Home
Patent Search
IMT Blog
REGISTER
|
SIGN IN
United States Patent
6047887
Rosen
April 11, 2000
Title
System and method for connecting money modules
Abstract
An improved monetary system using electronic media to exchange economic value securely and reliably. The invention provides a complete monetary system having electronic money that is interchangeable with conventional paper money comprising (1) issuing banks or financial institutions that are coupled to a money generator device for generating and issuing to subscribing customers electronic money including electronic currency backed by demand deposits, or electronic credit authorizations; (2) correspondent banks that accept and distribute the electronic money; (3) a plurality of transaction devices that are used by subscribers for storing electronic money, for performing money transactions with the on-line systems of the participating bank or for exchanging electronic money with other like transaction devices; (4) teller devices, associated with the issuing and correspondent banks, for process handling and interfacing the transaction devices to the issuing and correspondent banks, and for interfacing between the issuing and correspondent banks themselves; (5) a security arrangement for maintaining the integrity of the system; and (6) reconciliation and clearing processes to monitor and balance the monetary system.
Inventors:
Rosen; Sholom S.
(New York,
NY
)
Assignee:
Citibank, N.A.
(New York,
NY
)
Appl. No.:
039933
Filed:
March 16, 1998
Current U.S. Class:
235/379
235/492
Field of Search:
235/379,375,382.5,492
U.S. Patent Documents
3559175
January 1971
Pomeroy
3573747
April 1971
Adams et al.
3749887
July 1973
Guiliani
3852571
December 1974
Hall et al.
3906460
September 1975
Halpern
3932730
January 1976
Ambrosio
3934122
January 1976
Riccitelli
3937925
February 1976
Boothroyd
3971916
July 1976
Moreno
4001550
January 1977
Schatz
4007355
February 1977
Moreno
4053735
October 1977
Foudos
4120452
October 1978
Kimura et al.
4172552
October 1979
Case et al.
4179064
December 1979
Yoshioka et al.
4214230
July 1980
Fak et al.
4218582
August 1980
Hellman et al.
4224666
September 1980
Giraud
4256955
March 1981
Giraud et al.
4270042
May 1981
Case
4277837
July 1981
Stuckert
4302810
November 1981
Bouricius et al.
4305059
December 1981
Benton
4320387
March 1982
Powell
4321672
March 1982
Braun et al.
4341951
July 1982
Benton
4404649
September 1983
Nunley et al.
4405829
September 1983
Rivest et al.
4442345
April 1984
Mollier et al.
4443027
April 1984
McNeeley et al.
4453074
June 1984
Weinstein
4454414
June 1984
Benton
4460965
July 1984
Trehn et al.
4467139
August 1984
Mollier
4498000
February 1985
Decavele et al.
4511970
April 1985
Okano et al.
4523087
June 1985
Benton
4523297
June 1985
Ugon et al.
4529870
July 1985
Chaum
4536647
August 1985
Atalla et al.
4549075
October 1985
Saada et al.
4575621
March 1986
Dreifus
4597046
June 1986
Musmanno et al.
4614861
September 1986
Pavlov et al.
4625276
November 1986
Benton et al.
4629872
December 1986
Hallberg
4630201
December 1986
White
4634845
January 1987
Hale et al.
4642768
February 1987
Roberts
4650978
March 1987
Hudson et al.
4667088
May 1987
Kramer et al.
4673802
June 1987
Ohmae et al.
4689478
August 1987
Hale et al.
4692601
September 1987
Nakano
4697073
September 1987
Hara
4705211
November 1987
Honda et al.
4722055
January 1988
Roberts
4723284
February 1988
Munck et al.
4727243
February 1988
Savar
4727244
February 1988
Nakano et al.
4734568
March 1988
Watanabe
4736094
April 1988
Yoshida
4742215
May 1988
Daughters et al.
4748668
May 1988
Shamir et al.
4750119
June 1988
Cohen et al.
4751640
June 1988
Lucas et al.
4752676
June 1988
Leonard et al.
4752877
June 1988
Roberts et al.
4757185
July 1988
Onishi
4759064
July 1988
Chaum
4766293
August 1988
Boston
4766539
August 1988
Fox
4767920
August 1988
Kitta et al.
4799156
January 1989
Shavit et al.
4822984
April 1989
Remery et al.
4823264
April 1989
Deming
4825052
April 1989
Chemin et al.
4827112
May 1989
Yoshino et al.
4837422
June 1989
Dethloff et al.
4839504
June 1989
Nakano
4864109
September 1989
Minematsu et al.
4877947
October 1989
Mori
4879747
November 1989
Leighton et al.
4906828
March 1990
Halpern
4914698
April 1990
Chaum
4926480
May 1990
Chaum
4941173
July 1990
Boule et al.
4949380
August 1990
Chaum
4959788
September 1990
Nagata et al.
4962530
October 1990
Cairns
4964164
October 1990
Fiat
4968873
November 1990
Dethloff et al.
4973828
November 1990
Naruse et al.
4977595
December 1990
Ohta et al.
4985833
January 1991
Oncken
4987593
January 1991
Chaum
4991210
February 1991
Chaum
4992646
February 1991
Collin
4995081
February 1991
Leighton et al.
4996711
February 1991
Chaum
5012076
April 1991
Yoshida
5128997
July 1992
Pailles et al.
5162989
November 1992
Matsuda
5175416
December 1992
Mansvelt et al.
5191193
March 1993
LeRoux
5212789
May 1993
Rago
5220501
June 1993
Lawler et al.
5221838
June 1993
Gutman et al.
5231569
July 1993
Myatt et al.
5305200
April 1994
Hartheimer et al.
5379344
January 1995
Larsson et al.
5418854
May 1995
Kaufman et al.
5453601
September 1995
Rosen
5455407
October 1995
Rosen
5473692
December 1995
Davis
5539828
July 1996
Davis
5568552
October 1996
Davis
5898154
April 1999
Rosen
Foreign Patent Documents
0 172 670 A2
Feb., 1986
EP
0 346 180 B1
Dec., 1989
EP
0 416 916 A2
Mar., 1991
EP
0 421 808 A2
Apr., 1991
EP
0 500 956 A1
Sep., 1992
EP
0 621 570 A1
Oct., 1994
EP
1-290096
Nov., 1989
JP
2-1049
Jan., 1990
JP
2-116966
May., 1990
JP
3-73065
Mar., 1991
JP
3-92966
Apr., 1991
JP
391261 B1
Feb., 1986
EP
4-080866
Mar., 1992
JP
4-227567
Aug., 1992
JP
417 007 A1
Mar., 1991
EP
5-504643
Jul., 1993
JP
54-017098
Feb., 1979
JP
54-119859
Sep., 1979
JP
57-094877
Jun., 1982
JP
58-57784
Dec., 1983
JP
59-151280
Aug., 1984
JP
6-503913
Apr., 1994
JP
60-008978
Jan., 1985
JP
60-146361
Aug., 1985
JP
60-196874
Oct., 1985
JP
60-198683
Oct., 1985
JP
61-043034
Mar., 1986
JP
61-052793
Mar., 1986
JP
61-166680
Jul., 1986
JP
61-233822
Oct., 1986
JP
61-38519
Aug., 1986
JP
61-94177
May., 1986
JP
62-025372
Feb., 1987
JP
62-080761
Apr., 1987
JP
62-254248
Nov., 1987
JP
62-275784
Nov., 1987
JP
62-293469
Dec., 1987
JP
63-168771
Jul., 1988
JP
63-204495
Aug., 1988
JP
63-245591
Oct., 1988
JP
63-257089
Oct., 1988
JP
63-257885
Oct., 1988
JP
63-308669
Dec., 1988
JP
63-32658
Feb., 1988
JP
63-39099
Feb., 1988
JP
63-44274
Feb., 1988
JP
B-51249/90
Sep., 1990
AU
WO 8 303 018
Sep., 1983
WO
WO 9 116 691
Oct., 1991
WO
WO 9 117 528
Nov., 1991
WO
WO 9 308 545
Apr., 1993
WO
Other References
"The Digital Distributed System Security Architecture", Morrie Gasser, et al., Nat'l Inst. of Standards & Tech., 12th Nat'l Computer Security Conference, Oct. 10-13, 1989. .
"SPX: Global Authentication Using Public Key Certificates", Joseph J. Tardo and Kannan Alagappan, IEEE, CH2986-8/91 (232-243). .
"Practical Uses of Synchronized Clocks in Distributed Systems", Barbara Liskov, 10th Annual ACM Symposium on Principles of Distributed Computing, Aug. 19-21, 1991. .
"An Architecture for Practical Delegation in a Distributed System", Morrie Gasser, Ellen McDermott, IEEE Computer Society Symposium on Research in Security and Privacy, May 7-9, 1990. .
"Hybrid Concurrency Control for Abstract Data Types", Maurice P. Herlihy, William E. Weihl, 7th ACM SIGACT-SIGMOD-SIGART Symposium on Principles of Database Systems, Mar. 21-23, 1988. .
Data Communications Networks Directory (vol. VIII, Fascicle VIII.8) Recommendations X.500-X.521;, The Int'l Telegraph & Telephone Consultative Committee, IX Plenary Assembly, Melbourne, Nov. 14-25, 1988. .
Security For Computer Networks (An Introduction to Data Security in Teleprocessing and Electronic Funds Transfer) (1984) D.W. Davies and W.L. Price, Ch. 6 (p.145-146), Ch. 10, Glossary. .
MiraiCard Report (Future Card), Dec. 1988, IC Card Reduction-to-Practice Study Group; with English language translation. .
Financial Information System, Extra No. 3, May 26, 1986, Financial Information System Center (FISC); with partial English language translation. .
