Patent 312794

Let it be known that His Royal Highness, the King of Norway, by means of his delegation of power to his Honorable Minister of Justice, by his delegation of power to the Director of Patentstyret, has awarded me Patent No. 312794: "Sikkert kort med kommunikasjonskanal til brukeren".

As I am sure you are aware, a patent is a "deal" between the holder of a novel device (invention) and the ruler of the land. The Ruler argues as follows: It is good for the economy of my land if as many new machines and other inventions as possible are made available. Hence, I will offer inventors a deal. If they make their idea public, I will grant them an exclusive right to utilize the idea for 20 years (for example). In this manner, the inventor has protection against others, but the price to pay is that he must make his idea public. From this it is obvious why a "world-wide patent" doesn't exist.
Note: I am not a lawyer!

What the patent itself looks like can be seen on the right (if you click on the image you will get a (very!) large version; for the technically inclined: 200dpi).

Very briefly, the patent observes that it is very hard to make a good digital signature on some data with the help of a smart card. The problem is the setting: The user inserts his card into a reader, which is connected to the machine that holds the data that is to be signed. The data itself (or a transformation thereof, such as a digital hash) is transferred to the card, which signs it with some secret key stored inside the card. The problem is that the user himself has no means to control what is actually given to the card to be signed. Or, in other words, the entity that controls the reader decides what the user is to sign: This is not the understanding the user has of the security model supported by the "highly secure smart cards".
Furthermore: when smart cards are used for authentication, the PIN has to be given to some equipment and then subsequently to the card. However, this means that the one who controls the equipment can steal the PIN. Whether the PIN can be used to steal something depends on the protocols in play.
The patent discusses these problems, and offers a solution.

Notice that for a patent to be granted, the Patentstyret must be convinced that the idea is new, that it has "real" applications, and that it can be realized. Or, in other words, Patentstyret believes that my idea can be applied, and that it can be manufactured.

We could imagine that a smart card had a (small) keyboard and a (small) screen on one side, making communication between the user and the card possible. In particular, before signing some data, the data could be displayed so that the user could be certain that the correct data will be signed.
However, there is a big problem: The cards are designed to be inserted into the reader. Stop for a moment to recall what a smart card looks like: It has the electrical contacts about 3/4 down on one side, and the card must be firmly inserted in the reader for the contacts to be reachable. This fact leaves very little, if any, space for the keyboard and screen. Also, when a card is inserted into a slot in the reader, there is no support beneath the card, making a keyboard difficult to envision: the card will bend if you try to press a key on the front. Now, there are several ways to mend this. We could, for example, envision a card with a tiny keyboard and screen on the lower part of the card, and a reader where you slide the card in. This is possible, but I believe the keyboard and screen would be too small to be useful.
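The signing setting described above, and the effect of letting the card show the data on its own screen, as an added example (not part of the original page or the patent). HMAC stands in for the card's signature algorithm, and the class names, key and payment strings are constructed for illustration.

```python
import hashlib
import hmac

def digest(data):
    return hashlib.sha256(data).digest()

class BlindCard:
    """Card as in the setting above: signs whatever digest the reader sends."""
    def __init__(self, key):
        self._key = key                      # secret key stays inside the card

    def sign_digest(self, d):
        # HMAC-SHA256 stands in for the card's signature algorithm (assumption).
        return hmac.new(self._key, d, hashlib.sha256).digest()

    def verify(self, data, sig):
        return sig is not None and hmac.compare_digest(self.sign_digest(digest(data)), sig)

class DisplayCard(BlindCard):
    """Card with its own screen and keys: it receives the data, shows it,
    and signs only after the user confirms on the card itself."""
    def sign_data(self, data, user_confirms):
        if not user_confirms(data):          # text rendered by the card, not the reader
            return None
        return self.sign_digest(digest(data))

class Reader:
    """Reader/host. `sent` models a reader that forwards other data than it displays."""
    def __init__(self, displayed, sent=None):
        self.displayed = displayed
        self.sent = displayed if sent is None else sent

def run(reader, intended):
    """Return (blind_sig_covers_sent_data, display_card_signed)."""
    blind, disp = BlindCard(b"constructed-key"), DisplayCard(b"constructed-key")
    # Blind card: the user only sees reader.displayed and approves on that basis.
    blind_sig = blind.sign_digest(digest(reader.sent)) if reader.displayed == intended else None
    # Display card: the user compares the card's own screen with the intent.
    disp_sig = disp.sign_data(reader.sent, lambda shown: shown == intended)
    return blind.verify(reader.sent, blind_sig), disp_sig is not None

INTENDED = b"Pay 10 NOK to the bookshop"        # constructed sample data
ALTERED = b"Pay 9000 NOK to the bookshop"       # constructed sample data

if __name__ == "__main__":
    print("honest reader :", run(Reader(INTENDED), INTENDED))
    print("altered reader:", run(Reader(INTENDED, ALTERED), INTENDED))
```

With the altered reader, the blind card produces a valid signature over data the user never saw, while the display card refuses because what it shows does not match what the user meant to sign.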

A different aspect, no less important, is that of compatibility. What we call smart cards are in fact standardized. All mechanical aspects, such as size, stiffness and heat resistance, are specified by ISO/IEC 7810; these are (more or less) the same as the good old magnetic-stripe cards. The electrical aspects (such as placement of the points of contact, and the protocols) are specified in ISO/IEC 7816. It is hard to overestimate the impact of these standards: Just finding a wallet that can hold cards of a different size is close to impossible.

The challenge, then, is to design an implementation of the smartcard that has the following properties:

The main issue is by far the one of compatibility. After all, a PDA with a smart card embedded in it (for example a mobile phone) would satisfy all our demands. The PDA has a proper display, and a processor capable of dealing with non-trivial protocols. However, have you used any such solution lately?
Nor have I. There are two reasons: The issuers (VISA, AmEx, Diners) have no incentive to give their business to the carriers, and standardisation. What we need is the well proven concept of backward compatibility.

My idea is that a smartcard can be split in two. The first half, called the smallest part, is a smartcard such as we know them today. In particular, it has the form factor of the smart cards. This smallest part is connected to the largest part of the card through a hinge. The result can be seen in the figure on the right of this paragraph. If you click on the image, you will get a better look. The numbers are as follows:

  1. The hinge
  2. The smallest part of the card. The processor is embedded here.
  3. The electrical contacts, as specified by the standard.

Please look at the drawing and consider the following crucial claim: In this drawing, the hinge is placed in the middle of the card. If the hinge is placed all the way to the end (to the left on the drawing), the smallest part and the largest part become equally long. And, the smallest part becomes identical to a smart card!

Let me digress to satisfy the technically inclined. The drawing has been made in MetaPost. I am sure you appreciate the manner in which the text on the screen and on the keys are proper letters (in a proper font) which have been projected correctly. I am also sure you will appreciate that this is also the case with the electrical contacts. 'nuf said.

Now there are a few things of interest:

The text itself is here; notice that because this is a Norwegian Patent it is obviously written in Norwegian. The patent is "self contained" and you need not know anything about security or smartcards to enjoy it.

The crucial question remains: Will this idea have an impact (and make me soaking rich)?
I believe the answer is no.