Smartcards are essentially plastic cards with micro-electronic circuitry embedded therein. They are also known as "integrated circuit cards" and fail into three categories according to the degree of "intelligence" they possess.
At one end of the scale, a smartcard provide only memory is analogous to a card having a magnetic strip. Information may be stored within the memory but the card has no processing capability, and no ability to restrict access to that memory.
At the middle scale is a card that has memory controlled by a hard wired logic which can restrict access to any or all of the memory until a valid access code has been issued. The same scheme can be used to prevent unauthorised erasing of card memory. The access code can take the form of a personal identification number (PIN). Most sophisticated however is a smartcard in which the processor is able to perform complex functions, such as the performance of algorithms. It is those smartcards falling within the middle scale referred to above to which the present invention relates.
In practice information is transferred to and from the memory of the smartcard when the card is interfaced with a suitable reader/writer device. As such, the information provided on the smartcard may be constantly updated. Preferably, the use of the card should not always require communication with a control database. If the card provides stand-alone operation it will be more flexible in use.
It will be apparent that, in providing a system in which a smartcard is used as a cash substitute, a most important aspect is the provision of a tight security system. Early smartcards utilised a user-key/PIN similar to that used by credit cards or magnetic stripe cards. Access to the smartcard often relies upon the submission of the correct user-key/PIN. Furthermore, the data stored within the card may be encrypted. For a reasonable level of security in the system, two numbers must be managed, namely a user key and an encryption key. Management of these keys involves keeping them secret from potential unauthorised users, and with regular changes. The reason for regular changing of the keys is that, if the user key is intercepted by or revealed to an unauthorised user and access to the card is obtained, copying the card data becomes possible. Further, if the card data is not encrypted, then fraudulent alteration of the data is also possible. In the application of the smartcard as a cash substitute such operations pose serious problems.
A second type of smartcard security method was subsequently developed, using a "signature" or "certificate" to prove the integrity of the contents of the card. However this requires manual input of a further key, therefore this system also requires management of two keys. In this case, however, alteration of the card data without correct calculation of the new certificate may be detected when the card is next used. Moreover, copying the card is prevented since the card memory location which contains the certificate is erased upon access to the contents of the card. Therefore, if the user key alone is intercepted and the card is unlocked, a copy may be made onto a second card but without the encryption key a fresh certificate can not be calculated and the card, or copies, will be rejected when next used.
While an improvement over earlier approaches, these prior art systems still possess the disadvantage that multiple user keys must be managed, with the constant danger that the information will fall into the hands of unauthorised users.