Secure provisioning of credentials on an electronic device using elliptic curve cryptography
US-2015213433-A1 · Jul 30, 2015 · US
Efficient methods for authenticated communication
US11394697B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11394697-B2 |
| Application number | US-201916694668-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 25, 2019 |
| Priority date | Jun 18, 2014 |
| Publication date | Jul 19, 2022 |
| Grant date | Jul 19, 2022 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Embodiments of the invention relate to efficient methods for authenticated communication. In one embodiment, a first computing device can generate a key pair comprising a public key and a private key. The first computing device can generate a first shared secret using the private key and a static second device public key. The first computing device can encrypt request data using the first shared secret to obtain encrypted request data. The first computing device can send a request message including the encrypted request data and the public key to a server computer. Upon receiving a response message from the server computer, the first computing device can determine a second shared secret using the private key and the blinded static second device public key. The first computing device can then decrypt the encrypted response data from the response message to obtain response data.
First claim
Opening claim text (preview).
What is claimed is: 1. A system comprising a first computing device for communicating with a second computing device that generates a blinded static second device public key by applying a cryptographic nonce to a static second device public key, the first computing device comprising: a processor; a memory; and a non-transitory computer-readable storage medium comprising instructions stored thereon, that, when executed on the processor, cause the processor to perform: obtaining and storing, the static second device public key in the memory; determining to communicate with the second computing device; based on the determining, retrieving the static second device public key from the memory; determining a key pair comprising a public key and a private key; generating a first shared secret using the private key and the static second device public key; receiving request data; obtaining encrypted request data by encrypting the request data using the first shared secret; sending a request message including the encrypted request data and the public key to the second computing device; receiving a response message including encrypted response data and the blinded static second device public key from the second computing device, wherein response data of the encrypted response data includes the cryptographic nonce; determining a second shared secret using the private key and the blinded static second device public key, wherein the second shared secret is different from the first shared secret; obtaining the response data by decrypting the encrypted response data using the second shared secret, wherein the response data includes a payment credential; and conducting a payment transaction using the payment credential. 2. The system of claim 1 , wherein the request data includes identification data corresponding to the first computing device or a user. 3. The system of claim 1 , wherein the public key is a combined ephemeral public key, wherein the private key is a combined ephemeral private key, and wherein the instructions, when executed on the processor, further perform: determining the combined ephemeral public key and the combined ephemeral private key using an identification factor generated using identification data and authentication data. 4. The system of claim 1 , wherein the public key is a first device public key, wherein the private key is a first device private key, wherein the request data includes a first device certificate comprising a static first device public key, wherein the response message further includes a second device public key, and wherein the instructions, when executed on the processor, further perform: generating an auxiliary shared secret using the second device public key and a static first device private key corresponding to the static first device public key, wherein decrypting the encrypted response data also uses the auxiliary shared secret. 5. The system of claim 1 , wherein the instructions, when executed on the processor, further perform: generating another shared secret and another blinded static second device public key using the second shared secret; and associating the another blinded static second device public key with the another shared secret, wherein the another shared secret is used to decrypt subsequent encrypted response data received from the second computing device. 6. The system of claim 1 , wherein the response data includes a second device certificate comprising the static second device public key, and wherein the instructions, when executed on the processor, further perform: validating the second device certificate; generating a second device session identifier using the static second device public key and the cryptographic nonce; and comparing the second device session identifier with the blinded static second device public key received from the second computing device, wherein the second computing device is authenticated if the second device session identifier matches the blinded static second device public key. 7. The system of claim 1 further comprising: the second computing device, wherein the second computing device is configured to: receive, from the first computing device, the request message; generate the first shared secret using the public key and a static second device private key; decrypt the encrypted request data using the first shared secret to obtain the request data; blind the static second device private key to determine a blinded static second device private key; generate the second shared secret using the blinded static second device private key and the public key; obtain the encrypted response data by encrypting the response data using the second shared secret; and send, to the first computing device, the response message. 8. A computer-implemented method for a first computing device for communicating with a second computing device that generates a blinded static second device public key by applying a cryptographic nonce to a static second device public key, the method comprising: obtaining and storing, by the first computing device, the static second device public key in a memory; determining, by the first computing device, to communicate with the second computing device; based on the determining, retrieving, by the first computing device, the static second device public key from the memory; determining, by the first computing device, a key pair comprising a public key and a private key; generating, by the first computing device, a first shared secret using the private key and the static second device public key; receiving, by the first computing device, request data; obtaining, by the first computing device, encrypted request data by encrypting the request data using the first shared secret; sending, by the first computing device, a request message including the encrypted request data and the public key to the second computing device; receiving, by the first computing device, a response message including encrypted response data and the blinded static second device public key from the second computing device, wherein response data of the encrypted response data includes the cryptographic nonce; determining, by the first computing device, a second shared secret using the private key and the blinded static second device public key, wherein the second shared secret is different from the first shared secret; obtaining, by the first computing device, the response data by decrypting the encrypted response data using the second shared secret, wherein the response data includes a payment credential; and conducting, by the first computing device, a payment transaction using the payment credential. 9. The computer-implemented method of claim 8 , wherein the request data includes identification data corresponding to the first computing device or a user. 10. The computer-implemented method of claim 8 , wherein the public key is a combined ephemeral public key, wherein the private key is a combined ephemeral private key, the method further comprising: determining, by the first computing device, the combined ephemeral public key and the combined ephemeral private key using an identification factor generated using identification data and authentication data. 11. The computer-implemented method of claim 8 , wherein the public key is a first device public key, wherein the private key is a first device private key, wherein the request data includes a first device certificate comprising a static first device public key, wherein the response message further includes a second device public key, the method further comprising: generating, by the first computing device, an auxiliary shared secr
Assignees
Inventors
Classifications
- G06Q20/3227Primary
using secure elements embedded in M-devices · CPC title
involving Diffie-Hellman or related key agreement protocols · CPC title
involving key management · CPC title
applying further key derivation, e.g. deriving traffic keys from a pair-wise master key · CPC title
- H04L63/0442Primary
wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption (cryptographic mechanisms or cryptographic arrangements for public-key encryption H04L9/30) · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US11394697B2 cover?
- Embodiments of the invention relate to efficient methods for authenticated communication. In one embodiment, a first computing device can generate a key pair comprising a public key and a private key. The first computing device can generate a first shared secret using the private key and a static second device public key. The first computing device can encrypt request data using the first share…
- Who is the assignee on this patent?
- Visa Int Service Ass
- What technology area does this patent fall under?
- Primary CPC classification G06Q20/3227. Mapped technology areas include Physics.
- When was this patent published?
- Publication date Tue Jul 19 2022 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).