METHOD OF CONFIGURING OR CHANGING A CONFIGURATION OF A POS TERMINAL AND/OR ASSIGNMENT OF THE POS TERMINAL TO AN OPERATOR
20190005480 · 2019-01-03
Inventors
Cpc classification
G06Q20/202
PHYSICS
G07G1/0009
PHYSICS
H04L2209/72
ELECTRICITY
G06F21/105
PHYSICS
H04L67/34
ELECTRICITY
G06Q20/206
PHYSICS
H04L9/0816
ELECTRICITY
G06F21/34
PHYSICS
International classification
H04L9/08
ELECTRICITY
G06F21/34
PHYSICS
Abstract
A method of configuring or changing the configuration of a POS terminal by at least one operator, in which an identification feature identifying the at least one operator is introduced into the POS terminal and used to authorize that operator; the POS terminal establishes the operator's authorization, and only after successful authorization does the operator carry out the configuration or the change of configuration. Also a method of associating a POS terminal with an operator, in which the POS terminal checks the integrity of the identification feature of the operator with whom it is associated.
Claims
1. A method of configuring or changing a configuration of a POS terminal, wherein the configuration or change of a configuration is carried out by at least one operator, characterized in that an identification feature for identification of the at least one operator is introduced into the POS terminal after the production and up to the first startup, this identification feature is used for authorizing the at least one operator, an authorization of the at least one operator is established by the POS terminal, and after successful authorization of the at least one operator, the at least one operator carries out the configuration or change of the configuration.
2. The method as claimed in claim 1, characterized in that the operator initializes a POS terminal which has been left uninitialized by the producer of the POS terminal.
3. The method as claimed in claim 1, characterized in that the identification feature is introduced by the operator.
4. A method of associating a POS terminal with an operator, characterized in that the POS terminal checks the integrity of an identification feature of the operator for the identification of the operator with whom the POS terminal is associated, and the POS terminal only permits a change of a configurable property by the operator with whom the POS terminal is associated.
5. The method as claimed in claim 4, characterized in that the POS terminal verifies cryptographically with which operator the POS terminal is associated.
6. The method as claimed in claim 5, characterized in that a data element, which is stored in the POS terminal, is used as the identification feature.
7. The method as claimed in claim 1, characterized in that each operator uses a different data element in the POS terminal assigned to him.
8. The method as claimed in claim 1, characterized in that a payment application is configured during the configuration.
9. The method as claimed in claim 8, characterized in that the payment application is introduced into the POS terminal in the form of an executable program code.
10. The method as claimed in claim 1, characterized in that the payment application is signed using a private key.
11. The method as claimed in claim 1, characterized in that a public key is known to the POS terminal, and a right is granted using this public key of introducing applications into the POS terminal, and the POS terminal carries out a check of the authorization before the introduction of the application, and/or a manipulation of the application is checked by the POS terminal.
12. The method as claimed in claim 1, characterized in that cryptographic keys are configured during the configuration.
13. The method as claimed in claim 1, characterized in that cryptographic keys are introduced from a central body into the POS terminal.
14. The method as claimed in claim 13, characterized in that the cryptographic keys are introduced into the POS terminal in a secure environment, or the cryptographic keys are protected by cryptographic methods during the transfer.
15. The method as claimed in claim 1, characterized in that, in the case of a symmetrical cryptography for transferring cryptographic keys, an operator-specific master key is generated by the operator, the master key is stored, a device-specific key is derived for the POS terminal from the master key by means of a unique identifier of the POS terminal, and the derived device-specific key is introduced into the POS terminal.
16. The method as claimed in claim 1, characterized in that a device, which distributes the cryptographic keys of an operator, derives the device-specific key for the POS terminal and encrypts the cryptographic keys by means of this device-specific key, the encrypted cryptographic keys are introduced into the POS terminal, subsequently the cryptographic keys are decrypted by the POS terminal using the device-specific key.
17. The method as claimed in claim 1, characterized in that, in the case of an asymmetrical cryptography for transferring cryptographic keys, key pairs and a corresponding certificate containing the public key are provided in the device which distributes the keys of the operator; the certificate is introduced into a POS terminal, so that the POS terminal only accepts cryptographic keys which are authorized by this device of the operator; subsequently the device of the operator introduces cryptographic keys into the POS terminal, wherein the cryptographic keys are encrypted using the public key of the POS terminal and are signed using the private key of a key pair; after the introduction, the cryptographic keys are decrypted by the POS terminal, which has the corresponding private key, and an authorization check is carried out by means of the public key which the device of the operator introduced via the corresponding certificate in the first step.
18. The method as claimed in claim 1, characterized in that runtime parameters are configured during the configuration.
19. The method as claimed in claim 18, characterized in that changes of the runtime parameters for the configuration of the POS terminal only take place after successful authorization by a terminal management system.
20. The method as claimed in claim 1, characterized in that a terminal management system communicates with the POS terminal via a direct communication connection, and the terminal management system establishes an encrypted communication connection to the POS terminal, and the terminal management system authenticates itself with respect to the POS terminal by means of an asymmetrical key pair and a corresponding certificate, and the POS terminal carries out an authorization check, and after positive check, a change of runtime parameters is carried out.
21. The method as claimed in claim 1, characterized in that a terminal management system communicates with the POS terminal without a direct communication connection, and changes of runtime parameters are carried out using signed data packets and a subsequent authorization check.
22. The method as claimed in claim 1, characterized in that, to activate optional functions of the POS terminal, the operator requests a license for activation at the producer, the license for activation is granted, and the operator activates the function on at least one POS terminal.
23. The method as claimed in claim 22, characterized in that the activation takes place in the form of license keys.
24. The method as claimed in claim 1, characterized in that a hardware topology is configured during the configuration.
25. The method as claimed in claim 1, characterized in that additional hardware is activated or deactivated by means of signed data packets.
26. The method as claimed in claim 1, characterized in that to verify an operator association of a POS terminal, a random number is generated and transmitted to the POS terminal, and the POS terminal forms a tuple from random number and operator feature and signs it using the private key, the POS terminal responds with the operator feature, the signature, and the certificate, subsequently the certificate is checked, subsequently the tuple of random number and operator feature is formed, and the signature of this tuple is checked using the public key from the certificate.
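Claims 15 and 16 together describe a two-level symmetric key hierarchy: an operator-specific master key, a device-specific key derived from it with the terminal's unique identifier, and the operator's working keys wrapped under that device-specific key before they are introduced into the terminal. The Go program below is an added illustration of that scheme and is not code from the patent. It assumes HMAC-SHA256 as the derivation function and AES-256-GCM as the wrapping cipher (the claims specify neither), and the terminal identifiers, master key and key block it uses are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveDeviceKey is the derivation of claim 15: a key specific to one terminal,
// computed from the operator's master key and the terminal's unique identifier.
// HMAC-SHA256 over a labelled input is this example's choice of derivation
// function; the patent names none.
func deriveDeviceKey(master []byte, terminalID string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte("pos-device-key|" + terminalID))
	return m.Sum(nil) // 32 bytes, used directly as an AES-256 key
}

// wrapKeys is the distributing device's side of claim 16: the operator's
// working keys are encrypted under the terminal's device-specific key.
// AES-256-GCM also authenticates the package, so modification in transit
// is detected instead of altered keys being installed silently.
func wrapKeys(deviceKey, keys []byte) ([]byte, error) {
	block, err := aes.NewCipher(deviceKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, keys, nil), nil // nonce || ciphertext || tag
}

// unwrapKeys is the terminal's side. The terminal holds only its own device
// key, so a package wrapped for another terminal, or one that was tampered
// with, fails authentication and nothing is installed.
func unwrapKeys(deviceKey, pkg []byte) ([]byte, error) {
	block, err := aes.NewCipher(deviceKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(pkg) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("key package too short")
	}
	return gcm.Open(nil, pkg[:gcm.NonceSize()], pkg[gcm.NonceSize():], nil)
}

// run models one operator and two terminals: a package wrapped for T-1001 opens
// only on T-1001, and a flipped bit in the package is rejected.
func run() (ok bool, crossErr, tamperErr error) {
	master := make([]byte, 32) // operator master key; never leaves the distributing device
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	k1001 := deriveDeviceKey(master, "T-1001") // introduced into T-1001 in a secure environment
	k1002 := deriveDeviceKey(master, "T-1002")
	keys := []byte("constructed working-key block for T-1001")
	pkg, err := wrapKeys(k1001, keys)
	if err != nil {
		panic(err)
	}
	got, err := unwrapKeys(k1001, pkg)
	ok = err == nil && bytes.Equal(got, keys)
	_, crossErr = unwrapKeys(k1002, pkg) // wrong terminal: GCM tag check fails
	pkg[len(pkg)-1] ^= 0x01               // flip one bit of the authentication tag
	_, tamperErr = unwrapKeys(k1001, pkg)
	return ok, crossErr, tamperErr
}

func main() {
	ok, crossErr, tamperErr := run()
	fmt.Printf("own terminal: %v; other terminal: %v; tampered: %v\n", ok, crossErr, tamperErr)
}
```

Two properties of this construction matter in practice. The derivation is one-way, so a device key extracted from one compromised terminal yields neither the master key nor any other terminal's key; the master key itself should exist only inside the distributing device, with just the derived keys exported, and those only into the secure environment claim 14 requires. And because the wrapping is authenticated, a package built for the wrong terminal or altered in transit is a detected failure rather than a corrupt key silently put into use.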
Description
[0106] Further features and advantages of the invention result on the basis of the associated drawings, in which various embodiments of a configuration according to the invention are shown only by way of example, without restricting the invention to these exemplary embodiments. In the figures of the drawings:
[0113] The public key itself has to be known.
[0114] It has to be known with which signatory the public key is to be associated. This means which subject (for example, a technical device or a legal or natural person) has sole access to the corresponding private key.
[0115] The linkage of these two items of information can be established in a digital certificate. After checking the correctness of the specifications, the certificate itself is digitally signed by a trustworthy certification body.
[0116] The receiver of a digitally signed document can check the signature via an indirection step as follows, if the public key of the certification body is known to him: The certificate of the supposed signatory is checked using the public key of the certification body. In case of success, the signature of the document is subsequently checked using the public key from the certificate.
[0117] If this check is also successful, the signature can thus be associated with the subject specified in the certificate.
[0118] The advantage which results from this indirection step is that only the public key of the certification body has to be known to the receiver of signed documents in order to be able to check digital signatures for all signatories for which this body has issued certificates.
[0119] This chain can be extended by issuing certificates for trustworthy certification bodies. This chain of trust finally ends at a trust anchor, represented by the public key of the trustworthy certification body superior to all of these. Such a hierarchy of certification bodies is referred to as a public key infrastructure.
[0120] A widespread format for digital certificates is defined in the ITU-T standard X.509. A widespread public key infrastructure (PKI) is the Internet PKI, whose profile of X.509 certificates and revocation lists is defined in IETF RFC 5280, used for authenticating communication peers on the Internet.
[0121] As shown in
[0123] The features for identification of the different operators are managed by a central and trustworthy certification body (for example, the producer of the terminal), which represents the so-called trust anchor. This body allocates an individual feature to each operator. This feature for identification of the operator is stored as an extension in a digital certificate, which is signed by the certification body. The operator is the owner of the private key whose public key is contained in the digital certificate, and can therefore prove possession of the feature for identification by means of the private key. In this way the trustworthy certification body authorizes an operator to perform changes on the configuration of a POS terminal, and at the same time ensures that no other operator can subsequently perform changes on the configuration of that POS terminal. Moreover, the description of the granted rights for changing specific properties of the configuration (for example, applications, cryptographic keys, or runtime parameters) is stored in a certificate, and therefore the operator can use different keys for different configurable properties.
[0125] The trustworthy certification body can also operate and authorize further certification bodies to manage rights for changing individual configurable properties separately.
[0126] In a further embodiment of the invention, indirection steps may be introduced by the trustworthy certification body authorizing further trustworthy bodies (for example, system integrators), to manage a subset of features for identification of the different operators. These can in turn authorize further trustworthy bodies to manage a partial set of their subset of features, and therefore a hierarchical tree structure arises. To depict this structure in the feature for identification of different operators, for example, the format of an object identifier (4.36.13) can be used. In this case, the first number describes the trustworthy certification body. The second number describes the authorized body located underneath (for example, the system integrator) and is managed by the trustworthy certification body. The last number describes the operator and is managed by the authorized body located above it (for example, the system integrator).
[0127] The trustworthy certification body can also enable the authorized bodies (for example, the system integrators) to operate several of their own bodies, in which each of these trustworthy bodies in turn manage rights for changing different configurable properties. The certificate of these trustworthy bodies thus includes, in addition to the features for identification of the operator, also the granted rights (for example, for introducing applications or cryptographic keys), which this body manages.
[0129] Participating in this example are: the operator of a system for processing cashless payment procedures (referred to as the payment system hereafter), a system integrator who implements the payment system on the operator's order, the terminal producer who supplies POS terminals to the system integrator, and such a POS terminal.
[0130] The operator orders the system integrator to implement a payment system, which is to be operated in future by said operator.
[0131] The system integrator decides to integrate POS terminals of the terminal producer in the implementation of the payment system. He orders a new operator feature for the operator from the terminal producer.
[0132] The terminal producer checks by telephone conversation with the operator whether the system integrator is authorized to request an operator feature in the name of the operator. According to the present example, this is the case.
[0133] The terminal producer generates a new unique operator feature and introduces it together with the contact data of the operator and the system integrator into a centrally controlled register of allocated operator features.
[0134] The terminal producer communicates the allocated operator feature to the system integrator.
[0135] The system integrator communicates the operator feature to the operator.
[0136] The system integrator generates a key pair in a secure device for signing applications and exports the public key.
[0137] The system integrator orders, at the terminal producer, the issuance of a certificate having the following attributes: [0138] as the subject: identification data of the system integrator; [0139] as the authorization: change applications; [0140] the allocated operator feature; [0141] said public key of the device for signing applications.
[0142] The terminal producer checks by telephone conversation with the operator whether the system integrator is to be authorized to introduce applications into POS terminals of the operator. In the present example, this is the case.
[0143] In his role as certification body for devices for signing applications, the terminal producer issues the ordered certificate having the following attributes: [0144] as the publisher: identification data of the certification body; [0145] as the subject: identification data of the system integrator; [0146] as the authorization: change applications; [0147] the operator feature of the operator; [0148] the public key of the device for signing applications; [0149] a signature over the above attributes, prepared by means of the private key of the certification body.
[0150] The issued certificate and the certificate of the certification body for devices for signing applications are transferred by the terminal producer to the system integrator.
[0151] The system integrator imports the two certificates into the device for signing applications.
[0152] The system integrator signs the payment application, which is to be installed on the POS terminal to implement the payment system, using the device for signing applications.
[0153] In this example, the system integrator has a stock of POS terminals new from the factory of the terminal producer in his warehouse. He takes a POS terminal out of the warehouse, integrates it into the payment system and imports the following files: [0154] the certificate of the certification body for devices for signing applications; [0155] the certificate of the device for signing applications; [0156] the signed application.
[0157] The POS terminal starts the process for introducing or updating applications. Firstly, it checks the signature of the certificate of the certification body using the public key of the trust anchor, which is present in integrity-protected form in the POS terminal. In the present example, this check is successful.
[0158] The POS terminal checks the signature of the certificate of the device for signing applications using the public key from the certificate of the certification body. In the present example, this check is successful.
[0159] The POS terminal checks whether the certificate of the device for signing applications has the authorization change applications. In the present example, this check is successful.
[0160] The POS terminal checks whether it is already bound to an operator. That is to say, whether an operator feature has already been introduced. Since it is a POS terminal new from the factory, this is not the case in the present example.
[0161] The POS terminal extracts the operator feature from the certificate of the device for signing applications and introduces it into an integrity-protected nonvolatile memory. The POS terminal is bound to the operator by this procedure.
[0162] The POS terminal checks the signature of the application using the public key from the certificate of the device for signing applications. In the present example, this check is successful. The POS terminal installs the application.
[0163] The operator generates a key pair in a secure device for introducing cryptographic keys and exports the public key.
[0164] The operator orders, with the terminal producer, the issuance of a certificate having the following attributes: [0165] as the subject: identification data of the operator; [0166] as the authorization: introduce keys; [0167] the allocated operator feature; [0168] said public key of the device for introducing cryptographic keys.
[0169] The terminal producer checks on the basis of the central register whether the operator feature from the certificate order is associated with the operator. In the present example, this is the case.
[0170] In his role as the certification body for devices for introducing cryptographic keys, the terminal producer issues the ordered certificate having the following attributes: [0171] as the publisher: identification data of the certification body; [0172] as the subject: identification data of the operator; [0173] as the authorization: introduce keys; [0174] the operator feature of the operator; [0175] the public key of the device for introducing cryptographic keys; [0176] a signature over the above attributes, created by means of the private key of the certification body.
[0177] The issued certificate and the certificate of the certification body for devices for introducing cryptographic keys are transferred from the terminal producer to the operator.
[0178] The operator imports the two certificates into the device for introducing cryptographic keys.
[0179] The operator signs a key block, which is to be installed on the POS terminal for confidential communication between operator and POS terminal, using the device for introducing cryptographic keys.
[0180] The operator transfers the following files to the POS terminal: [0181] the certificate of the certification body for devices for introducing cryptographic keys; [0182] the certificate of the device for introducing cryptographic keys; [0183] the signed key block.
[0184] The POS terminal starts the process for introducing cryptographic keys. Firstly, it checks the signature of the certificate of the certification body using the public key of the trust anchor, which is provided in integrity-protected form in the POS terminal. In the present example, this check is successful.
[0185] The POS terminal checks the signature of the certificate of the device for introducing cryptographic keys using the public key from the certificate of the certification body. In the present example, this check is successful.
[0186] The POS terminal checks whether the certificate of the device for introducing cryptographic keys has the authorization introduce keys. In the present example, this check is successful.
[0187] The POS terminal checks whether it is already bound to an operator. That is to say, whether an operator feature has already been introduced. At this point of the example, this is the case.
[0188] The POS terminal extracts the operator feature from the certificate of the device for introducing cryptographic keys. It checks whether the operator feature corresponds to the already introduced operator feature. In the present example, this is the case.
[0189] The POS terminal checks the signature of the key block using the public key from the certificate of the device for introducing cryptographic keys. In the present example, this check is successful.
[0190] The POS terminal imports the cryptographic keys. The POS terminal is thereby put into operation.
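The procedure walked through in [0129] to [0190], together with the certificate-chain check of [0113] to [0120] and the operator feature and granted right stored as certificate extensions ([0123]), as one added Go example; this is illustration written for this page, not code from the patent or its applicant. It assumes Ed25519 keys and X.509 certificates built with Go's standard library, two private-arc OIDs chosen here for the feature and right extensions, the producer's trust anchor and its subordinate certification body modelled as two certificates, and constructed byte strings in place of the application image and key block. One deliberate departure from the description: the terminal verifies the payload signature before it binds itself to the operator feature, so a rejected first introduction leaves a factory-fresh terminal unbound.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical private-arc OIDs for the operator feature and the granted right (not registered).
var (
	oidFeature = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
	oidRight   = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 2}
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a key pair and certifies it with signer; a nil parent yields the self-signed
// trust anchor. Leaf certificates carry the operator feature and the granted right as extensions.
func issue(cn string, ca bool, feature, right string, parent *x509.Certificate,
	signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(pub, err)
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject: pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidFeature, Value: must(asn1.Marshal(feature))},
			{Id: oidRight, Value: must(asn1.Marshal(right))}}
	}
	if parent == nil {
		parent, signer = tmpl, priv // self-signed trust anchor
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der)), priv
}

// extension returns the string stored under oid; "" if absent or malformed (callers reject "").
func extension(c *x509.Certificate, oid asn1.ObjectIdentifier) (s string) {
	for _, e := range c.Extensions {
		if e.Id.Equal(oid) {
			asn1.Unmarshal(e.Value, &s)
		}
	}
	return s
}

// Terminal is the integrity-protected state of one POS terminal.
type Terminal struct {
	Anchor  *x509.Certificate // producer trust anchor, present from production
	Feature string            // bound operator feature; "" while factory-fresh
}

// introduce performs the checks of [0157]-[0162] / [0184]-[0190]: chain to the trust anchor,
// granted right, operator binding, payload signature (checked before binding, unlike the text).
func (t *Terminal) introduce(leaf *x509.Certificate, cas []*x509.Certificate, right string, payload, sig []byte) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(t.Anchor)
	for _, c := range cas {
		inters.AddCert(c)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if got := extension(leaf, oidRight); got != right {
		return fmt.Errorf("certificate grants %q, operation needs %q", got, right)
	}
	feature := extension(leaf, oidFeature)
	if feature == "" || (t.Feature != "" && t.Feature != feature) {
		return fmt.Errorf("operator feature %q rejected, terminal bound to %q", feature, t.Feature)
	}
	if pub, ok := leaf.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, payload, sig) {
		return fmt.Errorf("payload signature invalid")
	}
	t.Feature = feature // binds a factory-fresh terminal; no-op once bound
	return nil
}

// scenario replays the worked example and adds a second operator's attempt on the bound terminal.
func scenario() (bound string, appErr, keyErr, foreignErr error) {
	anchor, anchorKey := issue("Terminal producer trust anchor", true, "", "", nil, nil)
	ca, caKey := issue("Producer CA for operator devices", true, "", "", anchor, anchorKey)
	si, siKey := issue("SI application-signing device", false, "4.36.13", "change applications", ca, caKey)
	op, opKey := issue("Operator key-introduction device", false, "4.36.13", "introduce keys", ca, caKey)
	other, otherKey := issue("Another operator's key device", false, "4.36.14", "introduce keys", ca, caKey)
	t, cas := &Terminal{Anchor: anchor}, []*x509.Certificate{ca}
	app, keys := []byte("constructed payment application image"), []byte("constructed signed key block")
	appErr = t.introduce(si, cas, "change applications", app, ed25519.Sign(siKey, app))
	keyErr = t.introduce(op, cas, "introduce keys", keys, ed25519.Sign(opKey, keys))
	foreignErr = t.introduce(other, cas, "introduce keys", keys, ed25519.Sign(otherKey, keys))
	return t.Feature, appErr, keyErr, foreignErr
}

func main() { fmt.Println(scenario()) }
```

The third introduction is the one the patent is about: the other operator's device holds a certificate that chains to the same trust anchor and carries the right "introduce keys", yet the terminal refuses it because the operator feature in that certificate is not the one it was bound to on first use. Note that the right is compared against the operation being attempted, not merely checked for presence, so a certificate issued for changing applications cannot load keys.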