US2021126939A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2021126939-A1 |
| Application number | US-201816766250-A |
| Country | US |
| Kind code | A1 |
| Filing date | Nov 28, 2018 |
| Priority date | Nov 28, 2017 |
| Publication date | Apr 29, 2021 |
| Grant date | — |
Official abstract text for this publication.
Systems, methods, and devices are disclosed for preventing relay attacks. A user device may receive (e.g., when proximate to the first access device), from an intervening device, device identification data for a first access device. A message may be received from a second access device via the intervening device. The message may include a digital signature generated based at least in part on second access device identification data. The user device may validate the message utilizing the digital signature and a public key. If the message is invalid, the user device may discard the message. If the message is valid (e.g., unaltered), the user device may determine that the user has not confirmed an intent to interact with the second access device and may terminate any further interaction with the second access device accordingly.
Opening claim text (preview).
What is claimed is:

1. A method, comprising: receiving, by a user device from an intervening device, first access device identification data for a first access device; receiving, by the user device that is proximate to the first access device, a message from a second access device via the intervening device, the message comprising message data including at least second access device identification data, and a digital signature that is created by signing a hash of the at least second access device identification data with a private key of a public/private key pair associated with the second access device; obtaining the hash from the digital signature using a public key; generating an additional hash of the message data; comparing, by the user device, the hash to the additional hash; determining, by the user device, if the hash matches the additional hash; when the hash does not match the additional hash, automatically terminating, by the user device, any further interaction with the second access device; and when the hash matches the additional hash: determining that a user of the user device has not confirmed an intent to interact with the second access device; and terminating any further interaction with the second access device based at least in part on determining that the user has not confirmed an intent to interact with the second access device.
2. The method of claim 1, wherein the intervening device is a first intervening device and wherein the message is transmitted from the second access device to the user device via the first intervening device and a second intervening device.
3. The method of claim 1, wherein the message data further comprises an interaction value, and wherein the digital signature is created by signing the hash of the message data.
4. The method of claim 1, wherein the first access device and the second access device are automated fuel dispensers.
5. The method of claim 1, wherein the public key is received with the first access device identification data.
6. The method of claim 1, wherein the public key is associated with the second access device, and wherein the message data further comprises the public key.
7. The method of claim 1, further comprising: presenting, by the user device, the first access device identification data in a request to interact with the first access device to the user of the user device; and receiving, by the user device, a confirmation from the user that the user wants to interact with the first access device.
8. The method of claim 1, further comprising, when the hash matches the additional hash: presenting, by the user device to the user of the user device, the second access device identification data in a subsequent request to interact with the second access device; and receiving, by the user device, an additional confirmation that the user of the user device wants to interact with the second access device.
9. The method of claim 8, further comprising: in response to receiving the additional confirmation that the user of the user device wants to interact with the second access device, transmitting, by the user device to the second access device, a second message comprising second message data including the at least second access device identification data and the public key, wherein transmitting the second message causes the second access device to terminate any further processing of the second message.
10. The method of claim 9, wherein the second access device is caused to terminate further processing of the second message based at least in part on determining that the second message data does not match the message data sent from the second access device to the user device.
11. A user device, comprising: a processor; and a computer readable medium, the computer readable medium comprising code, executable by the processor, for implementing a method comprising: receiving, from an intervening device, first access device identification data for a first access device; receiving, as the user device is proximate to the first access device, a message from a second access device via the intervening device, the message comprising message data including at least second access device identification data, and a digital signature that is created by signing a hash of the at least second access device identification data with a private key of a public/private key pair associated with the second access device; obtaining the hash from the digital signature using a public key; generating an additional hash of the message data; comparing the hash to the additional hash; determining if the hash matches the additional hash; when the hash does not match the additional hash, automatically terminating any further interaction with the second access device; and when the hash matches the additional hash: determining that a user of the user device has not confirmed an intent to interact with the second access device; and terminating any further interaction with the second access device based at least in part on determining that the user has not confirmed an intent to interact with the second access device.
12. The user device of claim 11, wherein the intervening device is a first intervening device and wherein the message is transmitted from the second access device to the user device via the first intervening device and a second intervening device.
13. The user device of claim 11, wherein the message data further comprises an interaction value, and wherein the digital signature is created by signing the hash of the message data.
14. The user device of claim 11, wherein the first access device and the second access device are automated fuel dispensers.
15. The user device of claim 11, wherein the public key is received with the first access device identification data.
16. The user device of claim 11, wherein the public key is associated with the second access device, and wherein the message data further comprises the public key.
17. The user device of claim 11, wherein the method further comprises: presenting the first access device identification data in a request to interact with the first access device to the user of the user device; and receiving a confirmation from the user that the user wants to interact with the first access device.
18. The user device of claim 11, wherein the method further comprises, when the hash matches the additional hash: presenting, to the user of the user device, the second access device identification data in a subsequent request to interact with the second access device; and receiving an additional confirmation that the user of the user device wants to interact with the second access device.
19. The user device of claim 18, wherein the method further comprises: in response to receiving the additional confirmation that the user of the user device wants to interact with the second access device, transmitting, by the user device to the second access device, a second message comprising second message data including the at least second access device identification data and the public key, wherein transmitting the second message causes the second access device to terminate any further processing of the second message.
20. The user device of claim 19, wherein the second access device is caused to terminate further processing of the second message based at least in part on determining that the second message data does not match the mess
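
The user-device decision sequence from the abstract and claim 1, as an added example that is not part of the patent text: it recovers the hash from the signature with the public key, compares it with a locally computed hash, and only then applies the intent check. The field name `access_device_id`, the device IDs and the key are constructed for illustration; one demo key pair stands in for the access device's pair, and textbook RSA without padding is an assumption made here so the hash-recovery step is visible.

```python
import hashlib
import json

# Constructed demo key from two well-known Mersenne primes. Textbook RSA with
# no padding, used only to make the "obtain the hash from the signature" step
# visible; a real device would use a vetted library (e.g. RSA-PSS or ECDSA).
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q                           # public modulus; (E, N) is the public key
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held by the access device


def digest_int(message_data: dict) -> int:
    """SHA-256 over a canonical encoding, so both sides hash identical bytes."""
    raw = json.dumps(message_data, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")


def sign(message_data: dict) -> int:
    """Access-device side: sign the hash of the message data."""
    return pow(digest_int(message_data), D, N)


def handle_message(message_data: dict, signature: int, confirmed_ids: set) -> str:
    """User-device side: signature check first, then the intent check."""
    # Hash recovered from the signature with the public key.
    recovered = pow(signature, E, N) if 0 < signature < N else -1
    # Additional hash computed locally over the received message data.
    if recovered != digest_int(message_data):
        return "terminate: invalid signature"
    # Authentic message, but from a device the user never agreed to use.
    if message_data.get("access_device_id") not in confirmed_ids:
        return "terminate: intent not confirmed"
    return "proceed"


def demo() -> dict:
    confirmed = {"PUMP-01"}  # constructed: the user confirmed the first device only
    relayed = {"access_device_id": "PUMP-07", "interaction_value": "25.00"}
    sig = sign(relayed)
    rewritten = dict(relayed, access_device_id="PUMP-01")  # ID altered in transit
    local = {"access_device_id": "PUMP-01", "interaction_value": "25.00"}
    return {
        "relayed": handle_message(relayed, sig, confirmed),
        "rewritten": handle_message(rewritten, sig, confirmed),
        "local": handle_message(local, sign(local), confirmed),
    }


if __name__ == "__main__":
    print(demo())
```

The `rewritten` case shows why the two checks are ordered this way: an altered identifier fails the signature comparison, while an unaltered message from the wrong device passes it and is stopped only by the intent check.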
Counter-measures against attacks; Protection against rogue devices · CPC title
Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication · CPC title
Financial cryptography, e.g. electronic payment or e-cash · CPC title
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title
received data contents, e.g. message integrity · CPC title