Study Aids for Bills and Checks, Makoto Tairo, Jun. 10, 1990, Japan Business Publisher; with English language translation. .
1984 International Zurich Seminar On Digital Communications, Electronic Wallet, S. Even, O. Goldreich, Y. Yacobi, 1984. .
Privacy Protected Payments Unconditional Payer and/or Payee Untraceability, D. Chaum, Smart Card 2000, 1989. .
Security Without Identification: Card Computers To Make Big Brother Obsolete, D. Chaum, 1987. .
Untraceable Electronic Cash, D. Chaum, et al. .
New Banking Practice Overall Course--6: Foreign Exchange, Yuzo Wajima et al., Jul. 7, 1987, Finance Study Group Co.; partial translation. .
Nikkei Datapro/Financial System, Oct. 1989, Nikkei Business Publications, Inc.,KS3-210-101 to 217; partial translation. .
Total Banking System, Sumio Isizaki et al., Sep. 30, 1972, Industry Book; partial translation. .
Dictionary of Financial and Economic Terminology, Yoshino et al., Jan. 10, 1990, Economic Acts Study Group (translation of p. 165). .
New Saitama Bank's Strategies on International ATMs, Oct. 17, 1985, Economic Acts Study Group; English language translation. .
Facom OS IV/F4 MSP, APFS/X Manual SBAL/X External Net Version, Fujitsu, Oct. 1988; translation of Figure 1.7. .
Dictionary of Financial Terminology, Toshio Ono et al., Mar. 10, 1987; Economic Acts Study Group (translation of p. 125). .
New Era's Money / IC Card, IC Card Study Group, Mar. 8, 1986; Finance Study Group Co. (Japanese language). .
Computer Banking Re: Third ON Overview and Information Strategies, Sumio Isizaki, Jan. 20, 1987; Finance Study Group Co. (Japanese language). .
"Electronic Money" System Proposal--To Realize Cashless Society--, Fujitsu System Comprehensive Laboratory, Apr. 1991; English translation. .
Proposal of an Electronic Funds Transfer Method Considering User's Privacy, Hirotsugu Kinoshita and Shigeo Tsujii, The Transactions of the Institute of Electronics, Information and Communication Engineers, vol. J70-D No. 12, Dec. 1987; with English translation. .
Cashing Service Transaction Rules for Banks in Tokyo, Jan. 1984 (Japanese language). .
Financial Network Manual, Tomoi Fujii, Aug. 10, 1988; Financial Information System Center Co; partial translation. .
Computer Banking No. 13, Sumio Ishizaki, 1987; Modern Sales Co.; translation of Fig. 4.1. .
An Introduction to the Checks Act, Tsuneo Ko, Jul. 30, 1967; Yuhikaku Sosho; partial translation. .
Latest Checking Practice, Hitoshi Horiuchi, Jul. 10, 1982; Consultant Co.; English translation. .
Thomas M. Atwood, The case for object-oriented databases, IEEE Spectrum, Feb. 1991. .
David Chaum, Online Cash Checks, Centre for Mathematics and Computer Science, Amsterdam. .
Common Sense in Bills and Checks, Toshio Inoue, Jan. 20, 1987, Nikkei Bunko; partial English translation p. 150. .
Foreign Exchange Basic, Masanori Sikiba et al, Sep. 20, 1991, Economic Acts Study Group; partial translation p. 92. .
Smart Cards--The Ultimate Personal Computer, Jerome Svigals, 1985, Macmillan Publishing Co., NY, NY, pp. 1-20, 71-92. .
Zero Knowledge Interactive Proof and Electronic Cash, Kazuo Ohta et al., Mar. 28, 1990, The Institute of Electronics, Information and Communication Engineers; English translation. .
Application Modes and Operation Controls of EPS 1100 Integrated Communication System Series, Jun. 1987, Nihon Univac (Japanese language). .
Basic Plan for Third System of Personal Credit Information (Draft) (Addition and Change of Register Information), May 1991, Nihon NCR Inc. (Japanese language). .
CAFIS Customer-Basis Agency Sales Business Services Specification (Bank POS Business Version): First Edition, August 1989, NTT Data Communications Co., Ltd. (Japanese language). .
Series 1100, Real Time System, TMS 1100 Manual, Mar. 1990, UNISYS; translated Fig. 13-2. .
Series 2200/1100, Real Time System, BOS 11 Manual, Jun. 1989, UNISYS; English translation. .
Bank-of-Japan Financial Network System Application Details (Foreign Exchange Yen Payment Related Business), Oct. 1987, Bank of Japan; partial translation. .
The Bills and Checks Acts, Takeo Suzuki, Aug. 10, 1974, Yuhikaku (Japanese language) with partial translation of p. 361-362. .
A Distributed Electronic Bill System, Takashima Youichi et al., Denshi Joho Tsushin Gakkai Gijutsu Kenkyu Hokoku, vol. 87, No. 120, 1987; English Translation. .
Study Aid for IC Cards, Yasuo Hosogai et al., May 30, 1986, Japan Business Publisher; partial translation. .
Banking Business Overall Course, Teruo Miyaji, May. 21, 1980, Finance Study Group (Japanese language). .
Guidelines For Card Society, Sep. 1990, Printing Bureau of Ministry of Finance; partial translation. .
Operating System Basic, NEC Information Processing Education Dept., Apr. 20, 1993, Japan Efficiency Assoc. Management Center; partial translation. .
Prospects For IC Card Applications, May. 28, 1991, Yano Economy Laboratory (Japanese language). .
Series 2200/1100, Total On-Line Banking System FAST 100 Manual / Applicable Business Version, Apr. 1989, UNISYS (Japanese language). .
Applicable Business and Record Formats, Jan. 1984, National Banking Association (Japanese language). .
Notification No. 826 Re: On-Line Fund Transfer Transactions Through Communication Line Between Financial Institutions Computers and Customers' Terminals, Apr. 7, 19898, Banking Bureau of Ministry of Finance (Japanese language). .
Basic Design of Bank POS System (Draft No. 0), Jan. 1985, NTT (Japanese language). .
ANSER--Function Adding Services Specifications Ver. VIII, Jun. 1989, NTT Data Communication Co., Ltd. (Japanese language). .
CAFIS--Design of Connection Conditions (Bank POS Business Version) Ver. 2, Feb. 1989, NTT Data Communication Co., Ltd. (Japanese language). .
CAFIS--Design of Connection Conditions (Bank POS Business Version) Ver. 1, Dec. 1989, NTT Data Communication Co., Ltd. (Japanese language). .
CAFIS--Specification of Customer Basis Agency Sales Business Service (Bank POS Business Version), Ver. 1, Aug. 1989, NTT Data Communication Co., Ltd. (Japanese language). .
Smart Cards, Jerome Svigals, 1985 (Japanese; not translated) (corresponding to Smart Cards: The Ultimate Personal Computer). .
"Le paiement electronique", P. Remery, J.C. Pailles, and F. Lay, L'Echo des Recherches, No. 134, 4.degree. trimester 1988--original French version and English Translation. .
Bruce Schneier, "Applied Cryptography" 1994, pp. 417-429. .
Stephen M. Bellovin and Michael Merritt, "Limitations of the Kerberos System", Winter, 1991, pp. 1-16. .
David Chaum, Achieving Electronic Privacy, Scientific American, Aug. 1992. .
Dancoin Ltd., The Company, Danmont A/S 1991. .
O'Reilly, Ireland's Pocket Revolution: The Micro That Replaces Cash, Cheques, And Cards, Retail Banker International, Feb. 20, 1984, at 4. .
Nakamoto, Japanese Take To The Top The Prepaid Plastic Card Business, Financial Times, Nov. 17, 1988, at 7. .
Rowe, Au Revoir Le Cash?, Banking Technology, Jul.-Aug. 1991, at 46. .
Okamoto and Ohta, Universal Electronic Cash, Cryptography Symposium (1991). .
Article 4A, Uniform Commercial Code, Callaghan & Company, dated Apr. 1990. .
"Security Without Identification: Transaction Systems To Make Big Brother Obsolete" Chaum, D., Communications of the ACM, 28:10, Oct. 1985. .
"Disposable Zero-Knowledge Authentications and Their Applications To Untraceable Electronic Cash", Okamoto, T. et al., 481-496, undated. .
D.W. Davies, "Use of the Signature Token to Create a Negotiable Document", Advances in Cryptology Proceedings of Crypto 83, Plenum Press, New York 1983, p. 377-382..~
Primary Examiner:
Hajec; Donald
Assistant Examiner:
Tremblay; Mark
Attorney, Agent or Firm:
Morgan&Finnegan, LLP
Parent Case Text
This is a divisional of application Ser. No. 08/371,201 filed Jan. 11, 1995, now U.S. Pat. No. 5,898,154 which is a divisional of application Ser. No. 07/794,112 filed Nov. 15, 1991, now U.S. Pat. No. 5.453,601.
Claims
I claim:
1. A method for connecting a first money module to one of a plurality of other money modules, comprising the steps of:
a first money module, having a first money module certificate, establishing communication with a network server;
said first money module sending its money module certificate to said network server;
said network server sending said money module certificate to a security server;
said security server verifying said certificate;
said security server sending security information to said money module;
said network server establishing communication with a second money module, without specification of a particular second money module, selected from amongst a plurality of other money modules, each said other money module having a money module certificate; said second money module receiving said first money module certificate via said network server;
said second money module sending its certificate to said first money module via said network server.
2. The method of claim 1, wherein said money modules are part of a local network, and comprising the step of said local network routing messages to said second money module.
3. The method of claim 1, further comprising the step of said first money module and said second money module performing an electronic money withdrawal or deposit transaction.
