EP1672601A1 - Method and apparatus for controlling a game of chance - Google Patents

Publication number
EP1672601A1
Authority
EP
European Patent Office
Prior art keywords
microprocessor system
security
microprocessor
game
chance
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP05021900A
Other languages
German (de)
French (fr)
Inventor
Thomas Frey
Markus Stulle
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
IFS Informationstechnik GmbH
Original Assignee
IFS Informationstechnik GmbH
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from EP05007099A (EP1672600A1)
Application filed by IFS Informationstechnik GmbH
Priority to EP05021900A (EP1672601A1)
Priority to PCT/EP2006/002955 (WO2006103089A1)
Publication of EP1672601A1
Withdrawn (current legal status)

Classifications

    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07F COIN-FREED OR LIKE APPARATUS
    • G07F17/00 Coin-freed apparatus for hiring articles; Coin-freed facilities or services
    • G07F17/32 Coin-freed apparatus for hiring articles; Coin-freed facilities or services for games, toys, sports, or amusements
    • G07F17/3202 Hardware aspects of a gaming system, e.g. components, construction, architecture thereof
    • G07F17/3216 Construction aspects of a gaming system, e.g. housing, seats, ergonomic aspects
    • G07F17/3218 Construction aspects of a gaming system, e.g. housing, seats, ergonomic aspects wherein at least part of the system is portable
    • G07F17/3225 Data transfer within a gaming system, e.g. data sent between gaming machines and users
    • G07F17/323 Data transfer within a gaming system, e.g. data sent between gaming machines and users wherein the player is informed, e.g. advertisements, odds, instructions
    • G07F17/3244 Payment aspects of a gaming system, e.g. payment schemes, setting payout ratio, bonus or consolation prizes
    • G07F17/3251 Payment aspects of a gaming system, e.g. payment schemes, setting payout ratio, bonus or consolation prizes involving media of variable value, e.g. programmable cards, programmable tokens

Definitions

  • the invention refers to a method for controlling a game of chance by a hand-held security microprocessor system and relates to a hand-held security microprocessor system for controlling a game of chance. Furthermore, the invention refers to a method and a computer system for initializing such a hand-held security microprocessor system.
  • games of chance can be based on the feature that a lucky number has to be determined, which is not known to the player.
  • the determination of the lucky number, in the following called reference-ID, can be performed in a variety of ways, e.g. the player could simply try to guess it, a random number generator could be employed in the search, or a more sophisticated game algorithm could be designed, possibly including some feedback or guidance for the player. Therefore, even though the following description refers mainly to the type of game in which the player tries to directly guess the reference-ID, more advanced types of games based on the fundamental feature of guessing an unknown reference-ID are possible. Usually, once the reference-ID is found the player will be awarded a prize.
  • Hand-held security microprocessor systems for controlling a game of chance are generally known.
  • US 6,852,031 B1 discloses the use of a smart card in combination with gaming machines such as slot machines and video poker machines.
  • a gaming machine having a master controller and an additional smart card are provided, whereas when executing a gaming application on the smart card, gaming instructions are generated to be received by the master controller for execution.
  • US 6,234,898 B1 discloses a method and an apparatus for controlling a gaming operation.
  • a secure apparatus is provided on which software related to the control and operation of the game and data related to gains or losses of the player of the game is stored.
  • US 2004/0166942 A1 discloses a distributed gaming accelerator; in particular, a method and an apparatus are described for speeding up the response time of games played over a network.
  • a gaming server and one or more gaming consoles are provided.
  • the gaming server creates a plurality of random seeds which are communicated via one of the gaming consoles to one of the secure storage and processing devices.
  • After initiating a game a set of random numbers required to play a game are produced from one of the seeds in the secure storage and processing device and based thereon a game play sequence including a game and/or gamble outcome is produced in the secure storage and processing device.
  • FR 2674975 A discloses a portable terminal to effect transactions in a memory card holding credit information.
  • the transactions can be the result of a purchase action or of a lottery game.
  • the card user enters first data via the terminal and second data are received by the terminal from the network.
  • the transaction on the credit information is carried out in accordance with the first data and the second data.
  • US 6,852,031 B1, US 6,234,898 B1, US 2004/0166942 A1 and FR 2674975 A merely refer to gaming machines with attainable prizes of comparatively low value so that problems might occur if prizes of high values are to be involved.
  • the security standards as well as the type of transparency of the system depend on whether the game is organized and conducted by one party only or whether multiple parties are involved. In the latter case the transparency, e.g. the possibility to verify the system state in specific situations by specific persons, is an essential aspect.
  • an official certification of the security standards should be provided.
  • the promoter can rent a complete gaming machine to an exhibitor who can then in turn offer an attraction to a crowd of people as the potential players, like on marketing events or on sports events. In case of a winning the player can either claim the prize directly from the promoter or via the exhibitor.
  • This object is solved by a method for controlling a game of chance by a hand-held security microprocessor system according to claim 1, by a hand-held security microprocessor system for controlling a game of chance according to claim 9, by a method for initializing a hand-held security microprocessor system according to claim 17 and by a computer system for initializing a hand-held security microprocessor system according to claim 24.
  • the method according to the invention for controlling a game of chance by a hand-held security microprocessor system has a microprocessor system with a microprocessor, an external data interface, a non-volatile data storage and a non-volatile programme storage, wherein in the non-volatile programme storage a security operating system is stored which is booted with the microprocessor and a controlling programme is stored which is executable on the microprocessor and wherein said microprocessor system is encapsulated in a sealed housing which cannot be dismantled without breaking the seal, comprising the steps of storing via the security operating system at least one reference-ID together with initial status data related to said at least one reference-ID in the non-volatile data storage, changing the initial status data related to the at least one reference-ID by the controlling programme, if winnings of the game of chance are identified by the controlling programme on the basis of said reference-ID, wherein, at least until all possible winnings are identified by the controlling programme on the basis of said at least one reference-ID, the security operating system
  • the method according to the invention for initializing said hand-held security microprocessor system comprises the steps of generating said at least one reference-ID, writing said at least one reference-ID together with initial status data related to said at least one reference-ID in the non-volatile data storage of the microprocessor system, and writing said at least one reference-ID additionally to a secure data terminal.
  • the computer system according to the invention for initializing said hand-held security microprocessor system for controlling a game of chance comprises means for generating said at least one reference-ID, means for writing said at least one reference-ID together with initial status data related to said at least one reference-ID in the non-volatile data storage of the microprocessor system, and means for writing said at least one reference-ID additionally to a secure data terminal.
  • the inventive solution is based on the insight that the at least one reference-ID is always stored in advance together with initial status data on the hand-held security microprocessor system, before a game of chance is carried out by the controlling programme. Status data which are related to information regarding the outcome of the game are stored together with the corresponding reference-ID. Only after a winning is identified on the basis of a specific reference-ID can information about the reference-ID be exchanged via the external data interface. At this stage, the winning and its status can then be verified by any third party.
  • the promoter will keep a certified copy of the reference-ID in a security envelope after the reference-ID was stored on the hand-held microprocessor system so that both the promoter and the exhibitor can check the correctness of the winning by opening the envelope.
  • An immediate write access is prohibited both to a specific reference-ID and the corresponding initial status data at least until all possible winnings are identified on the basis of said reference-ID. After that, the immediate write access might be released so that the hand-held security microprocessor system may be reused for other purposes.
  • the main task of the security operating system is to administrate the immediate read and immediate write access to the smart card via the external data interface.
  • An immediate access to specific data allows everybody to access these data without the need of an identification.
  • read access to the status data of a reference-ID is provided according to the invention for everybody, since this information does not represent sensitive data.
  • the prohibited immediate write access to the reference-ID will prevent anybody from rewriting the reference-ID once it has been set before the game of chance takes place. Since the security operating system controls the external data interface, it is not possible to circumvent this mechanism of data access. Nevertheless, an administrator access to the data of the smart card, which is activated once a corresponding identification has taken place, could be still allowed by the security operating system.
  • An efficient way to improve the security in such communications is to employ encryption methods. In this way, even if it would become possible to listen to the communications, the obtained data could not be used.
  • the necessary keys for the encryption and decryption have to be stored in a secure area of the microprocessor system where they cannot be accessed except by the security operating system.
  • a typical security issue relating to communication consists of an intruder pretending to be an authorized user of the microcontroller system. This scenario can for example occur when the microcontroller system is connected to a programming machine and this problem can be overcome best by performing an identification of the user, i.e. requesting a specific identification (ID). Only if the comparison with a corresponding ID being stored in a read/write-protected area on the microcontroller yields a match, this user is authorized to continue using the microcontroller. Further problems, e.g.
  • the security operating system will provide the necessary functions to operate the microcontroller according to the invention, while achieving a specific security standard by preventing unauthorised users from accessing specific operating system functions or data and by limiting the necessary external communications to a minimum.
  • the microcontroller system and its security operating system will be certified according to some security standards, e.g. the common criteria standard.
  • the security operating system is preferably stored on the microcontroller system within a read only memory (ROM) already during the production. In any case it has to be ensured that no manipulation of it can take place.
  • the controlling programme is a sub-instance with regard to the security operating system. It can be booted together with the security operating system or can be executed on demand.
  • the main task of the controlling programme is to control the game of chance which should be carried out by means of the hand-held security microprocessor system.
  • the controlling programme has internal read access to the at least one reference-ID and internal read/write access to the initial status data related to the at least one reference-ID and updates the initial status data in accordance with the winnings of the game of chance. If winnings of the game of chance are identified by the controlling programme on the basis of said reference-ID, the new status of the game of chance is determined and the corresponding initial status data are overwritten.
  • a user account information about wins and losses is usually not administrated by the controlling programme.
  • the administration of any account or credit information is not necessary according to the invention since the distribution of the wins and losses will be fixed in advance by the promoter.
  • the distribution of wins and losses can be agreed upon in a contract between the promoter and the exhibitor so that there is no need to administrate any wins and losses with regard to a game credit of the user.
  • Another task of the controlling programme is to enhance the data security in particular with regard to the at least one reference-ID.
  • the controlling programme can also watch in addition to the security operating system that there is no exchange of information about the at least one reference-ID via the external data interface until all possible winnings of said reference-ID are identified by the controlling programme.
  • the exchange of information could not only be initiated by a direct read access via the external data interface, which can be supervised by the security operating system, but could also be initiated by the controlling programme itself, for example in order to display the reference-ID on a display of a gaming machine which is connected to the security microprocessor system. Therefore, the controlling programme could involve corresponding checking routines for all data leaving the security microprocessor system via the external data interface in order to ensure that no information about the at least one reference-ID is output which could reveal possible winnings to the user.
  • the microprocessor system is enclosed in a sealed housing which can only be opened by breaking the seal.
  • This feature allows an examining authority to clearly identify every attempt of mechanical intrusion into the system.
  • the seal and hence status of the microprocessor system can be verified by everyone including the player. This will demonstrate at every level (game player/exhibitor/promoter/developer) the integrity of the microprocessor system and improve the overall trust into the system.
  • an examining authority, typically the promoter and/or the exhibitor, is able to verify the system's integrity whenever required.
  • the microprocessor system is encapsulated within a chip card, e.g. a smart card.
  • the individual elements of the microprocessor system are embedded into one component, namely an integrated circuit, which is encapsulated within a plastic card.
  • the seal is represented by the fixture of the integrated circuit within the plastic card, this is usually done using epoxy resin, and by the physical bond between the individual elements of the integrated circuit.
  • it is virtually impossible to dismantle this type of microprocessor system without visibly breaking the seal.
  • PC-Cards can be used, wherein the external data interface can be connected e.g. to notebooks, thus simplifying the programming process.
  • USB (universal serial bus) devices
  • housings for the microprocessor system have the advantage of being standardized, hence simplifying their usage and certification and reducing costs.
  • purpose built sealed housings for the microprocessor system could be used as well. This would increase the security even further, and at the same time specific features could be included into the housing of the microprocessor system or the microprocessor system itself.
  • the external data interface could include an interface for direct communication with the player, e.g. a keypad or display, or additional hardware could be included to improve the encoding and decoding operations.
  • a purpose built sealed housing could be based on so-called crypto boxes usually used to encode network traffic. Even though the highest security standard can be achieved by physically joining the individual elements of the microprocessor system into an integrated circuit, a seal can also be applied to a housing enclosing separate components for each element of the microprocessor system.
  • Sealed housings are not limited to the examples given above and further solutions include e.g. personal digital assistants (PDAs) or security terminals.
  • status data associated with a reference-ID are stored in the non-volatile memory in the microcontroller system. This is an important element in providing the necessary transparency for all parties involved in organizing and conducting the game. Since each reference-ID has its own status data, a request can be performed at any time using an immediate read access to verify the status of a particular reference-ID. In case of a winning the corresponding status data are changed accordingly and this status change can be observed by everyone using the immediate read access. The resulting increased transparency of this feature will convince the promoter, exhibitor and player to use the microcontroller system for games involving prizes of high value.
  • an external data interface is supplied for transferring data from and to the microprocessor system.
  • the external data interface is typically designed to enable a communication based on electronic data.
  • electrical contacts can be used to communicate with an appropriate reading device or a contact-less communication can be established.
  • the external data interface could alternatively or additionally include means for communicating directly with the player.
  • input buttons and visual or audio feedback systems could be utilized.
  • winnings are determined based on the reference-ID.
  • This algorithm is part of the controlling programme which is controlled by the security operating system. Being stored securely on the microprocessor systems it cannot be changed by the player.
  • this algorithm could be performed only on the reference-ID, i.e. employing the microprocessor systems similar to a scratch-card, generally this algorithm will require additional data.
  • additional data, in the following called a random number, can be supplied during the game of chance.
  • a match between a random number and the reference-ID resulting in a winning does not necessarily require the reference-ID and the random number to be completely identical. It could be sufficient that the algorithm determines a certain agreement between both numbers.
  • multiple winnings could be achieved with respect to one reference-ID in case multiple random numbers are compared.
  • the status data relating to the corresponding reference-ID are changed. For example the game status is modified to indicate the winning(s), the number of attempts left in connection with this reference-ID is reduced or the corresponding reference-ID is excluded from further games.
  • the microprocessor system is encapsulated in a smart card.
  • Smart cards offer the advantages of being comparatively cheap due to the widespread use and of providing a housing which ideally suits the requirement of a sealed housing.
  • the smart card could comprise further security features, e.g. a magnetic stripe including encrypted information relating to the specific card or a hologram.
  • A detailed description of a smart card which can be used according to the invention is given with reference to Fig. 1 below.
  • a verification of the microprocessor system and/or a verification of possible winnings is performed on the basis of a promoter-ID (PID) and/or an exhibitor-ID (EID) stored in the non-volatile data storage by the promoter and/or exhibitor respectively.
  • an electronic envelope is generated based on the PID and/or EID which are transferred onto the smart card by the promoter and exhibitor respectively before the game of chance takes place. These unique and unknown numbers are encoded together with the reference-ID into a data package, which can be read before and during the game is conducted preferably using immediate read access. Either symmetric or asymmetric encoding algorithms can be used, however, in either case the encoding key stored in the microprocessor system is not disclosed and only the de-/encoding algorithm is known.
  • the electronic envelope can be opened. This is done by supplying the PID and/or EID to the microprocessor system which in return discloses the encoding key.
  • the data package can be decoded and discloses the reference-ID together with the PID and/or the EID for verification.
  • Various strategies are possible in which way to encode the PID and/or the EID into the data package (electronic envelope), e.g. two different electronic envelopes could be used for the promoter and exhibitor or the PID and EID could form part of the respective keys. It should be noted that even if no data package is generated by the microprocessor system and a conventional envelope is used instead, the PID and EID could still be employed to verify the identity of the microprocessor system.
  • immediate read access to the at least one reference-ID is granted once all possible winnings related to said reference-ID are identified. Since at this stage no further attempts to conduct a game are possible and the game status is recorded in the status data, it is safe to allow read access to the reference-ID for everyone.
  • This feature can be used to further improve the integrity of the system. For example, it might be important to disclose the reference-ID in case the winning was determined based only on a certain agreement between the random number and the reference-ID.
  • the at least one reference-ID is generated within the microprocessor system.
  • the generated reference-ID is then stored in the non-volatile data storage of the microcontroller system.
  • initial data necessary to generate the reference-ID, i.e. the number of digits, is transferred to the microprocessor system.
  • the reference-ID can be generated typically using a random number generator.
  • the initialization of the random number generator, that is, the transferring of an initial seed onto the microprocessor system, can either be performed within a secure environment or within an insecure environment using appropriate encryption methods. In either case this data has to be transferred to the microprocessor system preferably before the game starts to prevent a deterioration of the security standard, e.g. to avoid unauthorized sending of an initial seed or listening to the communication.
  • immediate read and/or write access is granted once a password which corresponds to an administrator password is supplied to the microprocessor system via the external data interface.
  • the administrator password could be copied onto the microprocessor system during the basic configuration, i.e. when installing the security operating system using a programming machine.
  • the microprocessor system can be connected multiple times to the programming machine, whereby each time a comparison between the supplied password and the administrator password will be performed. In this way it is possible to reuse the microprocessor system for several games.
  • a visual and/or audio feedback is given in case of a winning.
  • the player is immediately informed about the successful game outcome.
  • immediate read access to the reference-ID does not necessarily have to be granted once all corresponding winnings have been identified, since for the player it is usually sufficient to be informed only about the game outcome.
  • the visual and/or audio feedback can either be generated directly by a suitable external data interface or a command can be transmitted by the external data interface to a connected gambling machine.
  • a predetermined number of games can be conducted with a reference-ID.
  • an access counter is provided by the security operating system. Each time a game of chance is conducted the access counter is incremented with respect to that reference-ID.
  • This feature increases the security, since even if the microprocessor system is lost or stolen the validity of the microprocessor system expires once the predetermined number of games has been reached. Since the only access to the microprocessor system is through the security operating system and more specifically through functions thereof like a command to start a game of chance, it is not possible to tamper with the microprocessor system in such a way as to conduct games without increasing the number of games already conducted. Once a predetermined number of games of chance relating to a reference-ID have been conducted, the microprocessor system cannot be used for further games relating to this reference-ID.
  • a random number to be used in the game of chance is transmitted to the microprocessor system via the external data interface.
  • a random number is required for certain types of games of chance. For example in the lottery type game of chance in which the player tries to find the reference-ID a random number can be supplied by the player in this way. While the transmission of the random number does not require specific security measures, the processing is done by the security operating system, i.e. the gaming algorithm. Alternatively, a random number could be generated within the smart card using a random number generator.
  • said at least one reference-ID is generated by a random generator.
  • There are specific criteria to ensure that the produced reference-ID is a random number which is not subject to a preferred choice of the user and therefore is a random number which has the required random distribution. Such criteria could also be employed in the random generator.
  • said at least one reference-ID is written to said security microprocessor system by an application protocol data unit (APDU).
  • the application protocol data unit is a data container realized by software in which certain application data are bundled for a data exchange with said security microprocessor system.
  • an authentication-ID being stored in the non-volatile data storage of said security microprocessor system is read out and is written together with the reference-ID to the secure data terminal.
  • smart cards can be globally identified on the basis of a unique authentication-ID.
  • the authentication-ID makes it possible to always assign a specific reference-ID to a specific security microprocessor system, even after the security microprocessor system has been issued to the exhibitor.
  • the general aim of the secure data terminal is to provide both for the promoter and for the exhibitor an extra comparative safe place for the at least one reference-ID.
  • the reference-ID stored in the secure data terminal can be taken in order to verify the outcome of the game according to the rules. Either the reference-ID could be guessed by the player and the exhibitor.
  • the promoter can use the secure data terminal in order to verify the correctness of the winnings before the prize is paid out to the exhibitor.
  • the reference-ID could not be guessed by the player and the exhibitor due to the limited number of attempts.
  • the exhibitor can use the secure data terminal in order to verify that the promised winnings were indeed possible during the game after the access to the reference-ID was cleared by the promoter.
  • said secure data terminal is a printer printing data in a security envelope.
  • Security envelopes are well known for example in connection with the treatment of GSM-cards. The same technique could be used for carrying out the present invention.
  • said secure data terminal is an extra comparative smart card.
  • Either the comparative smart card or the security envelope will be kept by the promoter and will be locked in a safe place for a later comparison after the game of chance has been played.
  • said security microprocessor system has an extra comparative non-volatile data storage which is used as said secure data terminal.
  • the comparative reference-ID is placed on the same security microprocessor system which is handed over to the exhibitor by the promoter.
  • specific encoding techniques are available which guarantee also for this solution a safe verification of the outcome of the game of chance.
  • Fig. 1 shows a smart card used as a sealed security microprocessor system according to the invention.
  • Smart cards are chip cards into which miniaturized IT components are embedded.
  • the basic features of smart cards including physical properties, electronic signals and transmission protocols are standardized in ISO/IEC 7816. Smart cards can provide a secure environment to store and protect sensitive data.
  • the types of smart cards can be divided into two categories.
  • the second type of smart cards, the so-called microprocessor multifunction smart cards, provide a miniaturized microprocessor and memory components.
  • Microprocessor multifunction smart cards can be used to perform a given task using specific application programs stored on the card in conjunction with a card operating system (COS) which provides some basic functions.
  • Common to both types of smart cards is the fact that only a machine-machine interface is present in form of a standardized external interface on the smart card. A suitable card reader is required to communicate with a smart card.
  • the external interface transmits data either using contacts or in a contact-less way, e.g. according to ISO/IEC 14443.
  • RFID Radio Frequency Identification
  • microprocessor multifunction smart cards are necessary, since the access to the data stored on the card can be strictly controlled by the microprocessor in conjunction with the security operating system.
  • the game of chance itself is conducted using a controlling programme.
  • the memory components of a microprocessor multifunction smart card are similar with regard to their functionality to such components used in microcomputers, i.e. typically a rewritable memory in form of a RAM (random access memory) for storing temporary data and a non-rewritable memory in form of a ROM (read only memory) for storing permanent data such as the COS are provided.
  • An electronically erasable programmable read only memory (EEPROM) is usually provided for storing data permanently, while still being able to modify this data if required.
  • the smart card 101 shown in Fig. 1 is a microprocessor multifunction smart card, thus the integrated microchip 102 contains a microprocessor.
  • the microprocessor is represented by the central processing unit (CPU) 103.
  • a numerical processing unit (NPU) 104 is supplied additionally in this particular smart card.
  • An NPU can be added to a smart card when it becomes necessary to perform intensive numerical calculations such as performing encryption or decryption algorithms.
  • the NPU 104 communicates only with the CPU 103 and with a rewritable memory in form of a random access memory (RAM) 105 for storing temporary data.
  • Further memories are provided in form of an electronically erasable programmable read only memory (EEPROM) 106 and in form of a read only memory (ROM) 107.
  • the non-volatile data storage according to the invention is part of the EEPROM 106.
  • COS a security operating system
  • ROM 107 the data to be processed is stored temporarily in the RAM 105 and permanently in the EEPROM 106.
  • Application programs such as the controlling programme can either be stored in the ROM 107 or in the EEPROM 106.
  • An I/O system 108 is provided to deal with the input and output of data. It is linked to the external data interface 109, which can be based on electrical contacts or can be based on a contact-less transmission to the card reader.
  • Fig. 2 shows an embodiment of a gambling machine 201 according to the invention wherein the microprocessor system is a smart card 202 as described with reference to Fig. 1 and consequently interfaces for direct communication with the player are not included in the microprocessor system and have to be accessed via the external data interface.
  • the gambling machine 201 contains two player interfaces.
  • the first player interface 203 represents means for performing the payment and submitting commands to start and/or control the game of chance. It would be feasible, that games of chance can only be conducted once a certain amount has been transmitted to the smart card using tokens.
  • tokens representing a monetary value
  • Such tokens can be transferred to the smart card from a further card, i.e. from a micro-payment card, belonging to the player via a separate card reader being part of the first player interface 203.
  • payment can be made using a coin acceptor, in which case tokens can be generated within the gambling machine and can be transferred to the smart card 202.
  • the second player interface 204 includes a visual and/or audio feedback system for presenting the status of the game, the number of tokens of the player available etc. Additionally, a showcase can be used for presenting symbolically a prize. To further increase the interest of potential players a control line between the gambling machine and the showcase can be added in order to automatically open the showcase in case a player wins.
  • Both player interfaces communicate with the smart card 202 through the external data interface using the card reader 205.
  • This communication can be performed using contacts on the smart card 202 and on the card reader 205 or in a contact-less way.
  • the card reader 205 can either be positioned inside the gambling machine or on the outside of the gambling machine, in which case the player has access to the card reader 205. This would be advantageous, if the players have individual smart cards 202, which can be sold or otherwise distributed.
  • the smart card 204 contains all remaining elements to conduct the game of chance. As indicated by the dashed box 206, only the smart card 204 represents a security-related element. Consequently, only the smart card 204 has to be certified to ensure the promoter that no security breaches are present.
  • the gambling machine could comprise additionally a gaming controller for controlling the first and the second player interface.
  • the smart card is principally sufficient to conduct a game of chance according to the invention, it might be advantageous to add some generic control elements to the gambling machine.
  • the game controller might deal with the input of the tokens or control the visual and/or audio feedback system according to commands from the smart card.
  • the smart card might even send information to the gaming machine to compute the output, i.e. advanced computer graphics, independently, provided all security related gaming operations are still performed within the microprocessor system.
  • Fig. 3 shows a basic flow chart representing the fundamental method for conducting a game of chance according to the invention.
  • the first step consists of initializing a microprocessor system within a programming machine 301.
  • This process starts with a non-personalized microprocessor system 302, in which only the necessary infrastructure, e.g. the microprocessor, the external data interface and means for storage, is present.
  • the security operating system and possibly also the controlling programme can already be stored on the card, preferably within the ROM using a suitable hardware mask during the production.
  • the status data of the non-personalized microprocessor system 302 is of no importance and is usually not yet set.
  • This data includes a reference-ID, the controlling programme if this has not been transferred onto the card yet, the initial status data and possibly card specific information which allows to uniquely identify each microprocessor system.
  • a reference-ID data to produce a reference-ID within the microprocessor system could be stored and the reference-ID could be generated within the microprocessor system at this stage.
  • the promoter-ID (PID) and/or the exhibitor-ID (EID) can be transferred to the microprocessor system in order to allow verifications of the microprocessor system and/or the claimed winnings.
  • the status data include information whether further games can be conducted and information whether a winning according to the invention has been achieved.
  • the at least one reference-ID is stored in the data storage within a secure environment. This greatly improves the security and at the same time reduces the efforts necessary to deal with security issues related to the data transfer via the external data interface.
  • Secure environments according to the invention are therefore situations in which the authority transferring the reference-ID has complete control of the microprocessor system without anybody being able to interfere with this communication.
  • the promoter transfers the reference-ID onto the microprocessor system, however, this could also be done by the exhibitor as long as no potential players are involved.
  • the reference-ID will be transferred onto the microprocessor system before the game of chance takes place and preferably without any specific request from the smart card to do so in this specific moment.
  • a microprocessor system 304 contains the initial status data where these flags are set to "Winning: No" and "Game Active: Yes". It should be noted at this point, that more than one game of chance could be stored on the microprocessor system, whereas each individual game would have its own reference-ID and could have its own controlling programme associated with it. In this case several independent initial game status would have to be stored on the smart card during the initialization 303.
  • the second step consists of using the initialized microprocessor system 304 within a gambling machine 305. Once a corresponding command is transmitted from the gambling machine 305 to the processor unit of the microprocessor system, the game of chance is started 306. A winning is determined based on the reference-ID, for example by performing a comparison between a random number and the reference-ID.
  • the controlling programme will change the status data accordingly. Typically, the flag "Game Active" will also be modified to prevent further games from taking place. At this stage a prize can be claimed 308.
  • It is sufficient to be in possession of the microprocessor system to claim a prize. This is a consequence of the decision to combine all security-related elements in the microprocessor system.
  • the agency to which the microprocessor system is handed over i.e. the promoter, can read out the status data to verify whether a winning has been achieved and if so which random number was supplied.
  • a verification as explained with reference to Figs. 5 - 7 can be performed in the case that the promoter and/or exhibitor have initialised the microprocessor system accordingly.
  • the microprocessor system can either be reinitialized, i.e. within a programming machine 301, or has to be destroyed 309.
  • microprocessor system has to be reinitialized, i.e. within a programming machine 301, or has to be destroyed 313.
  • Fig. 4A and Fig. 4B show a flow chart representing a first method of allowing a verification of the game of chance by the promoter and the exhibitor.
  • a verification aims at ensuring the promoter that in the case of a winning the identity and the integrity of the microprocessor system is in order.
  • the exhibitor and hence the player is interested to verify in the case no winning has been achieved that a winning was indeed possible.
  • the reference-ID is enclosed in a sealed envelope for this purpose. If no winning was achieved, the envelope can be opened to show the player the correct reference-ID which can be tested to provide the proof. If, however, a winning is achieved, the sealed envelope will show the promoter that the winning is valid.
  • the first method of performing the verification according to Fig. 4A and Fig. 4B is based on supplying a promoter-ID (PID) and an exhibitor-ID (EID) to the microprocessor system before the game of chance takes place.
  • An electronic envelope based on symmetric encoding substitutes the traditional sealed envelope.
  • the microprocessor system is produced as usual and a basic initialization is performed with the security operating system, including the gaming algorithm.
  • a PID is stored securely on the microprocessor system.
  • the PID is only known to the promoter and must not be disclosed. This PID is used by the microprocessor system to generate an encoding key to encode the electronic envelope.
  • encoded_text = coding_algorithm[key](plain_text)
  • plain_text represents the information to be encoded using the encoding algorithm "coding_algorithm" in combination with the encoding key "key" and the result is the encoded information "encoded_text".
  • decoding algorithm is written as "coding_algorithm^-1".
  • an electronic envelope referring to the promoter is generated, which contains the reference-ID.
  • the reference-ID "ref-ID” itself is generated in this example using the random number generator of the microprocessor system.
  • This information can be read out in the next step, e.g. using immediate read access. Due to the encryption no security breaches are possible. Only the promoter is able to open this electronic envelope.
  • the microprocessor system has been set up at this stage to start conducting games, i.e. the initialization is finished.
  • If the exhibitor wants to be able to prove that a winning would have been possible in case no winning was achieved, a separate electronic envelope with respect to the exhibitor will be generated.
  • the EID will be transferred and stored on the microprocessor system.
  • the exhibitor electronic envelope can be read out using immediate read access.
  • the reference-ID can be read out.
  • the promoter can open the promoter electronic envelope by sending the PID to the microprocessor system.
  • a limited number of trials to send the correct PID can be implemented further increasing the security.
  • the microprocessor system responds to the correct PID by sending the previously generated random number "Z1".
  • a failed verification indicates a manipulated microprocessor system.
  • a verification can be performed by the exhibitor - provided an EID has been supplied previously.
  • the EID is transferred to the microprocessor system which returns the random number Z3.
  • Fig. 5A and Fig. 5B show a flow chart representing a second method of allowing a verification of the game of chance by the promoter and the exhibitor. This method is partly based on the traditional concept using a sealed envelope.
  • the security operating system is stored in the microprocessor system.
  • a PID is stored securely followed by the necessary game data, e.g. the reference-ID, corresponding initial status data, number of attempts etc.
  • An EID can be stored on the microprocessor system additionally, however, this is only required if the exhibitor requires additional security.
  • the game of chance can be conducted until either a winning has been achieved, or no further attempts are possible.
  • the microprocessor system allows read access to the reference-ID.
  • the sealed envelope can be opened by the promoter verifying that no fraud has taken place.
  • the promoter can verify that this is indeed a microprocessor system initialized by the promoter by supplying the PID to the microprocessor system. A confirmation will be produced by the microprocessor system, if the correct PID is supplied. Using a PID with a sufficiently high number of digits and limiting the number of possible attempts to submit the PID during the verification ensures a certain security standard based on probabilities.
  • the sealed envelope can be opened by the exhibitor to demonstrate that a winning was possible.
  • the reference-ID enclosed can be submitted to the microprocessor system, which replies with a confirmation.
  • the exhibitor can verify that this microprocessor system has been initialised by the exhibitor by supplying the EID to the microprocessor system.
  • a confirmation will be produced by the microprocessor system, if the correct EID is supplied.
  • Using an EID with a sufficiently high number of digits and limiting the number of possible attempts to submit the EID during the verification ensures a certain security standard based on probabilities. Even if the EID has not been submitted within the predetermined number of attempts, the promoter can perform its verification identical to the situation in which a winning took place.
  • Fig. 6A and Fig. 6B show a flow chart representing a third method of allowing a verification of the game of chance by the promoter and the exhibitor. This method is based again on an electronic envelope, however, this time asymmetric encoding is used leading to some simplifications within the realization of the verification.
  • an activation with the PID is performed as follows.
  • the microprocessor system generates an asymmetric key "PKEY" comprising the private key "PKEY-SEC" and the public key "PKEY-PUB".
  • the public key "PKEY-PUB" and the electronic envelope Chiffrat = RSA[PKEY-SEC](PID), obtained from the PID using the asymmetric RSA (Rivest, Shamir and Adleman) algorithm, can be read out by the promoter.
  • the public key "PKEY-PUB" must not be disclosed by the promoter. Using "Chiffrat" and "PID" allows the promoter to verify that "PKEY-PUB" is correct.
  • the reference-ID is generated using the random number generator of the microprocessor system.
  • ENV = RSA[PKEY-SEC](ref-ID) and can be read out from the microprocessor system.
  • the initialization is finished and a game can either be started or the exhibitor can produce an exhibitor electronic envelope.
  • the microprocessor system generates a further asymmetric key "KKEY" comprising the private key "KKEY-SEC" and the public key "KKEY-PUB".
  • the game of chance can be conducted until either a winning has been achieved, or no further attempts are possible.
  • the microprocessor system allows read access to the reference-ID.
  • the reference-ID calculated in this way can be submitted to the microprocessor system, which issues a confirmation.
  • this check can only be performed a limited number of times.
  • the exhibitor has the possibility to perform a verification of the authenticity of the microprocessor system.

Abstract

The invention relates to a method for controlling a game of chance by a hand-held security microprocessor system and relates to a hand-held security microprocessor system for controlling a game of chance. In order to provide a method and apparatus for controlling a game of chance which enable to employ high security standards between a promoter and an exhibitor, said microprocessor system comprises a microprocessor, an external data interface, a non-volatile data storage and a non-volatile programme storage, wherein in the non-volatile programme storage a security operating system is stored which is booted with the microprocessor and a controlling programme is stored which is executable on the microprocessor, means for storing via the security operating system at least one reference-ID together with initial status data related to said at least one reference-ID in the non-volatile data storage, wherein said microprocessor system is encapsulated in a sealed housing which cannot be dismantled without breaking the seal, wherein the controlling programme is arranged to change the initial status data related to the at least one reference-ID, if winnings of the game of chance are identified by the controlling programme on the basis of said reference-ID, and wherein, at least until all possible winnings are identified by the controlling programme on the basis of said at least one reference-ID, the security operating system is arranged to prohibit an immediate write access via the external data interface both to the at least one reference-ID and the initial status data related to said at least one reference-ID and is arranged to prohibit that information about the at least one reference-ID is exchanged via the external data interface.

Description

  • The invention refers to a method for controlling a game of chance by a hand-held security microprocessor system and relates to a hand-held security microprocessor system for controlling a game of chance. Furthermore, the invention refers to a method and a computer system for initializing such a hand-held security microprocessor system.
  • By way of an example games of chance can be based on the feature that a lucky number has to be determined, which is not known to the player. The determination of the lucky number, in the following called reference-ID, can be performed in a variety of ways, e.g. the player could simply try to guess it, a random number generator could be employed in the search, or a more sophisticated game algorithm could be designed possibly including some feedback or guidance for the player. Therefore, even though the following description refers mainly to the type of game in which the player tries to directly guess the reference-ID, more advanced types of games based on the fundamental feature of guessing an unknown reference-ID are possible. Usually, once the reference-ID is found the player will be awarded a prize.
  • Hand-held security microprocessor systems for controlling a game of chance are generally known.
  • US 6,852,031 B1 discloses the use of a smart card in combination with gaming machines such as slot machines and video poker machines. For this purpose a gaming machine having a master controller and an additional smart card are provided, whereas when executing a gaming application on the smart card, gaming instructions are generated to be received by the master controller for execution.
  • US 6,234,898 B1 discloses a method and an apparatus for controlling a gaming operation. For controlling a gaming operation which can be operated safely in a non-secure environment a secure apparatus is provided on which software related to the control and operation of the game and data related to gains or losses of the player of the game is stored.
  • US 2004/0166942 A1 discloses a distributed gaming accelerator, in particular a method and an apparatus is described for speeding up the response time of games played over a network. For this purpose one or more secure storage and processing devices, a gaming server and one or more gaming consoles are provided. The gaming server creates a plurality of random seeds which are communicated via one of the gaming consoles to one of the secure storage and processing devices. After initiating a game a set of random numbers required to play a game are produced from one of the seeds in the secure storage and processing device and based thereon a game play sequence including a game and/or gamble outcome is produced in the secure storage and processing device.
  • FR 2674975 A discloses a portable terminal to effect transactions in a memory card holding credit information. The transactions can be the result of a purchase action or of a lottery game. The card user enters first data via the terminal and second data are received by the terminal from the network. The transaction on the credit information is carried out in accordance with the first data and the second data.
  • However, US 6,852,031 B1, US 6,234,898 B1, US 2004/0166942 A1 and FR 2674975 A merely refer to gaming machines with attainable prizes of comparatively low value so that problems might occur if prizes of high values are to be involved.
  • Depending on the value of the prize dealt with and the strategy according to which the game of chance is offered and conducted the demands on the methods and apparatuses for controlling these games have to be adapted. Furthermore, the security standards as well as the type of transparency of the system depend on whether the game is organized and conducted by one party only or whether multiple parties are involved. In the latter case the transparency, e.g. the possibility to verify the system state in specific situations by specific persons, is an essential aspect. Preferably, an official certification of the security standards should be provided.
  • On the other hand, if the security standards and the transparency of the gaming system can be increased, a new business relation between the party setting up the games and providing necessary equipment, the so-called promoter, and the party conducting the games, the so-called exhibitor, could be established. For example the promoter can rent a complete gaming machine to an exhibitor who can then in turn offer an attraction to a crowd of people as the potential players, like on marketing events or on sports events. In case of a winning the player can either claim the prize directly from the promoter or via the exhibitor.
  • It is evident that a method and apparatus to be employed in this situation have to satisfy strict security standards and provide the necessary transparency, if prizes of high values are involved. If these security standards are met, then the promoter can act like an insurance company, wherein the case of a winning is considered as the event of damage. A promoter will only offer the exhibitor the conducting of these games if the probability of a winning is known in advance to the promoter and if the necessary transparency is available for the promoter. Based on the probability of winning and the value of the prize, the promoter will offer the exhibitor the conducting of games under specific conditions. On the other hand, transparency is also important for the player. Convincing a player to gamble is only possible if the player can be sure that no cheating can take place, e.g. that a prize can indeed be won.
  • It is therefore an object of the invention to provide a method and apparatus for controlling a game of chance which enable to employ high security standards between a promoter and an exhibitor.
  • This object is solved by a method for controlling a game of chance by a hand-held security microprocessor system according to claim 1, by a hand-held security microprocessor system for controlling a game of chance according to claim 9, by a method for initializing a hand-held security microprocessor system according to claim 17 and by a computer system for initializing a hand-held security microprocessor system according to claim 24.
  • The method according to the invention for controlling a game of chance by a hand-held security microprocessor system has a microprocessor system with a microprocessor, an external data interface, a non-volatile data storage and a non-volatile programme storage, wherein in the non-volatile programme storage a security operating system is stored which is booted with the microprocessor and a controlling programme is stored which is executable on the microprocessor and wherein said microprocessor system is encapsulated in a sealed housing which cannot be dismantled without breaking the seal, comprising the steps of storing via the security operating system at least one reference-ID together with initial status data related to said at least one reference-ID in the non-volatile data storage, changing the initial status data related to the at least one reference-ID by the controlling programme, if winnings of the game of chance are identified by the controlling programme on the basis of said reference-ID, wherein, at least until all possible winnings are identified by the controlling programme on the basis of said at least one reference-ID, the security operating system is arranged to prohibit an immediate write access via the external data interface both to the at least one reference-ID and the initial status data related to said at least one reference-ID and is arranged to prohibit that information about the at least one reference-ID is exchanged via the external data interface.
  • The hand-held security microprocessor system according to the invention for controlling a game of chance comprises a microprocessor, an external data interface, a non-volatile data storage and a non-volatile programme storage, wherein in the non-volatile programme storage a security operating system is stored which is booted with the microprocessor and a controlling programme is stored which is executable on the microprocessor, means for storing via the security operating system at least one reference-ID together with initial status data related to said at least one reference-ID in the non-volatile data storage, wherein said microprocessor system is encapsulated in a sealed housing which cannot be dismantled without breaking the seal, wherein the controlling programme is arranged to change the initial status data related to the at least one reference-ID, if winnings of the game of chance are identified by the controlling programme on the basis of said reference-ID, and wherein, at least until all possible winnings are identified by the controlling programme on the basis of said at least one reference-ID, the security operating system is arranged to prohibit an immediate write access via the external data interface both to the at least one reference-ID and the initial status data related to said at least one reference-ID and is arranged to prohibit that information about the at least one reference-ID is exchanged via the external data interface.
  • The method according to the invention for initializing said hand-held security microprocessor system comprises the steps of generating said at least one reference-ID, writing said at least one reference-ID together with initial status data related to said at least one reference-ID in the non-volatile data storage of the microprocessor system, and writing said at least one reference-ID additionally to a secure data terminal.
  • The computer system according to the invention for initializing said hand-held security microprocessor system for controlling a game of chance comprises means for generating said at least one reference-ID, means for writing said at least one reference-ID together with initial status data related to said at least one reference-ID in the non-volatile data storage of the microprocessor system, and means for writing said at least one reference-ID additionally to a secure data terminal.
  • The inventive solution is based on the insight that the at least one reference-ID is always stored in advance together with initial status data on the hand-held security microprocessor system, before a game of chance is carried out by the controlling programme. Status data which are related to information regarding the outcome of the game are stored together with the corresponding reference-ID. Only after a winning is identified on the basis of a specific reference-ID can information about the reference-ID be exchanged via the external data interface. At this stage, the winning and its status can then be verified by any third party. Usually, the promoter will keep a certified copy of the reference-ID in a security envelope after the reference-ID was stored on the hand-held microprocessor system so that both the promoter and the exhibitor can check the correctness of the winning by opening the envelope. An immediate write access is prohibited both to a specific reference-ID and the corresponding initial status data at least until all possible winnings are identified on the basis of said reference-ID. After that, the immediate write access might be released so that the hand-held security microprocessor system may be reused for other purposes.
  • Security operating system
  • The main task of the security operating system is to administrate the immediate read and immediate write access to the smart card via the external data interface. An immediate access to specific data allows everybody to access these data without the need of an identification. In this way read access to the status data of a reference-ID is provided according to the invention for everybody, since this information does not represent sensitive data. On the other hand the prohibited immediate write access to the reference-ID will prevent anybody from rewriting the reference-ID once it has been set before the game of chance takes place. Since the security operating system controls the external data interface, it is not possible to circumvent this mechanism of data access. Nevertheless, an administrator access to the data of the smart card, which is activated once a corresponding identification has taken place, could be still allowed by the security operating system.
  • Furthermore, once access is granted to read and/or write data the security operating system will have to address communication related security issues.
  • These security issues deal with communications between the microcontroller system and the player, i.e. through a specific player interface, and communications between the microcontroller system and a programming machine, i.e. through a programming interface, whereas both interfaces form the external data interface.
  • An efficient way to improve the security in such communications is to employ encryption methods. In this way, even if it would become possible to listen to the communications, the obtained data could not be used. The necessary keys for the encryption and decryption have to be stored in a secure area of the microprocessor system where they cannot be accessed except by the security operating system.
  • A typical security issue relating to communication consists of an intruder pretending to be an authorized user of the microcontroller system. This scenario can for example occur when the microcontroller system is connected to a programming machine, and this problem is best overcome by performing an identification of the user, i.e. requesting a specific identification (ID). Only if the comparison with a corresponding ID stored in a read/write-protected area on the microcontroller yields a match is this user authorized to continue using the microcontroller. Further problems, e.g. a change of the data transmission paths or the so-called replay attack, wherein the intruder sends intercepted user transmission data again after some time, are best solved when the security operating system according to the invention interacts with other machines as little as possible and controls substantial parts of the game of chance itself.
  • All in all, the security operating system will provide the necessary functions to operate the microcontroller according to the invention, while achieving a specific security standard by preventing unauthorised users from accessing specific operating system functions or data and by limiting the necessary external communications to a minimum. Typically, the microcontroller system and its security operating system will be certified according to some security standards, e.g. the common criteria standard.
  • The security operating system is preferably stored on the microcontroller system within a read only memory (ROM) already during the production. In any case it has to be ensured that no manipulation of it can take place.
  • Controlling programme
  • The controlling programme is a sub-instance with regard to the security operating system. It can be booted together with the security operating system or can be executed on demand. The main task of the controlling programme is to control the game of chance which should be carried out by means of the hand-held security microprocessor system. The controlling programme has internal read access to the at least one reference-ID and internal read/write access to the initial status data related to the at least one reference-ID and updates the initial status data in accordance with the winnings of the game of chance. If winnings of the game of chance are identified by the controlling programme on the basis of said reference-ID, the new status of the game of chance is determined and the corresponding initial status data are overwritten. However, according to the underlying concept of the invention it should be noted that a user account information about wins and losses is usually not administrated by the controlling programme. In contrast to the prior art where a smart card for controlling a game of chance is always simultaneously used as a credit card to administrate the credit information of the user, the administration of any account or credit information is not necessary according to the invention since the distribution of the wins and losses will be fixed in advance by the promoter. For example, the distribution of wins and losses can be agreed upon in a contract between the promoter and the exhibitor so that there is no need to administrate any wins and losses with regard to a game credit of the user.
  • Another task of the controlling programme is to enhance the data security in particular with regard to the at least one reference-ID. For example, the controlling programme can also watch, in addition to the security operating system, that there is no exchange of information about the at least one reference-ID via the external data interface until all possible winnings of said reference-ID are identified by the controlling programme. The exchange of information could not only be initiated by a direct read access via the external data interface, which can be supervised by the security operating system, but could also be initiated by the controlling programme itself, for example in order to display the reference-ID on a display of a gaming machine which is connected to the security microprocessor system. Therefore, the controlling programme could involve corresponding checking routines for all data leaving the security microprocessor system via the external data interface in order to ensure that no information about the at least one reference-ID is output which could reveal possible winnings to the user.
  • Sealed housing
  • According to the invention the microprocessor system is enclosed in a sealed housing which can only be opened by breaking the seal. This feature allows an examining authority to clearly identify every attempt of mechanical intrusion into the system. Preferably, the seal and hence the status of the microprocessor system can be verified by everyone including the player. This will demonstrate at every level (game player/exhibitor/promoter/developer) the integrity of the microprocessor system and improve the overall trust in the system. However, this is not a requirement; it is only necessary that an examining authority, typically the promoter and/or the exhibitor, is able to verify the system's integrity whenever required.
  • Every type of seal satisfying this criterion could be employed. In a preferred embodiment the microprocessor system is encapsulated within a chip card, e.g. a smart card. Here the individual elements of the microprocessor system are embedded into one component, namely an integrated circuit, which is encapsulated within a plastic card. The seal is represented by the fixture of the integrated circuit within the plastic card, this is usually done using epoxy resin, and by the physical bond between the individual elements of the integrated circuit. Clearly, it is virtually impossible to dismantle this type of microprocessor system without visibly breaking the seal.
  • While chip cards might represent an ideal solution other types of sealed housings, each having individual advantages, are possible. For example so-called PC-Cards can be used, wherein the external data interface can be connected e.g. to notebooks, thus simplifying the programming process. Similarly, universal serial bus devices (USB) including a microprocessor can be employed.
  • While such housings for the microprocessor system have the advantage of being standardized, hence simplifying their usage and certification and reducing costs, purpose built sealed housings for the microprocessor system could be used as well. This would allow to even further increase the security and at the same time specific features could be included into the housing of the microprocessor system or the microprocessor system itself. For example the external data interface could include an interface for direct communication with the player, e.g. a keypad or display, or additional hardware could be included to improve the encoding and decoding operations. A purpose built sealed housing could be based on so-called crypto boxes usually used to encode network traffic. Even though the highest security standard can be achieved by physically joining the individual elements of the microprocessor system into an integrated circuit, a seal can also be applied to a housing enclosing separate components for each element of the microprocessor system.
  • Sealed housings are not limited to the examples given above and further solutions include e.g. personal digital assistants (PDAs) or security terminals.
  • Status data related to reference-IDs
  • According to the invention status data associated with a reference-ID are stored in the non-volatile memory in the microcontroller system. This is an important element in providing the necessary transparency for all parties involved in organizing and conducting the game. Since each reference-ID has its own status data, a request can be performed at any time using an immediate read access to verify the status of a particular reference-ID. In case of a winning the corresponding status data are changed accordingly and this status change can be observed by everyone using the immediate read access. The resulting increased transparency of this feature will convince the promoter, exhibitor and player to use the microcontroller system for games involving prizes of high value.
  • According to the invention an external data interface is supplied for transferring data from and to the microprocessor system. The external data interface is typically designed to enable a communication based on electronic data. For this purpose either electrical contacts can be used to communicate with an appropriate reading device or a contact-less communication can be established. The external data interface could alternatively or additionally include means for communicating directly with the player. For this purpose for example input buttons and visual or audio feedback systems could be utilized.
  • According to the invention winnings are determined based on the reference-ID. Typically, this is done by applying a specific algorithm to the reference-ID. This algorithm is part of the controlling programme which is controlled by the security operating system. Being stored securely on the microprocessor systems it cannot be changed by the player. Whereas theoretically this algorithm could be performed only on the reference-ID, i.e. employing the microprocessor systems similar to a scratch-card, generally this algorithm will require additional data. Such additional data, in the following called a random number, can be supplied during the game of chance. A match between a random number and the reference-ID resulting in a winning does not necessarily require the reference-ID and the random number to be completely identical. It could be sufficient that the algorithm determines a certain agreement between both numbers. Furthermore, multiple winnings could be achieved with respect to one reference-ID in case multiple random numbers are compared. Once all possible winnings have been identified the status data relating to the corresponding reference-ID are changed. For example the game status is modified to indicate the winning(s), the number of attempts left in connection with this reference-ID is reduced or the corresponding reference-ID is excluded from further games.
  • According to a further aspect of the invention the microprocessor system is encapsulated in a smart card. Smart cards offer the advantages of being comparatively cheap due to the widespread use and of providing a housing which ideally suits the requirement of a sealed housing. The smart card could comprise further security features, e.g. a magnetic stripe including encrypted information relating to the specific card or a hologram. A detailed description of a smart card which can be used according to the invention is given with reference to Fig. 1 below.
  • According to a further aspect of the invention a verification of the microprocessor system and/or a verification of possible winnings is performed on the basis of a promoter-ID (PID) and/or an exhibitor-ID (EID) stored in the non-volatile data storage by the promoter and/or exhibitor respectively. This method works similar to that of conventional gaming machines where a sealed envelope containing the reference-ID can be opened once the game has been finished. In case of a winning this allows the promoter to verify that no cheating has taken place and in case no winning took place this allows the exhibitor to verify that a winning was indeed possible. According to the invention an electronic envelope is generated based on the PID and/or EID which are transferred onto the smart card by the promoter and exhibitor respectively before the game of chance takes place. These unique and unknown numbers are encoded together with the reference-ID into a data package, which can be read before and while the game is conducted, preferably using immediate read access. Either symmetric or asymmetric encoding algorithms can be used, however, in either case the encoding key stored in the microprocessor system is not disclosed and only the de-/encoding algorithm is known. Once a game has finished the electronic envelope can be opened. This is done by supplying the PID and/or EID to the microprocessor system which in return discloses the encoding key. The data package can be decoded and discloses the reference-ID together with the PID and/or the EID for verification. Various strategies are possible for encoding the PID and/or the EID into the data package (electronic envelope), e.g. two different electronic envelopes could be used for the promoter and exhibitor or the PID and EID could form part of the respective keys.
It should be noted that even if no data package is generated by the microprocessor system and a conventional envelope is used instead, the PID and EID could still be employed to verify the identity of the microprocessor system.
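The electronic envelope described above, sketched as an added example that is not part of the patent text. It follows the "two different electronic envelopes" variant and, as an assumption, substitutes an HMAC-SHA-256 commitment for the unspecified encoding algorithm, so the package is checked by recomputation rather than decoded; all names and the sample IDs are constructed.

```python
import hashlib
import hmac
import secrets


def seal(key: bytes, reference_id: str, party_id: str) -> str:
    """Data package: HMAC-SHA-256 over the length-prefixed fields.

    Length prefixes keep ("47", "11X") and ("4711", "X") from colliding.
    """
    msg = b""
    for field in (reference_id, party_id):
        raw = field.encode()
        msg += len(raw).to_bytes(2, "big") + raw
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_opening(recorded_package: str, key: bytes,
                   reference_id: str, party_id: str) -> bool:
    """Run by the promoter or exhibitor after the game, off-card.

    Succeeds only if the disclosed key and reference-ID reproduce the
    package that the party read from the card before the game.
    """
    return hmac.compare_digest(recorded_package,
                               seal(key, reference_id, party_id))


class EnvelopeCard:
    """Card-side half of the envelope (hypothetical model)."""

    def __init__(self, reference_id: str, pid: str, eid: str):
        self._reference_id = reference_id
        self._ids = {"promoter": pid, "exhibitor": eid}
        # One undisclosed key per envelope, generated on the card.
        self._keys = {role: secrets.token_bytes(32) for role in self._ids}
        self.game_over = False

    def read_package(self, role: str) -> str:
        """Immediate read access: allowed before and during the game."""
        return seal(self._keys[role], self._reference_id, self._ids[role])

    def open_envelope(self, role: str, supplied_id: str):
        """Disclose (key, reference-ID) only after the game and only to
        whoever supplies the matching PID/EID; otherwise return None."""
        if not self.game_over:
            return None
        stored = self._ids[role].encode()
        if not hmac.compare_digest(supplied_id.encode(), stored):
            return None
        return self._keys[role], self._reference_id


if __name__ == "__main__":
    card = EnvelopeCard("4711", "PID-constructed", "EID-constructed")
    recorded = card.read_package("promoter")      # noted before the game
    card.game_over = True
    key, ref = card.open_envelope("promoter", "PID-constructed")
    print(verify_opening(recorded, key, ref, "PID-constructed"))
```

Because the party records the package before the game, a reference-ID altered afterwards no longer reproduces the recorded value.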
  • According to a further aspect of the invention immediate read access to the at least one reference-ID is granted once all possible winnings related to said reference-ID are identified. Since at this stage no further attempts to conduct a game are possible and the game status is recorded in the status data, it is safe to allow read access to the reference-ID for everyone. This feature can be used to further improve the integrity of the system. For example, it might be important to disclose the reference-ID in case the winning was determined based only on a certain agreement between the random number and the reference-ID.
  • According to a further aspect of the invention the at least one reference-ID is generated within the microprocessor system. The generated reference-ID is then stored in the non-volatile data storage of the microcontroller system. For this purpose initial data necessary to generate the reference-ID, i.e. the number of digits, is transferred to the microprocessor system. Based thereon the reference-ID can be generated typically using a random number generator. The initialization of the random number generator that is the transferring of an initial seed onto the microprocessor system can either be performed within a secure environment or within an insecure environment using appropriate encryption methods. In either case this data has to be transferred to the microprocessor system preferably before the game starts to prevent a deterioration of the security standard, e.g. to avoid unauthorized sending of an initial seed or listening to the communication.
  • According to a further aspect of the invention immediate read and/or write access is granted once a password which corresponds to an administrator password is supplied to the microprocessor system via the external data interface. The administrator password could be copied onto the microprocessor system during the basic configuration, i.e. when installing the security operating system using a programming machine. In principle the microprocessor system can be connected multiple times to the programming machine, whereby each time a comparison between the supplied password and the administrator password will be performed. In this way it is possible to reuse the microprocessor system for several games.
  • According to a further aspect of the invention a visual and/or audio feedback is given in case of a winning. Hereby the player is immediately informed about the successful game outcome. In this case immediate read access to the reference-ID does not necessarily have to be granted once all corresponding winnings have been identified, since for the player it is usually sufficient to be informed only about the game outcome. This is in particular the case when the player has used a random number generator in the search for the reference-ID and might not even be aware of the numbers generated by said random number generator. The visual and/or audio feedback can either be generated directly by a suitable external data interface or a command can be transmitted by the external data interface to a connected gambling machine.
  • According to a further aspect of the invention only a predetermined number of games can be conducted with a reference-ID. Preferably, for this purpose an access counter is provided by the security operating system. Each time a game of chance is conducted the access counter is incremented with respect to that reference-ID. This feature increases the security, since even if the microprocessor system is lost or stolen the validity of the microprocessor system expires once the predetermined number of games has been reached. Since the only access to the microprocessor system is through the security operating system and more specifically through functions thereof like a command to start a game of chance, it is not possible to tamper with the microprocessor system in such a way as to conduct games without increasing the number of games already conducted. Once a predetermined number of games of chance relating to a reference-ID have been conducted, the microprocessor system cannot be used for further games relating to this reference-ID.
  • According to a further aspect of the invention a random number to be used in the game of chance is transmitted to the microprocessor system via the external data interface. A random number is required for certain types of games of chance. For example in the lottery type game of chance in which the player tries to find the reference-ID a random number can be supplied by the player in this way. While the transmission of the random number does not require specific security measures, the processing is done by the security operating system, i.e. the gaming algorithm. Alternatively, a random number could be generated within the smart card using a random number generator.
  • According to a further aspect of the invention said at least one reference-ID is generated by a random generator. There are specific criteria to ensure that the produced reference-ID is a random number which is not subject to a preferred choice of the user and therefore is a random number which has the required random distribution. Such criteria could also be employed in the random generator.
  • According to a further aspect of the invention said at least one reference-ID is written to said security microprocessor system by an application protocol data unit (APDU). The application protocol data unit is a data container realized by software in which certain application data are bundled for a data exchange with said security microprocessor system.
  • According to a further aspect of the invention an authentication-ID being stored in the non-volatile data storage of said security microprocessor system is read out and is written together with the reference-ID to the secure data terminal. For example, smart cards can be globally identified on the basis of a unique authentication-ID. Hence, the authentication-ID enables to assign a specific reference-ID always to a specific security microprocessor system even after the security microprocessor system has been issued to the exhibitor.
  • The general aim of the secure data terminal is to provide both for the promoter and for the exhibitor an extra comparative safe place for the at least one reference-ID. After the game of chance has been performed on the security microprocessor system, the reference-ID stored in the secure data terminal can be taken in order to verify the outcome of the game according to the rules. Either the reference-ID could be guessed by the player and the exhibitor. Then the promoter can use the secure data terminal in order to verify the correctness of the winnings before the prize is paid out to the exhibitor. Or the reference-ID could not be guessed by the player and the exhibitor due to the limited number of attempts. Then the exhibitor can use the secure data terminal in order to verify that the promised winnings were indeed possible during the game after the access to the reference-ID was cleared by the promoter.
  • According to a further aspect of the invention said secure data terminal is a printer printing data in a security envelope. Security envelopes are well known for example in connection with the treatment of GSM-cards. The same technique could be used for carrying out the present invention.
  • According to a further aspect of the invention said secure data terminal is an extra comparative smart card.
  • Either the comparative smart card or the security envelope will be kept by the promoter and will be locked in a safe place for a later comparison after the game of chance has been played.
  • According to a further aspect of the invention said security microprocessor system has an extra comparative non-volatile data storage which is used as said secure data terminal. In this case the comparative reference-ID is placed on the same security microprocessor system which is handed over to the exhibitor by the promoter. However, specific encoding techniques are available which guarantee also for this solution a safe verification of the outcome of the game of chance.
  • In the following the embodiment of the invention is explained in more detail and with reference to the drawings in which
  • Fig. 1 shows a smart card used as a sealed security microprocessor system according to the invention,
  • Fig. 2 shows an embodiment of a gaming machine according to the invention,
  • Fig. 3 shows a basic flow chart representing the fundamental method for conducting a game of chance according to the invention,
  • Fig. 4A and Fig. 4B show a flow chart representing a first method of allowing a verification of the game of chance by the promoter and the exhibitor,
  • Fig. 5A and Fig. 5B show a flow chart representing a second method of allowing a verification of the game of chance by the promoter and the exhibitor, and
  • Fig. 6A and Fig. 6B show a flow chart representing a third method of allowing a verification of the game of chance by the promoter and the exhibitor.
  • Fig. 1 shows a smart card used as a sealed security microprocessor system according to the invention.
  • Smart cards are chip cards into which miniaturized IT components are embedded. The basic features of smart cards including physical properties, electronic signals and transmission protocols are standardized in ISO/IEC 7816. Smart cards can provide a secure environment to store and protect sensitive data.
  • The types of smart cards can be divided into two categories. The first category, the so-called memory cards, includes smart cards in which the chip corresponds only to a memory, usually based on semi-conductor or optical means, which can be read and possibly also written to. The second type of smart cards, the so-called microprocessor multifunction smart cards, provide a miniaturized microprocessor and memory components. Microprocessor multifunction smart cards can be used to perform a given task using specific application programs stored on the card in conjunction with a card operating system (COS) which provides some basic functions. Common to both types of smart cards is the fact that only a machine-machine interface is present in form of a standardized external interface on the smart card. A suitable card reader is required to communicate with a smart card. The external interface transmits data either using contacts or in a contact-less way, e.g. according to ISO/IEC 14443. When transmitting data using contacts standardized electrical contacts are provided on the smart card and on the card reader. Contact-less transmission utilizes various short and long range Radio Frequency Identification (RFID) technologies for transmission. So-called dual interface smart cards can transmit data via a contact or contact-less external interface.
  • According to the invention microprocessor multifunction smart cards are necessary, since the access to the data stored on the card can be strictly controlled by the microprocessor in conjunction with the security operating system. The game of chance itself is conducted using a controlling programme. The memory components of a microprocessor multifunction smart card are similar with regard to their functionality to such components used in microcomputers, i.e. typically a rewritable memory in form of a RAM (random access memory) for storing temporary data and a non-rewritable memory in form of a ROM (read only memory) for storing permanent data such as the COS are provided. An electronically erasable programmable read only memory (EEPROM) is usually provided for storing data permanently, while still being able to modify this data if required.
  • The smart card 101 shown in Fig. 1 is a microprocessor multifunction smart card, thus the integrated microchip 102 contains a microprocessor. The microprocessor is represented by the central processing unit (CPU) 103. A numerical processing unit (NPU) 104 is supplied additionally in this particular smart card. An NPU can be added to a smart card when it becomes necessary to perform intensive numerical calculations such as performing encryption or decryption algorithms. The NPU 104 communicates only with the CPU 103 and with a rewritable memory in form of a random access memory (RAM) 105 for storing temporary data. Further memories are provided in form of an electronically erasable programmable read only memory (EEPROM) 106 and in form of a read only memory (ROM) 107. The non-volatile data storage according to the invention is part of the EEPROM 106. Typically the COS, according to the invention a security operating system, is stored in the ROM 107 while the data to be processed is stored temporarily in the RAM 105 and permanently in the EEPROM 106. Application programs such as the controlling programme can either be stored in the ROM 107 or in the EEPROM 106. An I/O system 108 is provided to deal with the input and output of data. It is linked to the external data interface 109, which can be based on electrical contacts or can be based on a contact-less transmission to the card reader.
  • Fig. 2 shows an embodiment of a gambling machine 201 according to the invention wherein the microprocessor system is a smart card 202 as described with reference to Fig. 1 and consequently interfaces for direct communication with the player are not included in the microprocessor system and have to be accessed via the external data interface.
  • The gambling machine 201 contains two player interfaces. The first player interface 203 represents means for performing the payment and submitting commands to start and/or control the game of chance. It would be feasible, that games of chance can only be conducted once a certain amount has been transmitted to the smart card using tokens. Such tokens, representing a monetary value, can be transferred to the smart card from a further card, i.e. from a micro-payment card, belonging to the player via a separate card reader being part of the first player interface 203. Alternatively, payment can be made using a coin acceptor, in which case tokens can be generated within the gambling machine and can be transferred to the smart card 202. The second player interface 204 includes a visual and/or audio feedback system for presenting the status of the game, the number of tokens of the player available etc. Additionally, a showcase can be used for presenting symbolically a prize. To further increase the interest of potential players a control line between the gambling machine and the showcase can be added in order to automatically open the showcase in case a player wins.
  • Both player interfaces communicate with the smart card 202 through the external data interface using the card reader 205. This communication can be performed using contacts on the smart card 202 and on the card reader 205 or in a contact-less way. Depending on the type of the gambling machine and the strategy of the exhibitor the card reader 205 can either be positioned inside the gambling machine or on the outside of the gambling machine, in which case the player has access to the card reader 205. This would be advantageous, if the players have individual smart cards 202, which can be sold or otherwise distributed.
  • According to the invention the smart card 204 contains all remaining elements to conduct the game of chance. As indicated by the dashed box 206, only the smart card 204 represents a security-related element. Consequently, only the smart card 204 has to be certified to ensure the promoter that no security breaches are present.
  • Even though it is not required, the gambling machine could comprise additionally a gaming controller for controlling the first and the second player interface. While the smart card is principally sufficient to conduct a game of chance according to the invention, it might be advantageous to add some generic control elements to the gambling machine. The game controller might deal with the input of the tokens or control the visual and/or audio feedback system according to commands from the smart card. In more complicated games the smart card might even send information to the gaming machine to compute the output, i.e. advanced computer graphics, independently, provided all security related gaming operations are still performed within the microprocessor system.
  • Fig. 3 shows a basic flow chart representing the fundamental method for conducting a game of chance according to the invention.
  • The first step consists of initializing a microprocessor system within a programming machine 301. This process starts with a non-personalized microprocessor system 302, in which only the necessary infrastructure, e.g. the microprocessor, the external data interface and means for storage, is present. For reasons of efficiency the security operating system and possibly also the controlling programme can already be stored on the card, preferably within the ROM using a suitable hardware mask during the production. The status data of the non-personalized microprocessor system 302 is of no importance and is usually not yet set.
  • During the initialization process 303 additional data is copied onto the microprocessor system. This data includes a reference-ID, the controlling programme if this has not been transferred onto the card yet, the initial status data and possibly card-specific information which allows each microprocessor system to be uniquely identified. Instead of a reference-ID, data to produce a reference-ID could be stored, and the reference-ID could be generated within the microprocessor system at this stage. The promoter-ID (PID) and/or the exhibitor-ID (EID) can be transferred to the microprocessor system in order to allow verifications of the microprocessor system and/or the claimed winnings. The status data include information whether further games can be conducted and information whether a winning according to the invention has been achieved. In this example two flags called "Game Active" and "Winning" are used respectively. Once a winning has been detected, the flag "Winning" will be set to "Winning: Yes". As long as further games are possible, the flag "Game Active" is set to "Game Active: Yes".
  • Preferably, the at least one reference-ID is stored in the data storage within a secure environment. This greatly improves the security and at the same time reduces the efforts necessary to deal with security issues related to the data transfer via the external data interface.
  • For the game promoter it is crucial to ensure that no fraud is possible when transferring the reference-ID onto the microprocessor system. It has to be ruled out that someone can listen to this communication, since this would allow attempts to decipher the reference-ID. Similarly, it has to be prevented that someone can transfer a different number than the reference-ID to the microprocessor system. Whereas in principle this could be avoided by improving the communication related security, any communication regarding the reference-ID within an insecure environment will remain a possible risk. In particular transferring the reference-ID once the microprocessor system is connected to a gaming machine, e.g. during the start of the game, or even worse on request of the game algorithm executed in the microprocessor system has to be considered less secure.
  • Secure environments according to the invention are therefore situations in which the authority transferring the reference-ID has a complete control of the microprocessor system without anybody being able to interfere with this communication. Ideally, the promoter transfers the reference-ID onto the microprocessor system, however, this could also be done by the exhibitor as long as no potential players are involved. In any case, the reference-ID will be transferred onto the microprocessor system before the game of chance takes place and preferably without any specific request from the smart card to do so in this specific moment.
  • After the initialization a microprocessor system 304 contains the initial status data where these flags are set to "Winning: No" and "Game Active: Yes". It should be noted at this point, that more than one game of chance could be stored on the microprocessor system, whereas each individual game would have its own reference-ID and could have its own controlling programme associated with it. In this case several independent initial game status would have to be stored on the smart card during the initialization 303.
  • The second step consists of using the initialized microprocessor system 304 within a gambling machine 305. Once a corresponding command is transmitted from the gambling machine 305 to the processor unit of the microprocessor system, the game of chance is started 306. A winning is determined based on the reference-ID, for example by performing a comparison between a random number and the reference-ID.
  • If a winning 307 is achieved, the controlling programme will change the status data accordingly. Typically, the flag "Game Active" will also be modified to prevent further games from taking place. At this stage a prize can be claimed 308.
  • According to the invention it is sufficient to be in possession of the microprocessor system to claim a prize. This is a consequence of the decision to combine all security-related elements in the microprocessor system. The agency to which the microprocessor system is handed over, i.e. the promoter, can read out the status data to verify whether a winning has been achieved and if so which random number was supplied. A verification as explained with reference to Figs. 5 - 7 can be performed in the case that the promoter and/or exhibitor have initialised the microprocessor system accordingly.
  • Eventually, the microprocessor system can either be reinitialized, i.e. within a programming machine 301, or has to be destroyed 309.
  • If no winning has been detected 310, either further games are possible 311 or the last game has been performed 312, in which case the microprocessor system has to be reinitialized, i.e. within a programming machine 301, or has to be destroyed 313.
  • It should be noted, that in the case that more than one set of status data are present on the microprocessor system relating to more than one reference-ID, the operation of the microprocessor system in the gambling machine 305 can be repeated for each set of status data.
  • Fig. 4A and Fig. 4B show a flow chart representing a first method of allowing a verification of the game of chance by the promoter and the exhibitor. Such a verification aims at ensuring the promoter that in the case of a winning the identity and the integrity of the microprocessor system is in order. On the other hand the exhibitor and hence the player is interested to verify in the case no winning has been achieved that a winning was indeed possible. In gaming machines according to the prior art the reference-ID is enclosed in a sealed envelope for this purpose. If no winning was achieved, the envelope can be opened to show the player the correct reference-ID which can be tested to provide the proof. If, however, a winning is achieved, the sealed envelope will show the promoter that the winning is valid.
  • The first method of performing the verification according to Fig. 4A and Fig. 4B is based on supplying a promoter-ID (PID) and an exhibitor-ID (EID) to the microprocessor system before the game of chance takes place. An electronic envelope based on symmetric encoding substitutes the traditional sealed envelope.
  • Initially, the microprocessor system is produced as usual and a basic initialization is performed with the security operating system, including the gaming algorithm. In the next step a PID is stored securely on the microprocessor system. The PID is only known to the promoter and must not be disclosed. This PID is used by the microprocessor system to generate an encoding key to encode the electronic envelope.
  • In the following description the syntax for en- and decoding operations is written as:
    $\text{encoded\_text} = \text{coding\_algorithm}[\text{key}](\text{plain\_text})$

    where "plain_text" represents the information to be encoded using the encoding algorithm "coding_algorithm" in combination with the encoding key "key", and the result is the encoded information "encoded_text". Using symmetric coding methods the decoding algorithm is written as "coding_algorithm$^{-1}$".
  • The microprocessor system generates a random number Z1 as encoding key and encodes the PID using the symmetric encoding method DES3 (triple data encryption standard algorithm) as follows:
    $\mathrm{GKEY} = \mathrm{DES3}[\mathrm{Z1}](\mathrm{PID})$.
  • After initialization of the microprocessor system with the promoter information an electronic envelope referring to the promoter is generated, which contains the reference-ID. The reference-ID "ref-ID" itself is generated in this example using the random number generator of the microprocessor system. The electronic envelope "ENV" can be written as:
    $\mathrm{ENV} = \mathrm{DES3}[\mathrm{GKEY}](\text{ref-ID})$.
  • This information can be read out in the next step, e.g. using immediate read access. Due to the encryption no security breaches are possible. Only the promoter is able to open this electronic envelope.
  • In principle the microprocessor system has been set up at this stage to start conducting games, i.e. the initialization is finished. However, if the exhibitor wants to be able to prove that a winning would have been possible in case no winning was achieved, a separate electronic envelope with respect to the exhibitor will be generated. In this case the EID will be transferred and stored on the microprocessor system. The exhibitor electronic envelope will be calculated as:
    $\mathrm{KENV} = \mathrm{DES3}[\mathrm{Z3}](\mathrm{EID})$
    using the random number Z3 generated within the microprocessor system. Once again, the exhibitor electronic envelope can be read out using immediate read access.
  • Once the game of chance has been started, repetitions can be performed until either a winning has been achieved or no further attempts are possible.
  • In case of a winning in this particular example the reference-ID can be read out. At this stage the promoter can open the promoter electronic envelope by sending the PID to the microprocessor system. Preferably, a limited number of trials to send the correct PID can be implemented, further increasing the security. The microprocessor system responds to the correct PID by sending the previously generated random number "Z1". The promoter can then perform the following verification:
    $\mathrm{ENV}' = \mathrm{DES3}[\mathrm{DES3}[\mathrm{Z1}](\mathrm{PID})](\text{ref-ID})$

    where ENV' has to be equal to ENV. If this is the case the promoter can be guaranteed that the microprocessor system is identical to the one being initialized by the promoter or according to the promoter's instructions and that the reference-ID has indeed been found. A failed verification indicates a manipulated microprocessor system.
  • In case no winning has been achieved within the number of possible attempts, the encoding key "GKEY" can be read out from the microprocessor system allowing the exhibitor to determine the reference-ID from the promoter electronic envelope as:
    $\text{ref-ID} = \mathrm{DES3}^{-1}[\mathrm{GKEY}](\mathrm{ENV})$
    using the corresponding known decoding algorithm "DES3$^{-1}$". Supplying this reference-ID to the microprocessor system will produce a result confirming that this is the correct reference-ID.
  • A verification can be performed by the exhibitor - provided an EID has been supplied previously. For this purpose the EID is transferred to the microprocessor system which returns the random number Z3. The exhibitor can calculate:
    $\mathrm{KENV}' = \mathrm{DES3}[\mathrm{Z3}](\mathrm{EID})$
    which has to equal KENV in order to testify the identity of the microprocessor system. Even if the EID has not been provided, preferably within a limited number of times, the promoter can always perform its own verification by sending the correct PID in an identical way as described above.
  • Fig. 5A and Fig. 5B show a flow chart representing a second method of allowing a verification of the game of chance by the promoter and the exhibitor. This method is partly based on the traditional concept using a sealed envelope.
  • Initially the security operating system is stored in the microprocessor system. In the next step a PID is stored securely followed by the necessary game data, e.g. the reference-ID, corresponding initial status data, number of attempts etc. An EID can be stored on the microprocessor system additionally, however, this is only required if the exhibitor requires additional security.
  • After this initialization, the game of chance can be conducted until either a winning has been achieved, or no further attempts are possible. In case a winning has been achieved, the microprocessor system allows read access to the reference-ID. The sealed envelope can be opened by the promoter verifying that no fraud has taken place. The promoter can verify that this is indeed a microprocessor system initialized by the promoter by supplying the PID to the microprocessor system. A confirmation will be produced by the microprocessor system, if the correct PID is supplied. Using a PID with a sufficiently high number of digits and limiting the number of possible attempts to submit the PID during the verification ensures a certain security standard based on probabilities.
  • In case the last attempt to determine the reference-ID has failed, the sealed envelope can be opened by the exhibitor to demonstrate that a winning was possible. The reference-ID enclosed can be submitted to the microprocessor system, which replies with a confirmation. The exhibitor can verify that this microprocessor system has been initialised by the exhibitor by supplying the EID to the microprocessor system. A confirmation will be produced by the microprocessor system, if the correct EID is supplied. Using an EID with a sufficiently high number of digits and limiting the number of possible attempts to submit the EID during the verification ensures a certain security standard based on probabilities. Even if the EID has not been submitted within the predetermined number of attempts, the promoter can perform its verification identical to the situation in which a winning took place.
  • Fig. 6A and Fig. 6B show a flow chart representing a third method of allowing a verification of the game of chance by the promoter and the exhibitor. This method is based again on an electronic envelope, however, this time asymmetric encoding is used leading to some simplifications within the realization of the verification.
  • After a basic initialization of the microprocessor system with the security operating system and the controlling programme, an activation with the PID is performed as follows. The microprocessor system generates an asymmetric key "PKEY" comprising the private key "PKEY-SEC" and the public key "PKEY-PUB". The public key "PKEY-PUB" and the electronic envelope
    $\mathrm{Chiffrat} = \mathrm{RSA}[\text{PKEY-SEC}](\mathrm{PID})$
    obtained from the PID using the asymmetric RSA (Rivest, Shamir, and Adleman Algorithm) algorithm can be read out by the promoter. The public key "PKEY-PUB" must not be disclosed by the promoter. Using "Chiffrat" and "PID" allows the promoter to verify that "PKEY-PUB" is correct.
  • After transferring the number of digits of the reference-ID and the number of possible attempts to the microprocessor system, the reference-ID is generated using the random number generator of the microprocessor system. The reference-ID "ref-ID" is enclosed in an electronic envelope "ENV" as follows:
    $\mathrm{ENV} = \mathrm{RSA}[\text{PKEY-SEC}](\text{ref-ID})$
    and can be read out from the microprocessor system. At this stage the initialization is finished and a game can either be started or the exhibitor can produce an exhibitor electronic envelope. In the latter case the microprocessor system generates a further asymmetric key "KKEY" comprising the private key "KKEY-SEC" and the public key "KKEY-PUB". The public key "KKEY-PUB" can be read out by the exhibitor, however, it must not be disclosed. After supplying the EID the exhibitor electronic envelope is created:
    $\mathrm{KENV} = \mathrm{RSA}[\text{KKEY-SEC}](\mathrm{EID})$
    and can be read out.
  • The game of chance can be conducted until either a winning has been achieved, or no further attempts are possible. In case a winning has been achieved, the microprocessor system allows read access to the reference-ID. A verification can be performed by the promoter by sending an arbitrary number Z in the encoded form
    $\mathrm{ZZ} = \mathrm{RSA}[\text{PKEY-PUB}](Z)$
    to the microprocessor system, which responds by sending the result of the calculation
    $Z' = \mathrm{RSA}[\text{PKEY-SEC}](\mathrm{ZZ})$.
  • Only in case the public and the private keys belong to the same asymmetric key, Z will be equal to Z', thus confirming the system's integrity.
  • In case the last attempt to determine the reference-ID has failed, the microprocessor system will allow to read out the public key PKEY-PUB which allows to determine the reference-ID as:
    $\text{ref-ID} = \mathrm{RSA}[\text{PKEY-PUB}](\mathrm{ENV})$.
  • The reference-ID calculated in this way can be submitted to the microprocessor system, which issues a confirmation. Preferably, this check can only be performed a limited number of times.
  • Finally, the exhibitor has the possibility to perform a verification of the authenticity of the microprocessor system. An arbitrary number Z can be encoded by the exhibitor as
    $\mathrm{ZZ} = \mathrm{RSA}[\text{KKEY-PUB}](Z)$
    and can be supplied to the microprocessor system, which responds by decoding this information into
    $Z' = \mathrm{RSA}[\text{KKEY-SEC}](\mathrm{ZZ})$.
  • An agreement between Z and Z' confirms that this microprocessor system has been initialised by the exhibitor.
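
The promoter side of the third method, modelled end to end as an added example (not code from the patent or its applicant): a hypothetical `Card` class, unpadded RSA through Python's `pow`, a constructed demo modulus and a constructed PID. The state checks that gate each read-out are assumptions drawn from the order of steps above; the run also shows why PKEY-PUB must stay undisclosed, since whoever holds it can open ENV.

```python
import secrets
from math import gcd

# Constructed demo modulus from two Mersenne primes; far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)


class AccessDenied(Exception):
    """The card's operating system refused the request in its current state."""


class Card:
    """Hypothetical model of the microprocessor system in the third method."""

    def __init__(self, digits, attempts, confirm_limit=3):
        if not (1 <= digits <= 40 and attempts >= 1):
            raise ValueError("need 1..40 digits and at least one attempt")
        while True:  # asymmetric key generated on the card
            e = secrets.randbits(64) | (1 << 63) | 1
            if gcd(e, PHI) == 1:
                break
        self._pub = (N, e)           # PKEY-PUB: must stay undisclosed
        self._sec = pow(e, -1, PHI)  # PKEY-SEC: never leaves the card
        # Unpadded RSA maps 0 and 1 to themselves, so those values are skipped.
        self._ref_id = 2 + secrets.randbelow(10**digits - 2)
        self._attempts, self._confirms = attempts, confirm_limit
        self._activated = False
        self.winning, self.game_active = False, True

    def activate(self, pid):
        """One-time read-out by the promoter in a secure environment."""
        if self._activated:
            raise AccessDenied("already activated")
        self._activated = True
        chiffrat = pow(pid, self._sec, N)  # Chiffrat = RSA[PKEY-SEC](PID)
        return self._pub, chiffrat, self.read_envelope()

    def read_envelope(self):
        return pow(self._ref_id, self._sec, N)  # ENV = RSA[PKEY-SEC](ref-ID)

    def play(self, number):
        """One game: compare a supplied random number with the reference-ID."""
        if not self.game_active:
            raise AccessDenied("no further games possible")
        self._attempts -= 1
        self.winning = number == self._ref_id
        self.game_active = not self.winning and self._attempts > 0
        return self.winning

    def read_ref_id(self):
        if not self.winning:
            raise AccessDenied("reference-ID is readable only after a winning")
        return self._ref_id

    def read_pub_key(self):
        # Assumption: released only after the last failed attempt.
        if self.game_active or self.winning:
            raise AccessDenied("PKEY-PUB is not released in this state")
        return self._pub

    def respond(self, zz):
        # Assumption: the challenge is answered only once the game is over.
        if self.game_active:
            raise AccessDenied("game still active")
        return pow(zz, self._sec, N)  # Z' = RSA[PKEY-SEC](ZZ)

    def confirm(self, candidate):
        """Confirm a submitted reference-ID, a limited number of times."""
        if self.game_active or self._confirms == 0:
            raise AccessDenied("confirmation not available")
        self._confirms -= 1
        return candidate == self._ref_id


def promoter_check_key(pub, chiffrat, pid):
    """Promoter checks PKEY-PUB against Chiffrat and the PID it supplied."""
    n, e = pub
    return pow(chiffrat, e, n) == pid


def promoter_challenge(card, pub):
    """Send ZZ = RSA[PKEY-PUB](Z) and accept only if the card returns Z."""
    n, e = pub
    z = 2 + secrets.randbelow(n - 2)
    return card.respond(pow(z, e, n)) == z


def open_envelope(pub, env):
    """ref-ID = RSA[PKEY-PUB](ENV)."""
    n, e = pub
    return pow(env, e, n)


if __name__ == "__main__":
    card = Card(digits=6, attempts=2)
    pid = 4711001234  # constructed promoter-ID
    pub, chiffrat, env = card.activate(pid)
    print("key check:", promoter_check_key(pub, chiffrat, pid))
    while card.game_active:
        card.play(0)  # 0 is never a reference-ID in this model
    ref_id = open_envelope(card.read_pub_key(), env)
    print("envelope opened after last failed attempt:", card.confirm(ref_id))
    print("challenge-response:", promoter_challenge(card, pub))
```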

Claims (30)

  1. Method for controlling a game of chance by a hand-held security microprocessor system, said microprocessor system has a microprocessor, an external data interface, a non-volatile data storage and a non-volatile programme storage, wherein in the non-volatile programme storage a security operating system is stored which is booted with the microprocessor and a controlling programme is stored which is executable on the microprocessor and wherein said microprocessor system is encapsulated in a sealed housing which cannot be dismantled without breaking the seal, comprising the steps of:
    storing via the security operating system at least one reference-ID together with initial status data related to said at least one reference-ID in the non-volatile data storage,
    changing the initial status data related to the at least one reference-ID by the controlling programme, if winnings of the game of chance are identified by the controlling programme on the basis of said reference-ID,
    wherein, at least until all possible winnings are identified by the controlling programme on the basis of said at least one reference-ID, the security operating system is arranged to prohibit an immediate write access via the external data interface both to the at least one reference-ID and the initial status data related to said at least one reference-ID and is arranged to prohibit that information about the at least one reference-ID is exchanged via the external data interface.
  2. Method according to claim 1, wherein the microprocessor system is encapsulated in a smart card.
  3. Method according to one of the claims 1 - 2, wherein immediate read access to the at least one reference-ID is granted once all possible winnings related to said reference-ID are identified.
  4. Method according to one of the claims 1 - 3, wherein the at least one reference-ID is generated within the microprocessor system.
  5. Method according to one of the claims 1 - 4, wherein immediate read and/or write access is granted once a password which corresponds to an administrator password is supplied to the microprocessor system via the external data interface.
  6. Method according to one of the claims 1 - 5, wherein a visual and/or audio feedback is given in case of a winning.
  7. Method according to one of the claims 1 - 6, wherein only a predetermined number of games can be conducted with a reference-ID.
  8. Method according to one of the claims 1 - 7, wherein a random number to be used in the game of chance is transmitted to the microprocessor system via the external data interface.
  9. Hand-held security microprocessor system for controlling a game of chance, comprising:
    a microprocessor, an external data interface, a non-volatile data storage and a non-volatile programme storage, wherein in the non-volatile programme storage a security operating system is stored which is booted with the microprocessor and a controlling programme is stored which is executable on the microprocessor,
    means for storing via the security operating system at least one reference-ID together with initial status data related to said at least one reference-ID in the non-volatile data storage,
    wherein said microprocessor system is encapsulated in a sealed housing which cannot be dismantled without breaking the seal,
    wherein the controlling programme is arranged to change the initial status data related to the at least one reference-ID, if winnings of the game of chance are identified by the controlling programme on the basis of said reference-ID, and
    wherein, at least until all possible winnings are identified by the controlling programme on the basis of said at least one reference-ID, the security operating system is arranged to prohibit an immediate write access via the external data interface both to the at least one reference-ID and the initial status data related to said at least one reference-ID and is arranged to prohibit that information about the at least one reference-ID is exchanged via the external data interface.
  10. Microprocessor system according to claim 9, wherein the microprocessor system is encapsulated in a smart card.
  11. Microprocessor system according to one of the claims 9 - 10, comprising means for granting an immediate read access to the at least one reference-ID once all possible winnings related to said reference-ID are identified.
  12. Microprocessor system according to one of the claims 9 - 11, comprising means for generating the at least one reference-ID within the microprocessor system.
  13. Microprocessor system according to one of the claims 9 - 12, comprising means for granting immediate read and/or write access once a password which corresponds to an administrator password is supplied to the microprocessor system via the external data interface.
  14. Microprocessor system according to one of the claims 9 - 13, comprising means for giving a visual and/or audio feedback in case of a winning.
  15. Microprocessor system according to one of the claims 9 - 14, comprising means for allowing only a predetermined number of games to be conducted with a reference-ID.
  16. Microprocessor system according to one of the claims 9 - 15, comprising means for receiving a random number to be used in the game of chance by the microprocessor system via the external data interface.
  17. Method for initializing a hand-held security microprocessor system according to one of the claims 9 - 16 for controlling a game of chance,
    generating said at least one reference-ID,
    writing said at least one reference-ID together with initial status data related to said at least one reference-ID in the non-volatile data storage of the microprocessor system, and
    writing said at least one reference-ID additionally to a secure data terminal.
  18. Method according to claim 17, wherein said at least one reference-ID is generated by a random generator.
  19. Method according to one of the claims 17 - 18, wherein said at least one reference-ID is written to said security microprocessor system by an application protocol data unit (APDU).
  20. Method according to one of the claims 17 - 19, wherein an authentication-ID being stored in the non-volatile data storage of said security microprocessor system is read out and is written together with the reference-ID to the secure data terminal.
  21. Method according to one of the claims 17 - 20, wherein said secure data terminal is a printer printing data in a security envelope.
  22. Method according to one of the claims 17 - 20, wherein said secure data terminal is an extra comparative smart card.
  23. Method according to one of the claims 17 - 20, wherein said security microprocessor system has an extra comparative non-volatile data storage which is used as said secure data terminal.
  24. Computer system for initializing a hand-held security microprocessor system according to one of the claims 9 - 16 for controlling a game of chance,
    means for generating said at least one reference-ID,
    means for writing said at least one reference-ID together with initial status data related to said at least one reference-ID in the non-volatile data storage of the microprocessor system, and
    means for writing said at least one reference-ID additionally to a secure data terminal.
  25. Computer system according to claim 24, wherein said means for generating said at least one reference-ID is a random generator.
  26. Computer system according to one of the claims 24 - 25, wherein said means for writing said at least one reference-ID to said security microprocessor system is an application protocol data unit (APDU).
  27. Computer system according to one of the claims 24 - 26, wherein an authentication-ID being stored in the non-volatile data storage of said security microprocessor system is read out and is written together with the reference-ID to the secure data terminal.
  28. Computer system according to one of the claims 24 - 27, wherein said secure data terminal is a printer printing data in a security envelope.
  29. Computer system according to one of the claims 24 - 27, wherein said secure data terminal is an extra comparative smart card.
  30. Computer system according to one of the claims 24 - 27, wherein said security microprocessor system has an extra comparative non-volatile data storage which is used as said secure data terminal.
EP05021900A 2005-03-31 2005-10-07 Method and apparatus for controlling a game of chance Withdrawn EP1672601A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP05021900A EP1672601A1 (en) 2005-03-31 2005-10-07 Method and apparatus for controlling a game of chance
PCT/EP2006/002955 WO2006103089A1 (en) 2005-03-31 2006-03-31 Method and apparatus for controlling a game of chance

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP05007099A EP1672600A1 (en) 2005-03-31 2005-03-31 Smart card
EP05021900A EP1672601A1 (en) 2005-03-31 2005-10-07 Method and apparatus for controlling a game of chance

Publications (1)

Publication Number Publication Date
EP1672601A1 true EP1672601A1 (en) 2006-06-21

Family

ID=36353881

Family Applications (1)

Application Number Title Priority Date Filing Date
EP05021900A Withdrawn EP1672601A1 (en) 2005-03-31 2005-10-07 Method and apparatus for controlling a game of chance

Country Status (2)

Country Link
EP (1) EP1672601A1 (en)
WO (1) WO2006103089A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5507489A (en) * 1992-11-04 1996-04-16 Info Telecom Electronic game-of-chance device
US6234898B1 (en) * 1995-11-21 2001-05-22 Serge Christian Pierre Belamant Method and apparatus for controlling a gaming operation
US20020155892A1 (en) * 1998-08-26 2002-10-24 Yusuke Mishina IC card, terminal device and service management server
US6852031B1 (en) * 2000-11-22 2005-02-08 Igt EZ pay smart card and tickets system

Also Published As

Publication number Publication date
WO2006103089A1 (en) 2006-10-05

Similar Documents

Publication Publication Date Title
US5146499A (en) Data processing system comprising authentification means viz a viz a smart card, an electronic circuit for use in such system, and a procedure for implementing such authentification
US7367889B2 (en) Gaming machine having hardware-accelerated software authentication
US9246886B2 (en) Device for and method of handling sensitive data
EP1497006B1 (en) Authentication in a secure computerized gaming system
RU2310907C1 (en) Method for ensuring safety of game devices and a game device for its realization
US7203841B2 (en) Encryption in a secure computerized gaming system
US5781723A (en) System and method for self-identifying a portable information device to a computing unit
US7549922B2 (en) Software security for gaming devices
US20020049909A1 (en) Encryption in a secure computerized gaming system
US20030203755A1 (en) Encryption in a secure computerized gaming system
US20030130032A1 (en) Pass-through live validation device and method
RU2265885C2 (en) Method and device for protecting operative data of playing device
RU2144695C1 (en) Method for claiming liability for card-related action by client and for accepting the claim by issuer
EP1672601A1 (en) Method and apparatus for controlling a game of chance
EP1672600A1 (en) Smart card
JPH10108963A (en) Collation judgment information of game machine control substrate and enciphering communication system
KR20040020059A (en) Method and management system for gaming management between a gaming management center and at least one gaming terminal, gaming management center and gaming terminal
AU2001245518B2 (en) Encryption in a secure computerized gaming system
AU2019261822A1 (en) An electronic gaming machine
JPS6349966A (en) Ic card system
AU2001245518A1 (en) Encryption in a secure computerized gaming system

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL BA HR MK YU

17P Request for examination filed

Effective date: 20061221

17Q First examination report despatched

Effective date: 20070130

AKX Designation fees paid

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20090505