Having thus described our invention, what we claim as new, and desire to
secure by Letters Patent is:
1. A personal identification system for effecting the authentication of
users at a series of remote terminal devices, each of which is connected
to a central computational facility, wherein each terminal includes means
for entering personal identification criteria and further includes a
resident encryption/decryption device located therein, the improvement in
said personal identification system which comprises:
secure means external to each said terminal for verifying said user entered
personal identification criteria,
said system comprising at least one central computational facility to which
each of said terminals is connected,
each said terminal including means therein for reading a user inserted
token having printed thereon, in machine readable form, a first data word
(ACCT) unique to said user,
means operable by said user for physically entering a unique personal
identification number (PIN) where said PIN bears a unique functional
relationship to the cryptographic transformation of said first data word,
means for transmitting said first data word (ACCT) in recoverable form to
said centralized computing facility,
means for cryptographically transforming said first data word as a function
of at least said PIN under a suitable encryption key and for transmitting
same to said centralized computational facility, wherein said encryption
key is a function of said PIN,
means resident in said centralized computational facility for
cryptographically verifying the relationship between said PIN and said
first data word entered at said terminal and,
means for producing an accept/reject signal in response thereto.
2. A personal identification system as set forth in claim 1 wherein said
system includes a host-computer which is connected to at least one
centralized computational facility operating as a Controller for
interfacing said terminals to said host-computer, and
means in each Controller, for causing account transactions to be performed
by the host when said host is available or by said Controller when the
host is not available.
3. A personal identification system as set forth in claim 2 including means
in each said terminal for reading an offset value recorded on said token
in machine readable form, and
means for combining said offset value with said PIN to produce a resultant
encryption key,
means for supplying said encryption key to said encryption/decryption
device resident in each said terminal for encrypting said first data word
and for transmitting said first data word encrypted under said key to said
Controller.
4. A personal identification system for use in a Multi-Remote Terminal
Computer System for identifying users at a terminal, each said terminal
including means for entering personal identification criteria therein and
further including a resident encryption/decryption device, the improvement
in said personal identification system which comprises secure means,
external to said terminal, for verifying said user entered personal
identification criteria, said system comprising:
at least one central Host Computer and a plurality of intermediate
Controller devices functionally located between said computer and a number
of said terminal devices, each Controller including a resident
encryption/decryption device and wherein each terminal is connected to
said Host Computer through a Controller,
each said Terminal having means for reading a user inserted token having
printed thereon, in machine readable form, a first data word (ACCT) unique
to said user,
means for physically entering a unique memorized personal identification
number by said user as a second data word and means for reading a third
data word on said token which bears a unique functional relationship to
said first data word in combination with said user entered personal
identification number,
means for transmitting said first data word in recoverable form as a first
message (M.sub.1) and said second and third data words as a
non-recoverable function of said encryption/decryption device and said
first data word as a second message (M.sub.2) from said Terminal to its
associated Controller,
means resident in said Controller for cryptographically verifying the
relationship between said second and third data words relative to said
first data word entered at said Terminal and means for notifying said
terminal that the proper relationship does or does not exist.
5. A personal identification system as set forth in claim 4 including means
for sending a fourth data word from the Terminal to said Controller as
third message (M.sub.3) specifying the current status of operations within
said Terminal which can only exist at the current time, and means in said
Terminal for receiving status information with messages from said
Controller to verify that the status conditions have been properly met.
6. A personal identification system as set forth in claim 4 wherein said
means for cryptographically verifying the relationship between said first
data word (ACCT) and said second and third data words includes means for
entering a master key (K) stored at said Controller into the
encryption/decryption device resident in said Controller and means
utilizing said master key in combination with said two message words
(M.sub.1 and M.sub.2) for verifying the functional relationship between
said first data word (ACCT) and said PIN.
7. A personal identification system as set forth in claim 6 including means
for transmitting said first data word from said Terminal to said
Controller in clear form,
means for performing a bitwise transformation on the said second and third
data words to form an encryption key (K'),
means utilizing said encryption device in said Terminal for performing a
key-controlled block cipher cryptographic transformation on said first
data word under control of said computed encryption key (K') to form said
message M.sub.2 and for transmitting said encrypted message (M.sub.2) to
said Controller, and
means for utilizing said encryption key (K') for encrypting and then
transmitting said status information in encrypted form to said Controller
as message M.sub.3.
8. A personal identification system as set forth in claim 7 wherein said
encryption/decryption device in said Controller is functionally identical
to that located in each Terminal and including key storage means located in
said Controller for storing the system master key (K),
means for encrypting the message M.sub.1 received from said Terminal as a
function of said master key resident in said Controller device to produce
a key (K"),
means for again encrypting the message M.sub.1 under control of the
computed key (K") to produce a message M.sub.2 ',
means for comparing the message M.sub.2 ' produced by the encryption device
with the message M.sub.2 received from said Terminal, and
means actuable upon a successful comparison for notifying the Terminal that
a positive identification of the user at the Terminal has been received.
9. A personal identification system as set forth in claim 8 wherein each
said terminal includes means for reading and storing said second data word
read from said user inserted token and means utilizing said second data
word in combination with said user entered PIN to produce said encryption
key K' via a bitwise modulo 2 addition of predetermined bits of said two
words and wherein the length of said second data word is substantially
greater than that of the user entered PIN.
10. A personal identification system as set forth in claim 9 including
means in said Controller for utilizing said computed key (K") for
decrypting the status word message (M.sub.3) to produce a status word
which may be utilized for verifying transaction status within the
Controller and for subsequent retransmission to and verification by the
terminal.
11. A message handling protocol for enhancing the security of the personal
identification procedures of an electronic data processing system said
system comprising a plurality of terminals and at least one centralized
data processing facility wherein the personal identification procedures
are to be performed, wherein each of said Terminals and said centralized
data processing facility include an encryption/decryption device capable
of performing a key-controlled block cipher cryptographic transformation
on blocks of data supplied to same, each said Terminal further including
means for reading a first unique personal identification data word (ACCT)
from a token carried by a user of the system and for accepting a second
unique memorized and personally entered data word (PIN) by said user,
wherein a predetermined cryptographically ascertainable relationship
exists between said first and second words, said method comprising the
steps of:
transmitting said first data word from said terminal to said centralized
computing facility in recoverable form as a first message word (M.sub.1),
converting said personally entered data word (PIN) into a non-recoverable
form by means of said encryption/decryption device, including deriving an
encryption key as a function of said PIN and encrypting said first data
word under said derived key, and
transmitting said converted word to said central computing facility as a
second message word (M.sub.2),
performing a cryptographic transformation of said first message word in
said centralized computing facility under control of a master key, and
comparing the results of said transformation with the second message word
(M.sub.2) transmitted from said Terminal to said centralized processing
facility, and
indicating a positive identification if the predetermined relationship
exists therebetween.
12. A message handling protocol as set forth in claim 11 including the step
of encrypting a data word representative of current status information in
said Terminal as a cryptographic function of said user entered data word
utilizing said encryption/decryption device in said Terminal,
transmitting said encrypted status word as message word M.sub.3 to said
centralized computing facility, and
decrypting said status word in said centralized computing facility
utilizing the encryption/decryption device resident therein under control
of a key derived from said first data word.
13. A message handling protocol as set forth in claim 11 including in said
Controller the steps of recovering said first data word from the message
word M.sub.1 received from said Terminal,
encrypting said recovered data word under control of said stored master key
(K) resident in said central computing facility to form a second key (K"),
using the second key to again encrypt said recovered first data word to
form a data word M.sub.2 ', and comparing said data word M.sub.2 ' with
the second message word M.sub.2 transmitted from said Terminal to said
central processing facility.
14. A message handling protocol as set forth in claim 13 including the
steps of further utilizing said second derived key (K") to decrypt the
third data word M.sub.3 transmitted from said Terminal to said centralized
computing facility to derive the status information contained therein.
15. A message handling protocol for use in a remote terminal oriented
computer system having a plurality of terminals connected to a central
host computer via at least one intermediate Controller unit to which each
terminal is connected, each terminal and each Controller having resident
therein a functionally identical key-controlled block cipher
encryption/decryption device, said protocol being characterized by a
unique functional relationship between an account number stored on a user
inserted token which may be inserted in a terminal for reading and a
memorized personal identification number which is memorized by the user
and personally entered at the terminal, and wherein said account number
stored on said token and the personal identification number are related to
each other by a predetermined key-controlled cryptographic transformation
as a function of a master system key, said system being further
characterized by the fact that said master key is stored only in the
Controller devices and neither said system master key nor the personally
entered identification numbers ever appear on the communication lines
between a terminal and its associated Controller, said protocol including
the steps of:
reading the account number from the user inserted token and transmitting
same to said Controller as a first message word M.sub.1,
encrypting said account number under control of an encryption key which is
a function of the user entered personal identification number and
transmitting said encrypted word to said Controller as a second message
word M.sub.2,
the Controller operations comprising the steps of encrypting the received
message word M.sub.1 under control of the system master key (K) to form a
further key K",
reencrypting the message M.sub.1 under control of said computed key K" to
produce a cryptogram M.sub.2 ',
comparing the message word M.sub.2 received from the terminal with the
cryptogram M.sub.2 ' and notifying the terminal of a successful
comparison,
determining if the host-computer is available to process a particular
transaction requested by a user at a terminal, and, if the host is
available,
connecting the terminal directly to the host computer via said Controller
to allow a transaction to proceed.
16. A message handling protocol as set forth in claim 15 wherein said token
carries a second data word in machine readable form, utilizing said second
data word as an offset value and functionally combining same with the user
entered personal identification number to form a resultant personal
identification number (PINTRUE) and using this resultant personal
identification number as the encryption key at the terminal for encrypting
said account number for transmission to said Controller.
DESCRIPTION
Technical Field
The present invention relates generally to the field of personal
identification utilizing a computer or similar computational hardware.
More particularly, it is related to personal identification when used with
a personal identification token such as a charge account card or the like
at some sort of a terminal device capable of reading information stored
thereon. A typical example of such a terminal would be a cash-issuing
terminal as conventionally used by many large banking institutions to
simplify various types of transactions including but not limited to the
issuing of cash to a person requesting same. It is to be understood that
the present system could equally well be used with a Terminal system
similarly equipped with a card reading device and for performing some
function in accordance with a "valid" determination such for example as
allowing a person to enter an otherwise locked gate or the like.
It is further assumed that the terminal is provided with facilities for
encrypting messages to be sent to a Host computer or intermediate
Controller for its use in validating or invalidating the transaction, and
facilities for decrypting response messages containing such validation
information.
The information on which this validation is based conventionally includes
information on a card or token presented by the user to the terminal, and
a segment of user entered data, normally referred to as a PIN (personal
identification number). This PIN is then utilized in a predetermined
fashion within the hardware provided at the Host Computer to which said
terminal is connected. The host computer on receipt of these messages then
extracts data relative to the identified account and, by means of further
operations, validates or invalidates the person attempting to use the
terminal.
While such identification procedures may be made extremely secure when the
host is available to the terminal for authentication, problems arise
during periods when the host is not available, such for example as on
weekends, when it might be desirable to have the terminals available to
customers when the central facility is not operating or during periods of
equipment outages at the host. One method utilized in the past for
handling this situation has been to have the basic encryption key utilized
during the encipherment and decipherments procedures necessary for
authentication to be entered by system personnel at each terminal. For
such systems the secrecy of the key is compromised in proportion to the
number of terminals in which it is entered. As more terminals are used, and
thus more people must physically enter the key at the terminals, the
greater the probability that a dishonest person might be
involved. Similarly, although great precautions are taken to render the
key storage areas of the highest reliability, there is also an increased
possibility that someone might be able to intercept the key information as
it is entered into the terminal or in some other way obtain the true
encryption key.
It is accordingly a primary object of the present invention to provide a
system for authenticating terminal users wherein it is not necessary to
ever enter the basic system encryption key into the terminal for
successful off-host operation.
It is a further object of the invention to provide such a personal
identification system wherein the keys are entered only into centralized
Controllers, each of which is connected to a plurality of terminals and to
the host computer.
It is yet another object of the present invention to provide such a system
wherein each of the Controllers performs the user identification operation
whenever the host is unavailable.
It is a still further object of the present invention to provide such a
personal identification system wherein status information from the
terminal is included with the authentication query to the Controller and
included subsequently in messages back to the terminals, which prevents
"stale" authentication messages obtained by eavesdroppers from being used
in an attempt to overcome the system security provisions.
It has been found that a more secure personal identification system may be
realized by a system architecture which includes the following provisions.
A plurality of messages are transmitted from the Terminal to the
Controller using personally entered criteria and criteria appearing on a
token presented by a customer. The Controller which is provided with the
highly secure system encryption key establishes the authenticity of the
customer. Subsequently a message is transmitted from the Controller back
to the terminal again using only data supplied by the terminal to inform
the Terminal of a proper (or improper) identification.
It is to be understood that the Controller initiated authentication
procedure would be utilized at least during off-host operations.
BRIEF DESCRIPTION OF DRAWINGS
FIG. 1 comprises an overall high level block diagram of a terminal driven
computer system incorporating the cryptographic system architecture of the
present invention.
FIG. 2 comprises an organizational diagram of FIGS. 2A through 2D.
FIGS. 2A through 2D comprise a detailed functional block diagram defining
the architecture of a Controller block as shown in the block diagram of
FIG. 1.
FIG. 3 comprises an organizational diagram for FIGS. 3A through 3D.
FIGS. 3A through 3D comprise a detailed functional block diagram defining
the architecture of a Terminal block as shown in the block diagram of FIG.
1.
FIG. 4 comprises an organizational diagram for FIGS. 4A and 4B.
FIGS. 4A and 4B comprise an operational sequence diagram of the operations
occurring in a terminal during an authentication procedure.
FIG. 5 comprises an organizational diagram of the FIGS. 5A and 5B.
FIGS. 5A and 5B comprise an operational sequence diagram of the hardware of
the controller architecture shown in FIGS. 2A through 2D during an
off-host authentication procedure occurring within the Controller.
DISCLOSURE OF INVENTION
In a system of cash-issuing Terminals connected to one or more computers
for authorization purposes, it is essential, and standard practice, to
have a secret personal identification number (PIN) associated with each
account number (ACCT), to impede the misuse of lost, stolen, or forged
identification ("credit") cards. It is also desirable, and is the practice
in existing systems that communication between the terminal and the rest
of the system (central Host computer or separate Controller) be
enciphered, in order that an opponent not be able to learn PINs by passive
wiretapping, or authorize transactions by active wiretapping. It is
further desirable that the validity of each PIN be systemwide, independent
of which Terminal and Controller are involved in a transaction.
This invention augments this design philosophy with the following desirable
additional objectives:
(a) to arrange that the PIN for each ACCT be arbitrarily choosable and
alterable, without changing the ACCT;
(b) to arrange that authentication be achievable by any of a set of
Controllers of limited storage capacity (too small to contain a table of
PINs vs. ACCTs) to which the various Terminals are attached, at times when
the Host is unavailable; and
(c) to arrange that no cryptographic keys are stored in the Terminal, for
otherwise an opponent might learn such a key via the possible
untrustworthiness of one of the persons involved in entering the keys into
many Terminals, or else by forcibly invading a terminal, and then use
such a key to compromise the system.
The means provided by the present invention for accomplishing these
objectives are the following. We arrange that the cryptographic key to be
used in enciphering a transaction between a Terminal and a Controller or
Host shall be large enough (e.g. 56 bits) to deter its determination by an
opponent by a trial of all possible keys, and also shall vary drastically
from one transaction (involving a particular ACCT) to another (involving a
different ACCT), so that an opponent who is also a legitimate user of the
system cannot, from information in his possession, thereby learn the keys
for other ACCTs. To do this we arrange that the key for each transaction,
which we will call PINTRUE, shall depend on the ACCT in a way which is
readily determinable both (a) at any Controller and/or Host, and (b) at
any Terminal. To achieve (a) we define the PINTRUE for each ACCT to be a
cryptographic function of ACCT, under a systemwide master key K which is
known to all Controllers and the Host, but which for security reasons is
not stored in the Terminals. For each transaction, the Controller (or
Host) computer recomputes PINTRUE as the given function of this master key
K and of ACCT which has been transmitted to the Controller by the Terminal
which has read it from the Customer's card. To accomplish (b) we arrange
that the PINTRUE for the account be derivable from information furnished
by the customer in the form of the card and his PIN. PIN is small enough
for the customer to remember (say 4 to 6 decimal digits or letters), but
PINTRUE is large enough (say 56 bits) to render it impractical for an
opponent to enumerate all possible PINTRUEs on a computer. We put on the
card, in machine-readable form, a "PIN offset" PINOFF which when suitably
combined with PIN will yield PINTRUE, which is thereby available at the
Terminal to serve as a communication-encrypting key. This law of
combination, and the resulting definition of PINOFF, must be such that,
given an arbitrarily chosen PIN and the system-defined PINTRUE, such a
PINOFF can be determined at the time the card is manufactured. A suitable
such law of combination is to exclusive-or the chosen PIN with an
equal-length subset of PINTRUE to obtain PINOFF (at the time of
manufacture of the card) and with the corresponding subset of PINOFF to
obtain PINTRUE (at the time of use of the card).
In addition, the reuse of stale keys by an opponent is thwarted by an
exchange of encrypted messages whose variable plaintext is known to both
the Terminal and the Controller, for example, terminal-status information
(TSI) such as the amount of money remaining in the Terminal, or the
serial-number of the transaction.
The objects of the present invention are accomplished in general by a
personal identification architecture wherein one or more remotely located
terminals each receive data supplied by an individual, via the reading of
a credit card-like device and keyboard entry. Each Terminal is in turn
connected via a data communication link to a Controller. Each Controller is
connected to a central Host computer via a suitable data communication
link. Said Controller-performed personal identification procedure is
available at least when the Host is not available to the system for
performing personal identification functions.
The identification system includes means at the Terminal for transmitting
as message M.sub.1 a first portion of data, called ACCT, supplied by said
individual (typically via a machine-readable card) to the Controller in
clear form. Means are additionally provided for computing an encryption
key from data supplied by said individual which key is in turn utilized by
an encryption/decryption block included in the said terminal for
encrypting said first block of data and transmitting same to said
Controller as a second message (M.sub.2). The Controller includes an
encryption/decryption unit identical to that contained in the terminal
device and further has stored therein a master key (K) for controlling the
operation of the Controller encryption/decryption unit. Whenever a
personal identification request is received by the Controller, the
Controller accesses the first message M.sub.1 comprising the data block 1
entered by the individual into the Terminal and encrypts same in the
encryption/decryption unit under control of the master key. The results of
this encryption are used as a key to encipher M.sub.1 into a message
M.sub.2 ' which is then compared with message M.sub.2 received from the
terminal and if a comparison is successful an "accept" signal is sent from
the Controller back to the Terminal which indicates that account
transaction may proceed. In the case of a cash-issuing banking terminal
this would cause a specified amount of cash to be directly issued to the
individual or alternatively it might permit some form of credit to be
extended to the individual. In the case of a facility access system the
Terminal "accept" signal might allow the individual to utilize a computer
terminal or gain access to a facility such as a building, plant or some
other physical facility.
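The following simulation is an added example, not code from the patent: it carries the exchange just described through end to end (PINTRUE as a function of ACCT under the master key K, PINOFF written on the card, M.sub.1 and M.sub.2 from the Terminal, K" and M.sub.2 ' recomputed at the Controller, and the terminal-status word exchanged for replay protection). It assumes a toy 16-round Feistel cipher built on SHA-256 as a stand-in for the FIPS 46 block cipher (64-bit block, 56-bit key; it is not DES and not secure), a 4-byte PIN, and constructed sample values.

```python
# Simulation of the ACCT / PIN / PINOFF authentication exchange.
# Assumption: a toy Feistel cipher stands in for the FIPS 46 device.
# The "+" of the text is bitwise addition modulo 2, i.e. XOR.
import hashlib
import hmac

BLOCK_BYTES = 8   # 64-bit block
KEY_BYTES = 7     # 56-bit key, the PINTRUE size suggested in the text
ROUNDS = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function (stand-in for the DES f-function, not DES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def encrypt(key: bytes, block: bytes) -> bytes:
    """E_K(block): key-controlled block cipher transformation (toy Feistel)."""
    assert len(key) == KEY_BYTES and len(block) == BLOCK_BYTES
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return right + left


def decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of encrypt: the same rounds applied in reverse order."""
    assert len(key) == KEY_BYTES and len(block) == BLOCK_BYTES
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = right, _xor(left, _f(key, rnd, right))
    return right + left


def pintrue_from_master(master_key: bytes, acct: bytes) -> bytes:
    """PINTRUE = E_K(ACCT), cut to key size; only Controllers/Host hold K."""
    return encrypt(master_key, acct)[:KEY_BYTES]


def combine(pinoff: bytes, pin: bytes) -> bytes:
    """XOR the PIN onto the leading bits of PINOFF; remaining bits unchanged."""
    return _xor(pinoff[:len(pin)], pin) + pinoff[len(pin):]


def issue_card(master_key: bytes, acct: bytes, pin: bytes) -> bytes:
    """Card manufacture: choose PINOFF so that combine(PINOFF, PIN) == PINTRUE.
    XOR is its own inverse, so the same combine() law serves both ways."""
    return combine(pintrue_from_master(master_key, acct), pin)


def terminal_request(acct: bytes, pinoff: bytes, pin: bytes, tsi: bytes):
    """Terminal side (no master key present): M1 = ACCT in clear,
    M2 = E_{PINOFF+PIN}(ACCT), M3 = E_{K'}(terminal status information)."""
    k_prime = combine(pinoff, pin)
    return acct, encrypt(k_prime, acct), encrypt(k_prime, tsi)


def controller_authenticate(master_key: bytes, m1: bytes, m2: bytes, m3: bytes):
    """Controller side: K'' = E_K(M1), M2' = E_{K''}(M1); accept iff M2' == M2.
    On accept, recover the status word from M3 and echo it under K''."""
    k_double = encrypt(master_key, m1)[:KEY_BYTES]
    m2_prime = encrypt(k_double, m1)
    if not hmac.compare_digest(m2_prime, m2):
        return False, None
    tsi = decrypt(k_double, m3)
    return True, encrypt(k_double, tsi)


def terminal_check_reply(pinoff: bytes, pin: bytes, reply: bytes, tsi: bytes) -> bool:
    """Terminal verifies the reply carries its current status (stale-message check)."""
    return hmac.compare_digest(decrypt(combine(pinoff, pin), reply), tsi)


def run_transaction(master_key, acct, pinoff, pin, tsi) -> bool:
    """Whole exchange; True only if the Controller accepts and the reply is fresh."""
    m1, m2, m3 = terminal_request(acct, pinoff, pin, tsi)
    ok, reply = controller_authenticate(master_key, m1, m2, m3)
    return ok and terminal_check_reply(pinoff, pin, reply, tsi)


# Constructed sample values (not real keys or account numbers).
MASTER_KEY = bytes.fromhex("0123456789abcd")   # K, held only by Controllers/Host
ACCT = b"12345678"                              # 8-byte account number
PIN = b"4829"                                   # memorised PIN
PINOFF = issue_card(MASTER_KEY, ACCT, PIN)      # PIN offset written on the card
TSI = b"\x00\x00\x00\x00\x00\x00\x00\x2a"       # e.g. transaction serial number 42

if __name__ == "__main__":
    print("correct PIN:", run_transaction(MASTER_KEY, ACCT, PINOFF, PIN, TSI))
    print("wrong PIN  :", run_transaction(MASTER_KEY, ACCT, PINOFF, b"0000", TSI))
```

Note that the Terminal never handles K: it derives the per-account key solely from the card and the keyed PIN, exactly the property objective (c) asks for.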
Having thus very generally related the operations of the present invention
there will follow a general discussion of the theory of operation of the
present invention with respect to the high level block diagram of FIG. 1.
In referring to the figure it will be noted that a series of Controllers
(1,2, . . . N) are connected over suitable lines to a host computer. In
turn each Controller has a series of Terminals (1,2, . . . N) connected
thereto. Thus, any of the individual terminals are selectively connectable
to the host computer through their respective Controller.
In the subsequent description of the invention it will be assumed that the
environment of the present invention is in a cash-issuing terminal system
wherein each terminal is capable of issuing cash to a customer upon a
suitable request and a subsequent system approval of the customer's
identification.
It is further assumed that each customer is in possession of a portable
token such as a credit card containing an account number (ACCT) and a
personal identification offset number (PINOFF) both of which are stored in
machine readable form on said credit card and wherein each terminal is
capable of appropriately reading said data from the credit card. It is
further assumed that each customer has in his possession a personal
identification number (PIN) which is committed to memory and which he is
capable of entering into the Terminal at a suitable data entry point, such
as a keyboard, upon request.
It is assumed that the system is capable of operation in one of two modes.
The first is On-Line wherein each transaction requested by a customer at a
terminal is sent directly to the Host for validation. The Host may
maintain a positive file listing all ACCTs, the customers' names, possibly
but not necessarily the PINTRUEs to be described, and a considerable
unspecified further amount of information relative to the account. In the
On-Line mode the Host controls the validation operations and will send an
"accept" or "reject" message in appropriate form to the terminal upon
application by the customer. This validation will include the steps to be
described for a Controller (excluding the computation of PINTRUE if not
needed). The particular manner in which additional checks are done by a
particular system is of no particular interest to the present invention
and will not be discussed further here.
The second mode of operation is Off-Host which implies that the Host
Computer is not available for service to perform account validation
operations such for example as on weekends or during equipment outages,
but the Controller to which the Terminal is attached is available.
It is the need of this operational alternative to which the present
invention applies and which will now be described in detail. The
Controllers will not have as much storage capacity as the Host, in
particular they cannot store PIN's for all accounts. It is noted in
passing that the Controller may include a negative file, listing accounts
which are no longer valid, which list may be checked by the Controller
before a final validation indication is returned to a terminal. Other
validation operations could also be built into the Controller. Examples
might be total transaction size, number of transactions within a specified
time period, etc. However, these do not relate materially to the inventive
concepts being described herein and are not described further.
At this point there will follow a general description of the computations
made within the Terminal and the Controller without specifically referring
to the disclosed hardware of FIGS. 2A through 2D and 3A through 3D. There
will follow a specific description of the operation of the system hardware
disclosed in these two figures with reference to the series of operational
sequence charts of FIGS. 4A, 4B, 5A and 5B.
Returning now to the description of the overall operation of the system to
perform a validation or authentication operation it is assumed that the
three above items of data, namely ACCT and PINOFF contained in the
customer's credit card and PIN committed to his memory are functionally
related by the formula
$\mathrm{PINOFF} + \mathrm{PIN} = \mathrm{PINTRUE}$ (1)
$\mathrm{PINTRUE} = E_K(\mathrm{ACCT})$ (2)
In this formula the value $E_K$ denotes encipherment with the master key
K of the quantity in the parentheses, in this case the account number
(ACCT). This could also be written as $E(K, \mathrm{ACCT})$.
It is assumed that PINOFF and PIN are combined for example by bitwise
addition modulo 2 into the value PINTRUE.
In such cryptographic systems it is desired, however, that the size of
PINTRUE be sufficiently large to resist discovery and accordingly the size
of 56 bits has been found suitable. In the presently disclosed embodiment,
for example, if PINOFF is expressed as a 56 bit binary number, i.e.
$(x_1, x_2, \ldots, x_{56})$, and PIN is chosen as six alphabetic
characters written or decoded as a thirty bit binary number $(y_1, y_2,
\ldots, y_{30})$, then the combination of these two by means of
bitwise addition modulo 2 would be expressed by the formula
$(\mathrm{PINOFF} + \mathrm{PIN}) = (x_1 + y_1, \ldots, x_{30} + y_{30}, x_{31}, x_{32}, \ldots, x_{56})$ (3)
The above sizes of PINTRUE, PINOFF and PIN are not critical but
represent typical sizes which would provide a high degree of security via
the large size of PINTRUE while at the same time keeping PIN, which must be
committed to memory by the customer accurately, relatively small.
Having generally set forth the functional relationship of the account
number (ACCT), the personal identification number offset (PINOFF) and the
personal identification number itself (PIN), the present architecture
utilized to make the requisite computations and comparisons in a highly
secure manner will now be set forth. It should be first noted that the
encryption/decryption units located in both the terminal device and the
Controller must be identical block cipher key controlled encryption
devices. The specific algorithm performed by the devices is not critical
to the present invention, however, all of the devices in a single system
must obviously operate identically. A suitable encryption/decryption
device would be that specified by the National Bureau of Standards Federal
Information Processing Standard for Data Encryption Systems number 46. The
operation of the system proceeds as follows. First the customer places his
credit card in the terminal and the account number (ACCT) and the personal
identification number offset (PINOFF) are read by the Terminal. Next the
customer keys in his individual PIN. The Terminal controls cause the
following messages to be sent to the Controller. The first one (M.sub.1)
comprises the account number (ACCT) in clear form. (See later for possible
encryption of ACCT).
M.sub.1 =ACCT in the clear (4)
The second message (M.sub.2) is computed by the Terminal and is represented
by the following formula
M.sub.2 =E.sub.(PINOFF+PIN) (ACCT) (5)
The above formula implies that the account number is encrypted under a key
(K') which is specified to be PINOFF+PIN. These two messages are received
by the Controller which as stated previously has the master key K stored
therein. Keeping in mind the following relationship
PINTRUE=E.sub.K (ACCT)=E.sub.K (M.sub.1) (6)
the Controller then computes the quantity referred to herein as M.sub.2 ', namely
M.sub.2 '=E.sub.PINTRUE (M.sub.1) (7)
M.sub.1 is the account number of the customer sent in clear form from the
terminal to the Controller, and in accordance with formula (2) the
encryption of this account number under the system master key should
produce the quantity PINTRUE. Similarly, as indicated in formula (1), if the
proper quantities PINOFF and PIN are entered by the customer and passed
through the bitwise modular addition they should likewise produce the
quantity PINTRUE. At this point it will be apparent that the two
quantities, M.sub.2 ' computed by the Controller and the message M.sub.2
transmitted from the terminal to the Controller, should be equal if the
proper relationship exists between PINOFF, PIN, and PINTRUE. If there is
agreement the Controller accepts the identity of the customer and proceeds
to check the negative file. If satisfactory the transaction is continued,
still using the key PINOFF + PIN=E.sub.K (ACCT)=PINTRUE. The above
procedures have the following advantages.
No key is resident in the terminal. It is known that exposure of such a
key, whether a key used in transmission or one such as K used in
authentication, can lead to serious or complete compromise of such a
system. In the present system the necessity of guarding K is removed with
respect to the terminal, although it remains with respect to the
Controller, Host and the management of information about these.
The information available to a wiretapper or interceptor consists of the
messages M.sub.1 and M.sub.2 transmitted from the terminal to the
controller. Subsequently, the Controller will transmit various transaction
messages back to the terminal but these as stated previously will be
encrypted under the terminal-computed PINTRUE which equals PINOFF + PIN.
It is assumed that the encryption/decryption algorithm E is sufficiently
strong to resist the determination of PINTRUE or K under these
assumptions. If so, only the account number becomes available, as this is
transmitted in clear form. Even this exposure which might be of incidental
use to an opponent could be reduced by the use of an additional resident
and perhaps alterable transmission key or cipher key for use of all
transmissions between the Terminal and the Controller. The large size (at
least 56 bits) of PINTRUE is such as to discourage an opponent from
determining it by trial on a computer, knowing only M.sub.1 and M.sub.2.
The size of PIN can be chosen to be small enough for the user to remember
it, and large enough to frustrate exhaustive trials of PIN at a terminal
by the possessor of a lost or stolen card, even though this card does
contain all PINOFF.
For a computerized attack by enumerating all possible PINs without trials
at a terminal, an opponent would need both the M.sub.1, and M.sub.2 of a
transaction, and possession of the card containing M.sub.1 and PINOFF.
Even success in such an unlikely circumstance should give access only to a
single PINTRUE=E.sub.K (M.sub.1) not to K for the whole system. Only the
same limited information would be available to the possessor of a card and
its (supposedly secret) PIN.
Further, if the relation + is suitably chosen, PIN can be chosen at will,
either by the bank or by the user, as desired, and can be altered at will
by altering PINOFF in a complementary fashion to yield the same PINTRUE.
The suitability requirement is that PINOFF + PIN=PINTRUE be the inverse of a
function PINOFF=PINTRUE - PIN defined at least over the desired domain
of PIN. The previous example of the (self-inverse) function of bitwise
addition mod 2 ( + ) is one such.
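The following is an added worked example, not code from the patent, that carries formulas (1) through (7) and the complementary PIN change just described through one transaction. The patent leaves the block cipher open (FIPS 46/DES is suggested), so E_K(.) is stood in for here by a keyed PRF truncated to a 56-bit block, and the five-bit-per-letter PIN encoding and the sample key and account number are assumptions.

```python
import hashlib
import hmac

def E(key: int, data: int) -> int:
    """Stand-in for the patent's block cipher E_K(.) (assumption: the patent leaves the
    cipher open, suggesting FIPS 46/DES); a keyed PRF cut to 56 bits keeps this offline."""
    mac = hmac.new(key.to_bytes(7, "big"), data.to_bytes(7, "big"), hashlib.sha256)
    return int.from_bytes(mac.digest()[:7], "big")

def encode_pin(pin: str) -> int:
    """Six letters -> 30-bit number, five bits per letter (one encoding; assumed)."""
    assert len(pin) == 6 and pin.isalpha()
    n = 0
    for ch in pin.upper():
        n = (n << 5) | (ord(ch) - ord("A"))
    return n

def combine(pinoff: int, pin: int) -> int:
    """Formula (3): PIN's 30 bits are XORed onto the first 30 bits of the 56-bit PINOFF."""
    return pinoff ^ (pin << (56 - 30))

def issue_card(master_key: int, acct: int, pin: str) -> int:
    """Bank side: PINTRUE = E_K(ACCT) (2), then PINOFF with PINOFF + PIN = PINTRUE (1).
    XOR is self-inverse, so the same call yields the complementary PINOFF for a new PIN."""
    return combine(E(master_key, acct), encode_pin(pin))

def terminal_messages(acct: int, pinoff: int, pin: str) -> tuple:
    """Terminal: M1 = ACCT in the clear (4), M2 = E_(PINOFF+PIN)(ACCT) (5). No K here."""
    return acct, E(combine(pinoff, encode_pin(pin)), acct)

def controller_verify(master_key: int, m1: int, m2: int) -> bool:
    """Controller: PINTRUE = E_K(M1) (6), M2' = E_PINTRUE(M1) (7); accept iff M2' == M2."""
    m2_prime = E(E(master_key, m1), m1)
    return hmac.compare_digest(m2_prime.to_bytes(7, "big"), m2.to_bytes(7, "big"))

if __name__ == "__main__":
    K = 0x0123456789ABCD            # constructed 56-bit master key, held only by the Controller
    ACCT = 4111222233334444         # constructed account number (fits in 56 bits)
    pinoff = issue_card(K, ACCT, "QWERTY")
    print(controller_verify(K, *terminal_messages(ACCT, pinoff, "QWERTY")))   # True
    print(controller_verify(K, *terminal_messages(ACCT, pinoff, "QWERTZ")))   # False
    new_pinoff = issue_card(K, ACCT, "ABCDEF")   # PIN change: new PINOFF, PINTRUE unchanged
    print(combine(new_pinoff, encode_pin("ABCDEF")) == E(K, ACCT))             # True
```

Note that the terminal code path never touches K: it only ever holds the per-transaction key PINOFF+PIN, which is the property the patent claims for the terminal.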
It should be noted that it is possible for several master keys K.sub.I,
e.g., for different banks, to be used. In a transaction the proper K.sub.I
could be determined by an indicator in the account number (or even by
trial).
An opponent trying to "invent" or fabricate the card containing the
quantities ACCT, PINOFF and PIN which would appear valid to the system
must be able to find or invent ACCT and PINTRUE related by the formula
PINTRUE=E.sub.K (ACCT)=E.sub.K (M.sub.1)
This appears infeasible without knowledge of K and impractical by trial
because of the size of the fields ACCT and PINTRUE, and the fact that each
trial must be made at a terminal.
An additional feature included with the present system which enhances the
reliability of the system is the use of terminal-unit status (TSI)
information also transmitted from the Terminal to the Controller when an
authentication request is made. This status information could be from a
bill counter, coin counter, transaction counter, or the like located in
the Terminal and mirrored in the Controller, which would assumedly change
whenever a successful transaction is completed. This status information,
encrypted under the computed key PINOFF+PIN is then used by the
Controller, first to check that the received message is current, and then
when it retransmits a credit approval or authentication (or the denial of
these) back to the terminal. Before the approval is accepted by the
Terminal a check is first made against the status information to make
certain that the message from the Controller is current. This prevents
acceptance of a stale terminal request by the Controller, or of a stale
credit approval message by the Terminal, either of which might otherwise be
exploited by a sophisticated wiretapper attempting to send stale recorded
messages to the Controller or Terminal.
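The terminal-status check above, as an added example that is not part of the patent: a mirrored transaction counter (TSI) is carried under the per-transaction key PINOFF+PIN in both directions, so a recorded request or approval fails when presented again. The cipher stand-in, the packing of the verdict below the counter, and the sample PINTRUE value are assumptions; both sides are given PINTRUE directly rather than deriving it from M.sub.1 and the card.

```python
import hashlib
import hmac

def E(key: int, data: int) -> int:
    """Cipher stand-in: keyed PRF cut to 56 bits in place of DES (assumption)."""
    mac = hmac.new(key.to_bytes(7, "big"), data.to_bytes(7, "big"), hashlib.sha256)
    return int.from_bytes(mac.digest()[:7], "big")

APPROVE, DENY = 1, 0   # verdict tag packed below the counter; message layout is assumed

class Terminal:
    def __init__(self, pintrue: int):
        self.key, self.tsi = pintrue, 0     # key is PINOFF+PIN; tsi is the transaction counter

    def status_field(self) -> int:
        """TSI sent with the authentication request, encrypted under PINOFF+PIN."""
        return E(self.key, self.tsi)

    def accept_reply(self, reply: int) -> bool:
        """Accept only an approval that carries the terminal's current TSI."""
        if reply != E(self.key, (self.tsi << 8) | APPROVE):
            return False                    # stale replay, forgery, or a denial
        self.tsi += 1                       # a completed transaction advances the counter
        return True

class Controller:
    def __init__(self, pintrue: int):
        self.key, self.mirror = pintrue, 0  # mirror tracks the terminal's TSI

    def handle(self, status_field: int, pin_verified: bool):
        """Return the encrypted verdict, or None if the request is not current."""
        if status_field != E(self.key, self.mirror):
            return None                     # recorded request replayed later: dropped
        verdict = APPROVE if pin_verified else DENY
        reply = E(self.key, (self.mirror << 8) | verdict)
        if pin_verified:
            self.mirror += 1                # stay in step with the terminal
        return reply

if __name__ == "__main__":
    PINTRUE = 0x00ABCDEF012345     # constructed; both sides derive it as in formulas (1)/(6)
    term, ctrl = Terminal(PINTRUE), Controller(PINTRUE)
    request = term.status_field()
    reply = ctrl.handle(request, True)
    print(term.accept_reply(reply))        # True: fresh approval
    print(ctrl.handle(request, True))      # None: replayed request is stale
    print(term.accept_reply(reply))        # False: replayed approval is stale
```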
Having thus generally described the principles and underlying features of
the present invention there will follow a description of the