The invention relates to a method for protecting a chip card from unauthorized use, to a chip card and to a chip card terminal.
To enable a chip card function, prior user identification to the chip card may be necessary, as is known per se from the prior art. The most frequent user identification is the input of a secret identifier, which is generally referred to as a PIN (Personal Identification Number) or as CHV (Card Holder Verification). Such identifiers generally comprise a numeric or alphanumeric character string. For the purpose of user identification, the identifier is input by the user on the keypad of a chip card terminal or a computer to which a chip card reader is connected, and is then sent to the chip card. The latter compares the input identifier with the stored identifier and notifies the terminal or the computer of the result by outputting an appropriate signal.
For the PINs, a distinction can be drawn between static PINs and changeable PINs. A static PIN cannot be altered by the user and needs to be memorized by him. If it has been revealed, the card user needs to destroy his chip card in order to prevent misuse by unauthorized parties, and needs to obtain a new chip card with a different static PIN. Similarly, the user requires a new chip card if he or she has forgotten the static PIN.
A changeable PIN can be changed by the user as desired. To change the PIN, for security reasons it is always necessary to provide the currently valid PIN at the same time, since otherwise any current PIN could be replaced by a hacker's own PIN.
The situation is different with what are known as Super PINs or PUKs (Personal Unlocking Key). These usually have more places than the actual PIN and are used to reset a PIN's incorrect input counter (also called “incorrect operation counter”) that is at its maximum value. With the PUK, a new PIN is also transferred to the chip card at the same time because a reset incorrect operation counter is of little use if the PIN has been forgotten. Moreover, this is usually the case, of course, when the incorrect operation counter has reached its maximum value.
There are also applications which use transport PINs. The chip card is personalized using a random PIN which the card user received in a PIN letter. When it is first input, however, the chip card asks the card user to replace the personalized PIN with his own. In a similar method, called the “zero PIN method”, the chip card is preassigned a trivial PIN, such as “0000”, and the chip card likewise forces a change when it is first used (in this regard, cf. also DE 35 23 237 A1, DE 195 07 043 A1, DE 195 07 044 C2, DE 198 50 307 C2, EP 0 730 253 B1). Such methods provide what is known as a first user function, which provides the authorized user with the certainty that no unauthorized use of the chip card by a third party has taken place before he uses it for the first time.
DE 198 50 307 C2 discloses a method for protecting against misuse in chip cards. The chip card has a first user function which, when the data and/or functions of the chip card are used for the first time, demands that a personal secret number (PIN) which can be selected arbitrarily by the user be prescribed, wherein the input of the personal secret number sets data and/or functions of the chip card to a used status. A later change to the personal secret number is made possible by means of a superordinate unlock code.
The prior art has already disclosed methods for checking an identifier in which it is not necessary to transmit the identifier itself, such as Strong Password Only Authentication Key Exchange (SPEKE), Diffie-Hellman Encrypted Key Exchange (DH-EKE), Bellovin-Merritt protocol or Password Authenticated Connection Establishment (PACE). The SPEKE protocol is known from www.jablon.org/speke97.html, U.S. Pat. No. 6,792,533 B2 and U.S. Pat. No. 7,139,917 B2, for example. The DH-EKE protocol is likewise known from www.jablon.org/speke97.html, inter alia. The Bellovin-Merritt protocol is known from U.S. Pat. No. 5,241,599, inter alia. The PACE protocol, which is particularly suitable for elliptic curve cryptography, is known from www.heise.de/security/news/meldung/85024.