Efficient key generator for distribution of sensitive material from multiple application service providers to a secure element such as a universal integrated circuit card (UICC)
US-9210138-B2 · Dec 8, 2015 · US
Hybrid integration of software development kit with secure execution environment
US11240219B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11240219-B2 |
| Application number | US-201916672219-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 1, 2019 |
| Priority date | Dec 31, 2014 |
| Publication date | Feb 1, 2022 |
| Grant date | Feb 1, 2022 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
A portable communication device may include a mobile application executing in an application execution environment and a secure application executing in a trusted execution environment. The secure application may receive, from the mobile application, a storage request to store sensitive data. The storage request may include an encrypted data type identifier and an encrypted sensitive data. The secure application may decrypt the encrypted data type identifier and the encrypted sensitive data using a transport key, and re-encrypt the sensitive data using a storage key. The re-encrypted sensitive data can then be stored in a memory of the portable communication device which is outside the trusted execution environment.
First claim
Opening claim text (preview).
What is claimed is: 1. A portable communication device comprising: one or more processor circuits; and one or more memory units coupled to the one or more processor circuits and storing computer readable code implementing a mobile application in an application execution environment and a secure application in a trusted execution environment, which when executed by the one or more processor circuits, performs operations including: receiving, by the secure application from the mobile application executing in the application execution environment of the portable communication device, a first storage request to store first sensitive data, the first sensitive data being cryptogram generation key, the first storage request including a first encrypted data type identifier and an encrypted cryptogram generation key; decrypting, by the secure application, the first encrypted data type identifier and the encrypted cryptogram generation key using a transport key; determining, by the secure application, that the first decrypted data type identifier indicates that the first sensitive data is cryptogram generation key; re-encrypting, by the secure application based on the first decrypted data type identifier, the cryptogram generation data using a key to generate a re-encrypted cryptogram generation key; and storing the re-encrypted cryptogram generation key in a memory of the portable communication device outside the trusted execution environment. 2. The portable communication device of claim 1 , wherein the key is a key-storage key, and wherein the operations further include: receiving, by the secure application from the mobile application, a cryptogram generation request to generate a transaction cryptogram, the cryptogram generation request including the re-encrypted cryptogram generation key and transaction data; decrypting, by the secure application, the re-encrypted cryptogram generation key using the key-storage key; encrypting, by the secure application, the transaction data using the cryptogram generation key to generate the transaction cryptogram; and sending, by the secure application to the mobile application, the generated transaction cryptogram. 3. The portable communication device of claim 2 , wherein the transaction data is received by the mobile application from an access device, and the mobile application transmits the generated transaction cryptogram to the access device to conduct a transaction. 4. The portable communication device of claim 2 , wherein the cryptogram generation key is a limited-use key. 5. The portable communication device of claim 4 , wherein the operations further include: receiving, by the secure application from the mobile application, a key replenishment request, the key replenishment request including the re-encrypted cryptogram generation key and a transaction verification log; decrypting, by the secure application, the re-encrypted cryptogram generation key using the key-storage key; generating, by the secure application, a hash value computed over at least the transaction verification log using the decrypted cryptogram generation key; and sending, by the secure application to the mobile application, the hash value. 6. The portable communication device of claim 5 , wherein the mobile application sends the hash value to a server to request a new limited-use key. 7. The portable communication device of claim 1 , wherein the encrypted cryptogram generation key is received by the mobile application from a server, and the encrypted cryptogram generation key is signed by the server, and wherein the operations further include: verifying, by the secure application, that the encrypted cryptogram generation key was signed by the server using a certificate associated with the server. 8. A method for managing sensitive data in a portable communication device having a mobile application executing in an application execution environment and a secure application executing in a trusted execution environment, the method comprising: receiving, by the secure application from the mobile application executing in the application execution environment of the portable communication device, a first storage request to store first sensitive data, the first sensitive data being a cryptogram generation key, the first storage request including a first encrypted data type identifier and an encrypted cryptogram generation key; decrypting, by the secure application, the first encrypted data type identifier and the encrypted cryptogram generation key using a transport key; determining, by the secure application, that the first decrypted data type identifier indicates that the first sensitive data is a cryptogram generation key; re-encrypting, by the secure application based on the first decrypted data type identifier, the first sensitive data using a key to generate a re-encrypted cryptogram generation key; and storing the re-encrypted cryptogram generation key in a memory of the portable communication device outside the trusted execution environment. 9. The method of claim 8 , wherein the key is a key-storage key, the method further comprising: receiving, by the secure application from the mobile application, a cryptogram generation request to generate a transaction cryptogram, the cryptogram generation request including the re-encrypted cryptogram generation key and transaction data; decrypting, by the secure application, the re-encrypted cryptogram generation key using the key-storage key; encrypting, by the secure application, the transaction data using the cryptogram generation key to generate the transaction cryptogram; and sending, by the secure application to the mobile application, the generated transaction cryptogram. 10. The method of claim 9 , wherein the transaction data is received by the mobile application from an access device, and the mobile application transmits the generated transaction cryptogram to the access device to conduct a transaction. 11. The method of claim 9 , further comprising: selecting, by the secure application, the key-storage key to use for the re-encrypting of the decrypted cryptogram generation key based on the first encrypted data type identifier indicating the first storage request is for the cryptogram generation key. 12. The method of claim 9 , wherein the cryptogram generation key is a limited-use key. 13. The method of claim 12 , further comprising: receiving, by the secure application from the mobile application, a key replenishment request, the key replenishment request including the re-encrypted cryptogram generation key and a transaction verification log; decrypting, by the secure application, the re-encrypted cryptogram generation key using the key-storage key; generating, by the secure application, a hash value computed over at least the transaction verification log using the decrypted cryptogram generation key; and sending, by the secure application to the mobile application, the hash value. 14. The method of claim 13 , wherein the mobile application sends the hash value to a server to request a new limited-use key. 15. The method of claim 8 , wherein the encrypted cryptogram generation key is received by the mobile application from a server, and the encrypted cryptogram generation key is signed by the server, and wherein the method further comprises: verifying, by the secure application, that the encrypted cryptogram generation key was signed by the server using a certificate associated with the server. 16. The method of claim 8 , further comprising: storing, by the secure application, a crypto library in
Assignees
Inventors
Classifications
- H04L63/062Primary
for key distribution, e.g. centrally by trusted party (cryptographic mechanisms or cryptographic arrangements for key distribution involving a central third party H04L9/0819) · CPC title
Generation of secret information including derivation or calculation of cryptographic keys or passwords · CPC title
involving additional devices, e.g. trusted platform module [TPM], smartcard or USB · CPC title
using key encryption key · CPC title
combining multiple encryption tools for a transaction · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US11240219B2 cover?
- A portable communication device may include a mobile application executing in an application execution environment and a secure application executing in a trusted execution environment. The secure application may receive, from the mobile application, a storage request to store sensitive data. The storage request may include an encrypted data type identifier and an encrypted sensitive data. The …
- Who is the assignee on this patent?
- Visa Int Service Ass
- What technology area does this patent fall under?
- Primary CPC classification H04L63/062. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue Feb 01 2022 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).