4. The method of claim 1, wherein said other money modules are teller money modules.
5. The method of claim 4, wherein said first money module is a transaction money module.
6. The method of claim 4, wherein said first money module is a teller money module.
7. The method of claim 1, wherein said other money modules are money generator money modules.
8. The method of claim 7, wherein said first money module is a teller money module.
9. A money module connecting system comprising:
a first money module having a processor and a memory that stores electronic money and a first money module certificate;
a network server having an external interface application, a communication session manager application and a route message application;
a security server having an external interface application and a bad money module control application;
a local network having a plurality of other money modules, where each said other money module has a money module certificate;
where said money module is programed to send its money module certificate to said network server to initate a communication session with a second money module without specifying said second money module;
where said network server is programmed to send said first money module certificate to said security server, and to establish communication with said second money module via routing by said local network;
where said security server is programmed to validate said first money module certificate and to send security information to said first money module; and where said second money module is programmed to send its money module certificate to said first money module.
10. The system of claim 9, wherein said first money module and said second money module are programmed to perform an electronic money withdrawal or deposit transaction.
11. The system of claim 9, wherein said other money modules are teller money modules.
12. The system of claim 11, wherein said first money module is a transaction money module.
13. The system of claim 11 wherein said first money module is a teller money module.
14. The system of claim 9, wherein said other money modules are money generator money modules.
15. The system of claim 14, wherein said first money module is a teller money module.
Description
BACKGROUND OF THE INVENTION
The present invention relates to an electronic monetary system for implementing electronic money payments as an alternative medium of economic exchange to cash, checks, credit and debit cards, and electronics funds transfer. The Electronic-Monetary System is a hybrid of currency, check, card payment systems, and electronic funds transfer systems, possessing many of the benefits of these systems with few of their limitations. The system utilizes electronic representations of money which are designed to be universally accepted and exchanged as economic value by subscribers of the monetary system.
Today, approximately 350 billion coin and currency transactions occur between individuals and institutions every year. The extensive use of coin and currency transactions has limited the automation of individual transactions such as purchases, fares, and bank account deposits and withdrawals. Individual cash transactions are burdened by the need of having the correct amount or providing change therefor. Furthemore, the handling and managing of paper cash and coins is inconvenient, costly and time consuming for both individuals and financial institutions alike.
Although checks may be written for any specific amount up to the amount available in the account, checks have very limited transferability and must be supplied from a physical inventory. Paper-based checking systems do not offer sufficient relief from the limitations of cash transactions, sharing many of the inconveniences of handling currency while adding the inherent delays associated with processing checks. To this ends economic exchange has striven for greater convenience at a lower cost, while also seeking improved security.
Automation has achieved some of these qualities for large transactions through computerized electronic funds transfer ("EFT") systems. Electronic funds transfer is essentially a process of value exchange achieved through the banking system's centralized computer transactions. EFT services are a transfer of payments utilizing electronic "checks," which are used primarily by large commercial organizations.
The Automated Clearing House (ACH) and point of sale (POS) systems are examples of electronic funds transfer systems that have become used by retail and commercial organizations on a substantial basis in recent years. However, the payments made through these types of EFT systems are limited in that they cannot be performed without the banking system. Moreover, ACH transactions usually cannot be performed during off business hours.
Home Banking bill payment services are examples of an electronic funds transfer system used by individuals to make payments. Currently, home banking initiatives have found few customers. Of the banks that have offered services for payments, account transfers and information over the telephone lines using personal computers, less than one percent of the bank's customers are using the service. One reason that Home Banking has not been a successful product is because the customer cannot deposit and withdraw money as needed in this type of system.
Current EFT systems, credit cards, or debit cards, which are used with an on-line system to transfer money between accounts, such as between the account of a merchant and that of a customer, cannot satisfy the need for an automated transaction system that provides for the transfer of universally accepted economic value outside of the banking system.
To implement an automated, yet more convenient transaction system that does not require the banking system to intermediate the transfer, and that can dispense some form of economic value, there has been a trend towards off-line electronic funds transfer. For example, numerous ideas have been proposed for come form of "electronic money" that can be used in cashless payment transactions as alternatives to the traditional currency and check types of payment systems. See U.S. Pat. No.
4,977,595, entitled "METHOD AND APPARATUS FOR IMPLEMENTING ELECTRONIC CASH, and U.S. Pat. No. 4,305,059, entitled "MODULAP FUNDS TRANSFER SYSTEM."
The more well known techniques include magnetic stripe cards purchased for a given amount and from which a prepaid value can be deducted for specific purposes. Upon exhaustion of the economic value, the cards are thrown away. Other examples include memory cards or so called smart cards which are capable of repetitively storing information representing value that is likewise deducted for specific purposes.
However, these proposed systems suffer from a failure to recognize fully the significance of bank deposits as money, and their necessity to back any form of universally accepted monetary representations that may be issued. In the systems disclosed thus far, representations of economic value, whether electronic or paper, are issued without the backing of equal valued liabilities as the counterpart to their assets.
None of the paperless payment systems that have been proposed so far are comprehensive enough so as to implement a multipurpose electronic monetary system that includes not only the automated devices that allow subscribers to transfer electronic funds or money between then without any intermediating system, but that also encompasses and includes an entire banking system for generating the value represented by the electronic money and for clearing and settling the electronic money accounts of the banks and financial institutions involved to maintain a monetary balance within the system.
Thus, there is a need for a system that allows common payer to payee economic exchanges without the intermediation of the banking system, and that gives control of the payment process to the individual. Furthermore, a need exists for providing a system of economic exchange that can be used by large organizations for commercial payments of any size, that does not have the limitations of the current EFT systems.
Accordingly, it is an object of the present invention to provide a complete electronic monetary system which utilizes electronic money that is interchangeable with traditional cash and is universally accepted.
It is another object of the present invention to provide a method of securely transferring economic value including currency and credit among subscribers, among financial institutions, and between subscribers and financial institutions.
A further object of the present invention is to provide a multipurpose paperless payment system whereby transactions can be carried out in both an on-line and an off-line code between subscribers.
It is yet another object of the present invention to provide a payment system that reduces the cost of central electronic funds transfer systems by off loading much of the payments to off-line devices.
It is still another object of the present invention to provide a system of inexpensive electronic transfers to reduce an institution's cost of managing paper cash, checks and coins.
It is still a further object of the present invention to provide a user friendly electronic payment system that may be used reliably and securely for real time transfers of money between members of the general public, between members of the general public and commercial organizations, and between commercial organizations.
It is still another object of the present invention to provide a system for depositing and withdrawing economic value which may be integrated with a wide variety of data processing and data communication systems including currently available home banking services.
It is still a further object of the present invention to provide an electronic monetary system which utilizes electronic money in the form of multiple currencies.
It is yet a further object of the present invention to provide a system for safely transferring economic value in transactions of virtually any size denomination.
It is yet another object of the present invention to provide a medium of economic exchange that is fungible, easily transferable, undeniably redeemable, and secure from reuse, duplication, and counterfeiting.
The foregoing objects and advantages of the invention are illustrative of those which can be achieved by the present invention and are not intended to be exhaustive or limiting of the possible advantages which can be realized. Thus, these and other objects and advantages of the invention will be apparent from the description herein or can be learned from practicing the invention, both as embodied herein or as modified in view of any variations which may be apparent to those skilled in the art. Accordingly, the present invention resides in the novel methods, arrangements, combinations and improvements herein shown and described.
SUMMARY OF EXEMPLARY EMBODIMENT
To achieve the foregoing, and other objects, the method and apparatus of the present invention employ a preferred embodiment in the form of an electronic-monetary system having (1) banks or financial institutions that are coupled to a money generator device for generating and issuing to subscribing customers electronic money including electronic currency backed by demand deposits and electronic credit authorizations: (2) correspondent banks that accept and distribute the electronic money; (3) a plurality of transaction devices that are used by subscribers for storing electronic money, for performing money transactions with the on-line systems of the participating banks or for exchanging electronic money with other like transaction devices in off-line transactions; (4) teller devices, associated with the issuing and correspondent banks, for process handling and interfacing the transaction devices to the issuing and correspondent banks, and for interfacing between the issuing and correspondent banks themselves; (5) a clearing bank for balancing the electronic money accounts of the different issuing banks: (6) a data communications network for providing communications services to all components of the system; and (7) a security arrangement for maintaining the integrity of the system, and for detecting counterfeiting and tampering within the system.
In the preferred embodiment, the functions of the money generating devices, the transaction devices, and the teller devices will be performed by a combination of tamper-proof computer hardware and application software modules that way be networked together. Information is transmitted in an encrypted form to provide security from unauthorized inspection. The electronic money is transmitted with digital signatures to provide authentication, and security from modification or counterfeiting.
The electronic money exchanged by these devices may be an electronic representation of currency or credit. An important aspect of the electronic currency is that it is the equivalent of bank notes and is interchangeable with conventional paper money through claims on deposits in an issuing bank, but can be withdrawn or deposited both at an issuing bank and at a correspondent bank. However, only the issuing banks can generate the electronic currency, and will be liable for its redemption.
The issuing banks later utilize inter-bank clearing and settling processes to maintain the monetary balance in the banking system, as is currently practiced by today's banking industry.
The electronic money representations are fungible, universally accepted, and undeniably redeemable from the issuing banks, i.e., they have the characteristics of money transactions. To preserve the integrity of the electronic monetary system, each exchange of electronic money includes, along with other information, data identifying the monetary unit of the credit or currency, (i.e., dollars, yen, etc.) the amount by unit of credit or currency, the bank issuing the electronic credit or currency, and several digital signatures.
SUMMARY OF THE INVENTION
In accordance with these and other objects of the invention, a brief summary of the present invention is presented. Some simplifications and omissions may be made in the following summary, which is intended to highlight and introduce some aspects of the present invention, but not to limit its scope. Detailed descriptions of a preferred exemplary embodiment adequate to allow those of ordinary skill in the art to make and use the inventive concepts will follow in later sections.
