Entity authentication for pre-authenticated links
US-2024396898-A1 · Nov 28, 2024 · US
Methods for secure credential provisioning
US10461933B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10461933-B2 |
| Application number | US-201615008388-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jan 27, 2016 |
| Priority date | Jan 27, 2015 |
| Publication date | Oct 29, 2019 |
| Grant date | Oct 29, 2019 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Embodiments can provide methods for securely provisioning sensitive credential data, such as a limited use key (LUK) onto a user device. In some embodiments, the credential data can be encrypted using a separate storage protection key and decrypted only at the time of a transaction to generate a cryptogram for the transaction. Thus, end-to-end protection can be provided during the transit and storage of the credential data, limiting the exposure of the credential data only when the credential data is required, thereby reducing the risk of compromise of the credential data.
First claim
Opening claim text (preview).
What is claimed is: 1. A computer-implemented method, comprising: determining, by a user device, a one-time user public key; sending, by the user device to a provisioning server computer, a provisioning request message including the one-time user public key; receiving, by the user device, an encrypted provisioning response message from the provisioning server computer, the encrypted provisioning response message comprising encrypted credential data; determining, by the user device, a response shared secret using a static server public key; determining, by the user device, a response session key from the response shared secret, the response session key usable for decrypting the encrypted provisioning response message; decrypting, by the user device, the encrypted provisioning response message using the response session key to determine the encrypted credential data; determining, by the user device, a storage protection key from the response shared secret, the storage protection key being different from the response session key and usable for decrypting the encrypted credential data; encrypting, by the user device, the storage protection key with a key encryption key to generate an encrypted storage protection key; storing, by the user device, the encrypted storage protection key; storing, by the user device, the encrypted credential data; retrieving, by the user device, the encrypted credential data; retrieving, by the user device, the encrypted storage protection key; decrypting, by the user device, the encrypted storage protection key using the key encryption key to obtain the storage protection key; and decrypting, by the user device, the encrypted credential data using the storage protection key to obtain credential data. 2. The computer-implemented method of claim 1 , wherein the encrypted credential data includes a limited use key (LUK) or key derivation data for a single use key (SUK). 3. The computer-implemented method of claim 1 , wherein the encrypted credential data is stored in a storage server remotely connected to the user device and the encrypted storage protection key is stored in the user device. 4. The computer-implemented method of claim 1 , wherein the retrieving of the encrypted credential data is in response to an indication to generate a cryptogram used for authenticating an authorization request message, the method further comprising: generating the cryptogram using the credential data. 5. The computer-implemented method of claim 4 , wherein decrypting the encrypted credential data using the storage protection key comprises: deriving a credential encryption key using the storage protection key and key derivation data for the credential encryption key, the key derivation data comprises data specific to the user device; and decrypting the encrypted credential data using the credential encryption key. 6. The computer-implemented method of claim 4 , wherein the cryptogram is generated using a cryptogram key derived from the credential data. 7. The computer-implemented method of claim 1 , wherein a blinded static server public key is received with the encrypted provisioning response message, and wherein the response shared secret is determined using the blinded static server public key. 8. The computer-implemented method of claim 1 , wherein determining the one-time user public key comprises generating an ephemeral user key pair comprising an ephemeral user private key and an ephemeral user public key, wherein the ephemeral user public key is used as the one-time user public key. 9. The computer-implemented method of claim 1 , wherein determining the one-time user public key comprises blinding a static user public key. 10. A computer-implemented method, comprising: determining, by a user device, a one-time user public key; generating, by the user device, a request shared secret using a static server public key and a user private key corresponding to the one-time user public key; encrypting, by the user device, request data using the request shared secret to obtain encrypted request data; sending, by the user device to a provisioning server computer, a provisioning request message including the one-time user public key and the encrypted request data; receiving, by the user device, an encrypted provisioning response message from the provisioning server computer, the encrypted provisioning response message comprising encrypted credential data; determining, by the user device, a response shared secret using the static server public key; determining, by the user device, a response session key from the response shared secret, the response session key usable for decrypting the encrypted provisioning response message; decrypting, by the user device, the encrypted provisioning response message using the response session key to determine the encrypted credential data; determining, by the user device, a storage protection key from the response shared secret, the storage protection key being different from the response session key and usable for decrypting the encrypted credential data; encrypting, by the user device, the storage protection key with a key encryption key to generate an encrypted storage protection key; storing, by the user device, the encrypted storage protection key; and storing, by the user device, the encrypted credential data. 11. The computer-implemented method of claim 10 , wherein the encrypted credential data includes a limited use key (LUK) or key derivation data for a single use key (SUK). 12. The computer-implemented method of claim 10 , wherein the encrypted credential data is stored in a storage server remotely connected to the user device and the encrypted storage protection key is stored in the user device. 13. A computer system, comprising: a memory that stores computer-executable instructions; and a processor configured to access the memory and execute the computer-executable instructions to: determine a one-time user public key; send, to a provisioning server computer, a provisioning request message including the one-time user public key; receive an encrypted provisioning response message from the provisioning server computer, the encrypted provisioning response message comprising encrypted credential data; determine a response shared secret using a static server public key; determine a response session key from the response shared secret, the response session key usable for decrypting the encrypted provisioning response message; decrypt the encrypted provisioning response message using the response session key to determine the encrypted credential data; determine a storage protection key from the response shared secret, the storage protection key being different from the response session key and usable for decrypting the encrypted credential data; encrypt the storage protection key with a key encryption key to generate an encrypted storage protection key; store the encrypted storage protection key; store the encrypted credential data; retrieve the encrypted credential data; retrieve the encrypted storage protection key; decrypt the encrypted storage protection key using the key encryption key to obtain the storage protection key; and decrypt the encrypted credential data using the storage protection key to obtain credential data. 14. The computer system of claim 13 , wherein the encrypted credential data is stored in a storage server remotely connected to the computer system. 15. The computer system of claim 13 , wherein the computer-executable instructions further include instructions for: in response to an indi
Assignees
Inventors
Classifications
Generation of secret information including derivation or calculation of cryptographic keys or passwords · CPC title
Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage · CPC title
wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption (cryptographic mechanisms or cryptographic arrangements using a plurality of keys or algorithms H04L9/14) · CPC title
using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates · CPC title
- H04L9/3226Primary
using a predetermined code, e.g. password, passphrase or PIN (network architectures or network communication protocols for supporting authentication of entities using passwords in a packet data network H04L63/083) · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US10461933B2 cover?
- Embodiments can provide methods for securely provisioning sensitive credential data, such as a limited use key (LUK) onto a user device. In some embodiments, the credential data can be encrypted using a separate storage protection key and decrypted only at the time of a transaction to generate a cryptogram for the transaction. Thus, end-to-end protection can be provided during the transit and s…
- Who is the assignee on this patent?
- Visa Int Service Ass
- What technology area does this patent fall under?
- Primary CPC classification H04L9/3226. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue Oct 29 2019 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).