1. Field of the Invention
The present invention relates to a method for checking the authorization of a person, in his/her capacity as user of a system such as a payment system or a data system.
2. Description of the Related Art
Systems now in existence are used to check the authorization of a person in connection with payment. One such system is used within the Swedish Postal Service for payments made via postgiro. In accordance with this system, the customer receives a so-called SmartCard and a card reader for it. An encryption key is stored on the SmartCard, and it can be read by a microprocessor on the SmartCard after a PIN code has been entered.
The encryption key is stored not only on the SmartCard, but also at the Swedish Postal Service postgiro department, where it is linked to a specific person.
When a payment is to be made, the user keys in the PIN code, the number of the account to which the payment is to be sent and the amount in question. The microprocessor performs a calculation based on the amount, the account number and the encryption key in accordance with the so-called DES (Data Encryption Standard) algorithm, wherewith a signature is generated by the calculation. After this is done, the amount, the account number and the signature are transferred to the postgiro department in a suitable manner, via data, mail or fax, for example.
The postgiro department receives the information and then performs the same calculation as set forth above and compares the result with the signature that was transferred. If the comparison results in a match, an authorized person, i.e., the holder of the SmartCard, is deemed to have ordered the transaction, wherewith the transaction is executed. The transaction is executed by transferring money from the postgiro account of the SmartCard holder to the specified postgiro account to which the payment is to be made.
This payment system is automatic, and it can be used to make payments at any time of day or night.
Desirably, it should be possible for the described system to be used by a person to show authorization for use of a system other than a postgiro or bank payment system. For example, it should be possible for a person to show authorization for accessing a data system by entering his/her PIN code and two numbers other than an amount and account number, and then transferring them together with the signature to the data system. If the data system contains the encryption key the signature can be calculated, and if a match is found the person to whom the SmartCard has been issued can be deemed to be the person who entered the items of information and is therefore authorized to access the data system.
However, a significant disadvantage of the described system is that the user must have access to a SmartCard and a special card reader in order to make a payment.
The present invention solves this problem.
The present invention thus relates to a method for checking authorization that incorporates a way to impart to a so-called smart card (SmartCard) an encryption key or equivalent key, and incorporates a way to have a microprocessor, using the encryption key and at least one identifying number, perform a calculation whose result comprises a signature. The signature together with the identifying number is transferred to a system for which authorization is to be shown. The system includes a computer in which the encryption key is stored, and the computer performs the calculation in order to obtain the signature. The system-computer-obtained signature is compared by the computer with the previously mentioned transmitted signature to verify authorization of the user. The smart card is a so-called SIM-card (Subscriber Identity Module) for mobile telephony. A memory included on the SIM-card is, in a first step, provided with unique information containing a unique identity in order to communicate telephonically using a mobile telephone. In a second step, the SIM-card memory is provided with the encryption key. A system for which authorization is to be shown is provided with the same encryption key linked to the unique identity carried on the SIM-card, and in response to the entry of an appropriate code and at least the identifying number via the keyboard on the mobile telephone, a microprocessor on the SIM-card is induced to perform the calculation resulting in the signature.
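The shared-key signature check described in the related art and in the summary above can be sketched as follows. This is an added example, not code from the patent: HMAC-SHA256 from the Python standard library is swapped in for the DES-based calculation, and the identity, key, PIN, function names and the length-prefixed field encoding are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample data: system-side table linking a SIM identity to its key.
KEY_BY_IDENTITY = {"sim-0001": bytes.fromhex("00112233445566778899aabbccddeeff")}
CARD_PIN = "4711"  # constructed PIN guarding the key on the card


def encode_fields(*fields: str) -> bytes:
    """Length-prefix each field so ("12", "345") and ("123", "45") differ."""
    out = b""
    for f in fields:
        raw = f.encode("ascii")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def card_sign(pin: str, key: bytes, amount: str, account: str) -> str:
    """Card side: use the key only after the correct PIN, then sign."""
    if not hmac.compare_digest(pin.encode(), CARD_PIN.encode()):
        raise PermissionError("wrong PIN, key not released")
    return hmac.new(key, encode_fields(amount, account), hashlib.sha256).hexdigest()


def system_verify(identity: str, amount: str, account: str, signature: str) -> bool:
    """System side: look up the key by identity, recompute, compare."""
    key = KEY_BY_IDENTITY.get(identity)
    if key is None:
        return False
    expected = hmac.new(key, encode_fields(amount, account), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, signature)


def demo() -> dict:
    key = KEY_BY_IDENTITY["sim-0001"]
    sig = card_sign("4711", key, "1500", "1234567")
    return {
        "genuine": system_verify("sim-0001", "1500", "1234567", sig),
        "amount_changed": system_verify("sim-0001", "9500", "1234567", sig),
        "fields_shifted": system_verify("sim-0001", "15001", "234567", sig),
        "unknown_identity": system_verify("sim-9999", "1500", "1234567", sig),
    }


if __name__ == "__main__":
    print(demo())
```

Because the signature covers only the fields entered, the same amount, account number and signature would verify again if resent; the text above does not describe a counter or timestamp in the calculation.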
The present invention is not limited to any special field with regard to showing authorization. Instead, it is applicable for all kinds of systems such as payment systems, data systems, systems that check authorization before allowing entrance etc.
The description of the present invention that follows, however, is for a system that provides payment via postgiro.