
Expiration mechanism for chipcards

IP.com Disclosure Number: IPCOM000015246D
Original Publication Date: 2001-Oct-12
Included in the Prior Art Database: 2003-Jun-20
Document File: 8 page(s) / 93K

Publishing Venue

IBM

Abstract

Mechanism to support chipcard expiration. Idea of the disclosure: Today's chipcards allow protection of data by a PIN in a time-insensitive manner, i.e., the PIN never expires. The invention enables a PIN to expire after a specified time period given in days. When the PIN has expired, the user is requested to change the PIN before he can proceed to access protected content on the chipcard. The advantage is that the use of the card is constrained not only to persons who know the PIN, but also to a time period after which the PIN is invalidated, forcing the Card Holder to re-identify himself as the legitimate person. The forced renewal of the PIN is widely practised in environments where the PIN is stored and processed in a terminal or a host application. However, those environments do not benefit from the secure and tamper-proof storage of sensitive data on a chipcard.

This is the abbreviated version, containing approximately 32% of the total text.


Mechanism to support chipcard expiration

Idea of the disclosure

Today's chipcards allow protection of data by a PIN in a time-insensitive manner, i.e., the PIN never expires. The invention enables a PIN to expire after a specified time period given in days. When the PIN has expired, the user is requested to change the PIN before he can proceed to access protected content on the chipcard. The advantage is that the use of the card is constrained not only to persons who know the PIN, but also to a time period after which the PIN is invalidated, forcing the Card Holder to re-identify himself as the legitimate person.

The forced renewal of the PIN is widely practised in environments where the PIN is stored and processed in a terminal or a host application. However, those environments do not benefit from the secure and tamper-proof storage of sensitive data on a chipcard.

The invention presents the first combination of both secure data storage on chipcards and time-controlled Card Holder Verification.

Another application of the invention is the limitation of the card lifecycle by not allowing the time period to be re-activated after expiry. In the latter case, the card is unusable after the time period has expired.

The invention is in principle applicable to all chipcards which contain a microprocessor.
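The expiry rule described above, modelled on the card side as an added Python example; it is not code from the disclosure. Assumptions: the terminal passes the current day number with each command, the card remembers the highest day it has seen, the class, field and status names are hypothetical, and a PIN retry counter is omitted.

```python
import hmac
from dataclasses import dataclass

class CardError(Exception):
    """The card refuses the command."""

@dataclass
class Card:
    pin: str
    validity_days: int       # PIN lifetime in days, as in the disclosure
    pin_set_day: int         # day number on which the PIN was last set
    renewable: bool = True   # False models the limited card lifecycle
    verified: bool = False
    last_day: int = 0        # assumption: highest day number seen so far
    record: bytes = b"protected record"   # constructed sample data

    def _expired(self, today: int) -> bool:
        # Assumption: the terminal supplies the date. Keeping the highest
        # value seen stops an earlier date from reviving an expired PIN.
        self.last_day = max(self.last_day, today)
        return self.last_day - self.pin_set_day >= self.validity_days

    def _check_pin(self, pin: str) -> None:
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            self.verified = False
            raise CardError("wrong PIN")

    def verify(self, pin: str, today: int) -> str:
        self.verified = False
        self._check_pin(pin)
        if self._expired(today):
            if not self.renewable:
                raise CardError("card lifetime is over")
            return "PIN_EXPIRED"     # correct PIN, but it must be changed
        self.verified = True
        return "OK"

    def change_pin(self, old: str, new: str, today: int) -> None:
        self._check_pin(old)
        if self._expired(today) and not self.renewable:
            raise CardError("card lifetime is over")
        self.pin, self.pin_set_day, self.verified = new, self.last_day, False

    def read(self, today: int) -> bytes:
        if self._expired(today) or not self.verified:
            raise CardError("access denied")
        return self.record
```

Because `read` re-checks expiry, a session verified on the last valid day loses access once the period runs out, and access returns only after `change_pin` followed by a fresh `verify`.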

State of the Art Cardholder Verification

The advantage of a smart card over a magnetic stripe card is that the cardholder's password or PIN can be stored in the card in a way that it can never be read from the outside. The comparison of the password or PIN, known only by the cardholder, is done within the chip.

Data items on the card which are protected by a CHV (Card Holder Verification) require the external world (i.e., the terminal) to supply the correct PIN to the card in order to access the data for reading or writing.

Verification

It is to the benefit of both a smart card owner and a smart card issuer that the identity of the cardholder is confirmed before the card is used. Before both parties transact with each other, they must be assured of the identity of the other party.

PIN Codes

A Personal Identification Code (PIN) is usually a four-digit number that accompanies a smart card and must be memorized by the cardholder. The PIN is stored securely within the smart card in a way that can never be read from the external world. Data and functions on the smart card can be protected in a way that access from the external world is allowed only after the correct PIN code is presented.

The PIN can be assigned and stored in the card during personalization. The application program can supply the PIN code in two different ways. If the user has an intelligent smart card reader attached (for example a smart card reader with a keyboard and display), then the application can ask the smart card reader to display the password prompt and accept the user's input. If the user has a simple smart card reader attached, then the PIN c...