According to a broad aspect of the invention, an electronic monetary systems provides for transactions utilizing electronic money including electronic currency backed by demand deposits in a bank in lieu of cash transactions, and electronic credit authorizations. The invention comprises a money module for generating the electronic money; a money module for issuing, distributing, and accepting the electronic money; and a money module for accepting, storing, and transferring the electronic money between other accepting money modules and between the accepting money module and the issuing money module.
According to a further aspect of the invention, an electronic monetary system is provided for implementing and maintaining electronic money which includes electronic currency that is interchangeable with conventional money through claims on deposits in a bank and electronic credit authorizations.
The system includes a plurality of issuing banks; a generator module for creating electronic money; teller modules coupled to the generator module, for performing teller transactions and for interfacing with other teller modules, such transactions including the accepting and the distributing of the electronic money; a security system for providing the overall integrity of the electronic monetary system; a clearing and settling process for balancing the electronic money accounts of the separate issuing banks and for clearing the electronic money issued by the issuing banks; and a plurality of transaction modules owned by authorized users for transferring the electronic money between the transaction modules and between the transaction modules and the teller modules.
In accordance with another aspect of the invention, the functions of the generator modules, the transaction modules, and the teller modules will be performed by a combination of tamper-proof computer hardware and application software that may be networked together.
The electronic money exchanged by these modules, which may be an electronic representation of currency backed by demand deposit accounts at the issuing bank or credit authorizations, may be transmitted with digital signatures to provide security from unauthorized modification or counterfeiting. In a preferred embodiment, security from counterfeiting and tampering is also provided by requiring the modules and the individual units of electronic money to be renewed periodically. Offending modules or counterfeit electronic money can be removed from circulation as soon as they are discovered.
Briefly, a process in accordance with the invention comprises the steps of
(1) providing a generating module to generate electronic representations of economic value backed by demand deposits or by a credit line;
(2) providing a teller module to accept the generated electronic representations of economic value and to issue the electronic representations of economic value;
(3) providing the authorized users with a transacting module for accepting, storing and transferring the electronic representations of economic value to other authorized users having the transacting module and to the teller processing module;
(4) accepting and transferring the electronic representations of economic value to other authorized users having a transacting module and to the teller module; and
(5) providing a security system to allow the transfer of electronic representations of economic value in a secure manner between the generating module, the teller module and the transacting module.
BRIEF DESCRIPTION OF THE DRAWINGS
Other objects and advantages of the present invention will become more apparent by the following description with reference to accompanying drawings, in which:
FIG. 1 is a diagram illustrating general aspects of the invention;
FIG. 2 is a schematic diagram of the operative arrangement of the components, according to the invention.
FIG. 3 is a perspective diagram of several embodiments of external systems that may house a money module, according to the invention.
FIG. 4 is a block form diagram of a Transaction money module, according to the invention.
FIG. 5 is a block form diagram of a Teller money module, according to the invention.
FIG. 6 is a block form diagram of a Money Generator module, according to the invention.
FIG. 7 is a block diagram of the network arrangement, according to the invention.
FIG. 8 is a block diagram of a Network Server, according to the invention.
FIG. 9 is a flow diagram of the security system, according to the invention.
FIG. 10 is a block form diagram of a security server, according to the invention.
FIGS. 11-24 are flow diagrams of accounting examples according to the invention.
FIG. 25 a flow diagram of the Transaction Reconciliation System, according to the invention.
FIG. 26 is a flow diagram of the Clearing System, according to the invention.
FIG. 27 is a flow diagram of the Money Issued Reconciliation System, according to the invention.
FIGS. 28-50A are flow charts of transaction examples, according to the invention.
FIG. 51 shows an example of a note transfer tree.
DISCLOSURE OF THE PREFERRED EMBODIMENT OF THE INVENTION
The present invention contemplates an improved monetary system using electronic media to securely and reliably exchange economic value. The system can be implemented by integrating novel data processing systems with other procedures which can be implemented with the current worldwide banking systems.
Throughout this description, "electronic money" may also be referred to by the abbreviation "E-M." Additionally, the term "bank" is used hereinafter to indicate any banking, financial institution or the like which is a participant of the present invention.
Referring now to the drawings, wherein like numerals refer to like components, there is disclosed in FIG. 1, in block form, broad aspects of the preferred embodiment. In FIG. 1, the general relationship among the features of the system is shown. The system includes Issuing Banks 1 each having a Teller money module 5 and a Money Generator module 6; Correspondent Banks 2 each having a Teller money module 5; an electronic money clearing Bank 31 a Certification Agency 28 and a plurality of Transaction money modules 4 owned by subscribers of the systems. Though money generator module 6 and teller module 5 are preferably embodied separately, the functions of these modules may be embodied in a unitary device under processor control.
Electronic notes 11, the media for transferring electronic money, are generated by the Money Generator module 6 for an Issuing Bank 1. These notes 11 are then transferred by a Teller money module 5 to a subscriber utilizing a Transaction money module 4. Electronic notes 11 may be representations of currency or credit authorizations. For security reasons, all electronic notes 11 will expire after a preset time period. Once expired, the notes 11 must be redeemed at a participating bank for updated ones before they can be transferred.
An Issuing Bank 1 generates and distributes the electronic notes 11, and is liable for their redemption. An Issuing Bank 1 performs deposits, withdrawals, payments to loans and inquiries for other money modules.
A Correspondent Bank 2 is a participating bank which distributes electronic money through accounts it maintains at Issuing Banks 1, but does not generate any electronic money, and is not liable for its redemption. Because it cannot generate any electronic money, the Correspondent Bank 2 in the preferred embodiment must make real-time requests of electronic money from an account it maintains at an Issuing Bank 1 whenever a subscriber wishes to withdraw electronic money at a Correspondent Bank 2.
Conversely, a Correspondent Bank 2 deposits all electronic money deposited by subscribers, to the accounts the Correspondent Bank 2 holds at Issuing Banks 1. These accounts will be described hereinafter. A Correspondent Bank 2, like an Issuing Bank 1, will perform deposits withdrawals, payments to loans and bank inquiries.
Notably, an Issuing Bank 1 may also be a Correspondent Bank 2 for the monetary units that it does not generate. For example, an Issuing Bank 1 for electronic dollar notes 11 may key a Correspondent Bank 2 for electronic notes 11 of yen, marks, etc., issued by other banks.
It is also important to note that the system of the invention can function without Correspondent Banks 2. For example, a subscriber can eliminate the use of a Correspondent Bank 2 by communicating directly with his/her Issuing Bank 1 when making a deposit, withdrawal, etc. Correspondent Banks 2 are included in the preferred embodiment for the practical purpose of expanding distribution of the system while reducing the risks that are inherent in any banking system, such as the risks caused by the collapse of a bank issuing money.
The Clearing Bank 3 is utilized when more than one bank is issuing electronic money. According to the invention, it is anticipated that more than one bank will be issuing electronic money. Thus, the Clearing Bank 3 is provided to clear the electronic money deposited and to balance accounts it maintain for the Issuing Banks 1. The Clearing Bank 3 maintains demand accounts for each Issuing Bank 1 in the system.
The Certification Agency 28, is the centerpiece of the system security. It provides a process that "certifies" the validity of a money module for a certain period of time by issuing a certificate to each money module. A money module must have a valid certificate in order to be able to transact with other money modules 4, 5, 6.
Before the certificate expires, it must be updated so that a subscriber can continue to use his/her transaction money module 4. This process makes users of the system establish periodic contact with the Certification Agency 28.
Periodic contact allows for faster response when tampering with the money modules of the system is detected. To this end, the Certification Agency 28 also provides a list of offending or compromised money modules to other money modules so that transactions with the bad units may be blocked.
The components shown in FIG. 1 are best understood by referring to the system's operative arrangement illustrated in FIG. 2. As illustrated in FIG. 2, the preferred embodiment provides for supplements to the current banking system that include the following additional components: a plurality of the Transaction money modules 4, the Teller money modules 5, and the Money Generator modules 6, for creating, transferring and storing the electronic notes 11 (money); a Clearing System 13 to balance the accounts of banks issuing currency and credit; a security system 21 to maintain the integrity of the electronic notes 11; the current banking systems 20; a network 25 (exemplified by the lines interconnecting modules and systems) to mediate transactions between money modules 4,5,6, the participating banks 1,2,3 of system 20 and the security system 21; a Transaction Reconciliation system 22 to detect money module malfunctions and insider tampering of the system: a Money Issued Reconciliation System 23 to detect counterfeiting and reuse of electronic money; and a Money Position System 24 to keep track of the electronic money in circulation.
Playing major roles in the preferred embodiment are three classes of "money modules" for creating, storing, and transferring the electronic objects that represent economic value. These include the Transaction money modules 4, the Teller money modules 3, and the Money Generator modules 6. It is contemplated that these money modules 4,5,6 will be a combination of tamper-proof hardware and application software that are meant to be components of a larger processing environment.
Referring to the top right-hand side of FIG. 2, a Transaction money module 4 containing electronic notes 11 stored therein (not shown) may be used to exchange foreign currency or make a payment with another Transaction money module 4, using a secure, encrypted protocol either by a telephonic link, or a proximate communication link. Because it is contemplated that an electronic note 11 will be fungible, i.e., it can be broken into any desired amount, the amount transacted between the Transaction, money modules 4 may be of any amount up to the amount stored in the payer's Transaction money module 4.
A payee's Transaction money module 4 that has received the electronic notes 11 as a payment may, in turn, be used to transfer all or any amount of the electronic money contained therein to another subscriber's Transaction money module 4. Alternatively, the payee may deposit the electronic money into his/her bank account.
