At present, prepaid cards are open to various types of fraud. A first type of fraud consists in unauthorized duplication of the card, often known as “cloning”. A second type of fraud consists in modifying the data associated with a card, in particular the amount of credit registered in the card. Cryptography is used to combat these kinds of fraud, firstly by authenticating the card and/or data by means of a digital signature, and secondly by using encryption when it is necessary to protect the confidentiality of the data. Cryptography, which can be either symmetrical or asymmetrical, uses two entities, which in the case of authentication comprise a verifier and an object to be verified. When cryptography is symmetrical (or of the “secret key” type, these two terms being interchangeable), the two entities share exactly the same information, in particular a secret key. When cryptography is asymmetrical (or of the “public key” type, these two terms being interchangeable), one of the two entities has a pair of keys of which one is secret and the other is public; there is no shared secret key. Many systems use only symmetrical cryptography for prepaid cards, especially when the chip is of the “hard-wired logic” type, because asymmetrical cryptography is still slow and costly. The first authentication mechanisms developed for symmetrical cryptography comprises calculating once and for all an authentication value that is different for each card, storing it in the memory of the card, reading it during each transaction, and verifying it by interrogating an application of the network supporting the transaction and in which authentication values that have already been assigned are either stored or recalculated. Those mechanisms provide insufficient protection, since the authentication value can be misappropriated, reproduced, and played back fraudulently, because it is always the same for a given card, enabling the card to be cloned. To combat cloning, passive card authentication mechanisms are replaced by active authentication mechanisms that can also assure data integrity.
The general principle of active symmetrical authentication mechanisms is as follows: during authentication, the electronic chip and the application calculate an authentication value by applying a function to a list of arguments determined at the time of each authentication; the list of arguments can include, firstly, a random number, which is an item of data determined by the application at the time of each authentication, secondly, an item of data contained in the electronic chip, and, thirdly, a secret key known to the electronic chip and to the application. If the authentication value calculated by the electronic chip is identical to the authentication value calculated by the application, the electronic chip is deemed to be authentic and the transaction between the electronic chip and the application is authorized.
Authentication mechanisms of the above kind are well known in the art, but most of them demand calculation capacities at least equal to those of a microprocessor. Those mechanisms are therefore suitable for microprocessor-based cards, but are rarely suitable for hard-wired logic chips, which have calculation capabilities that are much more rudimentary.
A first step forward was achieved when it became possible to integrate active symmetrical authentication mechanisms into hard-wired logic chips. For example, French Patent Application No. FR 2 826 531 published on Dec. 27, 2002 describes a method of specifying such mechanisms. It should be observed that, as taught by the above-mentioned French Patent Application, the authentication value produced by those mechanisms can also be interpreted as a sequence of pseudo-random bits and, by varying at least one of the input parameters, the method of calculating the authentication value becomes a method of generating pseudo-random bits.
However, secret key mechanisms require the verification device responsible for authenticating the chip, such as a device in a public telephone, an electronic payment terminal, or a public transport gate, to know the secret key held by said chip. This is a major drawback in that, if said device is required to be able to authenticate any chip issued in relation to the application, it must store either the secret keys of all the chips or a basic key, or master key, or mother key as it is otherwise known, enabling it to determine the secret key of any chip. In both cases, each device stores sufficient information to be able to determine the secret keys of all the chips issued, and therefore stores sufficient information for cloning any of them. It follows that successful hacking into any of the verification devices would negate the security of the entire application.