WO2001090858A1 - Mobile information storage and communication device and method of communication - Google Patents

Publication number
WO2001090858A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
memory locations
information
records
host computer
Application number
PCT/SE2001/001096
Other languages
French (fr)
Inventor
Jacob EHRENSVÄRD
Original Assignee
Cypak Ab
Application filed by Cypak Ab
Priority to JP2001587185A
Priority to EP01934750A
Priority to AU2001260903A
Publication of WO2001090858A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G06F21/35 User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/327 Short range or proximity payments by means of M-devices

Definitions

  • the present invention relates to an electronic mobile data communication device for storing information related to a holder of the device and communicating such information to a requester such as a host computer in a data network.
  • the device can be regarded as a mobile data carrier or "token" device (TD) having different non-volatile memory locations and input means to control access to these memory locations.
  • the device further comprises a wireless transceiver interface to allow bi-directional communication with a host application running either on a local computer or in a multi-tier environment, where the client application is controlled by a server application running at a Service Provider (SP).
  • SP Service Provider
  • the terminal device is equipped with a transceiver interface connected to an I/O port, allowing a software application to communicate with the TD bi-directionally.
  • the memory locations included in the TD can be characterized as having different purposes and attributes:
  • Fixed static storage that cannot be altered after personalization of the TD. These locations may include fixed information like a world-unique TD identifier, a user name, nationality, sex, weight, length, hair color, i.e. passport information, programmed by the TD issuer. In addition to this, other fixed information may be included, such as licenses, including flight certificate, drivers license, haulers/carrier license etc.
  • a device is also capable of creating a "digital signature" for each transaction being performed.
  • An irreversible hashing algorithm using the binary representation of the information being transferred and the key retrieved from the TD can form such a digital signature, which can be used by the SP to verify that the transferred information is intact and signed by an authorized user.
  • a token device can also take other forms.
  • it can be manufactured to be integrated into a package such as a cardboard box, a courier pack, ticket, voucher etc.
  • Figs. 6 and 7 show diagrammatic, functional arrangements of respectively a card reader 60 and the card/device 10, whereas Fig. 8 shows specific components of the combined system.
  • the capacitive patches 40, 42, 44 of the card 10 will come into registration with corresponding capacitive patches 40b, 42b, 44b facing the patches 40, 42, 44 in close proximity when the card 10 is located on the receiving surface 62 (Fig. 2).
  • the card 10 and the card reader 60 will then form a capacitive circuitry which is capable of supplying electric power to the circuitry of the card 10 and exchanging digital data between the card 10 and the card reader 60 as follows:
  • a sample session may be executed as:
  • the TD transfers the ID, index 258 and the value 6210CBD4 back to the SP.
  • a key aspect of the invention is that there is no way of retrieving or modifying the PIN using the external interface. This implies that even if fraudulent knowledge of a TD's PIN is present, it is by no means possible to remotely retrieve information from a TD without having the physical TD. The possibility of a valid TD holder retrieving information from the TD in a fraudulent way can of course never be prevented. Since the security and integrity of the system must not rely on some parts of the technology and algorithms being kept strictly secret, it can be expected that third-party drivers, including fraudulent ones, will be developed that, from the application's point of view, act as if a physical TD were connected; there must therefore be a secure way of qualifying retrieved or written information as authentic.
  • the device 10' is integrated in a software CD package 11' that can be placed on the capacitive reader interface 60.
  • the capacitive interface 60 is connected to the serial port of a personal computer 68.
  • the capacitive interface may alternatively be a small device such as the interface 60 in Fig. 2 having a cavity matching the physical shape of the device 10.
  • a different navigation scheme can be established, thereby automatically directing the user to different locations depending on the physical state of the product.

Abstract

An electronic mobile data communication device for storing information related to a holder of the device and communicating such information to a requester in a data network via a host computer. The device comprises electric energy supply means, data input means, data processing means, data storage non-volatile memory means and data transceiver means in operative connection. The data storage means has a number of programmable memory locations for storing the information to be communicated as a structured collection of data. On acknowledgement by the holder, the transceiver means, is adapted to automatically transmit selected pieces of the data to the requester.

Description

MOBILE INFORMATION STORAGE AND COMMUNICATION DEVICE AND METHOD OF COMMUNICATION
Field of the invention
The present invention relates to an electronic mobile data communication device for storing information related to a holder of the device and communicating such information to a requester such as a host computer in a data network.
BACKGROUND OF THE INVENTION
The fabulous growth of the Internet has raised several concerns about the handling of private and secret information. It is a general understanding that there must be a balance between usability and security, where most attempts to increase the security generally give a trade-off in terms of usability. The development of technologies allowing download and invocation of scripts and applications on a remote computer increases usability of services. However, this development also creates security problems, so that remote sites may be able to retrieve private information from a client's hard disk without the user actually noticing that something fraudulent is going on. A related threat is the spread of viruses, where apart from direct damage, virus code may, from the user's perspective, reside silently in the background and intercept secret usernames, passwords and credit card numbers from user dialogues. This information can then be processed and automatically transferred to an alien site. As Internet services are generally location independent, a remote playback of recorded information from an alien site gains access to the same resources as the valid user.
As the usage of the Internet further grows, and more and more inexperienced users start using more and more advanced services, security and privacy need to be taken more seriously. One aspect is authentication, where the general problem at the service end is to positively identify an individual at a remote location. The general approach is a login procedure, where the service provider prompts the user for a user identity and a password. A more sophisticated method is to use a challenge-response scheme, where the service provider challenges the user with a code, which differs from time to time, and the user must then pass back a response, which is unique to each challenge. This method also includes usage of single use codes, where the user initially has been supplied with a set of secret random codes, known only by the service provider and the user.
A second aspect is digital signatures, where a recipient of information needs a replacement for a hand-written signature and to positively identify the information integrity, where a fraudulent modification of the information can be detected.
A third aspect is privacy in terms of visibility, where some applications require encryption of the information passed between a sender and a recipient. The encryption key must be known by the sender and the recipient only. In order to increase the strength of the encryption, the key can be changed over time, ultimately for each new session.
A fourth aspect is privacy in terms of accessibility, where the access to private personal data needs to be controlled. Depending on the user's personal security preferences, different types of information may have different security attributes for read and write access. Even if most operating systems include some access security, information stored on a local hard disk is generally accessible for both reading and writing when a user is logged in.
A fifth aspect is mobility, where the user moves between different computers, including mobile terminals. Personal information, including secret keys and passwords, generally resides on a computer's fixed storage, i.e. the hard disk. It is generally not feasible to move this information between different locations, and there is also the problem of keeping data in different locations synchronized. A related concern is the security problem, which arises when secret information is stored in a non-movable media.
A sixth aspect is session termination, where a login procedure generally distinguishes between being on-line or off-line. A common concern is the case when a user has logged in to a service and performed some desired action and then leaves the computer without having performed a logout action. A visible metaphor is a car, where the start procedure turns the engine on and makes the car usable. When the key is removed, the engine stops and the car is unusable. If the car is left with the key in and the engine on, anyone can steal it and drive away.
It would be desirable to address these concerns without seriously affecting the usability and accessibility, which both are the key to the acceptance of the Internet and the usage of personal computers.
The growth of the Internet and the wide public acceptance of browsing around different sites have also created a myriad of different ways for the site owners to gain information about a specific user attending their services. In order to access information, vendors and service providers often prompt the user to enter personal information on a series of forms. Often the user then gets a username and a password and is then entitled to visit the same site again, this time possibly to a personalized environment, like a "personal homepage". At some sites, such environment includes rights to order products or services either to be billed or the payment withdrawn from a credit card account.
This ends up being a big obstacle for both the user and the service provider. The users generally find this process time-consuming and complicated, thereby creating a barrier to perform an impulse action, since the "click and go" procedure is lost. In addition thereto, the user ends up with a large set of different usernames and passwords, as most sites cannot accept the users' personal preferences. From the service provider's point of view, there is no general way of positively determining whether the entered information is authentic, and the user database quickly fills up with both duplicates and "Mr. Donald Duck" records. Another aspect is that there is no general way of maintaining user persistence, i.e. identifying, keeping settings and redirecting a user revisiting a site. The commonly used method of storing "cookies", i.e. small files on the client computer, ends up being an obstacle, since the cookie files get lost and mobile users tend to access the same site from different locations.
Large application systems present a challenge in terms of usability for the end-user, where navigation between different software modules and applications tends to be complex to grasp and navigate. Older types of mainframe based applications are generally organized as a tree-structure, where different menu forms are used to direct the user to the application module performing the desired action.
The recent explosion in terms of availability and usage of the Internet presents another challenge. Although experienced users find it appropriate to enter a Uniform Resource Locator (URL) address like http://www.microsoft.com/insider/access2000/default.htm, this is generally considered as painstaking, especially for an inexperienced user. The possibility of typing a specified URL incorrectly or simply finding the task too complicated can be considered as an obstacle for attracting visitors to a particular site or service.
Another aspect is the growing number of manufacturers providing support for their products on the Internet, where each product has an URL containing product information, support, software updates, drivers etc. On product packaging, CD-ROMs, registration forms, etc, a URL is generally present to obtain support about the product. It is an obvious obstacle for the end-user to start the Internet browser, accurately enter an URL and finally register the product to gain access to the support site.
The physical state of a product may be used to direct an end user to different applications or URLs. A product which has not been paid for in a store, not been opened, been tampered with, been negatively affected by transportation etc., may provide valuable feedback for the manufacturer, at the same time as its state properties may allow a support environment to change its behavior based thereupon.
A simple user-friendly form on a packaging itself may be used to manually enter some variables in the same way a traditional paper form is being used. A simple keypad incorporated in a packaging may be used to direct the user to an appropriate support site, customer feedback form, upgrade site, advertisement etc. There is further a general demand for establishing a customer to manufacturer relationship to handle support and after-sales activities. As today's Internet users and e-commerce customers do not establish a relation to a single shop or vendor, it would be desirable to be able to create a link, where the customer gets an easy way of contacting the vendor and attending the personal web-site, where manual or automated feedback about a product's usage can be exchanged. Further promotions from the vendor can then be performed to the customer.
Objects of the invention
An object of the invention is to provide a small, portable, application- and workstation-independent low-cost device which is capable of storing information related to a holder/owner of the device in a well-defined manner, and capable of readily communicating a selection of this information to a requester in a data network. The requester would typically be a service provider in the network, for example on the Internet, but could also be the owner oneself retrieving personal information stored in the device to a personal computer.
Another object of the invention is to provide a mobile data communication device that is capable of carrying and readily communicating a number of single use secret codes to securely authorize or entitle a service from a service provider. The secret codes could be used in producing digital signatures on information stored in or external to the device and communicated between the holder and service provider. The secret codes could also be used to encrypt the information to be communicated.
Still another object of the invention is to provide a mobile and low-cost data communication device which is capable of storing locations in a data network, such as URLs on the Internet, and is capable of readily accessing these locations in an automated manner.
SUMMARY OF THE INVENTION
According to one aspect of the present invention there is provided an electronic mobile data communication device for storing information related to a holder of the device and communicating such information to a requester such as a host computer in a data network. The device has electric energy supply means, data input means, data processing means, data storage non-volatile memory means and data transceiver means in operative connection. The data storage means has a number of programmable memory locations for storing said information as a structured collection of data, and the data transceiver means, when initialized by the holder, is adapted to automatically transmit selected pieces of said data to said requester.
From another point of view the device can be regarded as a mobile data carrier or "token" device (TD) having different non-volatile memory locations and input means to control access to these memory locations. The device further comprises a wireless transceiver interface to allow bi-directional communication with a host application running either on a local computer or in a multi-tier environment, where the client application is controlled by a server application running at a Service Provider (SP). The terminal device is equipped with a transceiver interface connected to an I/O port, allowing a software application to communicate with the TD bi-directionally. The memory locations included in the TD can be characterized as having different purposes and attributes:
1. Fixed static storage that cannot be altered after personalization of the TD. These locations may include fixed information like a world-unique TD identifier, a user name, nationality, sex, weight, length, hair color, i.e. passport information, programmed by the TD issuer. In addition to this, other fixed information may be included, such as licenses, including flight certificate, drivers license, haulers/carrier license etc.
2. User defined static data that are alterable by the TD holder only. These data may include information such as current address, e-mail address, telephone number, nickname etc.
3. Service provider defined static data that are alterable by a service provider only. Means of deleting — but not altering — such information may be included.
4. A general-purpose read/write location, alterable by both the SP and TD.
5. A tag owner database, where each entry stored in the memory array is tagged with a tag identifier and a link to this database.
Each stored tag can be queried from the application program running in the connected computer. The user can assign different security attributes on each tag and for each entry in the tag owner database, depending on the privacy and security concern for each particular combination of tag and owner. The meaning of the tags is to be defined by a central tag authority, thereby enabling a public use of them. There may also be some tag owner specific tag IDs, where only the tag owner knows the meaning. Each tag may also keep a timestamp when it expires.
Although a timestamp can be specified not to expire at all, the administrative task of keeping track of which tags to keep when the storage space is about to be exhausted is left to the TD owner. The TD owner can at any time delete a specific tag, or all tags owned by a specified tag owner. For fixed tags, the rules may apply differently.
When a host application queries the TD for a particular tag, the TD checks the security attribute for the tag. If the tag is programmed as "not free", the TD alerts the requesting application to prompt the user to acknowledge the request to retrieve the particular tag(s). The user then performs the acknowledgement by using the input means on the TD, thereby achieving a security that cannot be tampered with in the local application.
Although the information storage is secured by software means, it can be considered that some users will find an extra relief in the emotional feeling that the removal of the TD from the interface physically inhibits further information retrieval and modification.
From still another point of view the device according to the invention is capable of performing secure transactions, where a SP needs to verify if a desired action is authentic. A device according to the invention is capable of keeping a storage of single-use keys to perform encryption. An application in the terminal retrieves keys from the TD, where each new encryption uses a unique set of keys, known only by the TD and the SP.
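The tag query with holder acknowledgement described above can be sketched as follows. This is an added example, not code from the patent: the names `TagStore`, `Tag`, `keypad_ack`, the `"free"` label and the status strings are assumptions, and the sample tags are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

FREE = "free"          # assumed label for tags released without confirmation
NOT_FREE = "not free"  # the page's term for tags needing the holder's acknowledgement


@dataclass
class Tag:
    owner: str                     # entry in the tag owner database
    tag_id: int
    value: str
    attribute: str = NOT_FREE      # default to the restrictive attribute
    expires: Optional[int] = None  # None means the tag never expires


class TagStore:
    """Models the TD side. The host can only call query(); the decision to
    release a "not free" tag is taken from the TD's own input means."""

    def __init__(self, keypad_ack: Callable[[str, int], bool]):
        self._tags: Dict[Tuple[str, int], Tag] = {}
        # Stands in for the holder pressing a key on the TD itself.
        self._keypad_ack = keypad_ack

    def store(self, tag: Tag) -> None:
        self._tags[(tag.owner, tag.tag_id)] = tag

    def query(self, owner: str, tag_id: int, now: int) -> Tuple[str, Optional[str]]:
        key = (owner, tag_id)
        tag = self._tags.get(key)
        if tag is None:
            return ("absent", None)
        if tag.expires is not None and now >= tag.expires:
            del self._tags[key]          # expired tags free their storage
            return ("expired", None)
        # No host-supplied "acknowledged" flag exists: a tampered local
        # application cannot assert the acknowledgement on the holder's behalf.
        if tag.attribute != FREE and not self._keypad_ack(owner, tag_id):
            return ("denied", None)
        return ("ok", tag.value)

    def delete_owner(self, owner: str) -> int:
        """Holder deletes all tags of one tag owner; returns how many."""
        doomed = [k for k in self._tags if k[0] == owner]
        for k in doomed:
            del self._tags[k]
        return len(doomed)


def run_demo():
    # Constructed keypad input: the holder ignores the first prompt, confirms the second.
    presses = iter([False, True])
    td = TagStore(lambda owner, tag_id: next(presses))
    td.store(Tag("shop.example", 1, "nickname=jd", attribute=FREE))
    td.store(Tag("shop.example", 2, "email=holder@example.org"))
    td.store(Tag("shop.example", 3, "voucher=A1", attribute=FREE, expires=1000))
    return [
        td.query("shop.example", 1, now=500),   # free tag, no keypad involved
        td.query("shop.example", 2, now=500),   # not free, holder did not confirm
        td.query("shop.example", 2, now=500),   # not free, holder confirmed
        td.query("shop.example", 3, now=1000),  # past its timestamp
        td.query("shop.example", 3, now=1000),  # already purged
        td.delete_owner("shop.example"),        # remaining tags 1 and 2
    ]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```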
A device according to the invention is also capable of creating a "digital signature" for each transaction being performed. An irreversible hashing algorithm, using the binary representation of the information being transferred and the key retrieved from the TD can form such a digital signature, which can be used by the SP to verify that the transferred information is intact and signed by an authorized user.
A device according to the invention is further capable of governing a timed usage of a service, where each "logon" procedure marks a key value as used. When all keys in the TD have been used, the authentication fails and the service usage expires. A metaphor is the ticket or "telephone-card", where the usage and physical marking of the ticket is represented by the invalidation of each key index entry. There may be applications where each key entry represents a specific option available for download. After one option has been used once, it cannot be used again. Value added vouchers, often included in software packages or music recordings, allow retrieval of an option or a future upgrade to authentic users.
Counterfeiting and the obstacles involved with the current paper based methods can easily be automated and made secure.
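The single-use key signature and the expiry of the key store described above, as an added example that is not part of the patent text. HMAC-SHA256 stands in for the unspecified "irreversible hashing algorithm"; the names `KeyToken` and `ServiceProvider`, the key table layout and the sample keys and payloads are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


def sign(key: bytes, payload: bytes) -> str:
    # Keyed hash over the binary representation of the transferred information.
    # HMAC-SHA256 is a stand-in; the page does not name an algorithm.
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class KeyToken:
    """TD side: a table of single-use keys, each consumed by one transaction."""

    def __init__(self, td_id: str, keys: List[bytes]):
        self.td_id = td_id
        self._keys = list(keys)
        self._next = 0                      # every index below this is marked used

    def sign_transaction(self, payload: bytes) -> Optional[Tuple[str, int, str]]:
        if self._next >= len(self._keys):
            return None                     # all keys used: the service usage has expired
        index = self._next
        self._next += 1                     # mark as used before anything leaves the TD
        return (self.td_id, index, sign(self._keys[index], payload))


class ServiceProvider:
    """SP side: holds the same keys and invalidates each index once accepted."""

    def __init__(self) -> None:
        self._db: Dict[str, Dict[int, bytes]] = {}

    def enroll(self, td_id: str, keys: List[bytes]) -> None:
        self._db[td_id] = dict(enumerate(keys))

    def verify(self, td_id: str, index: int, payload: bytes, signature: str) -> str:
        keys = self._db.get(td_id, {})
        key = keys.get(index)
        if key is None:
            return "rejected: key index unknown or already used"
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(sign(key, payload), signature):
            return "rejected: signature mismatch"
        del keys[index]                     # a recorded message cannot be played back
        return "accepted"


def run_demo():
    keys = [secrets.token_bytes(16) for _ in range(2)]   # constructed sample keys
    td = KeyToken("TD-0001", keys)
    sp = ServiceProvider()
    sp.enroll("TD-0001", keys)
    order = b"pay 10 EUR to merchant 42"                 # constructed payload
    results = []

    td_id, index, sig = td.sign_transaction(order)
    results.append(sp.verify(td_id, index, order, sig))  # genuine transaction
    results.append(sp.verify(td_id, index, order, sig))  # playback of the same message

    td_id, index, sig = td.sign_transaction(order)
    altered = b"pay 99 EUR to merchant 42"
    results.append(sp.verify(td_id, index, altered, sig))  # payload modified in transit
    results.append(sp.verify(td_id, index, order, sig))    # untouched message still valid

    results.append(td.sign_transaction(order))           # key store exhausted
    return results


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

A failed verification deliberately leaves the key index valid, so a third party submitting garbage under a known index cannot burn the holder's remaining keys.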
A device according to the invention, closely linked to the aspect above, addresses one common method of protecting software, where small devices, "dongles", are connected to an I/O port of the computer and the application software searches for the presence of the dongle in order to start or perform some desired action. This is a big obstacle for the user, since these dongles generally interfere with the ordinary usage of the I/O port. Also, functional problems generally arise when multiple dongles, particularly from different vendors, are attached. Another obstacle is the physical location of the I/O ports, which makes it impractical to move the dongle between different computers.
A token device according to the invention can also take other forms. For example, it can be manufactured to be integrated into a package such as a cardboard box, a courier pack, ticket, voucher etc.
A navigation device according to the invention, an access token device, in its most basic form, has a pre-programmed URL. When the token is placed on a transceiver interface connected to an ordinary personal computer, an installed driver launches a browser application and navigates to this predetermined URL.
In an enhanced form, the access token is provided with input means, which may include a keyboard or touch-sensitive graphic images or electronic circuits, registering the state of a package.
Depending on the state of the input means, the navigation process can be controlled to switch between different pre-programmed URLs.
The access token contains a world-unique identifier, such as a 64-bit number. In addition, there is a read/write memory area, which can be altered from the host application.
The navigation process can be performed in three different ways:
1. The server application receives the identity and the state of the token and/or input means to determine which URL or application to launch.
2. The client application or browser receives the state of the token and/or input means to determine which URL or application to launch.
3. The TD keeps a list of URLs. Depending on the state of the token and/or input means the TD transmits different URLs to the browser.
In summary, the invention provides a convenient device and a method for the management of personal data, addressing mobility and privacy concerns, enabling information to be carried between multiple locations as well as the ability to physically hold the information in a secure place when needed.
BRIEF DESCRIPTION OF THE DRAWINGS
Fig. 1 is a front view with parts broken away of a transaction card according to the invention;
Fig. 2 is a diagrammatic view showing a transaction card according to Fig. 1 in communication with a service provider in a network;
Fig. 3 shows a first layer printed onto a bottom lamina of a transaction card according to the invention and including capacitive conductor patches;
Fig. 4 shows a second layer printed onto the first layer of the bottom lamina and including an insulating patch;
Fig. 5 shows a third layer printed onto the second layer of the bottom lamina and including electric circuits;
Fig. 6 is a functional diagram of a transaction terminal according to the invention;
Fig. 7 is a functional diagram of a transaction device according to the invention; and
Fig. 8 is a block and circuit diagram of a system including a transaction terminal and a transaction device according to the invention.
Fig. 9 diagrammatically depicts components of a device according to the invention;
Fig. 10 diagrammatically shows a device according to the invention in communication with a personal computer;
Fig. 11 shows a database table representation of a portion of a non-volatile memory of the device;
Fig. 12 shows a table explaining the data field shown in Fig. 4;
Fig. 13 shows table representations of another portion of a memory of the device and of a service provider; and
Fig. 14 shows a device according to the invention incorporated in a package provided with input means and adapted for communication with a service provider.
DESCRIPTION OF THE PREFERRED EMBODIMENTS
A preferred embodiment of a mobile low-cost electronic token device according to the invention is shown in Figs. 1 through 5. Although the device can be implemented in objects having virtually any shape, such as a badge, cardboard box or a CD envelope, a convenient standardized format is the physical shape of an ISO 7811 credit card having integrated electronics. The card 10 may optionally be provided with a magnetic strip (not shown) and an embossed text field to be approved for use as a conventional credit card.
As is apparent from Fig. 1, the card 10 is preferably composed of three laminated sheets 12, 18, 24, preferably of polyester plastics material and having a combined thickness of about 0.8 mm, i.e. the thickness of the conventional credit card.
In the preferred embodiment the card is provided with input means including a keypad 14, data storage and processing means including an integrated circuit (IC) 50, and transceiver/energy supply means including a capacitive transceiver or bi-directional transmitter 38, parts of which are shown in Figs. 6 through 9. While the input means is shown and described as a keypad, it may well be a biometric sensor, such as a fingerprint reader (not shown). Although there are established standards around so called "Smart Cards", where the connection to a host computer interface uses a galvanic connection, in the preferred embodiment the capacitive interface is used. By using a capacitive interface, the card can be made sealed with no sensitive parts accessible by the user, whereas for traditional Smart Cards, mechanical degradation, dirt, grease and corrosion of contact pads is a major obstacle.
The keypad 14, which is suitably located at an upper part of the card front face, has twelve keys for manual entry of numbers 0-9 as well as "Enter" and "Clear" commands. The keypad 14 is preferably a membrane-type keypad that is embedded in the card 10. More precisely, the thin resilient polyester plastic material of the top sheet 12, having printed key symbols on its front face, constitutes the keypad key membranes. On the bottom inside face of the top sheet 12 electrically conductive switch pads 16 are printed. The intermediate sheet 18 functions as a spacing layer having circular recesses 20 in register with the switch pads 16 and also having a rectangular recess 22 housing IC 50. The bottom sheet 24 has an uppermost printed circuit layer 26 (see also Fig. 4) including switch areas 28 in register with the switch pads 16 and the circular recesses 20. The arrangement is such that when a cardholder presses a key on the keypad 14, the corresponding conductive switch pad 16 overbridges the space of about 0.5 mm formed by the corresponding recess 22 and comes into contact with a registering switch area 28. A corresponding electric circuit 32, which is normally broken by a dense pattern of conductors 30 camming into each other in the switch area 28, is thereby closed. Each electric circuit 32 is connected to the IC 50 via printed connector patches of a connecting interface 54.
As mentioned above, the printed circuit layer 26 forms a top layer in the bottom sheet 24. As indicated in Figs. 5 and 6, the inside of the bottom sheet 24 has two underlying additional printed layers, namely a printed electrically insulating intermediate layer 34 and a printed capacitive bottom layer 36. The bottom layer 36, which forms a part of the capacitive transceiver 38 (Fig. 9) to be later described, comprises three capacitive patches 40, 42, 44 which are electrically connected to the IC 50 via printed connector patches 46, 47, 48. These are in turn connected to connector patches 56, 58, 58 of the connecting interface 54 (Fig. 4) when the top circuit layer 26 is printed onto the insulating intermediate layer 34.
In a manner well known in the art and to be later closer described, the IC 50 has data storage, processing and input/output means designed for the particular purpose and for use of the card as a transaction device. Fig. 2 shows a transaction card 10 ready for use, placed on a Card Interface (CI) comprising a capacitive close proximity transceiver in the shape of a card reader 60.
The card reader 60 has a card-receiving surface 62 onto which the card 10 is placed to communicate with a requester or a Service Provider (SP) 72, which in turn is capable of communicating with the card reader via a network 70 and a Transaction Terminal (TT) 68 connected to the card reader 60 by a cable 66. The shown card reader 60 has also a display 64 for prompting necessary actions during a communication process. A database 74 of the SP 72 stores information that can be used in communication with a large number of devices 10 according to the invention.
The connection between TT 68 and SP can either be continuous or intermittent. The TT 68 can either be specially designed for the purpose or be a standard personal computer including a portable computer, PDA (Personal Digital Assistant) or even a cellular telephone, equipped with the reader or reader interface 60. The transceiver of the card reader 60 is capable of bidirectional communication with cards. The card reader 60 is shown as a stand-alone device but can also be an integral part (not shown) of the TT 68.
The card can perform data exchange with the TT using the card reader 60. As mentioned above, in the preferred embodiment exchange of data is performed by wireless means using close-proximity capacitive data transmission and power supply for the card to be later described.
Figs. 6 and 7 show diagrammatic, functional arrangements of respectively a card reader 60 and the card/device 10, whereas Fig. 8 shows specific components of the combined system.
As indicated in Fig. 8, the capacitive patches 40, 42, 44 of the card 10 will come into registration with corresponding capacitive patches 40b, 42b, 44b facing the patches 40, 42, 44 in close proximity when the card 10 is located on the receiving surface 62 (Fig. 2). The card 10 and the card reader 60 will then form a capacitive circuitry which is capable of supplying electric power to the circuitry of the card 10 and exchanging digital data between the card 10 and the card reader 60 as follows:
In the following description the card reader is regarded as an external host unit 60 sharing a capacitive interface in close proximity to the card 10 regarded as a guest unit and including the integrated circuit 50 connected via an interface 126. The three pairs of conductive areas 40-40b, 42-42b, and 44-44b form the common capacitive interface.
When the transaction terminal 68 is a personal computer, it is typically equipped with a standard V.24/V.28 interface. The transaction terminal 68 is further equipped with a proprietary software driver (not shown) to control the data flow for the host unit 60. Depending on the desired functionality, this driver can either be an installed driver module or a part of an application program.
The CCITT V.24/V.28 electrical specification states a minimum voltage output swing at a stated loading. Even though the specification itself does not state that an attached device may be powered from the interface, as long as the stated maximum loading is not exceeded, it is a benefit to be independent of external power. Where it is undesired to put further loading on the serial port or the serial port itself does not fully comply with the driver requirements stated in the specification, external power may be applied from an AC/DC adapter or batteries included in the host unit. If desired, an interface control signal may be used to control the power of the host unit 60, where one state is a low-power, standby condition and the other an active, full-power state.
A principal circuitry of the host unit 60 may be implemented as follows:
The host unit 60 is designed to be connected to a standard V.24/V.28 serial port, where the voltage levels of outputs RTS and DTR are programmed by the interface software to be at a high level, thereby providing a positive supply voltage for the circuit elements. The Receive Data Input (RxD) has mark level at a negative level, thereby providing a negative supply for a level shifter 98. Additional tank and smoothing capacitors 82, 96 are provided and may be supplemented with a voltage-stabilizing element, such as a parallel zener diode (not shown).
A level shifter 84 provides shifting of input voltages to the host unit, and provides a logic high output when the input is at mark level, i.e. inactive. An oscillator schmitt-trigger NAND circuit 86 will then oscillate at a frequency primarily set by a LC resonant circuit comprising a resistor 90, an inductance 92, and a capacitor 94 present on the output of schmitt-trigger 88. This resonant circuit provides a carrier output on conducting area 42b. By the resistive feedback this design provides for an automatic tuning of the resonant circuit to operate at its peak output amplitude, relatively independent of the complex impedance loading of 42b. By selecting a CMOS/HCMOS schmitt-trigger 88, the value of resistive feedback can be kept high to reduce the loading of the resonant circuit. Further benefits of using HCMOS devices include low operating power, low output impedance, rail-to-rail output swing and input protection diodes, thereby providing a high output swing of the resonant circuit with a minimum of design complexity. When a space level is present on the input of level shifter 84, a logic low output disables the oscillator function, so that the output of the resonant circuit fades and a DC level is present on terminal 42b. When a serial data stream is received on the input of level shifter 84, the output of the resonant circuit will provide a pulse-modulated carrier, which is then capacitively coupled over to the portable device.
The guest unit 10 has a high input impedance and is further explained below in the detailed description of the transaction device interface.
Accordingly, when capacitive interface plates 40 and 42/44 are placed in close proximity to the corresponding plates 40b, 42b and 44b, capacitors are formed by plates 40-40b, 42-42b and 44-44b. The actual capacitor values are primarily given by the plate size, the distance between the plates and the type of dielectric material(s) present between them.
The design where plates 42 and 44 are connected together implies a reduced stray capacitive coupling between plates 42b and 44b. Another benefit is that the portable device is symmetric, i.e. it can be rotated in steps of 180° without loss of functionality.
A first closed capacitive loop is formed by following the output of the resonant circuit in the host unit 60, via plates 42b-42 to the guest unit 10, through a rectifier bridge 120 having four diodes 122, through the parallel impedance circuit 114 including a capacitor 116 and a resistor 118, and back to ground in the host unit 60 via plates 40-40b. A second closed capacitive loop is formed by following the output of the resonant circuit in the host unit 60, via plates 42b-42, 44-44b and via the input diode 106 and resistor 102 down to ground in the host unit 60.
When the oscillator circuit 16 in the host unit 10 is enabled, the first capacitive loop induces a voltage on terminal RX in the guest unit 10. By an optional peak-hold diode and tank capacitor (not shown), a low-current circuitry can then be powered in the guest unit 10, without severely affecting the signal transfer between the host unit 60 and the guest unit 10.
When the oscillator 88 is modulated by a data stream from the transaction terminal 68, a corresponding demodulated output is formed at terminal RX in the guest unit 10. By an optional voltage limiter and schmitt-trigger (not shown) on RX, a clean, demodulated signal can be directly processed by the integrated circuit 50 in the guest unit 10.
The guest unit 10 further comprises a transistor 112 connected in parallel with the impedance circuit 114. Digital data information can be transmitted back from the guest unit 10 to the host unit 60 by controlling the transistor 112 from a TX terminal in the guest unit 10. When the transistor 112 conducts, the input on plate 42 is effectively shorted to ground via plates 40-40b, thereby attenuating the voltage on plate 44 coupled to plate 44b. The quiescent coupling of the carrier filtered in the input network connected to the level shifter 98 in the host unit 60 is then attenuated. A properly selected threshold value of the input to level shifter 98 together with a hysteresis perform the demodulation of the information transferred from the guest unit 10 to the transaction terminal 68.
In the case of power transfer from the host unit 60 to the guest unit 10, it is an undesired effect that NRZ (Non-Return to Zero)-modulated data disable the voltage on the RX terminal in the guest unit. By applying a different modulation scheme well known in the art, such as PPI, FM or Manchester, the off-time can be reduced, thereby enabling a more continuous voltage in the guest unit 10.
This preferred embodiment has an inexpensive, easy to implement, self-tuned design with relaxed requirements of the reactive components. Components having a relatively poor tolerance of about ±10% of ideal values are usable in the system and are widely available at a low cost. The capacitive loading formed by the guest unit 10 as well as different stray capacitances just slightly moves the oscillator center frequency, without severely affecting the output amplitude.
As the host unit 60 operates at low power, it can be directly powered from the interface signals, thereby eliminating the need for external power, such as provided from an AC adapter or a set of batteries.
The guest unit operates at virtually zero quiescent current, without compromising the abilities to receive data at any time.
Returning to Fig. 2, a token device (TD) 10 according to the invention is shown in communication with a service provider 72 via a data network 70 such as the Internet.
Functionally, the device 10 can also be considered as comprised of the major components organized as in the diagrammatic scheme of operatively interconnected blocks shown in Fig. 9. In this embodiment the device 10 has the integrated circuit 50 incorporating data processing means 130 and nonvolatile memory means 132.
As previously mentioned, the integrated circuit 50 is capable of transmitting and receiving information to and from the service provider 72 by the interface coupling means 36 via signal conditioning means 136. The electric energy for the components of the device 10' is supplied via voltage stabilizing means 138. The electric energy source can be a thin cell battery laminated in the card. However, the electric energy is preferably transferred to the device 10 from the card reader 30 by the interface coupling means 36.
In the preferred embodiment the interface coupling means 24 includes wireless transceiver means incorporating the close proximity capacitive transceiver described previously. The card reader 30 communicating with the device 10 is provided with the corresponding interface 60 (Fig. 8) capable of transmitting and receiving digital information to and from the device 10. For a closer description of a bi-directional transceiver interface of this type, reference is made to applicant's pending U.S. Patent titled "System for bi-directional transfer of electric signals" (Application No. 09/507,089).
In the embodiment shown in Fig. 10, the reader interface 60 is connected to a personal computer 68 by a cable such as a serial cable 66, and may conveniently be located close to the top surface of a mouse pad 140. When the device 10 according to the invention shaped as a credit card is placed on the reader interface 60 it is immediately prepared to communicate with an application program in the transaction terminal/personal computer 68.
When the user receives the device 10, the device is prepared for personalization and the memory 132 is preprogrammed with a unique identification number. A driver package is available as a resident program or a plug-in module to an Internet browser, allowing a request for a particular memory tag to be retrieved back to the host application server.
The information stored in the non-volatile memory 16 is organized in a record structure, where each record is divided into data fields. Each record is identified by a unique record identifier, ID, which is specified for each access to a record. The central part of each record is the data, the meaning of which depends on the ID. To establish interoperability between different applications and TDs, an authority defines the meaning of certain ranges of IDs. In an open environment, where the meaning of certain IDs is clearly defined and available, an application may retrieve information from a TD and get the desired data without having further knowledge about the purpose and the issuer of the TD.
In order to clearly identify each issued TD as unique, an authority must define an ID which holds a unique identifier. That record must be stored at the time of manufacturing of the TD and must not be changed during the lifetime of the TD.
The memory 132 has memory locations for storing records according to the tables shown in Figs. 11 and 13 as a structured collection of data. As shown in Fig. 12, each record represents a piece of information or data and includes attributes governing the access to these data. More precisely, the access attributes govern restrictions whether the information stored therein may be read or altered by overwriting. In the Fig. 11 table, for example, tag 0 representing the location for the world-unique identification number of the device can be read without restriction. Tags 1-4, on the other hand, can be read only by acknowledgement, either by pressing an OK-key (tags 1, 2) or entering a four digit PIN-code on the keypad (tags 3, 4). As to overwriting, memory locations labeled by tags 0-2 cannot be altered at all once they are entered, whereas the memory locations labeled by tags 3, 4 may be altered by the owner only.
Information in the TD is organized in a record structure, where each record is defined by:
Identity field: Uniquely identifies the record in the memory array.
Data: Data associated with the record. The exact meaning of the data field is defined by the ID.
Read attribute: Controls the read access for the record.
Write attribute: Controls the write access for the record.
The attributes govern the read and write access permissions, respectively, where each attribute is defined by a type and an access counter, defined below.
Type, which is one of the following:
Disabled: Access is disabled.
Free: The record can be accessed without restrictions.
Acknowledge: Access must be acknowledged using the input means, typically an OK button.
Identify: Access is allowed if the TD holder identifies itself using a personal signature using the input means, typically a PIN code entry, where different types may apply for length of code or different codes.
Access counter: A preset counter, which after each valid access is decremented by one. When the counter reaches zero, further access to the record is disabled.
An external host application can request access to records in the TD by specifying a list of IDs. Depending on the security attributes, further user authentication may be needed using the input means. If the request is positively acknowledged, in the case of read access, the information is then transferred back to the host application. In the case of write access, information is then requested from the host application.
By introducing the concept of endpoint authentication, all requests for reading or writing information in the TD are validated in the same physical device. This means that no undesired "invisible" data access can be performed without the user acknowledging it. Further, since the TD is physically separated from the host computer, no fraudulent interception of access codes is possible.
Following the example shown in Fig. 11, a sample session may be executed as:
1. Query the client and TD for Tag ID 0. Since Read attribute is set to "OK", the data "2810034712113021" is passed back to the server application without user intervention.
2. The server application finds that the requested ID is not in the database, so another request for tags 1 and 2 is passed to the TD. Since the attributes are set to Req ACK, the client browser displays a dialog indicating "The server application would like to retrieve your First name and Last name. Acknowledge if you accept this request". If the user confirms the request by pressing the "Ok" button on the TD, the data "John" and "Smith" are both passed back to the server application.
3. Now, assume that the user has proceeded in the dialog with the service provider and wants to get informed about future products. The server application then requests tag 4 from the TD. Since the attribute is set to "Request PIN", the browser displays a dialog indicating "The server application would like to retrieve your e-mail address. Enter your PIN to accept this request". If the user confirms the request, the data "joe@hotmail.com" is passed back to the server application.
The next time the user attends the same URL (Uniform Resource Locator) on the Internet, a lookup in the database finds the unique identifier and can automatically redirect the user to a suitable location, such as the personal homepage. Another option when multiple tags are requested is that the user may acknowledge or reject each individual tag to be passed back to the server application. An "Ok to all" or "Ok to the rest" option may provide additional convenience for the user.
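The record structure and the Fig. 11 sample session can be modelled as follows. This is an added example, not code from the patent: the class and function names, the PIN value "4711", the content of tag 3 and the treatment of a missing counter as "no limit" are assumptions. The holder's keypad input (`ok_pressed`, `pin`) is kept separate from the host's request, which carries only record IDs.

```python
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Access(Enum):
    DISABLED = "disabled"        # access is disabled
    FREE = "free"                # no restriction
    ACKNOWLEDGE = "acknowledge"  # holder presses OK on the card
    IDENTIFY = "identify"        # holder enters the PIN on the card


@dataclass
class Attribute:
    type: Access
    counter: Optional[int] = None  # None = no usage limit (assumption)


@dataclass
class Record:
    data: str
    read: Attribute
    write: Attribute


class TokenDevice:
    MAX_PIN_FAILURES = 3  # blocked after MORE than three consecutive bad PINs

    def __init__(self, records, pin):
        self._records = records
        self._pin = pin  # no interface method returns or modifies the PIN
        self._failures = 0
        self.blocked = False

    def _check_pin(self, pin):
        """Verify the keypad PIN once per request; count consecutive failures."""
        if self.blocked or pin is None:
            return False
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._failures = 0
            return True
        self._failures += 1
        if self._failures > self.MAX_PIN_FAILURES:
            self.blocked = True
        return False

    def _authorise(self, attr, ok_pressed, pin_ok):
        if self.blocked or attr.type is Access.DISABLED:
            return False
        if attr.counter is not None and attr.counter <= 0:
            return False  # access counter exhausted
        if attr.type is Access.ACKNOWLEDGE and not ok_pressed:
            return False
        if attr.type is Access.IDENTIFY and not pin_ok:
            return False
        if attr.counter is not None:
            attr.counter -= 1  # decremented only after a valid access
        return True

    def read(self, ids, ok_pressed=False, pin=None):
        """Host supplies ids; ok_pressed/pin come from the card's own keypad."""
        pin_ok = self._check_pin(pin)
        granted = {}
        for rid in ids:
            rec = self._records.get(rid)
            if rec is not None and self._authorise(rec.read, ok_pressed, pin_ok):
                granted[rid] = rec.data
        return granted

    def write(self, rid, data, ok_pressed=False, pin=None):
        pin_ok = self._check_pin(pin)
        rec = self._records.get(rid)
        if rec is None or not self._authorise(rec.write, ok_pressed, pin_ok):
            return False
        rec.data = data
        return True


def fig11_device(pin="4711"):  # PIN value is constructed for the example
    def rec(data, read, write):
        return Record(data, Attribute(read), Attribute(write))
    return TokenDevice({
        0: rec("2810034712113021", Access.FREE, Access.DISABLED),
        1: rec("John", Access.ACKNOWLEDGE, Access.DISABLED),
        2: rec("Smith", Access.ACKNOWLEDGE, Access.DISABLED),
        3: rec("constructed value", Access.IDENTIFY, Access.IDENTIFY),
        4: rec("joe@hotmail.com", Access.IDENTIFY, Access.IDENTIFY),
    }, pin)


def sample_session():
    td = fig11_device()
    return [
        td.read([0]),                      # step 1: free read
        td.read([1, 2]),                   # holder ignores the prompt
        td.read([1, 2], ok_pressed=True),  # step 2: acknowledged
        td.read([4], pin="4711"),          # step 3: PIN entered on the card
    ]


if __name__ == "__main__":
    for step in sample_session():
        print(step)
```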
To further protect users' privacy, the storage capabilities of the TD can be used to store personal settings on the TD, instead of keeping it in a central database. The user is always in charge of controlling any attempt to retrieve or alter data from the TD by setting access attributes accordingly. The user can at any time delete all records in the TD associated with a particular site or service.
Laws in many countries require an option to unsubscribe from a service, whereby all records linked to a particular user are removed. This process is easy to perform using the world-unique identifier.
An additional stand-alone software application may be provided to be installed on the host computer to support an easy overview over the stored information and, when applicable, perform basic operations regarding tag data and attributes. A backup and restore utility may also be provided to move information between disk storage and the TD.
In the example shown in Fig. 13, there are stored six predefined keys in the non-volatile memory. Two of these keys have been used. The TD keeps an image of the same key values as those stored in the SP database. Following this example, a transaction can be performed as:
1. The SP requests the ID, i.e. the data corresponding to tag ID 0 in Fig. 12, thereby identifying which SP image in the database is to be used for the transaction process.
2. The SP requests the next unused key value, specifying index 258.
3. The TD prompts the user from the display of host computer 68 or card reader 60 to enter the PIN from the keypad of device 10.
4. The TD transfers the value 6210CBD4 back to the SP and marks index 258 as used.
5. The SP receives the key value and compares it with the value stored in local image. The index value is then marked as used.
Another transaction indicated in Fig. 13 can be performed as:
1. The SP requests authentication of a desired action.
2. The TD searches for the first unused value, which would be 258.
3. The TD prompts the user to enter the PIN from the keypad.
4. The TD transfers the ID, index 258 and the value 6210CBD4 back to the SP.
5. The SP uses the ID together with index 258 to determine if the key value is authentic.
The limited number of pre-stored keys can be used to enable a time- or usage-limited scheme, such as a given service expiring after a predetermined number of usage occasions.
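The two Fig. 13 transactions can be modelled as a table of one-time values mirrored on the TD and at the SP, as in the following added example (not code from the patent). Only the ID, index 258 and the value 6210CBD4 come from the text; the index range 256-261, the other key values, the PIN "4711" and all class names are constructed. It also shows the SP rejecting a replayed value and the scheme expiring once the table is exhausted.

```python
import hmac


class KeyTable:
    """Indexed one-time values with a 'used' flag, as kept by both TD and SP."""

    def __init__(self, values, used=()):
        self._values = dict(values)
        self._used = set(used)

    def first_unused(self):
        free = sorted(i for i in self._values if i not in self._used)
        return free[0] if free else None

    def take(self, index):
        """TD side: return the value for an unused index and mark it used."""
        if index not in self._values or index in self._used:
            return None
        self._used.add(index)
        return self._values[index]

    def matches(self, index, value):
        """SP side: constant-time compare against an unused entry."""
        expected = self._values.get(index)
        if expected is None or index in self._used:
            return False  # unknown index, or a replay of a used one
        if not hmac.compare_digest(expected.encode(), value.encode()):
            return False
        self._used.add(index)  # marked used only after a successful match
        return True


class KeyCard:
    def __init__(self, device_id, table, pin):
        self.device_id = device_id
        self._table = table
        self._pin = pin

    def release(self, pin, index=None):
        """PIN is typed on the card. index=None means 'first unused value'.

        Returns (id, index, value), or None if the PIN is wrong or no
        unused value is available at that index.
        """
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            return None
        if index is None:
            index = self._table.first_unused()
        value = self._table.take(index)
        return None if value is None else (self.device_id, index, value)


class ServiceProvider:
    def __init__(self):
        self._images = {}  # device ID -> SP image of that TD's key table

    def enrol(self, device_id, table):
        self._images[device_id] = table

    def verify(self, device_id, index, value):
        image = self._images.get(device_id)
        return image is not None and image.matches(index, value)


FIG13_ID = "2810034712113021"
# Only index 258 and 6210CBD4 are from the text; the rest is constructed.
FIG13_KEYS = {256: "A1000001", 257: "A1000002", 258: "6210CBD4",
              259: "A1000003", 260: "A1000004", 261: "A1000005"}


def fig13_pair(pin="4711"):
    """Six keys, two already used, mirrored on the card and at the SP."""
    card = KeyCard(FIG13_ID, KeyTable(FIG13_KEYS, used={256, 257}), pin)
    sp = ServiceProvider()
    sp.enrol(FIG13_ID, KeyTable(FIG13_KEYS, used={256, 257}))
    return card, sp


if __name__ == "__main__":
    card, sp = fig13_pair()
    answer = card.release("4711")
    print(answer, sp.verify(*answer), sp.verify(*answer))
```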
The device 10 is preferably issued by a "trusted partner" as compared with current trusted partners supplying network interface boards, each of which also has a world-unique identification number. When a TD is issued, the user is prompted to change the PIN, thereby making the usable access code known only to the TD holder. The general commonly used method to permanently block the TD if more than three consecutive invalid PINs are entered may be implemented.
Apart from the factory-programmed identity ID, TDs may be shipped blank and be programmed later in the lifecycle of the card. The TD authority may define the write attributes of some IDs as "write once", which then means that the data can be written one time only.
A key aspect of the invention is that there is no way of retrieving or modifying the PIN using the external interface. This implies that even if a fraudulent knowledge about a TD's PIN is present, it is by no means possible to remotely retrieve information from a TD without having the physical TD. The possibility of a valid TD holder in a fraudulent way retrieving information from the TD can of course never be prevented. Since the security and integrity of the system must not rely on the fact that some parts of the technology and algorithms are kept strictly secret, it can be expected that third-party drivers, including fraudulent ones, will be developed that, from the application's point of view, act as if a physical TD were connected. There must therefore be a secure way of qualifying retrieved or written information as authentic.
One option is to use a digital signature of each record retrieved from or written to the card, where data of a predetermined record are used as an operator for the digital signature algorithm.
Another option is a predefined challenge-response ID, which when challenged, creates a digital signature of the information which leaves the TD. The TD authority defines a limited range of IDs, where the data is automatically transferred to the host application when triggered by events like TD presence, TD removal and triggering of input means. Depending on the driver, this can be used to automatically trigger launching of a host application, such as a word processing program or an Internet browser. Further, the data passed from the TD may include additional application parameters, such as a document specifier or a target URL, to be used for navigation, thereby creating an interactive navigation device.
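The two authentication options described above (a per-record signature keyed by a predetermined record, and a challenge-response ID) can be combined as in the following added example, which is not the patent's algorithm: the text does not name one, so HMAC-SHA256 with a key shared between TD and host is substituted here, and all function and class names are hypothetical. It shows why an emulating driver that lacks the key record, or that replays an earlier answer, fails verification.

```python
import hashlib
import hmac
import secrets
import struct


def encode(challenge, records):
    """Length-prefixed, ID-sorted encoding so field boundaries are unambiguous."""
    parts = [struct.pack(">H", len(challenge)), challenge]
    for rid in sorted(records):
        data = records[rid].encode()
        parts.append(struct.pack(">HH", rid, len(data)))
        parts.append(data)
    return b"".join(parts)


def td_sign(key, challenge, records):
    """TD side: MAC over the host's challenge and the records leaving the TD.

    `key` stands for the data of the predetermined key record, which is
    never returned over the external interface (assumption of this model).
    """
    return hmac.new(key, encode(challenge, records), hashlib.sha256).digest()


class Host:
    """Host application holding the same key as the TD."""

    def __init__(self, key):
        self._key = key
        self._pending = set()

    def new_challenge(self):
        challenge = secrets.token_bytes(16)
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge, records, tag):
        if challenge not in self._pending:
            return False  # unknown or already-consumed challenge (replay)
        self._pending.discard(challenge)  # each challenge is single-use
        expected = td_sign(self._key, challenge, records)
        return hmac.compare_digest(expected, tag)


def demo():
    key = secrets.token_bytes(32)  # constructed key shared at issuance
    host = Host(key)
    records = {1: "John", 2: "Smith"}

    c1 = host.new_challenge()
    tag = td_sign(key, c1, records)
    genuine = host.verify(c1, records, tag)
    replayed = host.verify(c1, records, tag)

    c2 = host.new_challenge()
    emulated = host.verify(c2, records, td_sign(b"\x00" * 32, c2, records))
    return genuine, replayed, emulated


if __name__ == "__main__":
    print(demo())
```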
In the embodiment shown in Fig. 14, the device 10'' is integrated into a package 11 such as a cardboard box. The cardboard structure has a user input means 15 provided with pressure sensitive areas 17 for signaling depressions by the user via signal lines 13 to the device 10''. The pressure sensitive areas 17 are provided with printed symbols or characters (not shown) guiding the user in the process. The transaction terminal reader interface 60 is in this case embedded close to the surface of a tabletop 140', for example in a package distributing terminal.
In an alternative embodiment shown in Fig. 10, the device 10' is integrated in a software CD package 11' that can be placed on the capacitive reader interface 60. The capacitive interface 60 is connected to the serial port of a personal computer 68. The capacitive interface may alternatively be a small device such as the interface 60 in Fig. 2 having a cavity matching the physical shape of the device 10.
An installed software driver or browser plug-in provides the logic to retrieve data from the card memory and transfer it to the application, providing additional steps if necessary.
In this embodiment, the memory in the TD can either be fixed, pre-programmed by the issuer of the TD or be freely programmable by the TD owner using a stand-alone support application.
In its most basic form, the action of placing the device 10 on the capacitive interface automatically triggers navigation to the predetermined URL stored in the memory. If an Internet browser is not active, the software driver first launches the appropriate browser application.
In an enhanced form, the card is equipped with membrane keys as described previously, where each key or each key sequence is linked to a particular URL stored in the memory. This provides a solution for the mobile user to quickly access the "personal favorites" often stored on disk and accessible from an Internet browser.
If the ISO 7811 physical limitations do not apply, the TD can be freely integrated into simple sheets of plastic, paper or cardboard, thereby opening up the field of integrating the technology into product packaging, either integral, as tear-off part or as an included printed "active voucher".
The vendors can then open a dialog with the customer, whereby on placing a product packaging on the interface, the customer is automatically directed to the appropriate product page, where product registration, support information and additional promoting may be available. Applications may include Music CD-envelopes, software packages, computer hardware etc. An additional feature is the ability to programmatically alter a URL at a specific location from the server application, thereby allowing a different navigation procedure after some event has occurred, such as after a successful download or after an identification procedure has been completed.
By providing an electronic sensor (not shown) in the device, such as a circuit element that breaks when a packaging has been opened, a different navigation scheme can be established, thereby automatically directing the user to different locations depending on the physical state of the product.

Claims

What is claimed is:
1. An electronic mobile information storage and communication device comprising: electric energy supply means, data input means, data processing means, data storage non-volatile memory means and wireless data transceiver means in operative connection; said memory means having a number of programmable memory locations for storing records of data related to a holder of the device; and said transceiver means being adapted to automatically establish bi-directional access for a host computer to a predetermined selection of said records stored in said memory means on acknowledgement by said holder entering a valid input using said input means when the device is placed in operative proximity to a transceiver interface of the host computer.
2. The device of claim 1, wherein said input means is a keypad and said valid input comprises pressing at least one key of said keypad.
3. The device of claim 1, wherein said valid input is an identification input, said access being established only if said identification input is equal to a reference identification stored in said memory means, and said reference identification being non-accessible by an external request.
4. The device of claim 3, wherein said reference identification is initially programmed at the time of manufacture of the device and thereafter alterable, each alteration being proceeded by at least one valid reference input.
5. The device of claim 1, wherein each of said memory locations holds an attribute to control retrieval of information from said selection of records stored in said memory locations.
6. The device of claim 5, wherein data in certain records in said memory locations are used as an input parameter to an arithmetic operation, said operation operating on data included in said selection of records, a result of the operation is transmitted back to said host computer in addition to said data included in said selection, and said result being used by the host computer to determine if retrieved information is authentic.
7. The device of claim 1, wherein each of said memory locations holds an attribute to control modification of information in said selection of records stored in said memory locations.
8. The device of claim 7, wherein certain records in said memory locations are used in conjunction with a reference value, as an input parameter to an arithmetic operation, said operation operating on data included in said selection of records, said reference value being compared with a result of said arithmetic operation to determine if said request to modify information is to be accepted as authentic by the device.
9. The device of claim 1, wherein each of said memory locations holds a preset counter, said counter being decremented by one for each valid retrieval of data from said memory locations, said counter, on reaching zero being adapted to permanently disable further attempts to retrieve data from said memory locations.
10. The device of claim 1, wherein each of said memory locations holds a preset counter, said counter being decremented by one for each valid modification of data in said memory locations, said counter, on reaching zero being adapted to permanently disable further attempts to modify the contents of said memory locations.
11. The device of claim 1, wherein one of said records includes a world-unique identification number to be programmed by a trusted manufacturer of the device prior to the device is supplied to the holder, and thereafter not being reprogrammable by the holder and by said request.
12. The device of claim 1, wherein said records include a number of secret codes, each code authorizing a service to the holder from said host computer requesting said code, said host computer holding an identical image of said codes, and each code being usable a limited number of times only.
13. The device of claim 12, wherein said service includes external information transmittable to the device by said host computer.
14. The device of claim 12, wherein said secret codes are used to produce digital signatures applied to said external information.
15. The device of claim 12, wherein said secret codes are used to encrypt said external information.
16. The device of claim 1, wherein said records include information to be transmitted to a connected computer for changing an operative environment therein when the device is placed in said operative proximity to the transceiver interface.
17. The device of claim 1, wherein said records include information to be transmitted to said host computer for changing an operative environment therein when the device is removed from said operative proximity to the transceiver interface.
18. A method of communication using an electronic mobile information storage and communication device comprising electric energy supply means, data input means, data processing means, data storage non-volatile memory means and wireless data transceiver means in operative connection, said data storage means having a number of programmable memory locations storing records of data related to a holder of the device, the device being placed in operative proximity to a wireless data transceiver interface of a host computer, comprising: requesting access to a selection of said records by said host computer; and communicating access to said selection only on acknowledgement by said holder using said input means.
PCT/SE2001/001096 2000-05-19 2001-05-17 Mobile information storage and communication device and method of communication WO2001090858A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
JP2001587185A JP2003534592A (en) 2000-05-19 2001-05-17 Mobile information storage and communication device and communication method
EP01934750A EP1299788A1 (en) 2000-05-19 2001-05-17 Mobile information storage and communication device and method of communication
AU2001260903A AU2001260903A1 (en) 2000-05-19 2001-05-17 Mobile information storage and communication device and method of communication

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US57483200A 2000-05-19 2000-05-19
US09/574,832 2000-05-19

Publications (1)

Publication Number Publication Date
WO2001090858A1 (en) 2001-11-29

Family

ID=24297834

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE2001/001096 WO2001090858A1 (en) 2000-05-19 2001-05-17 Mobile information storage and communication device and method of communication

Country Status (5)

Country Link
EP (1) EP1299788A1 (en)
JP (1) JP2003534592A (en)
CN (1) CN1265257C (en)
AU (1) AU2001260903A1 (en)
WO (1) WO2001090858A1 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005020097A1 (en) * 2003-08-23 2005-03-03 International Business Machines Corporation Method, system and device for mobile access of subscription content
WO2005027035A1 (en) * 2003-09-16 2005-03-24 Gold Fusion International Limited Contactless transmission system, apparatus and method
JP2005538400A (en) * 2002-09-04 2005-12-15 アクサルト ソシエテ アノニム Method for computing a hash of a message in a device communicating with a smart card
JP2006505074A (en) * 2002-10-17 2006-02-09 ヴォウダフォン・グループ・ピーエルシー Facilitating and authenticating transactions
EP1749261A2 (en) * 2004-04-22 2007-02-07 Fortress GB Ltd. Multi-factor security system with portable devices and security kernels
CN103065079A (en) * 2012-12-21 2013-04-24 飞天诚信科技股份有限公司 Method for preventing fraudulent signing

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5852775A (en) * 1996-09-12 1998-12-22 Earthweb, Inc. Cellular telephone advertising system
US5964877A (en) * 1997-04-07 1999-10-12 Victor; David William Method and system for programming a security system to protect a protected unit

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005538400A (en) * 2002-09-04 2005-12-15 アクサルト ソシエテ アノニム Method for computing a hash of a message in a device communicating with a smart card
JP2006505074A (en) * 2002-10-17 2006-02-09 ヴォウダフォン・グループ・ピーエルシー Facilitating and authenticating transactions
JP2006506755A (en) * 2002-10-17 2006-02-23 ヴォウダフォン・グループ・ピーエルシー Facilitating and authenticating transactions
US8825928B2 (en) 2002-10-17 2014-09-02 Vodafone Group Plc Facilitating and authenticating transactions through the use of a dongle interfacing a security card and a data processing apparatus
WO2005020097A1 (en) * 2003-08-23 2005-03-03 International Business Machines Corporation Method, system and device for mobile access of subscription content
AU2003271978B2 (en) * 2003-08-23 2010-06-17 Lenovo (Singapore) Pte. Ltd. Method, system and device for mobile access of subscription content
WO2005027035A1 (en) * 2003-09-16 2005-03-24 Gold Fusion International Limited Contactless transmission system, apparatus and method
EP1749261A2 (en) * 2004-04-22 2007-02-07 Fortress GB Ltd. Multi-factor security system with portable devices and security kernels
EP1749261A4 (en) * 2004-04-22 2009-09-30 Fortress Gb Ltd Multi-factor security system with portable devices and security kernels
CN103065079A (en) * 2012-12-21 2013-04-24 飞天诚信科技股份有限公司 Method for preventing fraudulent signing

Also Published As

Publication number Publication date
CN1440525A (en) 2003-09-03
JP2003534592A (en) 2003-11-18
AU2001260903A1 (en) 2001-12-03
CN1265257C (en) 2006-07-19
EP1299788A1 (en) 2003-04-09

Similar Documents

Publication Publication Date Title
US6616035B2 (en) Method and device for identification and authentication
US8811959B2 (en) Bluetooth enabled credit card with a large data storage volume
US11664997B2 (en) Authentication in ubiquitous environment
JP4682498B2 (en) Communication device and memory management method for communication device
US7886970B2 (en) Data communicating apparatus and method for managing memory of data communicating apparatus
US10303867B2 (en) External secure unit
CA1293325C (en) System for a portable data carrier
US7089388B1 (en) Terminal for use in a system interfacing with storage media
KR20210029198A (en) Dynamic URL generation system and method through smart card
US20130212704A1 (en) Secure digital storage
JP2014512579A (en) Personal information theft prevention and information security system process
US20080048024A1 (en) Accommodating multiple users of a secure credit card
US20090177893A1 (en) Digital identity device
US7516479B2 (en) Data communicating apparatus and method for managing memory of data communicating apparatus
US9466057B2 (en) RF presentation instrument with sensor control
US20200302088A1 (en) Electronic device for managing personal information and operating method thereof
EP1299788A1 (en) Mobile information storage and communication device and method of communication
US20080155675A1 (en) Security mechanism for one-time secured data access
JP5107885B2 (en) Personal information providing apparatus, personal information providing method
JP5409871B2 (en) Personal information providing apparatus and personal information providing method
KR200401587Y1 (en) Smart Card leader system for the one time password creation
JP4291068B2 (en) IC card and IC card system
CN101383014B (en) Information processing system and device, reader/writer and access control management method
US20020124058A1 (en) Navigation device
KR100727866B1 (en) Smart Card leader system for the one time password creation

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 2001934750

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 018122205

Country of ref document: CN

WWP Wipo information: published in national office

Ref document number: 2001934750

Country of ref document: EP