The value of the electronic money stored in the Transaction money module 4 may also be redeemed at any participating bank (e.g., Correspondent Bank 2 or Issuing Bank 1) for paper money by transferring any amount of the electronic money to a bank's Taller money module 5, whereby a teller or an Automated Teller Machine (ATM) will return an equal amount of paper money. Naturally, it is anticipated that paper money may also be exchanged for equal valued electronic money.
As will be appreciated, the Transaction money module 4 may be configured to make deposits, withdrawals, loan payments, inquiries and exchanges of currencies of electronic notes 11 directly through a Teller money module 5 at an Issuing 1 or Correspondent Bank 2 or remotely through a telephonic connection to an Issuing 1 or correspondent Bank 2 Teller money module 5 (thereby providing, among other things, the transactions not available in current home banking systems). Upon a request to transact with a bank, the Teller money module 5 mediates the transactions for the subscriber's bank account as well as the banking system's electronic money accounts.
It should be noted that a subscriber will not be required to maintain a bank account in order to own and use a Transaction money module 4. For instance, a subscriber may obtain a stand-alone computing device that contains a Transaction money module 4 and use the device only in off-line peer-to-peer transactions with other devices containing a Transaction money module 4, such as a merchant's point-of-sale terminal. Of course, the merchant may then transfer the electronic money to another commercial organization to meet its obligations, or it may deposit the electronic money at its own bank.
In the preferred embodiment, electronic money deposited at any Issuing Bank 1 other than the original Issuing Bank 1 itself will subsequently be settled for value with the original Issuing Bank 1 through the central clearing and settling process performed by the Clearing System 13. It is anticipated that the clearing and settling processes will be managed by the Clearing Bank 3 (FIG. 1). Each Issuing Bank 1 Teller money module 5 sends all the electronic notes 11 deposited at its bank but issued from other Issuing Banks 1 to the Clearing Bank 3 in order to settle for the value posted to their customers' accounts.
When a withdrawal, an exchange for foreign currencies, an exchange of paper cash for electronic money, or an updating of the electronic money occurs, the Money Generator module 6, FIG. 2, creates and digitally signs electronic objects having economic value--either currency or credit notes 11 (FIG. 1)--that are to be sent to the Transaction money modules 4 through the participating bank's Teller money modules 5 in the form of a packet of electronic notes 11. As mentioned above, the electronic currency notes 11 are the equivalent of bank notes that are backed by deposits, and can be traded between Transaction money modules 4.
During the withdrawal transaction, the Teller money module 5 and the Transaction money module 4 may establish a communications link using an encrypted protocol to securely transfer the notes 11 from the Teller money module 5 to the Transaction money module 4.
Records of the notes 11 generated and conveyed by the Money Generator module 6 are sent to the local bank's Transaction Reconciliation System 22 and an issuing Bank's 1 Money Issued Reconciliation System 23 for maintaining statistical And housekeeping functions. Records of the electronic notes 11 cleared and settled at the Clearing Bank 3 are also provided to the Money Issued Reconciliation System 23. From those compilations, a financial position of the system can be produced by the Money Position System 24.
Discrepancies and malfunctions are reported to the Security System 21 which downloads the lists of problem money modules to all money modules in the system when they are connected to the Network 25. By carrying this list, a Transaction money module 4 will be inhibited from transacting with other suspect Transaction money modules 4.
Having thus provided an overview of the preferred embodiment, there will now follow a more detailed description of the individual elements and the transactions between them.
Money Modules
FIG. 3 provides several embodiments of external systems or devices for housing money modules,
In the preferred embodiment, the external system or device will typically contain data display means, data input means, data processing means, memory storage means, direct connection or contactless bidirectional communications means, and the money module packaged in a tamper-proof housing, all interfaced by suitable means for information transfer, such as are well known in the art.
As will be understood, a money module way be embodied as a modular component of any larger processing environment while still performing the same functions. For example, Transaction money modules 4 may work as co-processors embedded in personal portable computing devices like the Hewlett-Packard 95LX, or as co-processors in mainframe computers, workstations, point-of-sale terminals or telephone devices (fixed or portable) connected to a network.
A Teller money module 5 may be embodied as a co-processor in the bank's financial computer systems. The Money Generator module 6 could be a separate processing unit networked to the bank, a co-processor in a general purpose computer, or it may be combined with an Issuing Bank's 1 Teller money module 5 in a larger processor as illustrated by the unitary device 1001 of FIG. 1.
Because it is anticipated that a money module will be implemented in a separate processing device, it is assumed that, corresponding interface circuitry would be provided in the host processing device to provide communication between the processing device and the money module.
Notably, all classes of money modules contemplated by the invention may be implemented programmatically or by direct electrical connection through customized integrated circuits, or a combination of both, using any of the methods known in the industry for providing the functions described below without departing from the teachings of the invention. Those skilled in the art will appreciate that from the disclosure of the invention provided herein, commercial semiconductor integrated circuit technology would suggest numerous alternatives for actual implementation of the inventive functions of the money module that would still be within the scope of the invention.
Transaction Money Module
In one embodiment, the Transaction money module 4 way be imbedded in any computer of any size or use, like those serving as general purpose computers or work-stations, to provide functions not limited to E-M transaction use. This latter application will allow for such uses as real-time, off-line payments between personal computing devices, or on-line payments for network services such as information retrieval, telephone calls, or for purchasing airline tickets, theater tickets, etc.
In another embodiment, the Transaction money module 4 may be imbedded in an individual hand-held integrated circuit unit, such as a personalized hand-held computer that may be readily carried by an individual as though it were a wallet. As an illustration, the device of the preferred embodiment may include a keyboard, a pan or stylus, a touch screen or voice recognition circuitry as a data input means, an alphanumeric LCD dot matrix display as a display means, an infrared optical transceiver as a contactless bidirectional communications means, and an RJ-11 telephone jack coupled to modem circuitry as a telephonic communications means. Additionally, the device may also include various electronic processing and storage means for providing calculator capabilities, for storage and processing data of the owner, etc.
It is important to note that the particular design of the external device is not critical to the invention, and other technologies suitable for accomplishing the foregoing functions may also be used. For example, an LED instead of an LCD display panel may be used; radio, infrared, inductive or capacitive communications methods may be used instead of direct connection; optical communications methods may be used; etc.
In general, it is anticipated that any Transaction money module 4 owned by a subscriber will be embodied in a self-contained, tamper-resistant unit that contains components which are difficult to access, and thus prevent any person from improperly examining, counterfeiting or modifying any of its contents or arrangements. For example, integrated semiconductor circuits, whose contents are difficult to examine, encased in a tamper-resistant package such as that formed by an epoxy or plastic lamination may provide a high degree of physical security while providing the necessary storage, computation, timing, and other data processing functions.
However, the invention is not limited to any particular tamper-resistance means, inasmuch as there are a number of methods known in the industry for providing such security. Such tamper-resistance will also prevent the owner, who can control only some of the internal operations of the Transaction money modules 4, from certain accesses to thereby provide security from abuse to other relevant institutions and individuals.
Each Transaction money module 4 will have a way of ensuring its own association with a particular subscriber, so that its use by other individuals may be limited. In addition to the use of Personalized Identification Number (PIN) methods that are well known in the art, the Transaction money module 4 may also include means such as a fingerprint reader, voiceprint analyzer, written signature analyzer, or other so-called biometrics means, to determine the physical identity of an authorized subscriber.
Additionally, the Transaction money module 4 may utilize personalized interactive proofs using questions that only a true owner would be able to correctly answer, such as the owner's mother's maiden name, his/her favorite color, etc. Any such techniques may provide additional security for organizations, and may also be to the advantage of the authorized user since such security can protect the subscriber's data from inspection and use by someone also coming into possession of the Transaction money module 4.
Because the Transaction money module 4 can take on a variety of physical representations, it will be described by the functions performed in addition to the pertinent physical characteristics of a preferred embodiment.
Referring now to FIG. 4, a Transaction money module 4 is shown diagrammatically in block form. Specifically, a Transaction money module 4 has (1) an xternal interface 30 that interfaces the Transaction money module 4 to the module's data processing means, the input/output xmans (human interface) and the communications circuitry of the external device; (2) a session manager 31 to control and commit (i.e., finalize) or abort a transaction session; (3) a transactor 32 to manage application functions; and (4) a money holder 38 to contain and manage the electronic representations of money.
According to the invention, the following application functions may be implemented in the preferred embodiment of the present invention:
The To Subscriber application 33 performs the function of comparing the owner identification characteristics, such as a user's personal identification number (PIN) and biometrics characteristic (e.g., fingerprint, voiceprint, etc.), that are stored in the memory of the Transaction money module 4, to those of the individual who is attempting to gain access to the Transaction money module 4. After the proper ownership is verified, the Transaction money module 4 may be activated, and the user is allowed certain accesses to the Transaction money module's 4 stored contents. Messages to the subscriber, and subscriber inquiries as to the information contained within the Transaction money module 4 are also handled by this application function.
The To Teller application 34 interfaces the Transaction money module 4 to the Teller money modules 5 for initiating and performing deposit, withdrawal, loan payment transactions, and bank inquiries with such Teller money modules 5.
The Pay/Exchange application 35 supervises the sending and receiving of electronic notes 11 between Transaction money modules 4, managing the process in which the electronic notes 11 are properly "packaged" as to amount, digital signatures, etc. This application provides that the electronic notes 11 are transferred in a recognized, valid format. Notably, this is the application that allows a money module to perform payments and foreign exchanges. Without this application in the preferred embodiment, a Transaction money module 4 cannot Make a payment to another Transaction Money Module 4.
