controlled devices is locked so that said one or more locking keys does not remain in said security enclosure and wherein each of said one or more security controlled devices includes unlocking means responsive to a backdoor sequence for unlocking said one or more security controlled devices to permit transfers of data from said one or more security controlled devices.
49 (Original). In the repository of Claim 39 wherein said locking sequence includes obtaining one or more locking keys randomly generated by said processor unit, applying said one or more locking keys to lock said one or more security controlled devices and discarding said one or more locking keys after said one or more security controlled devices is locked so that said one or more locking keys does not remain in said security enclosure and wherein each of said one or more security controlled devices includes unlocking means responsive to a backdoor sequence for unlocking said one or more security controlled devices to permit transfers of data from said one or more security controlled devices.
50 (Original). In the repository of Claim 39 wherein said security controlled devices are mounted in said security enclosure under restraint of a retaining device movable to permit removal of the security controlled devices.
51 (Original). In the repository of Claim 50 wherein said retaining device includes a retaining lock having a delay time for generating a lock signal for initiating said locking sequence when said retaining device is moved so as to enable said security controlled devices to be locked before said security controlled devices are removed.
52 (Original). In the repository of Claim 51 wherein said retaining device is a cover.
53 (Original). In the repository of Claim 39 wherein said security unit detects tampering with said repository as a security breach.
54 (Original). In the repository of Claim 39 wherein said security unit detects power loss as a security breach.
55 (Original). In the repository of Claim 39 wherein said locking sequence is generated in response to a command from said client system.
56 (Original). In the repository of Claim 39 wherein said security controlled devices store electronic funds.
57 (Original). In the repository of Claim 56 wherein said electronic funds are wire transfers.
58 (Original). In the repository of Claim 56 wherein said electronic funds are electronic cash.
59 (Original). In the repository of Claim 58 wherein said electronic funds are certificated value electronic cash.
60 (Original). In the repository of Claim 58 wherein said electronic funds are net value electronic cash.
PCT/US1999/016073 1998-07-17 1999-07-16 Theft deterrent repository for security controlled devices WO2000004513A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU51050/99A AU5105099A (en) 1998-07-17 1999-07-16 Theft deterrent repository for security controlled devices

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US11849398A 1998-07-17 1998-07-17
US09/118,493 1998-07-17

Publications (2)

Publication Number Publication Date
WO2000004513A1 true WO2000004513A1 (en) 2000-01-27
WO2000004513A9 WO2000004513A9 (en) 2000-11-16

Family

ID=22378944

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US1999/016073 WO2000004513A1 (en) 1998-07-17 1999-07-16 Theft deterrent repository for security controlled devices

Country Status (2)

Country Link
AU (1) AU5105099A (en)
WO (1) WO2000004513A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1989000318A1 (en) * 1987-07-06 1989-01-12 Carlson Steven R Point-of-sale mechanism
US5038023A (en) * 1989-06-28 1991-08-06 C. Itoh Information Systems Development, Inc. System for storing and monitoring bar coded articles such as keys in a drawer
EP0668579A2 (en) * 1994-02-08 1995-08-23 AT&T Corp. Secure money transfer techniques using smart cards
EP0778550A2 (en) * 1995-12-08 1997-06-11 Hitachi, Ltd. Holding apparatus of electronic money
US5644638A (en) * 1994-02-11 1997-07-01 Solaic (Societe Anonyme) Process for protecting components of smart or chip cards from fraudulent use
EP0923057A2 (en) * 1997-12-05 1999-06-16 Fujitsu Limited Electronic money safe

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112489309A (en) * 2020-11-30 2021-03-12 佛山市顺德区美的电子科技有限公司 Household appliance leasing control method and device, household appliance and storage medium
CN112489309B (en) * 2020-11-30 2023-04-21 佛山市顺德区美的电子科技有限公司 Household appliance leasing control method and device, household appliance and storage medium

Also Published As

Publication number Publication date
AU5105099A (en) 2000-02-07
WO2000004513A9 (en) 2000-11-16

Similar Documents

Publication Publication Date Title
US6068184A (en) Security card and system for use thereof
US4390968A (en) Automated bank transaction security system
JP4095680B2 (en) Security management method for card type storage device and card type storage device
CA2010345C (en) Multilevel security apparatus and method with personal key
KR100389229B1 (en) Transaction Processing System and Transaction Processing Method
KR100259458B1 (en) Electronic money storage device and ic card control method
EP2143028B1 (en) Secure pin management
CA2617901C (en) System and method for selective encryption of input data during a retail transaction
US20180091503A1 (en) Networked storage system and method
US6289457B1 (en) Value data system having containers for theft deterrent repositories
JPH07152837A (en) Smart card
NL9120015A (en) Intelligent card validation device and method
US20020139844A1 (en) Method for enabling credit cards and device therefor
IL193251A (en) Method and system for the secure processing of sensitive information
EP0769767A2 (en) Secure money transfer techniques using smart cards
WO2000004513A1 (en) Theft deterrent repository for security controlled devices
JPH0822517A (en) Forgery preventing system for hybrid card
JP4843919B2 (en) IC card stacker and electronic money system
JPH0620117A (en) Ic card
KR100468154B1 (en) System and method for business of electronic finance bases of smart card
JP3629891B2 (en) Electronic money control apparatus and control method thereof
JP2000268137A (en) Recording medium backup method and its execution device
JPWO2002075676A1 (en) Automatic transaction apparatus and transaction method therefor
JP4020939B2 (en) Electronic money handling apparatus and control method thereof
JP2005150925A (en) Security system

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW SD SL SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
AK Designated states

Kind code of ref document: C2

Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: C2

Designated state(s): GH GM KE LS MW SD SL SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

COP Corrected version of pamphlet

Free format text: PAGES 1/5-5/5, DRAWINGS, REPLACED BY NEW PAGES 1/5-5/5; DUE TO LATE TRANSMITTAL BY THE RECEIVING OFFICE

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase