A Fundamentally Secure Payment Device Interfaced to Regular PCs

A. Bouhraoua, M. Al-Shammari
Published in: 2008 IEEE Region 5 Conference, 2008-04-17
DOI: 10.1109/TPSD.2008.4562736 (https://doi.org/10.1109/TPSD.2008.4562736)
Citations: 1

Abstract

The present contribution introduces a new way of solving the issue of security for payments over the internet. It particularly addresses the issues related to PC weaknesses such as the combination of key loggers and spyware. The device uses exclusively symmetric encryption (AES) that ties the device directly to the payment server base at fabrication time. The device is connected to the PC through the USB interface, from which it takes its power. The platform architecture is built around three entities: an I/O processor (IOP) responsible for the communication and user interface, and a management of keys processor (MKP) responsible for all of the message processing. Encryption is performed by a dedicated hardware engine for increased performance. The device is made known to the payment server at fabrication time through the assignment of a device ID. Both the server and the device use secret keys known only to the two parties. This way, authentication and security are guaranteed at the source. The device ID, along with the device and server sets of keys, is assembled in a data storage packet, scrambled, encrypted by a completely secret device-internal key, and stored on a local serial EEPROM. Moreover, the EEPROM setting procedure is a one-way procedure: no way of reading back the clear device ID and set of keys is available. The strength of this approach is the fact that the device ID is associated with a set of device keys within the payment server database.