The Tran Log Mgr. application 36 provides the management and overseeing of a log that records completed transactions undertaken by the money module. For each completed transfer of electronic money, an illustrative Tran Log records:
(1) the type of transfer (i.e., payment, deposit, foreign exchange, etc.),
(2) the date of transfer,
(3) the amount of transfer,
(4) the Issuing Bank 1 identifier
(5) the note identifier,
(6) the monetary unit,
(7) the identifier of the other money module involved in the transaction, and
for deposits, withdrawals and loan payments:
(8) the bank account number,
(9) the bank identifier, and
(10) the amount of the transaction.
In the preferred embodiment, every money module will have an identifier. A money module identifier may be thought of as the "serial number" of the money module and is never changed.
It is anticipated that a subscriber may have access to several of the fields of data stored in the Tran Log application, such as histories of the amount, date, and type of transfer. Information as to the expiration date of a certificate may also be accessed by the subscriber so that he/she will be informed are to the need to update or revalidate the money module's certificate.
The Maintain Security application 37 manages a list of money module identifiers that are known to have been generally compromised. In particular, this is a list that is distributed to each money module when it communicates with the Network 25, and is a list of money modules that have passed an invalid or counterfeit electronic note 11 or have performed acts deemed detrimental to the system.
When establishing a session between money modules, each money module checks its list of bad money modules to see if the other is an offending money module. If the other money module's identifier appears on the list, the communication is broken off.
This application also provides the process for obtaining the certificate unique to the money module, for synchronizing an internal clock, and for managing the creation of new cryptography keys.
The Note Directory 39 application performs the function of keeping track of the location, identification and value of each of the electronic notes 11 stored within the money module. A note 11, whether it is an electronic currency note or an electronic credit note, is the basic unit of electronic money. It is the electronic object representing the economic value, the electronic bits that contain the amount, expiration date, note identifier etc. (described in detail below) that gets digitally signed (described below) and encrypted when being transferred Both electronic currency notes 11 and electronic credit notes 11 nay be located by the Note Directory 39.
The Note Directory application 39 updates the current amounts of electronic notes 11 (both currency and credit), after every transfer. A date-of-expiration, a note identification number and an Issuing Bank identifier is also recorded with the location of each note 11.
In summary, the Note Directory 39 keeps track of the note identification number, the Issuing Bank 1 identifier, the date-of-expiration of the note 11, the location of the note 11 as; stored in the Transaction money module 4, and the current amounts of the value of each of each of the notes 11 stored. These records are maintained for both electronic currency and electronic credit. For a credit note 11, the account number of the credit line is also maintained.
The Notes application 40 manages the storage of the representations of the electronic notes 11 themselves, both currency and credit notes 11. This application also generates the transfers when notes 11 are to be conveyed.
The Packet Manager application 41 manages the construction and formatting of a packet of electronic notes 11 that are to be transferred to another money module. For example, the Packet Manager 41 will utilize an algorithm so that the least number of electronic notes 11 are used to fulfill the requested amount of transfer, with the earliest dated electronic notes 11 being used first. Alternatively, when a packet of notes 11 is transferred to the receiving money module, the Packet Manager
41 application "disassembles" the packet, verifying the date and separating the data fields that represent the different electronic notes 11.
The formatted packet gets several data fields appended to it when electronic notes 11 are "assembled." An identifier data field provides the indica that identifies it as a packet. Additionally, data fields for the total value of the notes 11, the number of notes 11, and the individual locations of the notes 11 are provided.
The Verifier application 42 verifies that a received packet contains valid electronic notes 11 before a receiving money module accepts them. The Verifier 42 also checks that the total amount received is equal to the sum of the electronic notes
11 that are to be transferred. If the total amount and the individual electronic notes 11 are valid, an acknowledgment is returned to allow for completion of the transfer. Otherwise, an "invalid" message is sent, and the transfer may be aborted.
Services applications that are provided fall under two categories: Clock/Timer 43 and Cryptography. The Clock/Timer 43 provides output pulses for controlling a transaction timeout, such as the time between the sending of a message and the return of a corresponding message.
As will be appreciated, when two money modules are communicating, they may be monitoring a time-out protocol. For example, after a first money module has sent a message to a second money module, the Session Manager 31 of the first money module ("A") may set a timer for a reply if the Transactor 32 indicates that a reply is required. The Session Manager 31 may also number the message sent. This number would appear in the reply message from the Session Manager 31 of the second money module ("B").
If the timer expires before the message has been received, then Session Manager A 31 will query Session Manager B 31 to determine if the transaction is still running in B. If B does not reply then Session Manager A 31 will abort the transaction. If a reply is received that the transaction is proceeding, then the timer will be reset to a new time. If A queries B a predetermined number of times without receiving a reply to the original messages then A may abort the transaction.
Separately, this application also maintains the current date and time, both for user display and for verifying that an electronic note 11 to be received is not an expired one, along with other general clock functions that are commonly used in that industry.
The Cryptography application contains a Public Key 44 operation, a Symmetric Key 45 operation, and a Random Number Generator 46. While the tamper-resistance of the Transaction money module 4 and its components makes it difficult for a person to modify the structure of the device or its contents, known cryptographic techniques are also employed to provide secure communications and payment transfers between money modules.
Public key cryptography 44, as is well known in the art, may be employed by this application to provide public key digital signatures, which are called "digital signatures" or simply "signatures" for brevity. The data in electronic notes 11, may be represented by a digital number. The electronic notes 11, are signed by digital signatures formed from this number. A digital signature can then be checked as corresponding to a particular message by anyone knowing the corresponding public key, which in the preferred embodiment would be all other money modules.
This application provides each money module with the ability to check the digital signature for authenticity. A money module receiving the digitally signed electronic note 11 can in turn sign and transfer it to others, who could also check, sign and distribute it.
Because of the "one way" nature and computational complexity of public-key digital signatures, it is thought to be infeasible to decipher and duplicate then within a feasible period of time, making such a security system resistant to forgery.
Lastly, this application also creates new public and private keys when needed.
Symmetric Key cryptography 45 provides private key algorithms that are wall known in the art, for individual session security and privacy between money modules. In the preferred embodiment, this application provides encryption/decryption means in order to secure information being exchanged between two money modules.
Any well known symmetric key cryptography technique, such as the National Data Encryption Standard (DES) system or other cryptography techniques, may be provided in this application. For example, due to the increasing interest in providing cryptographically secured communications, manufacturers are providing various semiconductor integrated circuit devices which perform the encryption and decryption of data. Cylink corporation's CIDEC data encryption devices are examples of commercially available encryption/decryption circuitry that would be suitable in the present invention for this application. Due to the federally mandated use of the DES algorithm, devices such as these are widely utilized to implement that algorithm.
It is important to note that the details of the particular cryptographic methodology utilized by the money modules are not critical and are not limited to a particular cryptographic technique.
The Random Number Generator 46 generates random like numbers for creating new public/private keys for the Public Key application 44 and new private keys for the Symmetric Key 45 application. This application is utilized to vary in an unpredictable way the generation of temporary asesion keys.
Circuitry for providing such random number generation capability are well known in the art. For instance, a circuit utilizing a "noisy" diode may provide random values, as is well known in the industry. Random numbers may also be provided by a pseudorandom number generator circuit which implements a mathematical algorithm, such as the power-residue algorithm, that generates apparently random values from a "seed" number. The use of clocks or counters provides another often used source of random data. As will be understood, the Random Number Generater 46 may use techniques that are well known to a person of ordinary skill in the art to generate the temporary numbers, and thus need not be further described.
It should be further understood that the foregoing functions disclosed herein may be performed by known programing techniques and/or dedicated hardware and in some cases may be combination of both or shared resources from each. As may be appreciated by a person skilled in the art, any changes in form and detail can be made in dependence on specific application requirements without departing from the essential features of the money modules.1
Teller Money Module
The banking systems 20 of both the Issuing Banks 1 and the Correspondent Banks 2 interface to the system of the invention through a Teller money module 5. The Teller money module 5 may be imbedded in any general purpose computer or workstation. The particular design of the Teller money module 5, like the Transaction money module 4, may be implemented in readily known programming techniques or dedicated computer hardware, or a combination of both. As will be appreciated by at person skilled in the art, various designs of the Teller money module 5 may be employed to implement the functions described herein.
The details of one embodiment of the Teller money module 5 is shown in block form in FIG. 5. The Teller money module 5 contains many of the same components and application functions of the Transaction money module 4 described above Therefore, the identical components will only be repeated briefly here, while the distinguishing components will be fully described. It should be noted that the Teller money module 5, like other money modules of the system, is also contained within a tamper-proof enclosure of the type common in the industry, so as to ensure the necessary security involved.
The Teller money module 5 contains an External Interface 30, a Session Manager 31, a Transactor 32 and a Money Holder 31 that perform similar functions to the corresponding components in the Transaction money module 4 described above.
Briefly, the External Interface 30 interfaces the Teller money module 5 to other processing and communications means within the Teller money module 5 host processor; the Session Manager 31 acts to control and commit (i.e., finalize) or abort a transaction session between the Teller money module 5 and another money module; the Money Holder 38 manages the storing and retrieval of electronic money; and the Transactor 32 manages that application functions of a To Teller 34, the Tran Log Mgr. 36, the Maintain Security 37, the To Bank 47, a To Money Generator 48, and the To Transaction 49.
The following list describes in brief, the applications contained in the Teller money module 5 that are functionally identical to the applications found in the Transaction money module 4:
To Teller 34: Interfaces deposit and withdrawal functions to another Teller money module 5.
Tran Log Mgr. 36: Transaction log manager for recording transaction details.
Maintain Security 37: Manages the list of compromised money modules, applies for certificates, synchronizes the clocks, and manages the creation of new digital keys.
Note Directory 39: Keeps track of the location, value and identification of notes 11 by monetary unit. Summary totals are also maintained.
