RELATED APPLICATIONS
This patent application claims the benefit of the filing date as a continuation of U.S. patent application Ser. No. 13/850,234 (soon to issue as U.S. Pat. No. 8,621,595), filed Mar. 25, 2013, entitled “System and Method for Authenticating a Network Gateway,” which claims priority to provisional U.S. patent application No. 61/615,168, filed Mar. 23, 2012, entitled “System and Method for Authenticating a Payment Terminal,” each of which is hereby incorporated by reference in its entirety.
FIELD
This patent application relates to systems and methods for communications terminal authentication. In particular, this patent application describes systems and methods for authenticating a payment terminal and for completing a transaction with a payment terminal.
BACKGROUND
Many merchants provide electronic payment terminals to allow customers to purchase goods and services by means other than cash payment. The payment terminals are connected to a secure payment (acquirer) network which interfaces with the merchants' respective financial institutions. The payment terminals are deployed with proprietary software that uses the acquirer network to securely process electronic payments via payment account information received from hardware tokens (e.g. credit cards, debit cards) that may be interfaced with the payment terminals.
Merchants often locate inexpensive wares in close proximity to checkout lanes to increase the likelihood of impulse purchases. Dunstan (WO 2010/012094) expands upon this idea by using a central computer server as a trusted intermediary between the acquirer network and a second network to allow customers to use the payment terminals to access computer servers on the second network. The central server allows the computer servers of the second network to apply their security services on the acquirer network. The acquirer terminals are provided with a terminal application that supplements or replaces the existing proprietary software deployed on the acquirer terminals. The terminal applications allow the acquirer terminals to be used on the second network via the security services imposed by the central server. However, since the central server is controlled by a third party, and the terminal applications communicate with the acquirer network and the central server, the security of the acquirer network can become compromised by rogue software installed on the central server.
SUMMARY
By way of overview, in a first aspect this disclosure relates to a method of authenticating a payment terminal. The first aspect of this disclosure also relates to a payment terminal, and a computer-readable medium having computer processing instructions stored thereon that implement the payment terminal and the method of authenticating a payment terminal.
The method of the first aspect of this disclosure involves the payment terminal generating a terminal activation request from a private encryption key, and from at least one terminal credential that is uniquely associated with the payment terminal. The terminal activation request includes a public encryption key. The public encryption key and the private encryption key comprise an asymmetric encryption key pair.
The payment terminal transmits the terminal activation request to a certificate server, and receives an activation response from the certificate server in response to the terminal activation request. The activation response includes a digital authentication certificate. The digital authentication certificate includes the public encryption key. The payment terminal authenticates to a computer server, distinct from the certificate server, using the digital authentication certificate.
In a second aspect, this disclosure relates to a method of authenticating a payment terminal. The second aspect of this disclosure also relates to a certificate server, and a computer-readable medium having computer processing instructions stored thereon that implement the certificate server and the method of authenticating a payment terminal.
The method of the second aspect of this disclosure involves a certificate server receiving a terminal activation request from a payment terminal. The terminal activation request includes a digital signature and a public encryption key. The certificate server determines a validity of the terminal activation request by verifying that the digital signature was generated from a private encryption key uniquely associated with the payment terminal and that the public encryption key and the private encryption key comprise an asymmetric encryption key pair.
In accordance with the terminal activation request validity determining, the certificate server generates an activation response in response to the terminal activation request and transmits the activation response to the payment terminal. The activation response comprises a digital authentication certificate that includes the public encryption key and facilitates authentication of the payment terminal to a computer server, distinct from the certificate server.
In a third aspect, this disclosure relates to a method of network gateway authenticating. The third aspect of this disclosure also relates to an authentication network, a network gateway, and a computer-readable medium having computer processing instructions stored thereon that implement the network gateway and the method of network gateway authenticating.
The method of the third aspect of this disclosure involves a network gateway receiving an authentication request from a communications terminal. The communications terminal is in communication with an identity token. The authentication request includes a token cryptogram generated from a cryptographic key stored on the identity token. The network gateway transmits the authentication request to a communications network, and receives an authentication response from the communications network in accordance with a validity of the token cryptogram. The authentication response includes a gateway authentication certificate. The gateway authentication certificate is configured to authenticate the network gateway to a network device of the communications network.
The authentication network of the third aspect of this disclosure, comprises a communications terminal and a network gateway. The communications terminal includes a token interface for interfacing an identity token with the communications terminal. The network gateway is in communication with the communications terminal, and is configured to (i) receive an authentication request from the communications terminal, and (ii) transmit the authentication request to a communications network. The authentication request includes a token cryptogram generated from a cryptographic key stored on the identity token. The network gateway receives an authentication response from the communications network in accordance with a validity of the token cryptogram. The authentication response includes a gateway authentication certificate that is configured to authenticate the network gateway to a network device of the communications network.
In a fourth aspect, this disclosure relates to a method of completing a transaction with a payment terminal. The fourth aspect of this disclosure also relates to a payment terminal, and a computer-readable medium having computer processing instructions stored thereon that implement the payment terminal and the method of completing a transaction with a payment terminal.
The method of the fourth aspect of this disclosure involves a payment terminal transmitting to a network gateway via a first communications network a transaction proposal identifying a proposed transaction with a network device, and receiving from the network gateway a transaction proposal response in response to the transaction proposal. The transaction proposal response specifies a pointer to the proposed transaction. The network gateway is configured to authenticate to the network device via a second communications network that comprises the network device.
The payment terminal transmits over a payment network, distinct from the communications networks, payment particulars for effecting payment for the proposed transaction, and receives from the payment network a payment confirmation in response to the payment particulars. In accordance with the payment confirmation, the payment terminal initiates completion of the proposed transaction by generating a transaction completion request and transmitting the transaction completion request to the network device via the network gateway. The transaction completion request is generated from the transaction pointer, and requests completion of the proposed transaction with the network device.
In one variation, the method of completing a transaction involves a network gateway receiving from the payment terminal a transaction proposal identifying particulars of a proposed transaction with the network device, and transmitting to the payment terminal a transaction proposal response in response to the transaction proposal. The transaction proposal response specifies a pointer to the proposed transaction and includes an indication of the payment particulars for completion of the proposed transaction. The network gateway is configured to authenticate to the network device via a communications network that comprises the network device.
The payment terminal uses the indication of payment particulars to effect payment for the proposed transaction, and then transmits a transaction completion request to the network gateway. The transaction completion request requests completion of the proposed transaction with the network device. The payment terminal generates the transaction completion request from the transaction pointer.
The network gateway generates a transaction request message from the transaction completion request, and transmits the transaction request message to the network device via the communications network. The transaction completion request identifies the particulars of the proposed transaction.
BRIEF DESCRIPTION OF THE DRAWINGS
The foregoing aspects of this disclosure will now be described, by way of example, with reference to the accompanying drawings, in which:
FIG. 1 is a block diagram that illustrates the various components of the authentication network;
FIG. 2 is a schematic view of the communications terminal of the authentication network;
FIG. 3 is a schematic view of the certificate server of the authentication network;
FIG. 4 is a schematic view of the network gateway of the authentication network;
FIG. 5 is a message flow diagram that depicts, by way of overview, the communications terminal authenticating method implemented by the authentication network;
FIG. 6 is a message flow diagram that depicts, by way of overview, the network gateway authenticating method implemented by the authentication network;
FIG. 7 is a message flow diagram that depicts, by way of overview, the transaction completion method implemented by the authentication network;
FIG. 8 is a detailed message flow diagram that depicts a sample embodiment of the terminal activation method implemented by the authentication network;
FIG. 9 is a detailed message flow diagram that depicts a sample embodiment of the certificate renewal method implemented by the authentication network;
FIG. 10 is a detailed message flow diagram that depicts a sample embodiment of the gateway setup method implemented by the authentication network;
FIG. 11 is a detailed message flow diagram that depicts a sample embodiment of the terminal validation method implemented by the authentication network; and
FIG. 12 is a detailed message flow diagram that depicts a sample embodiment of the transaction processing method implemented by the authentication network.
DETAILED DESCRIPTION
Authentication Network—Overview
Turning to FIG. 1, there is shown an authentication network, denoted generally by reference number 100, that includes a communications terminal 200 and a network gateway 400. Preferably, the authentication network 100 also includes a certificate server 300 and a terminal management server 350. Although the authentication network 100 is shown comprising only a single communications terminal 200, typically the authentication network 100 includes a plurality of the communications terminals 200.
Similarly, although the authentication network 100 is shown comprising only a single certificate server 300 and a single network gateway 400, the authentication network 100 may include a plurality of certificate servers 300 and/or a plurality of the network gateways 400. Further, although the network gateway 400 is depicted as a monolithic network component, the functionality of the network gateway 400 may be split amongst multiple network components or servers.
The communications terminal 200 typically comprises a wireless or wired communications device, such as a personal or tablet computer, a mobile phone, a smartphone or a personal digital assistant (PDA). Preferably, however, the communications device is implemented as a payment terminal and is configured to interface with an identity token 210 and/or with an electronic cash register (ECR). As non-limiting examples, the payment terminal may comprise an integrated point-of-sale (POS) terminal, or a pin-pad terminal that communicates with a POS terminal. Alternately, the payment terminal may comprise an automated teller machine (ATM), or automated banking machine (ABM). The communications terminal 200 and the identity token 210 will be discussed in further detail below.
The certificate server 300 may be implemented on one or more computer servers, and is configured to communicate with the communications terminal(s) 200 via a first communications network 102. Typically, the first communications network 102 comprises a wireline or wireless packet-switched (e.g. internet protocol or “IP”, 3G, 4G) or circuit-switched network (e.g. public switched telephone network or “PSTN”). The certificate server 300 is also configured to facilitate authentication of the communications terminal(s) 200 to the network gateway 400, by issuing terminal authentication certificates to the communications terminals 200.
The terminal management server 350 may include a database of records, each associated with a respective communications terminal 200. As will be discussed below, the certificate server 300 may make use of the terminal management server 350 to validate the communications terminals 200.
The network gateway 400 may be implemented on one or more computer servers, and is configured to communicate with the communications terminal(s) 200 via the first communications network 102 and to authenticate the communications terminal(s) 200. Preferably, the network gateway 400 is separate and distinct from the certificate server 300. If the authentication network 100 includes a plurality of the network gateways 400, each network gateway 400 may communicate with a respective portion of the communications terminal(s) 200 via a respective first communications network 102.
As will be explained in further detail below, the network gateway 400 is also configured to authenticate itself to a second communications network 104, that is distinct from the first communications network 102, and thereby allow users of the communications terminals 200 to complete online transactions with network devices 500 of the second communications network 104. Typically, the second communications network 104 comprises a packet-switched network, and the network device 500 comprises a computer server.
One or more of the communications terminals 200 may also be configured to communicate with a secure payment network 106, that is distinct from the communications networks 102, 104, to thereby effect payment for the online transaction. As non-limiting examples, the secure payment network 106 may comprise VisaNet, the Mastercard Network, and/or the merchant's payment card acquirer network.
As used herein, an “online transaction” is any e-commerce or other electronic transaction (e.g. purchase of goods/services, bill payment, funds transfer, bank account or credit card balance query) that is provided by a network device. In a preferred implementation, the communications terminal 200 is a payment terminal, the network device is a computer server, and the online transaction involves using the payment terminal 200 to purchase lottery tickets from the computer server. It should be understood, however, that the invention described herein is not limited to this particular implementation.
Communications Terminal/Identity Token
As mentioned, the communications terminal 200 is typically implemented as a wireless or wired payment terminal. As shown in FIG. 2, the communications terminal 200 includes a user interface/input device 202, a display device 204, a first network interface 206a, a second network interface 206b, and a computer processing unit 208 that is coupled to the input device 202, the display device 204 and the network interfaces 206a, 206b. Preferably, the input device 202, the display device 204, the network interfaces 206a, 206b and the computer processing unit 208 are integrated together within a common housing. The communications terminal 200 may also include a contact/contactless token interface 209 that is coupled to the computer processing unit 208 and is configured to communicate with the identity token 210.
The input device 202 may be implemented as a keyboard, touchpad, touchscreen and/or other input device suitable for allowing an operator of the communications terminal 200 to input data and/or commands into the communications terminal 200. The display device 204 may comprise a liquid crystal display (LCD) panel, cathode ray tube (CRT) display, plasma display panel, paper printer and/or other output device suitable for displaying information to the operator of the communications terminal 200.
The first network interface 206a interfaces the communications terminal 200 with the first communications network 102. The second network interface 206b interfaces the communications terminal 200 with the secure payment network 106.
The computer processing unit 208 may include a microprocessor 212 and a computer-readable medium 214. The computer-readable medium 214 may be provided as electronic computer memory (e.g. FLASH memory) that may store one or more credentials (“terminal credentials”) that are uniquely associated with the communications terminal 200. As non-limiting examples, the terminal credentials may comprise a terminal identifier (terminal ID) and/or a serial number of the communications terminal 200. The memory 214 may also store computer processing instructions which, when executed by the microprocessor 212, define an operating system (not shown) that allows the communications terminal 200 to accept user input from the input device 202 and to control the display device 204 and the token interface 209. Preferably, the computer processing instructions also define a payment processor 216 which allows the operator of the communications terminal 200 to use the payment network 106 to pay for a transaction.
The identity token 210 typically comprises a self-contained integrated circuit device that includes a built-in micro-controller and protected memory. The micro-controller and protected memory together provide a secure self-contained computing environment for running cryptographic (e.g. data encryption standard (DES), triple-DES, advanced encryption standard (AES)) algorithms.
The identity token 210 may have a contactless (e.g. NFC and/or ISO 14443 based) form factor, and may communicate with the communications terminal 200 via a wireless protocol, such as ISO 14443. For example, the identity token 210 may be implemented as a contactless smartcard or integrated circuit card (e.g. credit card, debit card) or within a wireless telephone or wireless data messaging device, and the token interface 209 may be configured to communicate with the identity token 210 using near-field communication or Bluetooth. Alternately, the identity token 210 may have a contact form factor, and may interface directly with the communications terminal 200. For example, the identity token 210 may be implemented as a contact-style smartcard or integrated circuit card (e.g. credit card, debit card). The token interface 209 may be configured to communicate with the identity token 210 via a physical port (e.g. card reader) of the communications terminal 200.
Typically, the protected memory of the identity token 210 is configured with a cryptographic key (“token cryptographic key”) and one or more credentials (“administrator credentials”) that were uniquely assigned to the intended recipient of the identity token 210 by the issuer of the identity token 210. As non-limiting examples, the administrator credentials may comprise an administrator identifier (“sysID”) and/or an administrator passcode. The administrator credentials and token cryptographic key may be stored in the protected memory at the time the identity token 210 is manufactured or prior to delivery of the identity token 210 to the intended individual.
Preferably, the administrator credentials and the stored token cryptographic key are uniquely associated with the identity token 210. Further, typically the stored token cryptographic key is a private (secret) cryptographic key that is not publicly available, but is either known to, or can be re-generated only by, the issuer of the identity token 210. As will be discussed below, the identity token 210 may use the administrator sysID and the token cryptographic key in the cryptographic algorithms to generate cryptograms (“token cryptograms”) that are used by the second communications network 104 to authenticate the communications terminal 200 to the second communications network 104.
The computer processing instructions of the memory 214 may define a terminal authentication processor 218 that allows the communications terminal 200 to authenticate to the network gateway 400, and a transaction processor 220 that allows the communications terminal 200 to complete a transaction with a network device 500 of the second communications network 104. Although the terminal authentication processor 218 and the transaction processor 220 may be implemented as computer processing instructions, all or a portion of the functionality of the terminal authentication processor 218 and the transaction processor 220 may be implemented instead in electronics hardware.
The terminal authentication processor 218 is configured to generate a terminal activation request from a private encryption key (activation code) and from at least one of the terminal credentials (e.g. terminal ID, terminal serial number) that are uniquely associated with the communications terminal 200. As will be discussed below, the administrator of the communications terminal 200 may manually input the private encryption key (activation code) into the communications terminal 200 via the input device 202. Alternately, the activation code may be stored on an identity token (e.g. identity token 210), and the administrator may input the activation code into the communications terminal 200 by interfacing the identity token with the communications terminal 200.
The terminal activation request includes a public encryption key. Preferably, the public encryption key and the activation code comprise an asymmetric encryption key pair. The terminal authentication processor 218 implements a cryptographic algorithm, and may generate the public encryption key from the activation code. Because the activation code and the public encryption key form an asymmetric key pair, this derivation and the digital signature below require an asymmetric (public-key) algorithm such as RSA or an elliptic-curve scheme; a symmetric block cipher (e.g. data encryption standard (DES), triple-DES, advanced encryption standard (AES)) cannot derive a public key from a private key, nor produce a signature that a third party can verify with the public key alone. Preferably, the terminal activation request also includes at least one of the terminal credentials, and the terminal authentication processor 218 uses the activation code and the cryptographic algorithm to digitally sign the terminal activation request.
The terminal authentication processor 218 is configured to transmit the terminal activation request to the certificate server 300, and to save in the memory 214 an activation response that is received from the certificate server 300 in response to the terminal activation request. The activation response includes a digital terminal authentication certificate. The terminal authentication certificate includes the public encryption key that was included with the terminal activation request. Typically, the terminal authentication certificate is digitally signed by the certificate server 300.
The terminal authentication processor 218 is configured to authenticate the communications terminal 200 to the certificate server 300 and/or to a computer server, distinct from the certificate server 300, using the saved terminal authentication certificate. In the embodiment described below, the terminal authentication processor 218 uses the terminal authentication certificate to authenticate to the network gateway 400, and may also use the terminal authentication certificate to authenticate to the certificate server 300 in order to renew the terminal authentication certificate. However, it should be understood that the terminal authentication certificate may be used to authenticate the communications terminal 200 to any network device that is accessible, directly or indirectly, to the communications terminal 200.
The transaction processor 220 is configured to generate a transaction proposal from one or more of the administrator credentials (e.g. sysID, administrator passcode), and to transmit the transaction proposal to the network gateway 400, via the first network interface 206a. The transaction proposal identifies a proposed transaction that the operator of the communications terminal 200 proposes to engage in with a network device 500 of the second communications network 104. Accordingly, the transaction proposal may also include payment particulars for the proposed transaction or include one or more predefined transaction identifiers which the network gateway 400 can use to calculate or otherwise determine the payment particulars.
The transaction processor 220 is configured to receive from the network gateway 400 a transaction proposal response that is issued in response to the transaction proposal. The transaction proposal response specifies a pointer to the proposed transaction. As will be explained below, the network gateway 400 may generate the transaction pointer from the administrator credentials, payment particulars and/or transaction identifiers (if any) that were included in the transaction proposal. Alternately, or additionally, the transaction pointer may comprise a pseudo-random number generated by the network gateway 400. The transaction proposal response may also identify the payment particulars for the proposed transaction. Preferably, the transaction processor 220 saves the transaction proposal response in the memory 214.
The transaction processor 220 may also be configured to transmit over the payment network 106, via the second network interface 206b, payment particulars for effecting payment for the proposed transaction, and to receive from the payment network 106 a payment confirmation in response to the payment particulars. After payment for the proposed transaction is confirmed, the transaction processor 220 generates a transaction completion request from the administrator credential and the transaction pointer, and transmits the transaction completion request to the network device 500 via the first network interface 206a and the network gateway 400. The transaction completion request requests completion of the proposed transaction with the network device 500.
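The proposal, pointer and completion exchange described in the preceding paragraphs, written out as an added example of the gateway side in Go. This is illustrative code written for this page, not code from the application. Its assumptions: the transaction pointer is a 128-bit random value (one of the options the text allows); the gateway determines the payment particulars from a price list keyed by the predefined transaction identifier; and the transaction completion request carries a PaymentRef taken from the payment confirmation, a field the text does not specify. The product identifier and price are constructed sample data.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// TransactionProposal is what transaction processor 220 sends: the sysID plus
// either a predefined transaction identifier or explicit payment particulars.
type TransactionProposal struct {
	SysID       string
	ProductID   string // predefined transaction identifier, e.g. a lottery product
	AmountCents int64  // 0 means: gateway, determine the amount from ProductID
}

// TransactionProposalResponse carries the pointer and the payment particulars
// the terminal will then send over payment network 106.
type TransactionProposalResponse struct {
	Pointer     string
	AmountCents int64
}

// TransactionCompletionRequest carries the administrator credential and the
// pointer; PaymentRef is an assumed reference from the payment confirmation.
type TransactionCompletionRequest struct {
	SysID, Pointer, PaymentRef string
}

type proposal struct {
	SysID, ProductID string
	AmountCents      int64
	Completed        bool
}

// Gateway is network gateway 400: a price list standing in for "calculate the
// payment particulars", and the proposals awaiting completion, keyed by pointer.
type Gateway struct {
	prices  map[string]int64
	pending map[string]*proposal
}

func NewGateway() *Gateway {
	return &Gateway{prices: map[string]int64{"LOTTO-6-49": 300}, pending: map[string]*proposal{}}
}

// Propose determines the payment particulars, records the proposal under a
// 128-bit random pointer and returns the pointer and amount to the terminal.
func (g *Gateway) Propose(tp TransactionProposal) (TransactionProposalResponse, error) {
	amount := tp.AmountCents
	if amount == 0 {
		price, ok := g.prices[tp.ProductID]
		if !ok {
			return TransactionProposalResponse{}, errors.New("unknown transaction identifier")
		}
		amount = price
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return TransactionProposalResponse{}, err
	}
	ptr := hex.EncodeToString(nonce)
	g.pending[ptr] = &proposal{SysID: tp.SysID, ProductID: tp.ProductID, AmountCents: amount}
	return TransactionProposalResponse{Pointer: ptr, AmountCents: amount}, nil
}

// Complete handles the transaction completion request: the pointer must exist,
// must have been issued to the same sysID, must not have been used before, and
// the terminal must report a payment confirmation; only then is the transaction
// request message for network device 500 built from the stored particulars.
func (g *Gateway) Complete(req TransactionCompletionRequest) (string, error) {
	p, ok := g.pending[req.Pointer]
	if !ok {
		return "", errors.New("unknown transaction pointer")
	}
	if p.SysID != req.SysID {
		return "", errors.New("pointer was issued to a different sysID")
	}
	if p.Completed {
		return "", errors.New("transaction already completed")
	}
	if req.PaymentRef == "" {
		return "", errors.New("no payment confirmation")
	}
	p.Completed = true
	return fmt.Sprintf("PURCHASE sysid=%s product=%s amount=%d payment=%s",
		p.SysID, p.ProductID, p.AmountCents, req.PaymentRef), nil
}
```

The checks in Complete are the ones that carry the security of the flow: a pointer is honoured only for the sysID it was issued to, only once, and only with a payment confirmation, so a terminal that learns another terminal's pointer, or replays its own, obtains nothing from the network device.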
Certificate Server/Terminal Management Server
The certificate server 300 is implemented as one or more networked computer servers. As shown in FIG. 3, the certificate server 300 includes a primary network interface 302, a secondary network interface 304, and a computer processing unit 306 that is coupled to the primary network interface 302 and the secondary network interface 304. The primary network interface 302 interfaces the certificate server 300 with the first communications network 102 and allows the certificate server 300 to communicate with the communications terminals 200. The secondary network interface 304 interfaces the certificate server 300 with the terminal management server 350.
The computer processing unit 306 of the certificate server 300 may include a microprocessor 308 and a computer-readable medium 310. The computer-readable medium 310 may be provided as electronic computer memory (e.g. flash memory) or optical or magnetic memory (e.g. compact disc, hard disk) and may include computer processing instructions stored thereon which, when executed by the microprocessor 308, define an operating system (not shown) that controls the overall operation of the certificate server 300.
The computer processing instructions may also implement a certificate generator 314 that generates the terminal authentication certificates which allow the communications terminals 200 to authenticate to the network gateway 400. The certificate generator 314 also allows the communications terminals 200 to renew their respective terminal authentication certificates. Although the certificate generator 314 may be implemented as computer processing instructions, all or a portion of the functionality of the certificate generator 314 may be implemented instead in electronics hardware.
The certificate generator 314 is configured to receive a terminal activation request from a communications terminal 200, and to determine a validity of the terminal activation request. The terminal activation request includes a digital signature and a public encryption key. The certificate generator 314 determines the validity of the terminal activation request by verifying that the digital signature was generated from a private encryption key that is uniquely associated with the communications terminal 200, and that the public encryption key and the private encryption key comprise an asymmetric encryption key pair. In practice both conditions are checked at once by verifying the digital signature with the public encryption key carried in the request: the verification succeeds only if the signer holds the private key that matches that public key, so the certificate server never has to see the private key itself.
As discussed above, the terminal management server 350 may include a database of records, each associated with a respective communications terminal 200. Each database record may identify the terminal credentials (e.g. terminal ID, terminal serial number) that are uniquely associated with the communications terminal 200. The terminal activation request may include the terminal credentials of the communications terminal 200. The certificate generator 314 may determine the validity of the terminal activation request by, before (or after) verifying the digital signature on the terminal activation request, using the terminal management server 350 to verify that the terminal credentials included in the terminal activation request are associated with a common communications terminal 200.
The certificate generator 314 is configured to, in accordance with the terminal activation request validity determination, generate an activation response in response to the terminal activation request and transmit the activation response to the communications terminal 200. The activation response comprises a digital authentication certificate that includes the public encryption key and facilitates authentication of the communications terminal 200 to a computer server, distinct from the certificate server 300.
The certificate generator 314 may also be configured to receive from the communications terminal 200 a certificate renewal request requesting renewal of the digital authentication certificate, and to determine a validity of the certificate renewal request. The certificate renewal request may include the public encryption key and a further digital signature. The certificate generator 314 may determine the validity of the certificate renewal request by verifying that the digital signature of the certificate renewal request was generated from the private encryption key that is uniquely associated with the payment terminal and that the public encryption key and the private encryption key comprise an asymmetric encryption key pair.
The certificate generator 314 may be configured to, in accordance with the certificate renewal request validity determination, generate a renewal response in response to the certificate renewal request and transmit the renewal response to the communications terminal 200. The renewal response may include a renewed digital authentication certificate that includes the public encryption key and facilitates authentication of the payment terminal to the computer server. The certificate generator 314 may use the digital authentication certificate (that was included in the activation response) to establish an encrypted connection with the communications terminal 200, and may receive the certificate renewal request from, and transmit the renewal response to, the communications terminal 200 over the encrypted connection.
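Both sides of the activation exchange, the terminal authentication processor of the Communications Terminal section and the certificate generator described here, together with the check the network gateway performs when the certificate is presented, as an added example in Go. This is illustrative code written for this page, not the application's own. It assumes an ECDSA P-256 key pair for the activation code and public encryption key (an asymmetric algorithm is needed for the signature), X.509 for the digital authentication certificate, a hypothetical request encoding, and a constructed terminal management registry with a single entry. Certificate renewal, which the text describes as the same signature check repeated over a connection protected by the first certificate, is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// ActivationRequest is a hypothetical wire form of the terminal activation
// request; Signature is made with the activation code over the other fields.
type ActivationRequest struct {
	TerminalID string
	Serial     string
	PublicKey  []byte // DER SubjectPublicKeyInfo derived from the activation code
	Signature  []byte
}

// digest is what the signature covers: credentials and public key, delimited
// (a production encoding would length-prefix the fields instead).
func (r ActivationRequest) digest() []byte {
	d := sha256.Sum256(append([]byte(r.TerminalID+"|"+r.Serial+"|"), r.PublicKey...))
	return d[:]
}

// NewActivationRequest is terminal authentication processor 218: derive the
// public key from the activation code, then sign credentials and public key.
func NewActivationRequest(terminalID, serial string, code *ecdsa.PrivateKey) (ActivationRequest, error) {
	pub, err := x509.MarshalPKIXPublicKey(&code.PublicKey)
	if err != nil { return ActivationRequest{}, err }
	req := ActivationRequest{TerminalID: terminalID, Serial: serial, PublicKey: pub}
	req.Signature, err = ecdsa.SignASN1(rand.Reader, code, req.digest())
	return req, err
}

// CertificateServer is certificate server 300; Registry stands in for the
// terminal management server 350 (terminal ID -> serial number).
type CertificateServer struct {
	CAKey    *ecdsa.PrivateKey
	CACert   *x509.Certificate
	Registry map[string]string
}

func template(cn, serial string, days int) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn, SerialNumber: serial}, NotBefore: time.Now().Add(-time.Minute),
		NotAfter: time.Now().Add(time.Duration(days) * 24 * time.Hour)}
}

// NewCertificateServer makes a self-signed CA and a constructed one-entry registry.
func NewCertificateServer() (*CertificateServer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := template("certificate-server-300", "", 3650)
	tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	ca, err := x509.ParseCertificate(der)
	return &CertificateServer{CAKey: key, CACert: ca, Registry: map[string]string{"TERM-0001": "SN-12345"}}, err
}

// Activate is certificate generator 314: the credentials must be registered to a
// common terminal and the signature must verify under the enclosed public key
// (proof that the requester holds the matching private key); then a certificate
// binding that public key to the terminal credentials is issued.
func (s *CertificateServer) Activate(req ActivationRequest) (*x509.Certificate, error) {
	if serial, ok := s.Registry[req.TerminalID]; !ok || serial != req.Serial {
		return nil, errors.New("credentials are not registered to a common terminal")
	}
	pubAny, err := x509.ParsePKIXPublicKey(req.PublicKey)
	if err != nil { return nil, err }
	pub, ok := pubAny.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, req.digest(), req.Signature) {
		return nil, errors.New("activation request signature invalid")
	}
	tmpl := template(req.TerminalID, req.Serial, 365)
	tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, s.CACert, pub, s.CAKey)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// GatewayVerify is what network gateway 400 runs when a terminal presents its
// certificate: chain it to the certificate server, then check a fresh challenge
// signed with the terminal's private key, so a copied certificate alone is useless.
func GatewayVerify(ca, cert *x509.Certificate, challenge, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil { return err }
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	d := sha256.Sum256(challenge)
	if !ok || !ecdsa.VerifyASN1(pub, d[:], sig) { return errors.New("challenge signature invalid") }
	return nil
}
```

In this example Activate never trusts the public key in the request on its own: it is accepted only after the signature verifies under it, which is the proof-of-possession step the text describes as checking that the two keys form a pair. GatewayVerify then demands a signature over a challenge of its own choosing, so presenting a certificate without the activation code that produced it does not authenticate anyone.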
Network Gateway

The network gateway 400 is implemented as one or more networked computer servers. As shown in FIG. 4, the network gateway 400 includes a primary network interface 402, a secondary network interface 404, and a computer processing unit 406 that is coupled to the primary network interface 402 and the secondary network interface 404. The primary network interface 402 interfaces the network gateway 400 with the first communications network 102 and allows the network gateway 400 to communicate with the communications terminals 200. The secondary network interface 404 interfaces the network gateway 400 with the second communications network 104 and allows the network gateway 400 to communicate with network devices 500 of the second communications network 104.

The computer processing unit 406 may include a microprocessor 408 and a computer-readable medium 410. The computer-readable medium 410 may be provided as electronic computer memory (e.g. flash memory) or optical or magnetic memory (e.g. compact disc, hard disk) and may include computer processing instructions stored thereon which, when executed by the microprocessor 408, define an operating system (not shown) that controls the overall operation of the network gateway 400.

The computer processing instructions may also implement a gateway authenticator 414 that is configured to receive an authentication request from a communications terminal 200, and to transmit the authentication request to a communications network. The authentication request typically includes a token cryptogram that is generated from a cryptographic key that is stored on an identity token 210 that is interfaced with the communications terminal 200.

The gateway authenticator 414 is also configured to receive an authentication response from the communications network in accordance with a validity of the token cryptogram. The authentication response includes a gateway authentication certificate which the network gateway 400 uses to authenticate to a network device of the communications network.

In the embodiment described below, the network gateway 400 transmits the authentication request to, and receives the authentication response from, the second communications network 104, and uses the gateway authentication certificate to authenticate to a network device 500 of the second communications network 104. However, this configuration is not essential; the network gateway 400 may transmit the authentication request to any network device that can issue a gateway authentication certificate which the network gateway 400 may require to access a particular network.
Terminal Authentication Processing—Overview

As discussed, the communications terminal 200 implements a method of authenticating the communications terminal 200 to other network devices. A sample embodiment of the communications terminal authenticating method is depicted in FIG. 5. In this embodiment, preferably the communications terminal 200 is implemented as a payment terminal.

At the outset of the method, the payment terminal 200 generates a terminal activation request from a private encryption key (activation code) that is input into or saved in the communications terminal 200, and from at least one terminal credential that is uniquely associated with the payment terminal 200. The terminal activation request includes a public encryption key. Preferably, the public encryption key and the private encryption key comprise an asymmetric encryption key pair. The payment terminal 200 transmits the terminal activation request to the certificate server 300, at step S500.

At step S502, the payment terminal 200 receives an activation response from the certificate server 300 in response to the terminal activation request. The activation response comprises a digital authentication certificate that includes the public encryption key that was included with the terminal activation request.

Preferably, the certificate server 300 signs the digital authentication certificate using the certificate server's private encryption key. The certificate server 300 may determine the validity of the terminal credential, and may generate the digital authentication certificate after successfully validating the terminal credential. Alternately, the certificate server 300 may forward the activation request to a certificate signing authority for generation of the digital authentication certificate (preferably after the certificate server 300 validates the terminal credential), or may generate the digital authentication certificate after forwarding the activation request to another network device for credential validation.

At step S504, the payment terminal 200 uses the digital authentication certificate to authenticate to a network device that is distinct from the certificate server 300. As discussed above, typically the payment terminal 200 uses the digital authentication certificate to authenticate to the network gateway 400. However, the digital authentication certificate may be used to authenticate to any network device that is accessible, directly or indirectly, to the payment terminal 200. Since conventional payment terminal authentication techniques use only the terminal serial number to authenticate the payment terminal, authenticating with a certificate bound to the terminal's own key pair offers a significant advantage over the state of the art.
Gateway Authentication Processing—Overview

As discussed, the network gateway 400 implements a method of network gateway authentication. A sample embodiment of the network gateway authenticating method is depicted in FIG. 6.

As shown therein, at step S600 the network gateway 400 receives an authentication request from a communications terminal 200. In this embodiment, the communications terminal 200 comprises a wireless or wired communications device, which could be, but is not necessarily, implemented as a payment terminal. The authentication request includes a token cryptogram that is generated from a cryptographic key that is stored on an identity token 210 that is interfaced with the communications terminal 200. Optionally, the authentication request may include one or more administrator credentials.

At step S602, the network gateway 400 transmits the authentication request to a communications network. At step S604, the network gateway 400 receives an authentication response from the communications network in accordance with a validity of the token cryptogram, and saves the authentication response. The authentication response includes a gateway authentication certificate which the network gateway 400 uses to authenticate to a network device of the communications network.

A network device of the communications network may determine the validity of the token cryptogram (for example, by verifying that the token cryptogram was generated from a cryptographic key stored on the identity token 210), and the authentication response may be transmitted to the network gateway 400 in accordance with the determined validity.

Where the authentication request includes an administrator credential, the network gateway 400 may optionally associate the administrator credential with the gateway authentication certificate. Thereafter, if the network gateway 400 receives an administrator credential from the communications terminal 200, the network gateway 400 may use the received administrator credential and the associated gateway authentication certificate to authenticate to the network device of the communications network.

For example, as discussed above with reference to step S502, the communications terminal 200 may receive a terminal authentication certificate that is configured to facilitate authentication of the communications terminal 200 to the network gateway 400. After step S604, the operator of the communications terminal 200 may transmit a validation request to the network gateway 400 requesting authentication of the communications terminal 200 to a network device of the communications network (e.g. the network device 500 of the second communications network 104). The network gateway 400 may facilitate authentication of the communications terminal 200 to the network device of the communications network via the gateway authentication certificate and the validation request.

As a more detailed example, the validation request may include an administrator credential, and the communications terminal 200 may transmit the validation request to the network gateway 400 after using the terminal authentication certificate to authenticate to the network gateway 400. The network gateway 400 may use the administrator credential in the validation request to locate the gateway authentication certificate that is associated with that credential, and then use the located gateway authentication certificate to authenticate to the network device of the communications network.
Transaction Processing—Overview

As discussed, the network gateway 400 also implements a method for completing a transaction with a network device. A sample embodiment of the transaction completion method is depicted in FIG. 7.

As shown therein, at step S700 the communications terminal 200 transmits a transaction proposal to the network gateway 400 via the first communications network 102. In this embodiment, the communications terminal 200 comprises a wireless or wired communications device, which could be, but is not necessarily, implemented as a payment terminal. The transaction proposal identifies a transaction that the operator of the communications terminal 200 proposes to engage in with a network device.

The network gateway 400 is configured to authenticate to the network device via a communications network that comprises the network device. For example, as discussed above, at step S604 the network gateway 400 may receive a gateway authentication certificate which the network gateway 400 can use to authenticate to a network device of the communications network. Accordingly, the transaction proposal may identify a proposed transaction with the network device 500 of the second communications network 104.

At step S702, the communications terminal 200 receives from the network gateway 400 a transaction proposal response in response to the transaction proposal. The transaction proposal response specifies a pointer to the proposed transaction. Preferably, the transaction proposal response also identifies the payment particulars for the proposed transaction.

At step S704, the communications terminal 200 may transmit over the payment network 106 payment particulars for effecting payment for the proposed transaction. At step S706, the communications terminal 200 may receive from the payment network 106 a payment confirmation in response to the payment particulars. However, these latter two steps are not essential; the operator of the communications terminal 200 may effect payment for the proposed transaction without engaging the payment network 106. For example, the operator may pay cash for the proposed transaction, or may use a payment terminal other than the communications terminal 200 to effect payment for the proposed transaction.

After payment is provided for the proposed transaction, at step S708 the communications terminal 200 initiates completion of the proposed transaction by generating a transaction completion request and transmitting the transaction completion request to the network device via the network gateway 400. The communications terminal 200 generates the transaction completion request from the transaction pointer that was received at step S702. By virtue of the transaction completion request, the communications terminal 200 requests completion of the proposed transaction with the network device.

To complete the transaction, the network gateway 400 may generate a transaction request message from the transaction completion request, and transmit the transaction request message to the network device via the second communications network 104, at step S710. The transaction request message may include the administrator credential and identify the particulars of the proposed transaction.
Online Transaction Processing Method—Detailed Discussion

A preferred implementation of the authentication network 100 will now be discussed with reference to FIGS. 8 to 12. In this implementation, the second communications network 104 comprises a wide area network, such as the Internet, and the network device 500 is implemented as a computer (lottery) server that facilitates online lottery ticket sales via the second communications network 104. Each communications terminal 200 is configured as a payment terminal that is connected to a respective electronic cash register (ECR) and is deployed in a respective checkout lane of the merchant's store. The secure payment network 106 comprises the merchants' respective acquirer networks, and customers in the merchants' stores use the communications terminals 200 to purchase lottery tickets from the lottery server 500. Although in the following example method the communications terminals 200 are used to purchase lottery tickets, it should be understood that the method could be used to complete online transactions other than lottery ticket sales, including the purchase of goods/services, bill payment, funds transfer, and/or bank account or credit card balance query. Further, although in the following example method the communications terminals 200 are implemented as payment terminals, it should be understood that the communications terminals 200 could be implemented as communications devices other than payment terminals.

The operator of the lottery provides each merchant with a smartcard 210 that is configured with the unique administrator credentials (sysID and administrator passcode). The lottery server 500 is in communication with a token database that saves the administrator credentials and the public cryptographic key associated with each smartcard 210.

The administrator of the terminal management server 350 provides each merchant with a physical document that specifies the terminal credentials (unique terminal ID and terminal serial number) and the activation code for each of the merchant's payment terminals 200. The database of the terminal management server 350 stores the terminal credentials of each payment terminal 200. The memory 214 of each payment terminal 200 is pre-configured with a terminal serial number and with the authentication certificate of the certificate server 300.
1. Terminal Activation

To allow the merchant to use the payment terminals 200 within the authentication network 100, the merchant executes the terminal activation method, depicted in FIG. 8, to thereby provide each payment terminal 200 with a respective terminal authentication certificate that the payment terminal 200 can use to authenticate to the network gateway 400.

At step S800, the merchant applies power to the payment terminal 200 (by connecting the payment terminal 200 to the associated electronic cash register, for example), and the payment terminal 200 establishes an encrypted channel with the certificate server 300. Typically, the payment terminal 200 uses the pre-configured authentication certificate of the certificate server 300 to establish a server-authenticated SSL/TLS connection with the certificate server 300; at this point only the server is authenticated, since the terminal does not yet hold a certificate of its own.

The merchant may use the data input device 202 to select the terminal activation method from a menu of available methods. The terminal authentication processor 218 of the payment terminal 200 then prompts the merchant to input the terminal credentials (terminal ID, terminal serial number) and the activation code (private cryptographic key) into the payment terminal 200. The merchant manually inputs the required terminal credentials into the payment terminal 200 via the data input device 202.

In response, the terminal authentication processor 218 generates a terminal activation request message from the terminal credentials and the activation code. The terminal activation request message includes a public cryptographic key which the terminal authentication processor 218 generates from the activation code. The public cryptographic key and the activation code comprise an asymmetric encryption key pair.

Preferably, the terminal activation request comprises a certificate signing request (CSR) that the terminal authentication processor 218 generates from the terminal credentials. More preferably, the certificate signing request includes the terminal ID and the public cryptographic key and is digitally signed using the activation code. The terminal activation request may also include a keyed message authentication code (e.g. an HMAC) that is computed from the terminal serial number and the certificate signing request, for example an HMAC over the CSR keyed with the serial number.

At step S802, the payment terminal 200 transmits the terminal activation request to the certificate server 300. The certificate server 300 then determines the validity of the terminal activation request. To do so, at step S804 the certificate generator 314 may transmit the terminal activation request to the terminal management server 350, requesting that the terminal management server 350 validate the terminal credentials included in the terminal activation request. In response, the terminal management server 350 may query its database with the terminal credentials to verify that the terminal credentials are associated with a common payment terminal 200 (i.e. the terminal credentials are associated with a legitimate payment terminal 200). The terminal management server 350 may respond to the certificate server 300 with a validation response, at step S806.

The certificate server 300 may also determine the validity of the terminal activation request by verifying the digital signature on the terminal activation request. To do so, the certificate generator 314 uses the public cryptographic key that was included with the certificate signing request to verify that the certificate signing request was signed using the activation code. A valid signature shows that the activation code and the public cryptographic key comprise an asymmetric encryption key pair, i.e. that the requester possesses the private key corresponding to the public key being certified.

If the certificate server 300 determines that the terminal activation request is valid, the certificate generator 314 generates an activation response message that includes a terminal authentication certificate that the payment terminal 200 can use to authenticate to the network gateway 400. The certificate generator 314 generates the terminal authentication certificate from the public cryptographic key of the certificate signing request, and signs the terminal authentication certificate with the private encryption key assigned to the certificate server 300. Preferably, the terminal authentication certificate is an X.509 digital certificate and therefore carries an expiry date (notAfter), which the certificate server 300 sets to a predetermined number of days after the current date. The certificate generator 314 may insert, into the activation response message, the (renewal) network address (e.g. IP address and/or port number) of the certificate server 300 to which the payment terminal 200 can transmit certificate renewal requests. Otherwise, the certificate server 300 generates an activation response message that indicates that the terminal activation request is invalid.

The certificate server 300 transmits the activation response message to the payment terminal 200, in response to the activation request message, at step S808. In response, the terminal authentication processor 218 may verify that the terminal authentication certificate was digitally signed by the certificate server 300, and then saves the terminal authentication certificate in the memory 214, together with the terminal ID, the activation code, and the renewal network address. Thereafter, the payment terminal 200 may use the terminal authentication certificate to authenticate to the network gateway 400.
2. Terminal Certificate Renewal

Preferably, the payment terminals 200 authenticate to the network gateway 400 whenever customers attempt to use the payment terminals 200 to purchase lottery tickets from the lottery server 500. Preferably, the payment terminals 200 also authenticate to the network gateway 400 in order to set up the network gateway 400 and, optionally, to register the payment terminals 200 with the lottery server 500. Therefore, preferably the payment terminal 200 periodically executes the certificate renewal method, depicted in FIG. 9, to ensure that the terminal authentication certificate remains valid. As will become apparent, the payment terminal 200 may use the terminal authentication certificate to establish an encrypted connection with the certificate server 300 and/or the network gateway 400 only while the terminal authentication certificate remains valid. Unlike the terminal activation method, the gateway setup method, the terminal registration method and the transaction request method described herein, preferably the payment terminals 200 execute the certificate renewal method automatically (i.e. without being invoked by the merchant) and transparently (i.e. without notification to the merchant).

At the outset of the certificate renewal method, the terminal authentication processor 218 determines the expiry date of the terminal authentication certificate. If the expiry date reveals that the terminal authentication certificate has expired, the certificate renewal method terminates and the payment terminal 200 will thereafter not re-attempt to authenticate to or otherwise communicate with the network gateway 400, at least until the merchant re-executes the terminal activation method with a new activation code.

However, if the expiry date indicates that the terminal authentication certificate has not expired, and the expiry date of the terminal authentication certificate falls within a predetermined time frame after the current date, at step S900 the terminal authentication processor 218 establishes an encrypted communications channel with the certificate server 300 at the renewal network address (e.g. IP address and/or port number) specified in the activation response message. Typically, the terminal authentication processor 218 uses the terminal authentication certificate to establish a mutually-authenticated SSL/TLS connection with the certificate server 300, presenting the terminal authentication certificate as its client certificate. The certificate server 300 may refuse the connection if the terminal authentication certificate has expired.

The terminal authentication processor 218 then generates a certificate renewal request message from the terminal credentials and the activation code. Preferably, the certificate renewal request message includes the public cryptographic key and the terminal credentials. More preferably, the certificate renewal request comprises a certificate signing request (CSR) that includes the terminal ID and the public cryptographic key and is digitally signed using the activation code that was saved in the memory 214.

At step S902, the payment terminal 200 transmits the certificate renewal request to the certificate server 300 over the encrypted channel. The certificate server 300 then determines the validity of the certificate renewal request. To do so, at step S904 the certificate generator 314 may transmit the certificate renewal request to the terminal management server 350, requesting that the terminal management server 350 validate the terminal credentials included in the certificate renewal request. In response, the terminal management server 350 may query its database with the terminal credentials to verify that the terminal credentials are associated with a common payment terminal 200 (i.e. the terminal credentials are associated with a legitimate payment terminal 200).

As will be discussed below, suspicious or fraudulent activity involving the payment terminal 200 may have been reported to the operator of the terminal management server 350. Accordingly, the terminal management server 350 may also query its database with the terminal credentials to verify that the terminal authentication certificate has not been revoked.

If the terminal management server 350 determines that the terminal credentials are associated with a legitimate payment terminal 200, and that the terminal authentication certificate has not been revoked, the terminal management server 350 responds to the certificate server 300 with a validation response, at step S906, indicating that the terminal credentials were successfully validated. Otherwise, the terminal management server 350 responds to the certificate server 300 with a validation response indicating that validation of the terminal credentials failed.

The certificate server 300 may also determine the validity of the certificate renewal request by verifying the digital signature on the certificate renewal request. To do so, the certificate generator 314 uses the public cryptographic key that was included with the certificate signing request to verify that the certificate signing request was signed using the activation code (and, therefore, that the activation code and the public cryptographic key comprise an asymmetric encryption key pair, i.e. that the requester still possesses the activation code).

If the certificate server 300 determines that the certificate renewal request (and the terminal credentials included therein) is valid, the certificate generator 314 generates a certificate renewal response message that includes a renewed terminal authentication certificate. The certificate generator 314 generates the renewed terminal authentication certificate from the public cryptographic key of the certificate signing request, and signs the renewed terminal authentication certificate with the private encryption key assigned to the certificate server 300. Preferably, the renewed terminal authentication certificate is an X.509 digital certificate and therefore carries an expiry date, which is set to a predetermined number of days after the current date. Otherwise, the certificate server 300 generates a certificate renewal response message that indicates that the certificate renewal request is invalid.

The certificate server 300 transmits the certificate renewal response message to the payment terminal 200, in response to the certificate renewal request, at step S908. In response, the terminal authentication processor 218 verifies that the renewed terminal authentication certificate was signed by the certificate server 300, and then replaces the terminal authentication certificate in the memory 214 with the renewed terminal authentication certificate. Thereafter, the payment terminal 200 uses the renewed terminal authentication certificate to authenticate to the network gateway 400. Since the payment terminal 200 preferably verifies that the (renewed) terminal authentication certificate was signed by the certificate server 300 upon receipt from the certificate server 300, and periodically determines the expiry date of the (renewed) terminal authentication certificate prior to transmitting a certificate renewal request to the certificate server 300, in effect the payment terminal 200 renews the terminal authentication certificate in accordance with the outcome of the digital signature verification and the expiry date verification.
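The activation exchange of section 1 (and the FIG. 5 overview) and the renewal exchange of section 2 share one request shape and one issuance path, so the following single worked example, written in Go against the standard library, covers both. It is an added illustration and not code from the patent. The certificate server 300 and the terminal management server 350's database are merged into one CertServer struct with in-memory maps; the activation code is modelled as a P-256 private key generated in code (the page has the merchant type it in but does not say how it encodes the key); the "message authentication code generated from the terminal serial number and the CSR" is taken to be HMAC-SHA256 over the CSR bytes keyed with the serial number; the revocation list stands in for the management server's revocation lookup at step S904. The SSL/TLS channels are not shown. All identifiers (CertServer, BuildRequest, Issue, RenewalDue, the terminal ID and serial values) are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CertServer stands in for the certificate server 300 plus the terminal management
// server 350's database (constructed sample data, not from the page).
type CertServer struct {
	key     *ecdsa.PrivateKey
	cert    *x509.Certificate // self-signed CA certificate pre-configured on the terminals
	serials map[string]string // terminal ID -> terminal serial number
	revoked map[string]bool   // terminal IDs whose certificates have been revoked
}

func NewCertServer(serials map[string]string) (*CertServer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "certificate-server-300"},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CertServer{key: key, cert: cert, serials: serials, revoked: map[string]bool{}}, err
}

// NewActivationCode models the activation code as a fresh P-256 private key (an assumption).
func NewActivationCode() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// terminalMAC: HMAC-SHA256 over the CSR bytes keyed with the terminal serial number (assumed construction).
func terminalMAC(serial string, csr []byte) []byte {
	mac := hmac.New(sha256.New, []byte(serial))
	mac.Write(csr)
	return mac.Sum(nil)
}

// BuildRequest is the terminal side (S800/S802; the renewal request of S900/S902 has the
// same shape): a CSR carrying the terminal ID and public key, signed with the activation code.
func BuildRequest(activationCode *ecdsa.PrivateKey, terminalID, serial string) (csr, mac []byte, err error) {
	csr, err = x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: terminalID}}, activationCode)
	if err != nil {
		return nil, nil, err
	}
	return csr, terminalMAC(serial, csr), nil
}

// Issue is the certificate server side (S804-S808 and S904-S908): verify the CSR's own
// signature (proof of possession of the activation code), look the terminal up, reject
// revoked terminals, check the HMAC with the recorded serial, then sign a client certificate.
func (s *CertServer) Issue(csrDER, mac []byte, validityDays int) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, errors.New("CSR not signed with the key it carries")
	}
	id := csr.Subject.CommonName
	serial, ok := s.serials[id]
	if !ok || s.revoked[id] {
		return nil, errors.New("terminal unknown or revoked")
	}
	if !hmac.Equal(terminalMAC(serial, csrDER), mac) {
		return nil, errors.New("serial number does not match terminal ID")
	}
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), Subject: csr.Subject,
		NotBefore: now, NotAfter: now.AddDate(0, 0, validityDays),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, s.cert, csr.PublicKey, s.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RenewalDue is the terminal's decision at the start of the renewal method: renew only
// if the certificate is still valid but expires within window; an expired certificate
// is not renewable and the merchant must re-run activation.
func RenewalDue(cert *x509.Certificate, now time.Time, window time.Duration) (due, expired bool) {
	expired = !now.Before(cert.NotAfter)
	return !expired && cert.NotAfter.Sub(now) <= window, expired
}
```

The order of checks in Issue matters: CheckSignature establishes that whoever built the CSR holds the private key matching the public key about to be certified, the database lookup and revocation check correspond to the terminal management server's validation response, and the HMAC binds the typed-in serial number to exactly this CSR. A renewal is simply a second call to Issue over a mutually-authenticated channel, which is why the revocation check sits inside the same function.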
3. Gateway Setup

After activating the payment terminal 200, the merchant executes the gateway setup method, depicted in FIG. 10, to thereby provide the network gateway 400 with a gateway authentication certificate that the network gateway 400 can use to authenticate to the lottery server 500 of the second communications network 104. Optionally, the gateway setup method also installs in the network gateway 400 a gateway credential which the payment terminal 200 can use to allow the merchant to access and configure the network gateway 400.

The merchant may use the data input device 202 to select the gateway setup method from the menu of available methods. If the terminal authentication processor 218 determines that the terminal authentication certificate is valid, the terminal authentication processor 218 establishes an encrypted channel with the network gateway 400, at step S1000. Typically, the terminal authentication processor 218 uses the terminal authentication certificate to establish a mutually-authenticated SSL/TLS connection with the network gateway 400. The network gateway 400 may refuse the connection if the terminal authentication certificate has expired.

The terminal authentication processor 218 of the payment terminal 200 then prompts the merchant to interface an identity token with the payment terminal 200 and to input one or more administrator credentials (e.g. sysID, administrator passcode) into the payment terminal 200. The merchant interfaces the supplied smartcard 210 with the token interface 209 of the payment terminal 200, and then uses the data input device 202 to input the required administrator credentials into the payment terminal 200. In response, the terminal authentication processor 218 generates a credential validation request message that includes the administrator credential(s). The terminal authentication processor 218 transmits the credential validation request to the smartcard 210, at step S1002.

In response, the smartcard 210 may compare the administrator credentials received in the credential validation request with the administrator credentials saved in its protected memory, and generate a token cryptogram from the administrator credentials and the private cryptographic key saved in the smartcard 210 only if the received credentials match the saved ones. Alternately, the smartcard 210 may generate the token cryptogram without comparing the received administrator credentials with the saved administrator credentials.

If a token cryptogram was generated, the smartcard 210 generates a credential validation response that includes the token cryptogram; otherwise, the smartcard 210 may generate a credential validation response that indicates that the received administrator credentials are invalid. The smartcard 210 transmits the credential validation response to the payment terminal 200, in response to the credential validation request, at step S1004.

If the credential validation response includes a token cryptogram, the terminal authentication processor 218 generates a card authentication request message that includes the administrator credentials and the token cryptogram. The terminal authentication processor 218 then transmits the card authentication request to the network gateway 400 over the encrypted channel, at step S1006. Preferably, the smartcard 210 generates the token cryptogram from the administrator sysID and the token private cryptographic key and, therefore, the card authentication request includes the administrator sysID and the token cryptogram.

The gateway authenticator 414 of the network gateway 400 generates a certificate request message that includes the token cryptogram and the associated administrator credential(s), and transmits the certificate request message to a network device (lottery server) 500 of the second communications network, at step S1008. In response, the lottery server 500 uses the administrator credential(s) of the certificate request message to locate the public cryptographic key that is associated with the smartcard 210. The lottery server 500 then validates the token cryptogram of the certificate request message using the located public cryptographic key, thereby verifying that the token cryptogram was generated from the administrator credentials and from the private cryptographic key that is associated with the smartcard 210.

If the lottery server 500 determines that the token cryptogram is valid, the lottery server 500 generates a certificate response message that includes a gateway authentication certificate that the network gateway 400 can use to authenticate to the lottery server 500. The lottery server 500 signs the gateway authentication certificate with the private encryption key assigned to the lottery server 500, and may also associate the gateway authentication certificate with the administrator credential(s) that were included with the certificate request message. Otherwise, the lottery server 500 generates a certificate response message that indicates that the token cryptogram is invalid. The lottery server 500 transmits the certificate response message to the network gateway 400, in response to the certificate request message, at step S1010.

The gateway authenticator 414 may verify that the gateway authentication certificate was digitally signed by the lottery server 500, and then saves the gateway authentication certificate together with the administrator credentials that were included in the card authentication request. Preferably, the gateway authenticator 414 associates the gateway authentication certificate with the administrator sysID. Thereafter, the network gateway 400 can use the gateway authentication certificate to authenticate to the lottery server 500.

The gateway authenticator 414 then generates a card authentication response, indicative of the validity of the token cryptogram. The gateway authenticator 414 transmits the card authentication response to the payment terminal 200, in response to the card authentication request, at step S1012.

Optionally, the terminal authentication processor 218 of the payment terminal 200 may then prompt the merchant to input into the payment terminal 200 a new credential (e.g. a gateway passcode) which the merchant would like to use to access and configure the network gateway 400. The merchant uses the data input device 202 to input the new credential (gateway passcode) into the payment terminal 200. In response, the terminal authentication processor 218 computes a hash code from the gateway passcode, and generates a security setup request message that includes the administrator sysID and the hashed gateway passcode. The terminal authentication processor 218 transmits the security setup request to the network gateway 400, at step S1014.

The gateway authenticator 414 validates the security setup request by verifying that the network gateway 400 has already associated the administrator sysID (included in the security setup request message) with a gateway authentication certificate. If the gateway authenticator 414 is able to locate a corresponding gateway authentication certificate, the gateway authenticator 414 associates the hashed gateway passcode with the saved administrator sysID and the associated gateway authentication certificate, and generates a security setup response message indicative of the validity of the administrator sysID. Otherwise, the gateway authenticator 414 generates a security setup response message that indicates that the security setup request failed.

The gateway authenticator 414 transmits the security setup response message to the payment terminal 200, in response to the security setup request, at step S1016. If the security setup request was successfully validated, the merchant may thereafter use the administrator sysID and the associated gateway passcode to access and configure the network gateway 400, as will be explained in the next section.
4. Terminal Validation—Optional
The merchant may optionally execute the terminal validation method, depicted in FIG. 11, which registers the payment terminals 200 with the lottery server. Registering the payment terminals 200 allows the lottery server to subsequently verify the validity of the payment terminal 200.
The merchant may use the data input device 202 to select the terminal validation method from the menu of available methods. If the terminal authentication processor 218 determines that the terminal authentication certificate is valid, the terminal authentication processor 218 establishes an encrypted channel with the network gateway 400, at step S1100. Typically, the terminal authentication processor 218 uses the terminal authentication certificate to establish a mutually-authenticated SSL connection with the network gateway 400. The network gateway 400 may refuse the connection if the terminal authentication certificate has expired.
The terminal authentication processor 218 of the payment terminal 200 then prompts the merchant to input one or more credentials (e.g. administrator sysID and gateway passcode) into the payment terminal 200. The merchant uses the data input device 202 to input the requested credentials into the payment terminal 200. In response, the terminal authentication processor 218 computes a hash code from the gateway passcode, and generates an administrator authentication request message that includes the administrator sysID and hashed gateway passcode. The terminal authentication processor 218 transmits the administrator authentication request to the network gateway 400 over the encrypted channel, at step S1102.
The gateway authenticator 414 validates the administrator authentication request by verifying that the network gateway 400 has already associated the administrator sysID and hashed gateway passcode with a gateway authentication certificate. If the gateway authenticator 414 is able to locate a corresponding gateway authentication certificate, the gateway authenticator 414 generates an administrator authentication response message, indicative of the validity of the credentials. Otherwise, the gateway authenticator 414 generates an administrator authentication response message that indicates that the administrator authentication request failed.
If the administrator authentication request was successfully validated, the terminal authentication processor 218 prompts the merchant to input into the payment terminal 200 a “local terminal credential” which the merchant would like to use to identify this particular payment terminal 200. As used herein, a “local terminal credential” is a terminal credential that a merchant may use to uniquely identify one of the merchant's payment terminals but which, in contrast to other terminal credentials (e.g. terminal serial numbers), is not necessarily unique amongst all merchants of the network gateway 400.
As discussed above, each payment terminal 200 may be deployed in a respective checkout lane of the merchant's store. Accordingly, the merchant may use the data input device 202 to input the lane number (local terminal credential) into the payment terminal 200. In response, the terminal authentication processor 218 generates a terminal validation request message that includes the administrator sysID and lane number. The terminal authentication processor 218 transmits the terminal validation request to the network gateway 400 over the encrypted channel, at step S1104.
The gateway authenticator 414 uses the administrator sysID (included in the terminal validation request message) to locate the corresponding gateway authentication certificate. If the gateway authenticator 414 is able to locate the corresponding gateway authentication certificate, the gateway authenticator 414 uses the located gateway authentication certificate to establish an encrypted communications channel with the lottery server via the second communications network 104, at step S1108. Typically, the gateway authenticator 414 uses the located gateway authentication certificate to establish a mutually-authenticated SSL connection with the lottery server. Otherwise, the gateway authenticator 414 generates a terminal validation response message that indicates that the terminal validation request failed.
If the gateway authenticator 414 is able to validate the terminal validation request, at step S1110 the gateway authenticator 414 transmits the terminal validation request to the lottery server over the encrypted channel that is established between the network gateway 400 and the lottery server. The lottery server may validate the terminal validation request by verifying that the lottery server has already associated the administrator sysID with the gateway authentication certificate (e.g. after step S1008 of the gateway setup method).
If the lottery server is able to validate the terminal validation request, the lottery server associates the administrator sysID with the specified lane number, and then generates a terminal validation response message, confirming successful validation of the terminal validation request. Otherwise, the lottery server generates a terminal validation response message that indicates that the terminal validation request failed. The lottery server transmits the terminal validation response message to the network gateway 400, at step S1112.
If the terminal validation request is successful, the gateway authenticator 414 associates the administrator sysID with the specified lane number. The gateway authenticator 414 then transmits the terminal validation response message to the payment terminal 200, in response to the terminal validation request, at step S1114. If the terminal validation request was successfully validated, the payment terminal 200 saves the specified lane number in the memory 214, together with the administrator sysID.
The merchant typically executes the terminal validation method on each of the merchant's payment terminals 200. Each payment terminal 200 may thereafter use the administrator sysID and the payment terminal's local terminal credential to identify itself to the lottery server. As will be demonstrated in the next section, the administrator sysID and associated local terminal credential allow the lottery server to confirm the validity of the payment terminal 200.
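The gateway-side bookkeeping behind the security setup (steps S1014 to S1016), the administrator authentication (step S1102) and the terminal validation (steps S1104 to S1114) described above, as an added Python illustration that is not part of the patent; the class and function names, the SHA-256 passcode hash and the constructed certificate value are assumptions.

```python
import hashlib
import hmac


class LotteryServer:
    """Stand-in for the network device 500: remembers the administrator
    sysIDs it has issued gateway authentication certificates to (step S1008)
    and the lane numbers registered against them (step S1110)."""

    def __init__(self):
        self._certified = set()
        self._lanes = {}

    def issue_certificate(self, sys_id):
        # Token cryptogram verification is out of scope here; the returned
        # certificate is an opaque constructed value, not a real X.509 object.
        self._certified.add(sys_id)
        return b"constructed-gateway-certificate-for-" + sys_id.encode()

    def validate_terminal(self, sys_id, lane):
        # Only a sysID that was certified in the gateway setup may register lanes.
        if sys_id not in self._certified:
            return False
        self._lanes.setdefault(sys_id, set()).add(lane)
        return True


class GatewayAuthenticator:
    """Models the per-sysID state kept by the gateway authenticator 414."""

    def __init__(self, lottery):
        self._lottery = lottery
        self._records = {}  # sysID -> {"certificate", "passcode_hash", "lanes"}

    def gateway_setup(self, sys_id):
        """Steps S1008 to S1012: save the issued certificate against the sysID."""
        cert = self._lottery.issue_certificate(sys_id)
        self._records[sys_id] = {"certificate": cert,
                                 "passcode_hash": None, "lanes": set()}

    def security_setup(self, sys_id, passcode_hash):
        """Steps S1014 to S1016: the hashed gateway passcode is accepted only
        for a sysID that already has a gateway authentication certificate."""
        rec = self._records.get(sys_id)
        if rec is None:
            return False
        rec["passcode_hash"] = passcode_hash
        return True

    def authenticate_admin(self, sys_id, passcode_hash):
        """Step S1102: compare the presented hash with the stored one in
        constant time so response timing does not leak how much matched."""
        rec = self._records.get(sys_id)
        if rec is None or rec["passcode_hash"] is None:
            return False
        return hmac.compare_digest(rec["passcode_hash"], passcode_hash)

    def terminal_validation(self, sys_id, lane):
        """Steps S1104 to S1114: fail locally when no certificate exists for
        the sysID, otherwise forward to the lottery server and record the
        lane only after the server has confirmed it (step S1112)."""
        if sys_id not in self._records:
            return False
        if not self._lottery.validate_terminal(sys_id, lane):
            return False
        self._records[sys_id]["lanes"].add(lane)
        return True

    def lanes_for(self, sys_id):
        return set(self._records.get(sys_id, {}).get("lanes", set()))


def hash_passcode(passcode):
    """What the terminal authentication processor 218 sends instead of the raw
    gateway passcode; SHA-256 is an assumption, the text only says 'hash code'."""
    return hashlib.sha256(passcode.encode()).hexdigest()
```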
5. Transaction Proposal Processing
After the merchant has activated the payment terminals 200 and set up the network gateway 400 (and optionally validated the payment terminals 200 to the lottery server), the merchant's customer may execute the transaction processing method, depicted in FIG. 12, to complete an online transaction with a network device (lottery server) 500 of the second communications network 104.
At step S1200, an operator of the electronic cash register transmits a sign-on request message from the electronic cash register to the associated payment terminal 200. If the terminal authentication processor 218 determines that the terminal authentication certificate is valid, the terminal authentication processor 218 establishes an encrypted channel with the network gateway 400, at step S1202. Typically, the terminal authentication processor 218 uses the terminal authentication certificate to establish a mutually-authenticated SSL connection with the network gateway 400. The network gateway 400 may refuse the connection if the terminal authentication certificate has expired.
The transaction processor 220 then generates a sign-on authentication request message that includes one or more of the administrator credentials which the transaction processor 220 reads from the memory 214 of the payment terminal 200. Preferably, the sign-on authentication request message includes the administrator sysID and the local terminal credential of the payment terminal 200 (if assigned). The transaction processor 220 transmits the sign-on authentication request message to the network gateway 400 over the encrypted channel, at step S1204.
The gateway authenticator 414 validates the sign-on authentication request by verifying that the network gateway 400 has associated the specified local terminal credential with the specified administrator sysID. The gateway authenticator 414 then generates a sign-on authentication response message, indicative of the validity of the credentials. The gateway authenticator 414 transmits the sign-on authentication response message to the payment terminal 200, in response to the sign-on authentication request, at step S1204.
The network gateway 400 may periodically receive summary lottery information from the lottery server (in response to “ping” messages transmitted by the network gateway 400, for example). The summary lottery information typically includes a list of the various lottery games that are available and, for each available lottery game, the deadline for purchasing lottery tickets and the current jackpot. If the credentials included with the sign-on authentication request are valid, preferably the sign-on authentication response message indicates that the sign-on authentication request was successful, and the gateway authenticator 414 downloads the most recent summary lottery information to the payment terminal 200. Otherwise, the sign-on authentication response message indicates that the sign-on authentication request failed.
If the sign-on authentication response is successful, the transaction processor 220 prompts the customer to select one of the available lottery games and the corresponding wager amount. The customer may use the data input device 202 to select the desired lottery game from the list of available lottery games, and to input the desired wager amount.
The customer proposes a transaction with the lottery server by entering the requested information into the payment terminal 200. From one or more administrator credentials and/or one or more terminal credentials, the transaction processor 220 generates a transaction proposal message that specifies the particulars of the proposed transaction. The transaction proposal message identifies the selected lottery game and wager amount, and preferably also includes one or more administrator credentials and/or one or more terminal credentials which the transaction processor 220 reads from the memory 214 of the payment terminal 200. Preferably, the transaction proposal message includes the administrator sysID, terminal ID, terminal serial number, and lane number. The transaction processor 220 transmits the transaction proposal request to the network gateway 400 over the encrypted connection, at step S1208.
In a previous online transaction, the operator of the lottery server may have detected suspicious or fraudulent activity involving the payment terminal 200, and may have reported said activity to the operator of the terminal management server 350. In response, the operator of the terminal management server 350 may have updated the database of the terminal management server 350 to indicate that the terminal authentication certificate assigned to the payment terminal 200 is revoked. Accordingly, while not shown in FIG. 12, after receiving the transaction proposal request the gateway authenticator 414 may transmit to the terminal management server 350 a certificate status request message that includes the terminal ID and/or terminal serial number and requests that the terminal management server 350 determine whether the terminal authentication certificate that is associated with the specified terminal credentials has been revoked. The terminal management server 350 may respond to the network gateway 400 with a certificate status response message indicating the revocation status of the terminal authentication certificate.
If the terminal authentication certificate has been revoked, the transaction processing method terminates. Otherwise, the gateway authenticator 414 generates a random transaction pointer, and associates the transaction pointer with the transaction proposal message. Preferably, the gateway authenticator 414 generates the transaction pointer from one or more of the selected lottery game, wager amount, administrator sysID, terminal ID, terminal serial number, and lane number. Preferably, however, the elements of the transaction proposal message cannot be determined from the transaction pointer.
The gateway authenticator 414 then generates a transaction proposal response message that includes the transaction pointer and provides an indication of the payment particulars (e.g. payment amount) for the proposed transaction. Preferably, the indication of payment particulars comprises a payment image that is associated with the payment particulars. More preferably, the payment image comprises a bar code (e.g. universal product code) which the gateway authenticator 414 generates from the selected lottery game and wager amount. The gateway authenticator 414 transmits the transaction proposal response message to the payment terminal 200, in response to the transaction proposal, at step S1210.
Upon receipt of the transaction proposal response, the transaction processor 220 saves the transaction pointer in the memory 214, and may render the payment particulars on the display device 204 of the payment terminal 200. The operator of the electronic cash register may then input the payment particulars into the electronic cash register, and transmit the payment particulars from the electronic cash register to the payment terminal 200, at step S1212. If the payment particulars comprise a payment image (e.g. universal product code), the transaction processor 220 may use the printer of the display device 204 to render the payment image. The operator of the electronic cash register may then use the bar code scanner of the electronic cash register to scan the printed payment image and thereby input the payment particulars into the electronic cash register. Alternately, instead of using manual input or scanning of a payment image to input the payment particulars into the electronic cash register, the transaction processor 220 may transmit the payment particulars directly to the electronic cash register.
The customer then provides payment for the proposed transaction. The customer may provide cash payment for the proposed transaction, and the operator of the electronic cash register may use the electronic cash register to provide the transaction processor 220 with a successful payment confirmation message. However, since the customer has used the payment terminal 200 to generate the transaction proposal, preferably the transaction processor 220 invokes the payment processor 216, upon receipt of the payment particulars from the electronic cash register, to thereby allow the customer to provide electronic payment for the proposed transaction via the payment network 106.
To provide electronic payment for the proposed transaction, the customer may interface the customer's payment card with the contact/contactless token interface 209 of the payment terminal 200 to thereby provide the payment processor 216 with the required payment account information (e.g. credit card number, debit account number). The customer may also use the data input device 202 to provide any required customer credentials (e.g. personal identification number). The payment processor 216 may transmit the payment particulars and payment account information over the payment network 106 at step S1214, and provide the transaction processor 220 with a successful payment confirmation message, at step S1216, after receiving confirmation from the payment network 106 that the customer successfully provided payment for the proposed transaction.
Upon receiving a successful payment confirmation message, the transaction processor 220 generates a transaction completion request message that requests completion of the proposed transaction with the lottery server, and includes the transaction pointer. Preferably, the transaction completion request message also includes one or more administrator credentials and/or one or more terminal credentials which the transaction processor 220 reads from the memory 214 of the payment terminal 200. More preferably, the transaction completion request message includes the administrator sysID, terminal ID, terminal serial number, and lane number. If the transaction processor 220 does not receive a successful payment confirmation message from the electronic cash register within a predetermined time period, the transaction processor 220 does not generate a transaction completion request message and instead deletes the transaction pointer from the memory 214 to thereby prevent the customer from completing the proposed transaction with the lottery server.
The transaction processor 220 transmits the transaction completion request to the network gateway 400 over the encrypted channel, at step S1218. In response, the gateway authenticator 414 uses the administrator sysID (included in the transaction completion request) to locate the corresponding gateway authentication certificate, and then uses the located gateway authentication certificate to establish an encrypted communications channel with the lottery server via the second communications network 104, at step S1220. Typically, the gateway authenticator 414 uses the gateway authentication certificate to establish a mutually-authenticated SSL connection with the lottery server.
The gateway authenticator 414 also uses the transaction completion request to locate the previously-selected lottery game and wager amount, and generates a transaction request message that specifies the selected lottery game and wager amount. Preferably, the transaction request message also includes one or more administrator credentials and/or one or more terminal credentials from the transaction completion request. More preferably, the transaction request message includes the administrator sysID and lane number. At step S1222, the gateway authenticator 414 transmits the transaction request message to the lottery server over the encrypted channel that is established between the network gateway 400 and the lottery server.
The lottery server may validate the transaction request message by verifying that the lottery server has already associated the administrator sysID and lane number with the gateway authentication certificate (e.g. after step S1110 of the terminal registration method). If the lottery server is able to validate the transaction request message, preferably the lottery server generates a transaction response message that includes a transaction completion image that provides confirmation of completion of the proposed transaction. More preferably, the lottery server randomly generates any/all game numbers/indicia that are required for the selected lottery game, and the transaction completion image comprises a lottery ticket image that depicts the generated game numbers/indicia. Otherwise, the lottery server generates a transaction response message that indicates that the transaction request could not be validated.
The lottery server downloads the transaction response message to the network gateway 400, in response to the transaction request message, at step S1224. The gateway authenticator 414 generates a transaction completion response message from the transaction response message. If the transaction request was successfully validated, preferably the transaction completion response message includes the transaction pointer and the transaction completion image. The gateway authenticator 414 downloads the transaction completion response message to the payment terminal 200, in response to the transaction completion request, at step S1226.
If the transaction completion request was successfully validated, the transaction processor 220 deletes the transaction pointer from the memory 214, and prints the transaction completion image that was included with the transaction completion response.
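The transaction pointer lifecycle described in this section (the sign-on check at step S1204, the revocation check, pointer issue at step S1210, the terminal-side time limit after step S1216, and the lookup on the completion request at step S1218), as an added Python illustration that is not the patent's code; the keyed-HMAC pointer construction, the lane registry and revocation set handed in at construction, and all names are assumptions.

```python
import hashlib
import hmac
import secrets
import time


class GatewayTransactions:
    """Gateway side of the sign-on, proposal and completion exchange."""

    def __init__(self, pointer_key, lane_registry, revoked_terminals=()):
        self._key = pointer_key                 # gateway-local MAC key (assumption)
        self._lanes = lane_registry             # sysID -> lanes, filled by terminal validation
        self._revoked = set(revoked_terminals)  # what the terminal management server 350 reports
        self._pending = {}                      # pointer -> proposal elements

    def sign_on(self, sys_id, lane):
        """Step S1204: valid only if this lane is associated with this sysID."""
        return lane in self._lanes.get(sys_id, set())

    def propose(self, proposal):
        """Steps S1208 to S1210: return (pointer, payment particulars), or None
        when the terminal certificate is revoked or the lane never signed on."""
        if proposal["terminal_id"] in self._revoked:
            return None
        if not self.sign_on(proposal["sys_id"], proposal["lane"]):
            return None
        # The pointer is keyed over the proposal elements, as the text prefers,
        # but a fresh nonce enters the MAC and is discarded, so neither the
        # elements nor another proposal's pointer can be derived from it.
        nonce = secrets.token_bytes(16)
        msg = nonce + repr(sorted(proposal.items())).encode()
        pointer = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]
        self._pending[pointer] = dict(proposal)
        # A text line stands in for the bar code the gateway would generate.
        particulars = f"LOTTERY {proposal['game']} {proposal['wager']:.2f}"
        return pointer, particulars

    def complete(self, pointer, sys_id):
        """Step S1218: resolve the pointer to the game and wager that go into
        the transaction request (step S1222); single use, same sysID only."""
        proposal = self._pending.get(pointer)
        if proposal is None or proposal["sys_id"] != sys_id:
            return None
        del self._pending[pointer]
        return {"game": proposal["game"], "wager": proposal["wager"],
                "sys_id": sys_id, "lane": proposal["lane"]}


class TerminalTransaction:
    """Terminal side: the pointer stays in memory 214 only until payment is
    confirmed or the predetermined time period has elapsed (after step S1216)."""

    def __init__(self, pointer, timeout_s, now=time.monotonic):
        self._now = now                      # injectable clock for testing
        self._pointer = pointer
        self._deadline = now() + timeout_s

    def payment_confirmed(self):
        """Return the pointer for the completion request, or None when the
        confirmation arrived late; the pointer is deleted in either case."""
        pointer, self._pointer = self._pointer, None
        if pointer is None or self._now() > self._deadline:
            return None
        return pointer
```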