Methods for secure cryptogram generation

What is claimed is: 1. A computer-implemented method performed by a user device, the computer-implemented method comprising: receiving a message including an encrypted credential from a server computer; determining a response shared secret using a private key and a server public key; decrypting the encrypted credential using the response shared secret to determine a credential; obtaining a key derivation parameter from the credential; determining a first cryptogram key using the key derivation parameter; generating a first cryptogram using the first cryptogram key; and sending the first cryptogram to a second computer. 2. The computer-implemented method of claim 1 , wherein the key derivation parameter is a limited use key. 3. The computer-implemented method of claim 2 , wherein the determining the first cryptogram key includes deriving the first cryptogram key using the limited use key and a key derivation function. 4. The computer-implemented method of claim 1 , wherein the private key is included in a key pair that further includes a public key, which is an ephemeral public key, and wherein the private key is an ephemeral private key. 5. The computer-implemented method of claim 1 , wherein the determining the first cryptogram key further includes determining the first cryptogram key by using the response shared secret in addition to the key derivation parameter. 6. The computer-implemented method of claim 1 , wherein the first cryptogram is for use in a first secure communication with the second computer that validates the first cryptogram. 7. The computer-implemented method of claim 1 , further comprising: generating a request shared secret using the private key and the server public key; and encrypting request data using the request shared secret to obtain encrypted request data. 8. The computer-implemented method of claim 1 , wherein the response shared secret is determined using a blinded key that is derived from the server public key, thereby using the server public key to determine the response shared secret, and wherein the message received from the server computer further includes the blinded key. 9. The computer-implemented method of claim 1 , wherein the response shared secret is determined without a blinded key, wherein the credential includes a cryptographic nonce, and wherein the first cryptogram key is further derived using the cryptographic nonce. 10. The computer-implemented method of claim 1 , further comprising: updating the response shared secret to determine an updated shared secret using an update parameter, the credential including the update parameter; determining a second cryptogram key using the updated shared secret and the key derivation parameter; generating a second cryptogram using the second cryptogram key; and conducting a second secure communication with a validation computer using the second cryptogram. 11. The computer-implemented method of claim 10 , further comprising: generating new shared secrets for each of a plurality of new secure communications, each new shared secret generated using a previous shared secret and the update parameter; determining new cryptogram keys using the new shared secrets and the key derivation parameter; generating new cryptograms using the new cryptogram key; and conducting the new secure communications with the validation computer using the new cryptograms. 12. The computer-implemented method of claim 10 , wherein the second cryptogram is further generated using data based on cryptogram derivation parameters included in the credential, wherein the second secure communication is an authorization request, and wherein the second cryptogram authenticates at least one element of the authorization request. 13. The computer-implemented method of claim 1 , further comprising: receiving first registration data; encrypting the first registration data using the first cryptogram key to generate the first cryptogram, the first cryptogram being a registration cryptogram; encrypting the registration cryptogram using the response shared secret; and sending the registration cryptogram to the second computer that is a registration server computer, wherein the registration server computer authenticates the user device using the registration cryptogram. 14. The computer-implemented method of claim 1 , wherein the second computer is the server computer. 15. A computer-implemented method performed by a server computer, the computer-implemented method comprising: determining a request shared secret using a device public key of a user device and a static server private key; generating a response shared secret using the static server private key and the device public key; obtaining a key derivation parameter for determining a first cryptogram key from the response shared secret; encrypting a credential using the response shared secret to determine encrypted response data, the credential including the key derivation parameter; and sending to the user device, a message including the encrypted response data. 16. The computer-implemented method of claim 15 , further comprising: receiving, from the user device, a user cryptogram for validating a secure communication; determining the first cryptogram key using the key derivation parameter; generating a first cryptogram using the first cryptogram key and a cryptogram derivation parameter, the credential including the cryptogram derivation parameter; and validating the user cryptogram by comparing the user cryptogram to the first cryptogram. 17. The computer-implemented method of claim 16 , further comprising: updating the response shared secret to determine an updated shared secret; receiving, from the user device, a new cryptogram for validating a new secure communication; determining a second cryptogram key from the updated shared secret using the key derivation parameter; generating a second cryptogram using the second cryptogram key and the cryptogram derivation parameter; and validating the new cryptogram by comparing the new cryptogram to the second cryptogram. 18. The computer-implemented method of claim 15 , further comprising: providing first registration data to the user device; receiving a user registration cryptogram from the user device; determining the first cryptogram key using the key derivation parameter; encrypting the first registration data using the first cryptogram key to generate a first registration cryptogram; and verifying the user registration cryptogram by comparing the user registration cryptogram to the first registration cryptogram, wherein the user device is authenticated if the first registration cryptogram is verified. 19. The computer-implemented method of claim 18 , wherein the first registration data includes a one-time password, and wherein the user registration cryptogram is based on the one-time password. 20. A computer system comprising: a memory that stores computer-executable instructions; and a processor configured to access the memory and execute the computer-executable instructions to perform a method including: receiving a message including an encrypted credential from a server computer; determining a response shared secret using a private key and a server public key; decrypting the encrypted credential using the response shared secret to determine a credential; obtaining a key derivation parameter from the credential; determining a first cryptogram key using the key derivation parameter; generating a first cr