Notes 40: Manages storage for the electronic notes 11 of exchange, and creates the transfers for the notes 11.
Packet Manager 41: Manages the assembly and disassembly of a packet to be transferred to a different money module.
Verifier 42: Verifies that a received packet contains valid electronic notes 11.
Clock/Timer 43: Controls transaction timeout, expiration of the validity of the electronic notes 11, expiration of the certificate, a general clock functions.
Cryptography
(i) Public key 44: used for signatures to sign and validate notes 11 and to set up a secure transaction session.
(ii) Symmetric key 45: Controls the security of a transaction session.
(iii) Random number generator 46: Generates random like numbers for new cryptographic keys.
Some of the distinguishing applications are the To Bank 47 and To Transaction 49 applications. The To Bank application 47 provides the interfacing means whereby the Teller money module 5 can perform exchanges of data for inquiries and account postings with the on-line systems of a bank. This application is also utilized for crosschecking the customer's account number with the accounts and type of transaction being requested.
The To Transaction application 49 performs deposits, withdrawals and payments to loans. This application operates whenever a Teller money module 5 is transacting with a subscriber's Transaction money module 4.
As mentioned above, a Teller money module 5 may be associated with an Issuing Bank 1 or a Correspondent Bank 2. When the Teller money module 5 is associated with a Correspondent Bank 2, it is utilized for intermediating deposits, withdrawals, and payments to loan accounts between a Transaction money module 4, the Correspondent Bank's 2 on-line systems, and an Teller money module 5 at an Issuing Bank 1.
When operating in an Issuing Bank 1 mode, the Teller money module 5 is used for intermediating deposits, withdrawals, and payments to loan accounts between other money modules and the Issuing Bank's 1 on-line systems. Additionally, when the Teller money module 5 is performing in an Issuing Bank 1 mode, a To Money Generator application 48 way be employed when requesting new notes 11.
Basically, the To Money Generator application 48 performs banking functions dealing with requests for electronic notes 11. It interfaces an Issuing Bank's 1 Teller money module 5 to a Money Generator Module 6.
All of the other elements performed in an Issuing Bank's 1 Teller money module 5 are essentially identical to the similarly named components and application functions described above.
Money Generator Module
FIG. 6 is a block diagram illustrating the application functions of a Money Generator module 6. Money Generator modules 6 provide the mechanism that Issuing Banks 1 utilize to issue electronic money. A Money Generator module 6 is also encased in a tamper-resistant package for the same security reasons stated above for other money modules.
A Money Generator module 6 generates the electronic money (in the form of electronic notes 11, to be described in further detail below), and distributes them to other money modules through the Teller money module 5 of an Issuing Bank 1. The Money Generator module 4 includes a unique application not present in other money modules for responding to requests for electronic money. This is the Money Creator application 50.
The Money Creator application 50 creates and formats the electronic objects representing value--either currency backed by demand deposits, or credit authorizations--and digitally signs these "electronic notes 11" using public key cryptography in conjunction with its secret key, so that it may be sent to an Issuing Bank's Teller money module 5.
Notably, in a Money Generator module 4 the To Bank application 47 notifies the bank systems of any irregularities, off-loads transaction records in the Tran Log to the Transaction Reconciliation System 22 and transfers electronic notes 11 to the Money Issued Reconciliation System 23. All of the other applications of the Money Generator module 6 are identical to the similarly named applications of the money modules described above.
The Network
According to one embodiment of the invention, the individual components of the present invention may communicate over a Network 25, as shown in FIG. 7. The Network 25 will link together the Issuing Banks 1, Correspondent Banks 2, the Clearing Bank 3 and the Certification Agency 28.
Transaction money modules 4 may be coupled to the Network 25 over the telephone exchange or via special terminal facilities at bank locations (e.g., additional contactless or cable connections at an ATM booth). A communication layer will carry transaction requests (e.g., deposits, withdrawals), packets of notes 11 and new certificates securely across the Network 25. In the preferred embodiment, the Network 25 will also provide directories of financial services, and update the money module clocks and the bad money module list of all money modules.
As will be understood, the Network 25 may use well known data link or communications systems and techniques that utilize, for example, telephone lines, fiber-optic land lines, and satellites, and that include connective, timing and control software and circuitry for allowing access and transmitting digital information. The Network 25 may use commercially available protocols and operating techniques such as those set forth by the International Standards Organization ("ISO") for Open Systems Interconnect network standards. It is important to note that the particular design of the Network 25 is not critical and suitable technologies for accomplishing the foregoing data communications functions may be used.
Each entity (Banks 1 and 2, Certifying Agency 25, or Clearing Bank 3) is also assumad to have an individual local network 16, 17, 18 and a gateway to the larger system Network 25. The larger Network 25 will provide directory services for the routing of messages to connect to the appropriate local network 16, 17, 18. The local network 16, 17, 18 has the responsibility of routing messages to the correct money module or a Security Server 27. A Security Server 27 is associated with each participating bank and the Certification Agency 28, and is used for implementing the security of the system.
FIG. 7 illustrates the preferred embodiment of the Network 25 generally, indicating that money modules of any participating bank may be intercoupled to the money modules of other banks and financial institutions, or another subscriber's Transaction money module 4 via a communications link directly connected into switching and processing centers and alternatively connected to a local network 16, 17, 15 at each entity.
A money module need only identify the local network 16, 17, 18 destination (typically a bank subnetwork) for the transmission of most messages. The local network 16, 17, 18 will route the message to an appropriate money module for establishing a session. Once a session is established, the Network 25 directs all messages between the two money modules. The Network 25 also controls messages between money modules and Security Servers 27.
Transaction money modules 4 may communicate over that Network 25 for deposits, withdrawals, payments to loan accounts updates or inquiries. The Teller S and Money Generator module 6 will sign on the Network 25 periodically to update security information. The sign-on will be initiated by the money module Session Manager 31, or by the bank Security Server 27 if recertification is required or if there are changes to the bad money module list.
A bank services directory may be available to the money modules primarily for updating the electronic notes 11 and performing foreign exchange. A list of participating banks for either service will be available from the Network 25.
In the preferred embodiment, the Network 25 will provide time services to the individual components of the present invention. Transaction 4, Teller 5 and Money Generator modules 6 and Security Server 27 clocks may be updated from a Network Server 26 in the Network 25 every time that the respective money module accesses the Network 25.
Network Servers 26 way provide the money module services described below, and gateway services to the local networks 15, 17, 18. The application functions of the preferred embodiment of the Network Server 26 are shown in the block diagram of FIG. 8. The following application functions are contemplated for the Network Server 26:
(1) External Interface 56--a communications layer which interfaces to the Network 25; and
(2) Communication Session Manager 57--manages a communication session between money modules, and between a money module and the Security Server 27.
Application Services are provided by:
(3) Manage Network Sign-on 58--controls the money module Network sign-on process;
(4) Synchronized Time/Date 59--keeps money module Clock/Timer 43 services synchronized to a system time;
(5) Route Message 60--directory services for routing messages, controlling message routing during sign-on and during a money module session; and
(6) Direct to Bank Services 61--provides information on services provided by participating banks.
As will be appreciated by one skilled in the art, switching and processing centers that are known in the industry may be used to enable the networking cooperation between a financial institution and any other that is coupled to the same centers.
Electronic Notes
We turn now to a further description of the elements of the electronic notes 11 themselves.
An electronic currency note 11 representing value is essentially an electronic object created from a transaction request (deposit or withdrawal) which is backed by demand deposits at an Issuing Bank 1. At various times and in various points of the system, the notes may appear in electrical or magnetic forms or as electromagnetic radiation. These notes 11 may be transferred over several transactions just like paper money, with the additional property of fungibility that allows the electronic notes 11 to be commuted and transferred in amounts less than or equal to the value of the note 11.
Notes 11 may be split by appending a transfer record to the note 11 and signing the note 11 using the private cryptographic key of the money module transferring the note 11. Electronic credit notes 11, however, can only be transferred once in the preferred embodiment, because it is anticipated that its receiver must deposit the credit note 11 so that the loan may be realized.
Credit notes 11, unlike currency notes 11 are drawn on a subscriber's loan account. Each credit note 11 carries the account number it is drawn on. The account may be a revolving credit or credit line on which the note 11 is drawn, operating much in the same way that a check or a credit card account works in today's banking industry. Credit notes 11 can represent a part of or all of the credit line of the account.
In the preferred embodiment, the credit notes 11 can only be transferred to another Transaction money module 4 by the owner of the account, and the receiver of a credit note 11 can only deposit it into his or her account as currency. From there, the credit note 11 is cleared with the currency at the clearing Bank 3. The subscriber's bank recognizes the loan upon receipt of the cleared credit note 11.
When credit notes 11 are withdrawn, they do not trigger any accounting transactions in the preferred embodiment. Current credit line processing may need to be modified to keep track of the amount of the credit line in the subscriber's Transaction money module 4. Whenever the subscriber communicates with the Issuing Bank 1 maintaining the credit line, the amount of the credit line in the Transaction money module 4 is removed and replaced based on any adjustments to the credit line in the bang system 20. Total credit notes 11 plus outstanding loans must be less than or equal to the total amount of the credit line.
Electronic notes 11 are comprised of three collections of data fields, namely a Body group, a Transfer group, and a Signatures and Certificate group. The Body group of data fields includes the following information:
(1) the type of electronic note 11, i.e., whether it is a currency note 11 or a credit note 11:
(2) the Issuing Bank's 1 identifier;
(3) the monetary unit identifier.
(4) a Note identifier;
(5) its date-of-issue;
(6) its date-of-expiration;
(7) the subscriber's account number (used only for credit notes 11);
(8) the amount or value of the note 11; and
(9) the Money Generator module 6 identifier.
