Methods for secure credential provisioning

US11201743B2 · US · B2

Patent metadata

Publication number: US-11201743-B2
Application number: US-201916566651-A
Country: US
Kind code: B2
Filing date: Sep 10, 2019
Priority date: Jan 27, 2015
Publication date: Dec 14, 2021
Grant date: Dec 14, 2021

Abstract

Official abstract text for this publication.

Embodiments can provide methods for securely provisioning sensitive credential data, such as a limited use key (LUK) onto a user device. In some embodiments, the credential data can be encrypted using a separate storage protection key and decrypted only at the time of a transaction to generate a cryptogram for the transaction. Thus, end-to-end protection can be provided during the transit and storage of the credential data, limiting the exposure of the credential data only when the credential data is required, thereby reducing the risk of compromise of the credential data.

Claims

Full claim text for this publication.

What is claimed is:

1. A computer-implemented method, comprising: determining, by a user device, a one-time user public key; determining, by the user device, a storage protection public key; sending, by the user device to a provisioning server computer, a provisioning request message including the one-time user public key and the storage protection public key; receiving, by the user device, an encrypted provisioning response message from the provisioning server computer, the encrypted provisioning response message comprising encrypted credential data, wherein the encrypted credential data is encrypted using the storage protection public key; determining, by the user device, a response shared secret using a static server public key; determining, by the user device, a response session key from the response shared secret, the response session key usable for decrypting the encrypted provisioning response message; decrypting, by the user device, the encrypted provisioning response message using the response session key to determine the encrypted credential data; and storing, by the user device, the encrypted credential data.

2. The computer-implemented method of claim 1, wherein the storage protection public key and the one-time user public key both correspond to a same user private key.

3. The computer-implemented method of claim 1, wherein the storage protection public key and the one-time user public key correspond to different user private keys.

4. The computer-implemented method of claim 1, further comprising: in response to an indication to generate a cryptogram used for authenticating an authorization request message, retrieving the encrypted credential data; decrypting the encrypted credential data using a storage protection private key corresponding to the storage protection public key to obtain the credential data; and generating the cryptogram using the credential data.

5. The computer-implemented method of claim 4, further comprising: encrypting the storage protection private key using a key encryption key; storing the encrypted storage protection private key; retrieving the encrypted storage protection private key; and decrypting the encrypted storage protection private key using the key encryption key to obtain the storage protection private key that is used in decrypting the encrypted credential data.

6. The computer-implemented method of claim 1, wherein determining the one-time user public key comprises generating an ephemeral user key pair comprising an ephemeral user private key and an ephemeral user public key, wherein the ephemeral user public key is used as the one-time user public key.

7. The computer-implemented method of claim 1, wherein the provisioning request message further comprises supplementary data including identification data, a user device identifier, or authentication data, and wherein the response session key is determined using the supplementary data.

8. The computer-implemented method of claim 1, wherein a portion of the provisioning request message is encrypted using a request session key that is derived from a request shared secret, the request shared secret generated using the static server public key and a user private key corresponding to the one-time user public key.

9. The computer-implemented method of claim 1, wherein determining the response session key from the response shared secret further comprises inputting key derivation data and the response shared secret into a key derivation function (KDF).

10. The computer-implemented method of claim 1, wherein the encrypted credential data is stored in a secure module of the user device.

11. The computer-implemented method of claim 1, wherein a storage protection private key corresponding to the storage protection public key is stored in a different location than the encrypted credential data.

12. The computer-implemented method of claim 1, wherein the credential data comprises a limited use key (LUK) and cryptogram key derivation data usable for deriving a cryptogram key that is used to generate a cryptogram.

13. The computer-implemented method of claim 1, wherein the encrypted credential data is stored in a storage server remotely connected to the user device.

14. A computer system, comprising: a memory that stores computer-executable instructions; and a processor configured to access the memory and execute the computer-executable instructions to implement a method comprising: determining a one-time user public key; determining a storage protection public key; sending to a provisioning server computer a provisioning request message including the one-time user public key and the storage protection public key; receiving an encrypted provisioning response message from the provisioning server computer, the encrypted provisioning response message comprising encrypted credential data, wherein the encrypted credential data is encrypted using the storage protection public key; determining a response shared secret using a static server public key; determining a response session key from the response shared secret, the response session key usable for decrypting the encrypted provisioning response message; decrypting the encrypted provisioning response message using the response session key to determine the encrypted credential data; and storing the encrypted credential data.

15. The computer system of claim 14, wherein the storage protection public key and the one-time user public key correspond to different user private keys.

16. The computer system of claim 14, wherein the method further comprises: in response to an indication to generate a cryptogram used for authenticating an authorization request message, retrieving the encrypted credential data; decrypting the encrypted credential data using a storage protection private key corresponding to the storage protection public key to obtain the credential data; and generating the cryptogram using the credential data.

17. The computer system of claim 14, wherein the credential data comprises a limited use key (LUK) and cryptogram key derivation data usable for deriving a cryptogram key that is used to generate a cryptogram.

18. The computer system of claim 14, wherein a storage protection private key corresponding to the storage protection public key is stored in a different location than the encrypted credential data.

19. The computer system of claim 14, wherein the storage protection public key and a corresponding storage protection private key are encrypted using a key encryption key before being stored.

20. The computer system of claim 14, wherein a portion of the provisioning request message is encrypted using a request session key that is derived from a request shared secret, the request shared secret generated using the static server public key and a user private key corresponding to the one-time user public key.
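The two-layer flow of claims 1, 3, 4, 6 and 9, as an added worked example in Go; it is not code from the patent or from any Visa implementation. It assumes X25519 for the key agreement, AES-256-GCM for both symmetric layers, an ECIES-style construction for "encrypting using the storage protection public key", and a plain SHA-256 hash as the KDF; the function names, labels and the sample LUK are constructed for the example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
var curve = ecdh.X25519() // constructed choice; the claims fix no curve
func gen() *ecdh.PrivateKey { k, _ := curve.GenerateKey(rand.Reader); return k }
// kdf stands in for the claim-9 KDF: hash of a shared secret and key-derivation data (constructed).
func kdf(shared, info []byte) []byte { k := sha256.Sum256(append(shared, info...)); return k[:] }
// seal/open: AES-256-GCM with a random 12-byte nonce prefixed to the ciphertext.
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
func seal(key, pt []byte) []byte { n := make([]byte, 12); rand.Read(n); return gcm(key).Seal(n, n, pt, nil) }
func open(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 { return nil, errors.New("short ciphertext") }
	return gcm(key).Open(nil, ct[:12], ct[12:], nil)
}
// encryptTo/decryptWith: ECIES-style encryption to a public key (constructed); the sender's 32-byte ephemeral public key is prefixed.
func encryptTo(pub *ecdh.PublicKey, info, pt []byte) []byte {
	eph := gen()
	ss, _ := eph.ECDH(pub)
	return append(eph.PublicKey().Bytes(), seal(kdf(ss, info), pt)...)
}
func decryptWith(priv *ecdh.PrivateKey, info, blob []byte) ([]byte, error) {
	if len(blob) < 32 { return nil, errors.New("short blob") }
	ephPub, err := curve.NewPublicKey(blob[:32])
	if err != nil { return nil, err }
	ss, err := priv.ECDH(ephPub)
	if err != nil { return nil, err }
	return open(kdf(ss, info), blob[32:])
}
// Provision is the server side of claim 1: LUK encrypted under the storage protection public key, then the whole response wrapped with a session key from ECDH(static server private, one-time user public).
func Provision(serverStatic *ecdh.PrivateKey, oneTimePub, storagePub *ecdh.PublicKey, luk []byte) ([]byte, error) {
	ss, err := serverStatic.ECDH(oneTimePub)
	if err != nil { return nil, err }
	return seal(kdf(ss, []byte("response")), encryptTo(storagePub, []byte("storage"), luk)), nil
}
// RunFlow plays device and server end to end: it returns the blob the device keeps at rest and the LUK it recovers only when a cryptogram is needed (claim 4), so a caller can check the plaintext never reaches storage.
func RunFlow(luk []byte) (stored, recovered []byte, err error) {
	serverStatic, oneTime, storage := gen(), gen(), gen() // long-term server key; one-time user key (claim 6); separate storage protection key (claim 3)
	resp, err := Provision(serverStatic, oneTime.PublicKey(), storage.PublicKey(), luk)
	if err != nil { return }
	ss, _ := oneTime.ECDH(serverStatic.PublicKey()) // device: response shared secret via the static server public key
	if stored, err = open(kdf(ss, []byte("response")), resp); err != nil { return }
	recovered, err = decryptWith(storage, []byte("storage"), stored)
	return
}
```

A wrong storage protection private key, or a truncated blob, makes decryptWith return an error rather than a garbage LUK, because GCM authenticates the ciphertext.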

Assignees

Visa Int Service Ass

Classifications

  • H04L9/0822 (primary): using key encryption key

  • Revocation or update of secret information, e.g. encryption key update or rekeying

  • involving Diffie-Hellman or related key agreement protocols

  • Financial cryptography, e.g. electronic payment or e-cash

  • Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11201743B2 cover?
See the abstract above.
Who is the assignee on this patent?
Visa Int Service Ass
What technology area does this patent fall under?
Primary CPC classification H04L9/0822. Mapped technology areas include Electricity.
When was this patent published?
Publication date Dec 14, 2021 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).