Efficient methods for protecting identity in authenticated transmissions

US9647832B2 · US · B2

Patent metadata
Field: Value
Publication number: US-9647832-B2
Application number: US-201514595792-A
Country: US
Kind code: B2
Filing date: Jan 13, 2015
Priority date: Jan 13, 2014
Publication date: May 9, 2017
Grant date: May 9, 2017

Abstract

Official abstract text for this publication.

Systems and methods are provided for protecting identity in an authenticated data transmission. For example, a contactless transaction between a portable user device and an access device may be conducted without exposing the portable user device's public key in cleartext. In one embodiment, an access device may send an access device public key to a portable user device. The user device may return a blinded user device public key and encrypted user device data. The access device may determine a shared secret using the blinded user device public key and an access device private key. The access device may then decrypt the encrypted user device data using the shared secret.
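The exchange in the abstract, together with the blinded-key comparison described in claims 3 and 10, as an added example (not code from the patent or its assignee). Assumptions: a toy multiplicative group modulo 2^521 - 1, a SHA-256 keystream standing in for the cipher, and all function names; certificate validation is omitted.

```python
import hashlib, json, secrets

# Toy group, for illustration only (assumption): integers modulo the Mersenne
# prime 2**521 - 1 with generator 3. The page does not name a group.
P = 2**521 - 1
G = 3

def keypair():
    d = secrets.randbelow(P - 3) + 2
    return d, pow(G, d, P)

def session_key(shared):
    return hashlib.sha256(shared.to_bytes(66, "big")).digest()

def xor_stream(key, data):
    # Stand-in cipher (assumption): SHA-256 counter keystream, no integrity tag.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def user_respond(access_pub, user_priv, user_pub, payload):
    nonce = secrets.randbelow(P - 3) + 2
    blinded_pub = pow(user_pub, nonce, P)            # sent instead of user_pub
    shared = pow(access_pub, user_priv * nonce, P)   # private key and nonce combined
    record = json.dumps({"pub": user_pub, "nonce": nonce, "data": payload})
    return blinded_pub, xor_stream(session_key(shared), record.encode())

def access_process(access_priv, blinded_pub, ciphertext):
    shared = pow(blinded_pub, access_priv, P)        # same value the user derived
    record = json.loads(xor_stream(session_key(shared), ciphertext))
    # Claims 3 and 10: recompute the blinded key from the decrypted key and nonce.
    if pow(record["pub"], record["nonce"], P) != blinded_pub:
        raise ValueError("blinded public key does not match decrypted key and nonce")
    return record

def run_session(user_priv, user_pub, payload):
    access_priv, access_pub = keypair()              # ephemeral, one per session
    blinded_pub, ciphertext = user_respond(access_pub, user_priv, user_pub, payload)
    record = access_process(access_priv, blinded_pub, ciphertext)
    del access_priv                                  # ephemeral key discarded after use
    return blinded_pub, record
```

Two sessions with the same user key pair produce different blinded keys, so the value on the wire does not link them; the real public key only appears inside the encrypted record.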

First claim

Opening claim text (preview).

What is claimed is:

1. An access device comprising: a processor; and a non-transitory computer-readable storage medium comprising code executable by the processor for implementing a method comprising: sending a request message including an access device public key to a user device, wherein the sending of the request message occurs before sending any other message requiring the user device to perform a cryptographic operation during a communication session, wherein the access device public key is associated with an access device private key, wherein the access device public key and the access device private key form an ephemeral key pair; receiving a response message including a blinded user device public key and encrypted user device data from the user device, wherein the receiving of the response message occurs before receiving any other message from the user device during the communication session, the response message being received in response to the sending of the request message, wherein the blinded user device public key is generated by the user device using a user device public key and a cryptographic nonce, and wherein the encrypted user device data is encrypted by the user device using a shared secret, the shared secret being different from the cryptographic nonce; generating the shared secret using the access device private key and the blinded user device public key, wherein the ephemeral key pair is deleted after the shared secret is generated; decrypting the encrypted user device data using the shared secret; and associating the shared secret with the user device, wherein the shared secret is used to derive encryption keys for decrypting subsequent user device data received from the user device.

2. The access device of claim 1, wherein decrypting the encrypted user device data using the shared secret comprises generating a session key using the shared secret.

3. The access device of claim 1, wherein the user device data comprises a user device certificate comprising a user device public key and the cryptographic nonce used to generate the blinded user device public key, and wherein the method further comprises: validating the user device certificate; generating a second blinded user device public key using the user device public key and the cryptographic nonce; and comparing the second blinded user device public key with the received blinded user device public key, wherein the user device is authenticated if the second blinded user device public key matches the received blinded user device public key.

4. The access device of claim 1, the method further comprising: conducting a transaction using the user device data.

5. The access device of claim 1, wherein the access device is in a system, the system further comprising: the user device, wherein the user device is configured to: receive the access device public key; generate the shared secret using the access device public key, a user device private key, and the cryptographic nonce; encrypt user device data using the shared secret; and send the message including the encrypted user device data and the blinded user device public key to the access device.

6. The access device of claim 1, wherein the method further comprises: determining that the user device has entered a contactless field of the access device, wherein the sending of the request message occurs in response to the determining that the user device has entered the contactless field of the access device, and wherein the request message is sent via the contactless field.

7. A computer-implemented method comprising: sending, by an access device having one or more processors, a request message including an access device public key to a user device, wherein the sending of the request message occurs before sending any other message requiring the user device to perform a cryptographic operation during a communication session, wherein the access device public key is associated with an access device private key, wherein the access device public key and the access device private key form an ephemeral key pair; receiving, by the access device, a response message including a blinded user device public key and encrypted user device data from the user device, wherein the receiving of the response message occurs before receiving any other message from the user device during the communication session, the response message being received in response to the sending of the request message, wherein the blinded user device public key is generated by the user device using a user device public key and a cryptographic nonce, and wherein the encrypted user device data is encrypted by the user device using a shared secret, the shared secret being different from the cryptographic nonce; generating, by the access device, the shared secret using the access device private key and the blinded user device public key, wherein the shared secret is known to the user device, wherein the ephemeral key pair is deleted after the shared secret is generated; and associating the shared secret with the user device, wherein the shared secret is used to derive encryption keys for decrypting subsequent user device data received from the user device.

8. The computer-implemented method of claim 7, further comprising: generating, by the access device, a session key using the shared secret.

9. The computer-implemented method of claim 8, further comprising: decrypting, by the access device, the encrypted user device data using the session key to determine user device data.

10. The computer-implemented method of claim 9, wherein the user device data comprises a user device certificate comprising a user device public key and a cryptographic nonce used to generate the blinded user device public key, and wherein the method further comprises: validating, by the access device, the user device certificate; generating, by the access device, a second blinded user device public key using the user device public key and the cryptographic nonce; and comparing, by the access device, the second blinded user device public key with the received blinded user device public key, wherein the user device is authenticated if the second blinded user device public key matches the received blinded user device public key.

11. The computer-implemented method of claim 9, further comprising: conducting, by the access device, a transaction using the user device data.

12. A computer-implemented method comprising: receiving, by a user device, a request message including an access device public key from an access device, wherein the access device public key is an ephemeral public key, wherein the receiving of the request message occurs before receiving any other message requiring the user device to perform a cryptographic operation during a communication session; generating, by the user device, a shared secret using the access device public key, a user device private key, and a cryptographic nonce, the shared secret being different from the cryptographic nonce; deleting, by the user device, the access device public key after the shared secret is generated; generating, by the user device, a blinded user device public key using a user device public key and the cryptographic nonce; encrypting, by the user device, user device data using the shared secret; sending, by the user device, a response message including the blinded user device public key and the encrypted user device data to the access device in response to the receiving of the request message, thereby allowing the access device to generate the shared secret using the blinded user device public key and an access device private key co

Classifications

  • H04L9/0844 (Primary): with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys

  • Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor

  • Financial cryptography, e.g. electronic payment or e-cash

  • Obfuscation or hiding, e.g. involving white box

  • for key exchange, e.g. in peer-to-peer networks (cryptographic mechanisms or cryptographic arrangements for key agreement H04L9/0838)

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Le Saint Eric, Visa Int Service Ass
What technology area does this patent fall under?
Primary CPC classification H04L9/0844. Mapped technology areas include Electricity.
When was this patent published?
Publication date May 9, 2017 (B2). Legal status and post-grant events are not shown on this page.