Title:
SECURED DATA TRANSACTION SYSTEM FOR SMART CARDS
Document Type and Number:
WIPO Patent Application WO/1999/053449
Kind Code:
A1
Abstract:
A secured data transaction system (10) comprising a Smart Card Interface (SCI) (12) for interfacing between a local device (25, 26) and a Remote Secure Application Module (RSAM) (14) located remote from the SCI for processing data from smart cards. The SCI (12) comprises an SCI memory (28, 35) containing a predetermined instruction set, an SCI processor (15) coupled to the memory for operating in accordance with said instruction set, and a first SCI communication interface (16) coupled to the SCI processor for allowing bi-directional contactless communication between the SCI and the RSAM. The RSAM (14) comprises an RSAM memory (21) containing a predetermined instruction set and comprising a secured area reserved for security applications and for secure storage of data related thereto, an RSAM processor (20) coupled to the RSAM memory for operating in accordance with said instruction set, and an RSAM communication interface (19) coupled to the RSAM processor for allowing bi-directional contactless communication between the RSAM and the SCI. In such an arrangement data associated with the smart card interface (12) may thus be stored in the RSAM memory (21) remote from the smart card interface.

Inventors:
GILBOA RONNIE (IL)
BASHAN ODED (IL)
ITAY NEHEMYA (IL)
ADUK MOSHE (IL)
Application Number:
PCT/IL1999/000192
Publication Date:
October 21, 1999
Filing Date:
April 06, 1999
Assignee:
ON TRACK INNOVATIONS LTD (IL)
GILBOA RONNIE (IL)
BASHAN ODED (IL)
ITAY NEHEMYA (IL)
ADUK MOSHE (IL)
International Classes:
G07F7/08; G07F7/10; (IPC1-7): G07F7/08; G07F7/10
Foreign References:
US 5572004 A, 1996-11-05
FR 2740291 A1, 1997-04-25
US 5241160 A, 1993-08-31
EP 0534559 A1, 1993-03-31
US 4849927 A, 1989-07-18
GB 2079504 A, 1982-01-20
Attorney, Agent or Firm:
Reinhold, Cohn And Partners (P.O. Box 4060 Tel Aviv, IL)
Claims:
CLAIMS:
1. A secured data transaction system (10) comprising: a Smart Card Interface (SCI) (12) for interfacing between a local device (25, 26) and a Remote Secure Application Module (RSAM) (14) located remote from the SCI for processing data from smart cards; the SCI (12) comprising: an SCI memory (28, 35) containing a predetermined instruction set, an SCI processor (15) coupled to the memory for operating in accordance with said instruction set, a first SCI communication interface (16) coupled to the SCI processor for allowing bidirectional contactless communication between the SCI and the RSAM; and the RSAM (14) comprising: an RSAM memory (21) containing a predetermined instruction set and comprising a secured area reserved for security applications and for secure storage of data related thereto, an RSAM processor (20) coupled to the RSAM memory for operating in accordance with said instruction set, and an RSAM communication interface (19) coupled to the RSAM processor for allowing bidirectional contactless communication between the RSAM and the SCI; whereby data associated with the smart card interface (12) may be stored in the RSAM memory (21) remote from the smart card interface.
2. The secured data transaction system according to Claim 1, wherein data is retrieved from the RSAM memory via the SCI.
3. The secured data transaction system according to Claim 1 or 2, further including an auxiliary SCI (12') for allowing parallel or backup data retrieval from the RSAM memory.
4. The secured data transaction system according to any one of the preceding Claims, wherein the Smart Card Interface includes a second SCI communication interface (15) for allowing bidirectional communication with the local device.
5. The data transaction system according to any one of the preceding Claims, wherein: the RSAM contains security means for prevention of unauthorized transactions and unauthorized access to RSAM functions and RSAM memory.
6. The data transaction system according to any one of the preceding Claims, wherein: the SCI communication interface (16) communicates with a smart card and the RSAM by contactless inductive coupling communication.
7. The data transaction system according to Claim 6, wherein: the first SCI communication interface (16) is coupled to an SCI coil antenna (17) operating at a predetermined frequency, and the RSAM communication interface (19) is coupled to an RSAM coil antenna (18) tuned to said predetermined frequency.
8. The data transaction system according to Claim 7, wherein the first SCI communication interface is coupled to the SCI coil antenna (17) by an SCI cable having a length which may be varied without requiring the first SCI communication interface to be retuned to said predetermined frequency.
9. The data transaction system according to Claims 7 or 8, wherein the RSAM communication interface (19) is coupled to the RSAM coil antenna (18) by a cable.
10. The data transaction system according to Claim 9, wherein the SCI coil antenna (17) and the RSAM coil antenna (18) are in mutual proximity.
11. The data transaction system according to any one of the preceding Claims, wherein the RSAM (14) is displaced from the SCI (12) and is in contactless communication therewith.
12. The data transaction system according to any one of the preceding Claims, wherein the RSAM is housed in a reinforced casing for protection against physical intrusion.
13. The data transaction system according to any one of the preceding Claims, wherein the RSAM is housed in a hermetically sealed casing.
14. The data transaction system according to any one of the preceding Claims, wherein the RSAM is housed in a concealed casing.
15. A secured data transaction system (10) comprising: an SCI (12) for interfacing with smart cards and an RSAM (14) for processing data from smart cards and for providing security functions, the SCI (12) comprising: a processor (15) for operating functions of the SCI, an SCI memory (28) connected to the SCI processor, and an SCI communication interface (16) for bidirectional inductive coupling communication with smart cards and for bidirectional communication with a host device (25); the RSAM (14) comprising: an RSAM processor (20) for operating functions of the RSAM, an RSAM memory (21) connected to the RSAM processor, the RSAM memory comprising a secured area reserved for security applications and for secure storage of transactions and data related thereto, an RSAM communication interface (19) connected to the RSAM processor for bidirectional inductive coupling communication with at least one SCI, and a data card for containing the RSAM therein, the data card being remote from the SCI; whereby the SCI transfers data exchanges between secured smart cards and the RSAM, the RSAM providing for the secured processing of transactions and the RSAM also providing a secured repository for the transactions and for data related thereto.
16. The data transaction system according to any one of the preceding claims, wherein the SCI also provides energy for functions of the RSAM, thereby obviating the need for the RSAM to be self-powered.
Description:
Secured data transaction system for smart cards

FIELD OF THE INVENTION This invention relates to a data transaction system for smart cards and, in particular, to a secured data transaction system where the transactions and the data related thereto are securely stored.

BACKGROUND OF THE INVENTION Smart cards are becoming increasingly important and widespread for all manner of data transactions. Typically, a smart card user performs a transaction via a read/write station containing a user interface, a card interface and a processor with a memory. To perform a transaction with a smart card, the user defines his request via the card interface, which feeds data to the processor for execution and storage in memory. The results of such a transaction are usually stored as data in the memory of the station for later use. In practice, data retrieval generally takes place either at a time convenient to the resources of the system, or on a periodic basis. Later on, the institution involved in the deal may retrieve the data and credit or debit the user's account, as appropriate.

Along with the growth in popularity of smart cards and so-called "super smart" cards, a rise in criminal activity has spurred the demand for the prevention of fraudulent transactions. The great amount of money involved in the smart card market has attracted, and continues to attract, a growing number of unscrupulous efforts to defeat the data transaction card's security.

A partial response to this threat is provided by the protocols and algorithms which include security measures such as DES, an acronym for Data Encryption Standard dealing with passwords, encryption and decryption of communications and of data. DES allows host and terminal applications to operate safely in environments wherein the threat of intrusion by unauthorized cards and terminals, eavesdropping, playback of captured passwords and data, or alteration or substitution of data is a risk. DES provides protection to communications, to data transactions and to data stored in memory.

DES provides an effective protection against the danger that unauthorized circles will profit from stolen memories containing passwords and transaction monies, from communication being established between the wrong parties and from data transfer being intercepted. Various kinds of available security measures applied in systems are commonly referred to as SAM, an acronym for Secured Application Module.

According to the prior art, the necessary security measures for protecting communications, transactions and the consequent data are incorporated within the read/write units such that they are physically connected to the circuits of the read/write station. The SAM uses the processor and the memory of the read/write station accordingly to run and store the software application constituting the SAM. The many elements of the read/write station, including the SAM, are kept closely together, packaged inside one hardware unit. The memory of known read/write stations thus contains not only the security means, including passwords and protocols, but also the record of the transactions performed and the money involved.

Methods of practical implementation of security measures are taught, for example, in US Patent 5,664,017 in the name of Gressel et al. and in US Patent 5,694,472 for a Personal Management System, to Johnson et al.

Since relatively large sums of money may be involved, transaction information is of great value both to the user of the card and to the company concerned. Therefore, it is important to safeguard the data against possible loss, such as loss due to a power shortage. One known approach that provides a partial remedy is the use of non-volatile memories, able to retain data even without power. Nevertheless, even non-volatile memory cannot prevent physical damage incurred by the read/write station from the possible destruction of the stored data.

Another conventional measure for the prevention of potential loss of data in memory is immediately to transfer the data out of memory, for real-time processing. However, although feasible, this kind of response imposes a strain on the communication and processing resources by requiring attention without delay, thus increasing costs to the provider of the service and, ultimately, to the customer. It would thus be advantageous if data could be left in memory without fear of loss resulting from possible damage suffered by the card read/write station.

Besides physical harm to the data card station, there is also the danger of an electrical malfunction, even as unintentional as a mistake by personnel performing routine maintenance. For example, an accidental short-circuit due to human error is enough to wipe out the contents of a memory device.

Therefore, isolation of the memory from electrically conductive connections is desirable.

For mobile card reader systems, such as those to be installed for fare collection in vehicles of mass transportation services, there lingers the peril of an accident destroying the data transaction equipment, including memory and data. It would therefore be beneficial to provide for crash-proof protection to the memory containing the data, comparable to the armored protection imparted to the "black box" installed in aircraft.

These drawbacks of prior art systems do not appear to have been even addressed, still less solved, notwithstanding the ongoing effort in recent years to render smart card data transaction systems ever more secure. As noted, the bulk of this effort has been concentrated in the application of ever more secure cryptology algorithms for providing proper verification and signature authentication. However, this is just so much wasted effort if direct access to the memory containing the sensitive data is insufficiently restricted.

SUMMARY OF THE INVENTION It is therefore an object of the invention to provide a secured data transaction system for use with smart cards wherein the shortcomings associated with the prior art are significantly reduced or eliminated.

According to the invention there is provided a secured data transaction system comprising: a Smart Card Interface (SCI) for interfacing with smart cards and a Remote Secure Application Module (RSAM) located remote from the SCI for processing data from smart cards and for providing security functions; the SCI comprising: an SCI memory containing a predetermined instruction set, an SCI processor coupled to the memory for operating in accordance with said instruction set, a first SCI communication interface coupled to the SCI processor for allowing bi-directional communication between at least one smart card and at least one device coupled to the SCI, and a second SCI communication interface coupled to the SCI processor for allowing bi-directional contactless communication between the SCI and the RSAM; and

the RSAM comprising: an RSAM memory containing a predetermined instruction set and comprising a secured area reserved for security applications and for secure storage of data related thereto, an RSAM processor coupled to the RSAM memory for operating in accordance with said instruction set, and an RSAM communication interface coupled to the RSAM processor for allowing bi-directional contactless communication between the RSAM and the SCI; whereby data associated with the smart card interface is stored in the RSAM memory remote from the smart card so as to be inaccessible to or from the smart card.

Thus, in accordance with the invention, the security measures and secured operations and their storage are assigned to a remote device separate from the read/write station accepting the smart cards. A read/write station, constituted by the Smart Card Interface or SCI, receives the smart card and forwards the data stored therein to the Remote Secured Application Module (RSAM) for processing the security measures and the transactions and for storing the security measure software, the transactions and the data related thereto.

It follows that to prevent the loss of data stored in memory in case of complete or partial damage to the station, the memory device is best maintained separate from the read/write station. Thus, by confining the data memory as a separate entity in its own housing, detached from the read/write station, the chances are high that the data will remain intact regardless of harm to the station.

Further security may be achieved by hiding the memory device containing the data, so as to render it less easily accessible. Alternatively, security may be enhanced by preventing the physical removal of the memory from the system or, on the contrary, permitting removal of the memory from the system for safe consignment elsewhere. Removal of the memory is desirable, for example, at the end of a work session, when personnel abandon the premises thereby leaving a facility unattended.

It will be appreciated that improved security is afforded by separating the read/write functions from the SAM functions. Therefore, it is beneficial to maintain physical separation between those functions in the read/write station which handle the user's requests and allow for reading of the card data and which are in contactless communication with each other, from the independent and remote device which implements the secure treatment of data processing, of the security measures and of the secure storage.

The system is transparent to the user who, as in hitherto proposed systems, presents his smart card to the read/write station constituted by the Smart Card Interface, which accepts the smart card and transfers processing and storage operations to the Remote Secured Application Module (RSAM).

The system according to the invention allows for secure retrieval of the data stored in the memory of the RSAM via one or more SCIs, while ensuring that impairment of one SCI does not impair other SCIs in the system. Further, impairment of the SCI neither influences the functioning of the RSAM nor alters the integrity of the data stored in the memory of the RSAM.

If desired, a host computer may be provided for communication with the smart card interface(s). The host computer may be a PC comprising a host processor for operating functions of the host computer and of the SCI, for establishing bi-directional communication between the host and the SCI, and for retrieval of data contained in the RSAM. A host memory coupled to the host processor within the host allows for secured storage of data received from the RSAM memory. The SCI communication interface allows communication with the host communication means, whereby the host communicates with the SCI for control of SCI functions, and the host authorizes data retrieval from the RSAM and commands secure storage of data received from the RSAM memory into the host memory.

BRIEF DESCRIPTION OF THE DRAWINGS In order to understand the invention and to see how it may be carried out in practice, a preferred embodiment will now be described, by way of non-limiting example only, with reference to the accompanying drawings, in which: Fig. 1a is a block diagram showing functionally a detail of a secure data transaction system according to a first embodiment of the invention; Fig. 1b shows schematically a modification to the system shown in Fig. 1a; Figs. 2a and 2b show schematically further variations of the system illustrated in Figs. 1a and 1b; and Fig. 3 is a flow diagram showing the principal operating steps associated with the system shown in Fig. 1a.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT Fig. 1a shows a system designated generally as 10 comprising a Smart Card Interface (SCI) 12, and a Remote Secured Application Module (RSAM) 14. The SCI 12 may be part of a station such as, for example, an Automatic Teller Machine (not shown in Fig. 1a), utilized for reading and for writing to secured contact/contactless smart cards for carrying out financial transactions.

The SCI 12 includes a processor 15 (constituting an SCI processor) coupled to a transceiver 16 having a coil antenna 17 for effective non-contact inductive coupling with a coil antenna 18 coupled to the RSAM 14. The SCI 12 is energized by an external power supply whilst the RSAM 14 may or may not be self-powered, as will be explained in greater detail below.

The RSAM 14 comprises an antenna interface 19 coupled to the coil antenna 18 and to a microprocessor 20 (constituting an RSAM processor) which is itself coupled to an EEPROM 21. The antenna interface 19 is not itself a feature of the present invention and so is not described in further detail. It is described more fully in WO 98/29830 published on July 9, 1998.

The RSAM 14 is in contactless communication with the SCI 12 and is remote from the SCI, and therefore remote from the station of which the SCI is a component. Transactions requested by the owner of a secured smart card are forwarded for execution, via the SCI 12, to the RSAM 14 where they are securely processed and stored. The EEPROM 21 constitutes an RSAM memory for storing the data, an area in the EEPROM 21 being reserved for the secure storage of transactions and data so as to be inaccessible except via the SCI 12. If desired, the instruction set in accordance with which the microprocessor 20 operates may also be stored in the EEPROM 21. The antenna interface 19 includes a bi-directional communication interface that allows for bi-directional contactless communication between the RSAM 14 and the SCI 12. The SCI processor 15 and the RSAM microprocessor 20 are responsive to their respective instruction sets for retrieving data from the RSAM memory.

The SCI processor 15 is coupled to a host computer 25 (constituting a local device) and may also be coupled to a smart card 26 having a contact field (not shown) and having a microprocessor 27 operating in accordance with an instruction set contained within a memory 28 coupled thereto. The contact field of the smart card 26 engages corresponding contacts (also not shown) associated with the transceiver 16 in the SCI 12. Alternatively, a contactless smart card 30 having a coil antenna 31 may effect bi-directional communication with a coil antenna 32 coupled to the transceiver 16 within the SCI 12. The coil antenna 31 of contactless smart card 30 is connected to an antenna interface 33 coupled to a microprocessor 34 operating in accordance with an instruction set stored in a memory 35 coupled thereto. The memory 35 may be an EEPROM operating in similar manner to the EEPROM 21 in the RSAM 14 so as to allow customization of the antenna interface 33.

In such an arrangement the transceiver 16 is a first SCI communication interface for allowing bi-directional contactless communication with the contactless smart card 30, whilst the processor 15 constitutes a second SCI communication interface for allowing bi-directional contact communication with the contact smart card 26 and with the local device 25. If desired, a separate contactless interface may be coupled to the processor 15 for allowing for contactless communication with the local device, be it a host computer or another smart card.

Although data is stored securely in the RSAM 14, authorized parties may retrieve stored data from the RSAM by means of the SCI 12. In the event of a malfunction of the SCI 12 preventing retrieval of data from the RSAM 14, the malfunctioning SCI 12 may be replaced by another functional SCI 12.

Fig. 1b shows schematically such a system comprising two identical SCIs, 12 and 12', each in close contactless communication with the RSAM 14. The SCI 12' constitutes an auxiliary SCI which may be used temporarily for the purpose of data retrieval only or as a substitute for the malfunctioning SCI 12 until a replacement is installed. Alternatively, both the SCIs 12 and 12' may be permanently installed and configured for alternate operation, or the system may be configured so that the SCI 12 performs transactions while the SCI 12' retrieves data from the RSAM 14. Since both of the SCIs 12 and 12' are identical, their tasks may be interchanged.

Fig. 2a shows schematically yet another arrangement wherein the three elements SCI 12, SCI 12' and RSAM 14 form a group in which the elements are mutually remote from each other. Besides being separate, the communication between the RSAM 14 and either of the SCIs 12 or 12' is contactless.

Both the remoteness and the contactless communication ensure that a failure of any of the elements of the group, namely SCI 12, SCI 12' and RSAM 14, will not propagate to any other of the remaining elements of the group. Thus, for example, damage to the SCI 12 will not derogate from the performance of the SCI 12' and vice versa. Furthermore, the collapse of any SCI, 12 or 12', or of both of them, will have no influence on the functioning of the RSAM 14 or on the integrity of the data stored in its memory.

Fig. 2b shows schematically another variation wherein the host 25 is connected by line to two SCIs 12 and 12', in a similar configuration to that depicted in Fig. 1b. Each of the SCIs 12 and 12' is coupled to a respective RSAM 14 and 14', the combination of SCI and RSAM constituting a cluster.

In practice, many clusters may be connected to the host 25 and each cluster may display a different mix of attached devices.

In all embodiments, the use of contactless communication allows for the SCI 12 to be maintained separate and remote from the RSAM 14 which performs the secure transactions and contains all the transaction data.

Contactless communication between the SCI and the RSAM may be achieved by numerous methods, including: radio frequency, microwave, optical communication, infra-red, fiber optic and inductive coupling. To keep manufacturing costs low, inductive coupling communication is chosen, which also allows transmission of energy from a transmitting antenna to a receiving antenna. The transmitting side, here SCI 12, may operate with a matched coil antenna, and the receiving side, in this case the RSAM 14, may possess a tuned coil antenna. Another reason for selecting inductive coupling communication is that it makes it possible to power the circuits of the RSAM 14 with the power received from the SCI 12, whereby the RSAM 14 will not need to be self-powered but will rely on the emissions radiated from the SCI 12. This feature is especially important as it allows implementation of DES secured functions that impose a constant power drain on the system. An SRAM powered by batteries is not practical.

Communication and energy transfer between the SCI 12 and the RSAM 14 is via inductive coupling in accordance with the teachings of US Patent 5,241,160 entitled "A System and Method for the Non-Contact Transmission of Data", in the name of Bashan et al., incorporated herein by reference. This patent also explains how the impedance of a cable connecting a coil antenna to a transmitter may be varied without requiring re-tuning of the card resonant frequency.

Using these techniques, the matched coil antenna of the SCI may be connected by a length of SCI cable to the SCI 12 and the SCI cable may be deployed outside of the SCI so that it may be brought close to the tuned coil antenna of the RSAM 14. The distance between the SCI 12 and the RSAM 14 may thereby be significantly increased.

In like manner, the tuned RSAM coil antenna may also be connected to the RSAM 14 by a length of RSAM cable that may extend out of the housing of the RSAM. Moreover, both the SCI cable and the RSAM cable may be extended so that the maximum distance between the SCI 12 and the RSAM 14 is equal to the combined length of both cables. It will be appreciated that either or both of the two coil antennas may be connected via respective cables of equal or unequal lengths.

The length of the coil antenna cable is preferably determined as multiples of half-wavelengths, starting from zero for up to eight half-wavelengths. The measured length of such a coil antenna cable depends therefore on the frequency of the carrier signal used. Thus, assuming a carrier frequency equal to 13.56 MHz, one half-wavelength, taking the influence of the cable into account, amounts to 8 m. Preferably the length of the coil antenna cable will not reach more than 48 m and ideally it should be less than 32 m. The aforementioned U.S. Patent lists the factors influencing the relative distance allowed between the two coil antennae and provides information about the distances obtainable.

Because the RSAM 14 is prone to theft or to attempted intrusion, advantage may be taken from the fact that the RSAM 14 consists of a separate unit, packaged within an individual housing and remote from the SCI 12.

Accordingly, the RSAM 14 may be physically protected, such as secreted behind a wall or embedded in concrete for purposes of concealment as well as for reasons of safekeeping and prevention of removal. With quality assurance and reliability as objectives, the housing of the RSAM 14 may be hermetically sealed against liquids or gases.

The RSAM 14 may thus reside within a housing appropriately reinforced to thwart forceful intrusion and properly protect against physical destruction, such as being clad in steel armor. To avoid shielding of the inductive communication by the steel housing, the RSAM coil antenna, with or without a span of cable, protrudes out of the steel housing.

In contrast to this approach, but with the same goal of avoiding theft and intrusion, the housing may be removable for storage in a safe place. This may be realized in practice by providing the housing in the form of a data card.

DES applications are stored in the memory of the RSAM, in a secured area reserved for security applications. The transactions and the data related thereto are also deposited in a secured area of the memory of the RSAM, in known manner. By such means the SAM may be realized in a remote housing.

Referring now to Fig. 3, there will be described a protocol for use with the system described above with particular reference to Fig. 1 of the drawings. Thus, initially a data transaction card is coupled to the SCI, which receives a transaction request and prompts the card owner for entry of his secret code (PIN). On entry of a valid PIN, the transaction request is encrypted by the card so as to produce a secure Account Certificate. This is fed, via contact or non-contact communication, to the SCI from where it is forwarded to the RSAM via non-contact communication. The transaction data is decrypted by the RSAM so as to authenticate the card. If authentic, then the encrypted Account Certificate is also decrypted so as to produce an encrypted Transaction Certificate. This is fed, via non-contact communication, to the SCI from where it is forwarded to the card via contact or non-contact communication. The card now decrypts the transaction data so as to authenticate the RSAM. If authentic, the transaction is processed and an encrypted Settlement Certificate is prepared for feeding via contact or non-contact communication back to the SCI, from where it is forwarded via non-contact communication to the RSAM wherein the transaction data is again decrypted so as to authenticate the card. If authentic, then the purse account is settled. In the event of an invalid card or RSAM, the transaction is aborted and a suitable message relayed via the SCI.
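The Fig. 3 exchange, simulated as an added example that is not part of the patent: the SCI only forwards certificates and holds no key, while the RSAM holds the shared key, the purses and the transaction log. The patent names DES but specifies no message format, so the certificates here are sealed with an assumed HMAC-SHA256 keystream plus an HMAC tag, and the key, nonces and purse balances are constructed values.

```python
# Added example: three-party Account / Transaction / Settlement Certificate flow.
# Stand-in cipher (not the patent's DES): SHA-256 counter keystream + HMAC tag.
import hashlib
import hmac
import json
import os

SHARED_KEY = b"constructed-card-rsam-key-0001"  # constructed; known to card and RSAM only


def _keystream(key, nonce, length):
    """Derive `length` keystream bytes by hashing key || nonce || counter."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, fields):
    """Encrypt-then-MAC a dict into a certificate: nonce || ciphertext || tag."""
    plaintext = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Verify the tag, then decrypt; None means the certificate is not authentic."""
    if len(blob) < 48:
        return None
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class Card:
    def __init__(self, card_id, key):
        self.card_id, self.key, self.nonce = card_id, key, None

    def account_certificate(self, amount):
        """Step 1 (after a valid PIN): encrypt the transaction request with a fresh card nonce."""
        self.nonce = os.urandom(8).hex()
        return seal(self.key, {"card": self.card_id, "amount": amount, "cn": self.nonce})

    def settlement_certificate(self, transaction_cert):
        """Step 3: authenticate the RSAM (its reply must echo our nonce), then commit."""
        fields = unseal(self.key, transaction_cert)
        if fields is None or fields.get("cn") != self.nonce:
            return None  # invalid RSAM: abort
        return seal(self.key, {"card": self.card_id, "amount": fields["amount"], "rn": fields["rn"]})


class RSAM:
    def __init__(self, key, purses):
        self.key, self.purses, self.pending, self.log = key, purses, {}, []

    def transaction_certificate(self, account_cert):
        """Step 2: authenticate the card, then answer with a certificate bound to both nonces."""
        fields = unseal(self.key, account_cert)
        if fields is None or fields["card"] not in self.purses:
            return None  # invalid card: abort
        rn = os.urandom(8).hex()
        self.pending[rn] = (fields["card"], fields["amount"])
        return seal(self.key, {"amount": fields["amount"], "cn": fields["cn"], "rn": rn})

    def settle(self, settlement_cert):
        """Step 4: authenticate the card again; the RSAM nonce is single-use, so a replay aborts."""
        fields = unseal(self.key, settlement_cert)
        if fields is None or fields.get("rn") not in self.pending:
            return "aborted"
        card, amount = self.pending.pop(fields["rn"])
        if fields["card"] != card or fields["amount"] != amount or self.purses[card] < amount:
            return "aborted"
        self.purses[card] -= amount
        self.log.append((card, amount))  # the RSAM is the secured repository of transactions
        return "settled"


def sci_forward(blob):
    """The SCI relays certificates between card and RSAM; it holds no key and keeps no data."""
    return blob


def run_transaction(card, rsam, amount, tamper=False):
    """Drive the full exchange through the SCI; returns the RSAM's final status."""
    account_cert = sci_forward(card.account_certificate(amount))
    if tamper:  # flip one ciphertext byte in transit; the tag check must reject it
        account_cert = account_cert[:20] + bytes([account_cert[20] ^ 0x01]) + account_cert[21:]
    transaction_cert = rsam.transaction_certificate(account_cert)
    if transaction_cert is None:
        return "aborted"
    settlement_cert = card.settlement_certificate(sci_forward(transaction_cert))
    if settlement_cert is None:
        return "aborted"
    return rsam.settle(sci_forward(settlement_cert))


if __name__ == "__main__":
    rsam = RSAM(SHARED_KEY, {"card-42": 100})
    card = Card("card-42", SHARED_KEY)
    print(run_transaction(card, rsam, 30), rsam.purses)  # settled {'card-42': 70}
    print(run_transaction(card, rsam, 30, tamper=True))  # aborted
```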

Whilst preferred embodiments of the invention have been described in detail, it is apparent that many modifications and variations thereto are possible, all of which fall within the scope of the invention as defined in the appended claims.

Thus, for example, whilst in the preferred embodiment a matched antenna is employed in the SCI, it will be understood that a conventional resonant circuit may be employed as is well known in the art.