Secure smart card device
The present invention relates to a smart card device. More particularly, the present invention relates to a device for passing data to a smart card, and to a method of passing data to a smart card.
Smart cards, also known as IC (Integrated Circuit) Cards, are used for various purposes. They can be used for payments with the integrated circuit of the card holding a balance of tokens representing a monetary value. They can also be used for identification and authorization purposes, for instance, for identifying the subscriber to a particular service.
Most smart cards have two modes of operation: a "standard" mode which can be entered into simply by activating the card, for instance, by inserting the card in a card reader, and a "secure" mode which can only be entered into by passing a suitable user authentication to the card. This user authentication typically is a PIN (Personal Identification Number), often called PIN code, typically consisting of a four-digit number. For entering the PIN code, a keypad or keyboard is required.
It is of course important that the PIN code is only known to the authorized user of the smart card. Attempts have been made to fraudulently obtain the PIN code, using "fake" terminals or otherwise by using the data entered into the keyboard or keypad. To maintain a high level of data security, it is therefore important that the data, such as the PIN code, entered into a keypad by a user are not re-routed to other devices.
United States Patent US 5,920,730 discloses a computer keyboard unit that changes from normal or "standard" mode to secure mode to input a PIN code into the smart card. This is accomplished by using a combined keyboard and smart card controller, and passing any PIN data directly from the keyboard, via the combined controller, to the smart card reader (Fig. 3 of US 5,920,730). In this way, it is avoided that the PIN code is passed to the host PC connected to the keyboard unit. The combined controller, however, is still linked to the host computer via both a host link and a serial link, thus making an attack via one of these links feasible. In particular, a malicious host PC could gain access to the keyboard controller and gain knowledge of the PIN code entered via the keyboard. This is all the more a risk since, in US 5,920,730 it is the host PC that controls the "try PIN" routine in which the PIN is passed from the keyboard to the smart card.
United States Patent US 6,056,193 discloses a computer keyboard with an integral smart card reader. The keyboard is connected to a personal computer. In a PIN entry mode, a switch disconnects the keys from the keyboard controller and connects them with a security module, a dedicated processor. The security of this known keyboard is based upon the principle that the user, and not the application, causes the keyboard to enter "PIN data mode". For this purpose the user may have to press a special key or perform a similar action, which has the disadvantage that the user may forget to do so. In addition, this known arrangement has the disadvantage of requiring an additional dedicated processor, the security module, for its security functions. It will be clear that this additional processor adds to both the cost and the size of the keyboard.
It is therefore an object of the present invention to overcome these and other problems of the prior art and to provide a device for passing data, in particular a PIN, to a smart card while avoiding any security risks.
It is a further object of the present invention to provide a device for passing data to a smart card, which device does not require an additional dedicated processor.
It is a further object of the present invention to provide a method of passing data, in particular a PIN, to a smart card while avoiding any security risks.
Accordingly, the present invention provides a device for passing data to a smart card, the device comprising:
• a smart card reader for exchanging data with the smart card,
• a keyboard for entering data,
• a detector for detecting the smart card, and
• at least one further circuit, wherein a connection is provided between the keyboard, the smart card reader and the further circuit, and wherein switching means are provided for disconnecting the keyboard from the further circuit in response to the detector detecting the smart card.
That is, in the device of the present invention, the keyboard is disconnected from the rest of the device upon detection of the presence of a smart card, and only a connection between the keyboard and the smart card reader is maintained. In this way, it is ensured that the PIN code entered into the keyboard can be passed only to the smart card, not to any other parts of the same device or to other devices. Detecting the presence of the smart card requires no user action and is therefore both simpler and more secure than having the user activate a secure mode of the device.
It is noted that the term "smart card reader" is meant to comprise any device capable of passing data to or exchanging data with a smart card, by electrical, optical or other means. In particular, although the usual term "reader" is used, a "smart card reader" typically is capable of both reading data from and writing data to a smart card. The term "reader" as used in this document typically is a transparent device which does not operate on the data. The term "keyboard" is meant to encompass (computer) keyboards, keypads, and other data input arrangements, such as touch screens.
In a preferred embodiment, a direct connection is present between the smart card and the keyboard. In other words, there is a direct connection between the keyboard and one of the contacts of the smart card, thus bypassing all other components of the device. Preferably, this direct connection is provided by smart card contacts which are additional to the contacts normally used. In this preferred embodiment, the smart card is preferably provided with suitable software and hardware means for scanning the keyboard for keypresses and generating the codes corresponding to these keypresses. In the preferred embodiment, therefore, the smart card controls the keyboard, and no other components of the device are involved. In particular, no "security module" or other dedicated processor (other than the smart card processor) is required.
In this preferred embodiment, the switching means are preferably controlled by the detector and the smart card. That is, the detector operates the switching means when detecting the presence of the smart card, and the smart card itself (that is, its hardware and/or software) is capable of also controlling the switching means, either directly or indirectly via the detector.
The switching means may advantageously comprise a first switch arranged between the keyboard and the further circuit.
The switching means may advantageously further comprise a second switch arranged between the smart card reader and the further circuit.
Most present-day smart cards, however, do not allow control of the keyboard in the manner described above. In addition, they may not have (spare) contacts for allowing direct keyboard access. All data exchange with such smart cards is carried out via a smart card reader, and a keyboard controller is provided to scan the keyboard and generate the corresponding codes. The smart card reader, in turn, typically is provided with a smart card controller which generates and/or converts signals suitable for the smart card.
Accordingly, in a further advantageous embodiment, the device of the present invention further comprises a keyboard controller connected to the keyboard and a smart card controller connected to the smart card reader. In this embodiment, it is envisaged that the switching means may comprise a third switch arranged between the keyboard controller and the further circuit, said third switch being preferably operated by the detector.
In an advantageous embodiment of the device of the present invention, in which a keyboard controller and a smart card controller are present, the switching means may comprise a fourth switch arranged between the smart card controller and the further component. Alternatively, or additionally, the switching means comprise a fifth switch arranged between the keyboard and the keyboard controller, said fifth switch connecting the keyboard either to the keyboard controller or to the smart card reader.
It is noted that the detector for detecting the presence of the smart card may be integral with at least one of said switches, the switch being operated directly by the smart card. The smart card, for example when being inserted in a card reader, may operate a switch present in the reader and disconnect one or more components as described above.
Alternatively, the smart card may operate a detector switch or block a light beam, thus causing the detector to produce a detection signal which in turn operates a relay or an electronic switch.
The present invention further provides a device as defined above, which is a mobile telephone set, a cordless telephone handset, a computer, an electronic organizer, a remote control unit, or another consumer device provided with a keypad. The present invention also provides a smart card for use in a device as defined above, as well as a system for smart card transactions, comprising the device as defined above.
The present invention additionally provides a method of securely passing data to a smart card using a device comprising:
• a smart card reader for exchanging data with the smart card,
• a keyboard for entering data,
• a detector for detecting the smart card, and
• at least one further circuit, wherein a connection is provided between the keyboard, the smart card reader and the further circuit, the method comprising the step of:
• disconnecting the keyboard from the further circuit in response to the detector detecting the smart card.
The present invention will be further explained below with reference to examples of embodiments illustrated in the accompanying drawings, in which:
Fig. 1 schematically shows a first embodiment of a device according to the present invention.
Fig. 2 schematically shows a second embodiment of a device according to the present invention.
Fig. 3 schematically shows a third embodiment of a device according to the present invention.
The device 100 shown merely by way of non-limiting example in Fig. 1 comprises a keyboard 1, a smart card reader 2, a card detector 4 and at least one further component 5. The presence of a smart card 3 is detected by the detector 4, while data can be exchanged with the smart card 3 via the (smart card) reader 2. The smart card 3 may be a commercially available smart card known per se. A smart card typically comprises a substrate in which an integrated circuit and electrical contacts are embedded. The integrated circuit may in turn comprise a microcomputer including a processor and a memory for storing programs and application data. The smart card 3 of Fig. 1, which comprises an integrated circuit 31, is additionally provided with a built-in keyboard controller 32. This keyboard controller 32 may be constituted by a separate integrated circuit as schematically shown in Fig. 1, or may be accommodated in the integrated circuit 31.
The further component 5 may be a microprocessor, an interface, a (host) computer, a microcontroller and/or similar devices or components. Although the further component 5 is shown as a single component for the sake of clarity, it will be understood that various further components could be present, each being connected to either the keyboard 1 or the card reader 2, or both.
As can be seen in Fig. 1, both the keyboard 1 and the reader 2 are connected to the further component 5, allowing keyboard data and smart card data to be passed to the further component and allowing data from the further component 5 to be passed to the reader 2. In addition, the keyboard 1 is directly connected to the reader 2 via a connection 8. This enables keyboard data to be directly passed to the card reader 2 and from there to the smart card 3.
The connections with the further device 5, however, allow the further device to obtain the keyboard data. In particular, any passing of a PIN code entered into the keyboard 1 to the smart card 3 can be monitored by the further component 5, even if the further component 5 is not directly involved in this data transfer. If the further component 5 is not trusted, or has been tampered with, unauthorized persons could gain access to the PIN code.
According to the present invention, therefore, switches 11 and/or 12 are provided to disconnect the keyboard 1 and/or the card reader 2 from the further component(s) 5. Switch 11 is arranged between the keyboard 1 and the further component 5 so as to prevent the keyboard data reaching the further component 5. Similarly, switch 12 is arranged between the reader 2 and the further component 5 so as to prevent the further component 5 accessing the smart card during a PIN routine. Both switches 11 and 12 are operated by the detector 4 which opens the switches, and thereby disconnects the keyboard 1 and the reader 2 respectively from the further component 5, in the presence of the smart card 3. In this manner, a PIN code can be entered on the keyboard and securely transferred to the smart card without any further component 5 being able to intercept the PIN code. During this "secure mode" in which the PIN code may be entered, keyboard controller 32 may scan the keyboard for keypresses in a known manner.
It is preferred that switch 12 is closed after transferring the PIN to the card, while switch 11 preferably stays open as long as the smart card 3 is detected by the detector 4. Closing switch 12 can be done automatically, that is after the expiration of a predetermined time period, but this is preferably carried out under the control of the smart card. In the latter case, control lines (not shown) could be present connecting the reader 2 with the detector 4 and/or the switches 11 and 12 for passing control signals. Suitable control hardware and/or software could be present in the card 3 to control the switches. It is noted that, in this case, the switches are closed under the control of the smart card only, not under the control of the further component 5 or under user control as in the prior art.
It is noted that switch 12 is optional and that switch 11 effectively makes a secure PIN transfer possible by disconnecting the keyboard from the rest of the device. However, switch 12 provides an additional protection against software attacks directed at the smart card.
An alternative embodiment is shown in Fig. 2 where a keyboard controller 6 and a smart card controller 7 are provided, in addition to the keyboard 1, the smart card reader 2, the smart card 3, the detector 4 and the further component(s) 5. The keyboard controller 6 scans the keyboard in a manner known per se and produces keypress data corresponding to keypresses. The keypress data are passed on to the smart card controller 7, which in turn may convert the keypress data into a format appropriate for the smart card. The keypress data are then passed on to the smart card 3 via the reader 2. In this embodiment, it is not necessary for the smart card 3 to have a built-in keyboard controller (32 in Fig. 1).
The switches 11 and 12 are not shown in Fig. 2. Instead, switches 13 and 14 are arranged between the keyboard controller 6 and the further component(s) 5 and between the smart card controller 7 and the further component(s) 5, respectively. The switches 13 and 14 are operated by the detector 4, as in Fig. 1. Switch 13 normally connects the keyboard controller 6 and the further component(s) 5. This switch is toggled when the presence of a smart card 3 is detected at the card reader 2. As in the embodiment of Fig. 1, the smart card 3 may directly, that is mechanically, operate the switch 13, for example by pushing it into another position when the smart card 3 is inserted into the reader 2. In addition, the switch 13 may be toggled under the control of the smart card 3. To this end, control lines (not shown) may extend between the card reader 2 and the detector 4 for providing "switch open" signals which override any "card present" signal generated by the detector.
As stated above, the switch 13 normally (position I) connects the keyboard controller 6 and the further component(s) 5. When toggled (position II), it disconnects the keyboard controller 6 from the further component(s) 5 to prevent the further component(s) 5 from obtaining any PIN data entered into the keyboard 1. The switch 14 is arranged between the smart card controller 7 and the further component(s) 5 and normally (position I) connects the smart card controller 7 to a line 9 leading to switch 13. When switch 13 is toggled (position II), the keyboard controller 6 is connected, via switch 13, line 9 and switch 14, to smart card controller 7 and hence to smart card 3. That is, when switch 13 is toggled (position II) and switch 14 is in its rest position (position I) shown in Fig. 2, the keyboard 1 is connected to the smart card and not to the further component(s) 5. Thus PIN code data can be securely transferred from the keyboard to the smart card. Should the smart card want to transmit any data to the further component(s) 5, it then toggles switch 14 (position II), thus connecting the smart card controller 7 to the further component(s) 5.
In order to temporarily store any data, data buffers could be provided in the device 100 of Fig. 2. A first data buffer could be arranged in connection 9, between switches 13 and 14, for example, to buffer any data destined for the smart card when switch 14 is in position II. A second buffer may be arranged between switch 14 and smart card controller 7, while a third buffer could be arranged between switch 14 and the further component(s) 5. These buffers are not shown in Fig. 2 for the sake of clarity of the drawing.
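The routing of Fig. 2 described above can be traced with a small software model. The following Python code is an added example and not part of the original patent text; the class and function names, the sample PIN and the behaviour on card removal (switch 14 returned to position I, line 9 buffer discarded) are assumptions.

```python
from collections import deque

# Hypothetical software model of device 100 in Fig. 2; all names are assumptions.
I, II = "I", "II"  # switch positions as named in the description


class Fig2Device:
    def __init__(self):
        self.card_present = False
        self.sw13 = I          # I: keyboard controller 6 -> further component(s) 5
        self.sw14 = I          # I: smart card controller 7 -> line 9
        self.line9 = deque()   # optional first data buffer between switches 13 and 14
        self.host_seen = []    # everything the further component(s) 5 receive
        self.card_seen = []    # keypress data delivered to smart card 3

    def detect_card(self, present):  # detector 4 operates switch 13
        self.card_present = present
        self.sw13 = II if present else I
        if not present:
            # Assumption: removal rests switch 14 and discards buffered keys.
            self.sw14 = I
            self.line9.clear()

    def card_set(self, switch, position):  # card-controlled toggling only
        if not self.card_present or switch not in ("sw13", "sw14"):
            return False
        setattr(self, switch, position)
        if self.sw14 == I:  # line 9 reaches controller 7 again: flush buffer
            self.card_seen.extend(self.line9)
            self.line9.clear()
        return True

    def keypress(self, key):  # route one keypress from keyboard controller 6
        if self.sw13 == I:
            self.host_seen.append(("key", key))
            return "further component 5"
        if self.sw14 == I:
            self.card_seen.append(key)
            return "smart card 3"
        self.line9.append(key)
        return "line 9 buffer"

    def card_send(self, data):  # passes only while switch 14 is in position II
        if not (self.card_present and self.sw14 == II):
            return False
        self.host_seen.append(("card", data))
        return True


def pin_session(pin="4071"):  # constructed sample PIN
    dev = Fig2Device()
    dev.keypress("a")            # no card: ordinary typing reaches the host
    dev.detect_card(True)
    for digit in pin[:2]:
        dev.keypress(digit)      # 13 in II, 14 in I: straight to the card
    dev.card_set("sw14", II)
    dev.card_send("BUSY")        # card talks to the host ...
    for digit in pin[2:]:
        dev.keypress(digit)      # ... while keypresses wait on line 9
    dev.card_set("sw14", I)      # buffered digits now reach the card
    dev.detect_card(False)
    dev.keypress("b")            # link to the host restored after removal
    return dev
```

After `pin_session()`, `host_seen` holds only the two ordinary keypresses and the card's own message, while `card_seen` holds the complete PIN in entry order.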
A further embodiment is shown in Fig. 3 where, as in Fig. 2, a keyboard controller 6 and a smart card controller 7 are provided, both of which are connected to the further component(s) 5. Instead of, or in addition to, the switches 11, 12, 13 and 14 of Figs. 1 and 2, a switch 15 is provided between the keyboard 1 and the keyboard controller 6. The switch 15 has two alternative positions: a first position I in which it connects the keyboard 1 to the keyboard controller 6, and a second position II in which it connects the keyboard 1 to the card reader 2. As can be seen, in position II, the keyboard 1 is disconnected from the keyboard controller 6, allowing a direct smart card access to the keyboard, bypassing the keyboard controller 6 and allowing the smart card keyboard controller 32 to scan and control the keyboard 1.
As in Figs. 1 and 2, the switch 15 is operated by the detector 4 and is opened when the presence of a smart card 3 is detected at the card reader 2. As in the embodiment of Fig. 1, the smart card 3 may directly, that is mechanically, operate the switch 15, for example, by pushing it into another position (position II) when the smart card 3 is inserted into the reader 2. In addition, the switch 15 may be toggled under the control of the smart card 3. To this end, a control line (not shown) may extend between the card reader 2 and the detector 4 for providing a "switch open" signal which overrides any "card present" signal generated by the detector. Also in this embodiment buffers (not shown) could be provided for temporarily storing data.
In the embodiments discussed above, it is assumed that inserting the smart card in the card reader (or a similar action which allows the exchange of data with the smart card) causes the link between the keyboard and further components and/or devices to be severed. This link is restored either when the smart card is removed or is under the control of the card (that is, its software and/or hardware). In the latter case, the card could, for instance, cause the link to be restored after the PIN code has been received. In this case, the card could also be capable of severing said link again when the PIN code has to be entered again, or when other secret data have to be passed to the card. Alternatively, the keyboard could be disconnected from the rest of the device whenever a key was pressed. Thus all data entered in the keyboard could be passed to and screened by the card, and only passed on to the rest of the device under the control of the card.
The present invention is based upon the insight that, for a secure transfer of data from a keyboard to a smart card, the keyboard should be disconnected from the rest of the device, and that this disconnecting operation should be carried out upon detection of the presence of the smart card. The present invention benefits from the further insight that any reconnection of the keyboard with the rest of the device should be controlled by the smart card.
It is noted that any terms used in this document should not be construed to limit the scope of the present invention. In particular, the use of the verb "comprise" and its conjugations is not meant to exclude any elements not specifically stated. Single (circuit) elements may be substituted for multiple (circuit) elements or their equivalents.
It will be understood by those skilled in the art that the present invention is not limited to the embodiments illustrated above and that many modifications and additions may be made without departing from the scope of the invention as defined in the appendent claims.