Confidential authentication and provisioning

US12244739B2 · US · B2

Patent metadata
Publication number: US-12244739-B2
Application number: US-202318231084-A
Country: US
Kind code: B2
Filing date: Aug 7, 2023
Priority date: Jun 30, 2015
Publication date: Mar 4, 2025
Grant date: Mar 4, 2025

Abstract

Official abstract text for this publication.

Systems and methods are for confidentially and securely provisioning data to an authenticated user device. A user device may register an authentication public key with an authentication server. The authentication public key may be signed by an attestation private key maintained by the user device. Once the user device is registered, a provisioning server may send an authentication request message including a challenge to the user device. The user device may sign the challenge using an authentication private key corresponding to the registered authentication public key, and may return the signed challenge to the provisioning server. In response, the provisioning server may provide provisioning data to the user device. The registration, authentication, and provisioning process may use public key cryptography while maintaining confidentiality of the user device, the provisioning server, and the authentication server.

First claim

Opening claim text (preview).

What is claimed is:

1. A computer-implemented method comprising: encrypting, by an authentication server, an authentication challenge to obtain an encrypted authentication challenge; sending, by the authentication server, the encrypted authentication challenge to a user device; receiving, by the authentication server, an encrypted authentication response from the user device; generating, by the authentication server, a shared secret using an authentication server private key and a user device authentication public key; decrypting, by the authentication server, the encrypted authentication response using the shared secret to obtain an authentication response including a signed authentication challenge, wherein the user device generated the signed authentication challenge by signing the authentication challenge using a user device authentication private key corresponding to the user device authentication public key; and authenticating, by the authentication server, the user device based on verifying the signed authentication challenge included in the authentication response using the user device authentication public key.

2. The computer-implemented method of claim 1, wherein the authentication challenge is encrypted using the user device authentication public key, the user device authentication public key having been previously obtained from the user device via a registration process.

3. The computer-implemented method of claim 2, wherein the registration process comprises: receiving, from the user device, a signed user device authentication public key generated by the user device signing the user device authentication public key using a user device attestation private key, the user device attestation private key corresponding to a user device attestation public key.

4. The computer-implemented method of claim 3, wherein the signed user device authentication public key is received in an encrypted registration response, the computer-implemented method further comprising: decrypting the encrypted registration response to obtain the signed user device authentication public key; and validating the signed user device authentication public key using the user device attestation public key.

5. The computer-implemented method of claim 1, further comprising receiving, by the authentication server, an identifier from the user device, the identifier associated with the user device authentication public key.

6. The computer-implemented method of claim 1, further comprising: receiving, by the authentication server, a blinded user device authentication public key and an encrypted user device blinding factor from the user device; decrypting, by the authentication server, the encrypted user device blinding factor using the shared secret to obtain a user device blinding factor; and verifying, by the authentication server, the blinded user device authentication public key using the user device blinding factor and the user device authentication public key.

7. The computer-implemented method of claim 1, further comprising sending, by the authentication server, provisioning data to the user device in response to verifying the signed authentication challenge.

8. A computer-implemented method comprising: receiving, by a user device, an encrypted authentication challenge from an authentication server; decrypting, by the user device, the encrypted authentication challenge to obtain an authentication challenge; generating, by the user device, a shared secret using a user device authentication private key corresponding to a user device authentication public key and an authentication server public key; generating, by the user device, a signed authentication challenge by signing the authentication challenge using the user device authentication private key corresponding to the user device authentication public key; encrypting, by the user device, an authentication response including the signed authentication challenge using the shared secret to obtain an encrypted authentication response; and sending, by the user device, the encrypted authentication response to the authentication server, wherein the authentication server authenticates the user device based on verifying the signed authentication challenge included in the authentication response using the user device authentication public key.

9. The computer-implemented method of claim 8, further comprising sending, by the user device, an identifier to the authentication server, the identifier associated with the user device authentication public key.

10. The computer-implemented method of claim 8, wherein the authentication server generates the shared secret using the user device authentication public key and an authentication server private key, and decrypts the encrypted authentication response using the shared secret.

11. The computer-implemented method of claim 8, further comprising: generating, by the user device, a user device blinding factor; and generating, by the user device, a blinded user device authentication public key using the user device authentication public key and the user device blinding factor.

12. The computer-implemented method of claim 11, further comprising: encrypting, by the user device, the user device blinding factor using the shared secret to obtain an encrypted user device blinding factor; and sending, by the user device, the encrypted user device blinding factor to the authentication server, wherein the authentication server verifies the blinded user device authentication public key using the user device blinding factor and the user device authentication public key.

13. The computer-implemented method of claim 8, further comprising: receiving, by the user device, an encrypted authentication server certificate from the authentication server; and decrypting, by the user device, the encrypted authentication server certificate using the shared secret to obtain an authentication server certificate, the authentication server certificate including the authentication server public key.

14. The computer-implemented method of claim 8, further comprising receiving, by the user device, encrypted provisioning data, wherein the user device decrypts the encrypted provisioning data using the shared secret to obtain provisioning data.

15. The computer-implemented method of claim 8, further comprising: signing, by the user device, the user device authentication public key using a user device attestation private key to obtain a signed user device authentication public key, the user device attestation private key corresponding to a user device attestation public key; encrypting, by the user device, the signed user device authentication public key to obtain an encrypted registration response; and sending, by the user device, the encrypted registration response to the authentication server.

16. The computer-implemented method of claim 15, further comprising: encrypting, by the user device, a user device attestation certificate including the user device attestation public key to obtain an encrypted user device attestation certificate, wherein the encrypted registration response includes the encrypted user device attestation certificate.

17. The computer-implemented method of claim 8, wherein the shared secret is a first shared secret, the computer-implemented method further comprising: receiving, by the user device, a blinded authentication server public key and an encrypted authentication server certificate from the authentication server; generating, by the user device, a second shared secret us
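
The exchange in claims 1 and 8, with both the server and device sides, as an added example that is not code from the patent or its assignee. Assumptions not stated in the claims: the P-256 curve, HKDF-SHA256 key derivation, AES-256-GCM, the challenge being encrypted under the same shared secret as the response, and all function names, which are hypothetical. The blinding factors and certificates of claims 6 and 11 to 13 are omitted.

```javascript
// Added illustration of the claim 1 / claim 8 exchange; not code from the patent.
const crypto = require('node:crypto');

const newKeyPair = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });

// ECDH shared secret -> AES-256 key. HKDF-SHA256 and the label are assumptions.
function sessionKey(ownPrivate, peerPublic) {
  const secret = crypto.diffieHellman({ privateKey: ownPrivate, publicKey: peerPublic });
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'auth-demo', 32));
}

// AES-256-GCM envelope: iv(12) || tag(16) || ciphertext (layout is an assumption).
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}

function unseal(key, msg) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, msg.subarray(0, 12));
  d.setAuthTag(msg.subarray(12, 28));
  return Buffer.concat([d.update(msg.subarray(28)), d.final()]); // throws if tampered
}

// Server, claim 1: encrypt a fresh random challenge for the registered device key.
function serverChallenge(serverPriv, devicePub) {
  const challenge = crypto.randomBytes(32);
  return { challenge, encrypted: seal(sessionKey(serverPriv, devicePub), challenge) };
}

// Device, claim 8: decrypt, sign with the authentication private key, encrypt the response.
function deviceRespond(devicePriv, serverPub, encryptedChallenge) {
  const key = sessionKey(devicePriv, serverPub);
  const challenge = unseal(key, encryptedChallenge);
  const signature = crypto.sign('sha256', challenge, devicePriv);
  return seal(key, signature);
}

// Server, claim 1: decrypt the response and verify the signature over its own challenge.
function serverVerify(serverPriv, devicePub, challenge, encryptedResponse) {
  try {
    const signature = unseal(sessionKey(serverPriv, devicePub), encryptedResponse);
    return crypto.verify('sha256', challenge, devicePub, signature);
  } catch {
    return false; // wrong key or modified ciphertext
  }
}
```

With static keys on both sides the derived key is the same in every run, so a recorded response still decrypts; it is the signature check against the fresh challenge that rejects it.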

Assignees

Inventors

Classifications

  • wherein the data content is protected, e.g. by encrypting or encapsulating the payload

  • using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

  • involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC

  • using a plurality of keys or algorithms

  • H04L9/0844 (Primary)

    with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Visa Int Service Ass
What technology area does this patent fall under?
Primary CPC classification H04L9/0844. Mapped technology areas include Electricity.
When was this patent published?
Publication date Mar 4, 2025 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).