The Transfer group of data fields includes:
(1) a total of the number of times that the electronic note 11 was transferred; (provided for currency notes 11 only)
(2) a list of transfer records that indicate, the date-of-transfer, the amount transferred and the identification number of the receiver.
The Signature and Certificates group of data fields includes:
(1) the digital signature of the Money Generator module 6;
(2) the Money Generator module 6 certificate;
(3) a list of payors which contains each payer's signature and certificate.
The body, transfer records, the signatures and the certificate of the chain of the transferred payments constitute the electronic note 11 sent. The remaining amount of the note 11 is recorded in the Note Directory 39 of the money Module in which it is stored.
It is important to note that the authenticity of an electronic note 11 is determined by the validity of the digital signature of the Money Generator module 6. And the validity of the signatures of past payors (if present). Any inconsistencies in this information will cause the transfer of any electronic notes 11 to be aborted.
It is also important to note that as a security measure, a note 11 will be valid for a limited time, up to its expiration date. An expired note 11 cannot be transferred, it must be updated by transacting with a participating bank. To this and, whenever a Transaction money module 4 performs any transaction with a Taller money nodule 5, all of the electronic notes 11 stored in a Transaction money module 4 will be transferred to the Teller money module 5 so that the notes 11 may be replaced with updated ones before they expire. This security procedure also helps to keep offending notes 11 from being circulated broadly. As will be understood, every time that a note 11 is transferred to another money module, a transfer record indicating to whom it is transferred is appended. Thus, the recipient of an electronic note 11 will also receive a record of all of the past holders of the note 11.
For example, a $50 electronic note 11 may be generated, and withdrawn by a Transaction money module 4. Assuming it is transferred to other money modules in $10, $10, and $30 denominations, the recipient money modules will receive the note 11
with the transfer record identifying the first Transaction money module 4. When a recipient of the $10 note 11 transfers $5 of it to a third party, the third party receives the note 11 along with the record indicating the previous two holders. Assuming this $5 note 11 is then deposited, a record of it will be matched with other segments of the original $50 note 11 that find there way back into the banking system by the clearing and reconciliation processes of the present embodiment. In accordance with the previous example, FIG. 51 shows how the subsequent transfer of an electronic representation of currency produces a tree-like structure of electronic representations of currency derived from the initial note produced by the money generator module. The money generator module 1003 having identifier "1" (module identifiers are contained in digitally signed certificates) produces the electronic representation of currency 1005 having a body group of data fields 1007 and a transfer group of data fields
1009. The signatures and certificates group of data fields is not shown for convenience.
The body group of data fields 1007 includes a note identifier 1011 (e.g., "12"), a money generator module identifier 1013 (e.g., "1"), an issuing bank identifier 1015 (e.g., X), a date-of-issue 1017 (e.g., 1:00:00), a date-of-expiration 1019
(e.g., 12:00:00), a note amount and a monetary unit identifier 1021 (e.g., $50). Other body group data fields such as type of note are not shown for convenience.
The transfer group of data fields 1009 includes a transfer record having a transferee identification number (e.g., "2"), a date-of-transfer (e.g., 1:00:00), and a transfer amount (e.g., $50). The transfer group data field indicating total number of transfers is not shown for convenience. The various date fields in the electronic notes are shown for illustrative purposes as being in the form day:hr:min. Other time monitoring forms (e.g., including seconds) are, of course, possible.
The electronic representation of currency 1005 from money generator module 1003 is stored in teller module 1023 having identifier "2". As part of the withdrawal of $50 by transaction module 1025 having identifier "3", teller module 1023 forms electronic representation of currency 1027 by appending transfer record 1029 to a copy of the data fields in the electronic representation of currency 1005. The note 1027 is stored in transaction module 1025 upon completion of the withdrawal. For illustrative convenience, the remaining note transfers only show the newly appended transfer record portion of the transferred note.
At 1:10:00, transaction module 1025 pays $10 by transfer record 1031 to transaction module 1033 having identifier "4". At 1:20:00, transaction module 1025 pays $10 by transfer record 1035 to transaction module 1037 having identifier "5". At
1:30:00, transaction module 1025 pays $30 by transfer record 1039 to transaction module 1041 having identifier "6". At 2:00:00, transaction module 1033 pays $5 by transfer record 1043 to transaction module 1045 having identifier "7". At 2:10:00, transaction module 1045 deposits $5 by transfer record 1047 to teller module 1049 having identifier "8". Of course, alternatively transaction module 1045 could have deposited its electronic money in teller module 1023. Only the receiver of the transferred note 11 can either deposit the note 11 or use it in payment. The Verifier 42 application of a money module is used to check the signature of each transfer, to determine if the note 11 is valid and to verify the identifier in the last transfer as the current holder of the note 11. This thwarts the new holder of a note 11 from trying to use a value greater than that which was transferred. It also inhibits copying notes 1i for use in another money module since the identifiers will not match.
As can be appreciated, a subscriber may be able to access certain information about the electronic notes 11 stored within the Transaction money module 4.
In particular, the subscriber nay be able to select information on the total amount of the electronic notes 11 stored, the monetary unit of the notes 11, the type of electronic notes 11, i.e., currency or credit, and the denomination of each note
11.
System Security
The security of the system is maintained by the participating banks and the Certification Agency 28, which creates and distributes money module certificates. A certificate of a money module is actually the money module's identifier, its public key, a digital signature of the money module's identifier and public key using the certificatory key (described below), and the version of the certificatory key. The certificate is unique in that it is associated with only one particular money module.
The Certification Agency 28 provides a secure means for money modules to validate each other prior to transacting, first by controlling the money module certificate process and second, by distributing a list of bad money module identifiers.
In the preferred embodiment, the money module certificate will be initially loaded into the money module by the Certification Agency 28. The Certification Agency 28 generates the certificate for each money module using a certificatory key (a private key of the Certificatory Agency 28). It may be changed periodically and distributed under version control processes that are commonly used in the industry. As will be appreciated, every money module will store several versions of the certificatory key in order to verify certificates created key an older key. Because it is anticipated that certificates will expire over time, it is expected that only a few versions need be kept.
A certificate will only be valid for a limited period of time after its creation. Upon expiration of the certificate, the money module will not be allowed to transact with other money modules. Any money modules discovered to have been tampered with will be limited in the amount of damage that they can do to the system since their certificate will not be updated.
To block offending modules from transacting it is also desirable to have legitimate money modules receive the latest list of offending money modules soon after the list is updated. Naturally, this requires that Transaction money modules 4 access the Certification Agency 28 on a periodic basis to obtain the latest list. Placing a time limit on the Transaction money module's 4 ability to transact (in addition to the time limit placed on electronic notes 11) will force subscribers to access the Certification Agency 28 through the Network 25 on a periodic basis to receive the latest bad money module list along with a new certificate. Advantageously, the period of the certificate validity can be closely monitored and adjusted according to security needs.
The Certification Agency 28 distributes its updated certificatory key and money module certificates on-line through the Security Server 27 (see FIG. 9). An important component of the system's security is provided by Security Servers 27 at the participating banks and Security Servers 27 at the Certification Agency 28.
Referring now to FIG. 10, a block diagram of a preferred embodiment of the Security Server 27 is shown. It is contemplated that the Security Server 27 at the Certification Agency 28 or on a bank's local network 18 will contain the following application functions:
(1) External Interface 54--a communications layer for connecting to a bank's local network 18 or the Certification Agency's local network 17;
(2) Session Manager 55--controls the security aspects of a transaction session;
(3) Create Certificate 50--certifies a certificate for any of the money modules;
(4) Create Account Profile 51--certifies and signs a bank account profile (described in detail hereinafter) that allows a Transaction money module 4 to access the subscriber's different bank accounts;
(5) Distribute Certification Keys 52--distributes the Certification Agency's 28 list of valid public keys to the money modules;
(6) Bad Money Module Control 53--controls and distributes the list of bad money modules; and (7) Services--identical to the cryptographic functions 44, 45, 49 in the money modules described above
Since certificates will expire over time, money modules will be required to apply for new certificates periodically. In order to receive a new certificate, the money module creates a new public key and private key. The new public key, the money module identifier and the old certificate are presented to the Certification Agency 28 after being digitally signed using the old private key.
The Certification Agency 28 checks the signature and if it is valid, signs the new public key and identifier and sends the certificate to the money module with a future expiration date. The Certification Agency's 28 Security Server 27 also distributes a list of bad money modules via the Network 25. Initially, each participating bank's Security Server 27 reports the identifiers of money modules which hold notes 11 invalidly or that are counterfeit. Those identifiers are passed through the Security Servers 27 and are compiled by the Certification Agency, 28.
All such identifiers are distributed to the Teller and. Money Generator modules 5, 6 respectively. A money module will not transact with another money module found on the list of bad money modules. Optionally, only those money modules which have demonstrated a flagrant breach of security will be distributed to Transaction money modules 4.
If a Transaction money module 4 is lost or stolen, the subscriber would report it to his/her bank or to the Certification Agency 28 so that the money module identifier may be placed on the bad money module list to inhibit any further transactions.
While the security of the system is provided by being is able to block a money module from transacting, system security its also maintained by providing the expiration date on the electronic notes 11 in addition to the money module certificates.
As mentioned previously, a note 11 will be valid only for a limited time period after it is generated. Its date-of-expiration is a security parameter which may also be monitored and varied as needed. The period of validity of a note 11 can be varied by the value of the note 11. Preferably, a large note 11 will expire in a shorter time period than a smaller one. For example, a $1,000,000 note way be set to expire five days after the date of its creation since it would provide a significant incentive to counterfeit, while a $50 note 11 may be set to expire after a month from the date of its creation.
A Transaction money module 4 will not accept expired note