Secure Short Message Service (SMS) Communications
US-2017111797-A1 · Apr 20, 2017 · US
US9852418B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9852418-B2 |
| Application number | US-201313794025-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 11, 2013 |
| Priority date | Jun 6, 2008 |
| Publication date | Dec 26, 2017 |
| Grant date | Dec 26, 2017 |
Abstract:
A client device comprises a first secure element and a second secure element. The first secure element comprises a first computer-readable medium having a payment application comprising instructions for causing the client device to initiate a financial transaction. The second secure element comprises a second computer-readable medium having a security key, a payment instrument, stored authentication data and instructions for generating a secure payment information message responsive to the payment application. The secure payment information message comprises the payment instrument and is encrypted in accordance with the security key.
Claims (preview):
What is claimed is:
1. A trusted service manager (TSM) server comprising: a non-transitory machine-readable memory containing instructions to facilitate transactions via short message service (SMS) over a network; and one or more hardware processors coupled to the non-transitory machine-readable memory and configured to read instructions from the non-transitory machine-readable memory to cause the TSM server to perform operations comprising: generating a random key for a client device; encrypting the random key using a public certificate of the client device; transmitting, via a first encrypted channel, the random key to a crypto secure element included in the client device; registering the client device with the TSM server via the crypto secure element by storing authentication data in the crypto secure element, the client device being registered exclusive of an app secure element that is physically separate from the crypto secure element, wherein the random key, the authentication data, and data corresponding to a payment instrument are excluded from the app secure element; signing a payment application using a public key of the TSM server; transmitting, via a second encrypted channel, the payment application to the app secure element of the client device; after the transmitting the payment application to the app secure element, receiving, from the payment application, an encrypted SMS message comprising a payment certificate and an address of a service provider (SP), wherein the payment certificate is sent from the crypto secure element to the payment application in response to the crypto secure element authenticating biometric information of a user associated with the client device inputted to the crypto secure element via a secure tunnel, and wherein the SMS message from the client device is encrypted in accordance with the random key; decrypting the SMS message using the random key and determining the address of the SP; re-encrypting the SMS message using a second stored key corresponding to the SP; and forwarding the re-encrypted SMS message to the SP.
2. The trusted service manager server of claim 1, wherein the operations further comprise: signing a second payment application using the public key of the TSM server, the second payment application corresponding to a second SP that is different from the SP; and transmitting the second payment application to the app secure element, wherein the transmitting the payment application and the transmitting the second payment application are performed based on the registering the client device with the TSM server.
3. The trusted service manager server of claim 1, wherein the random key is established using Diffie-Hellman (D-H) key exchange.
4. The trusted service manager server of claim 1, wherein the encrypted SMS message is a secure SMS message addressed to the trusted service manager (TSM) and comprising the address for the service provider (SP) to which the TSM server is to forward the encrypted SMS message.
5. The trusted service manager server of claim 1, wherein the encrypted SMS message is sent by a secure SMS, wherein when an SMS is sent, the message is encrypted using AES-256, and SHA-512 HMAC is attached.
6. The trusted service manager server of claim 1, wherein: the encrypted SMS message is sent by a secure SMS, wherein when an SMS is sent, the message is encrypted using AES-256, and SHA-512 HMAC is attached, and the SHA-512 HMAC is 64 bytes in binary and truncation is used to bring data to 32 bytes of BASE-64 encoding.
7. The trusted service manager server of claim 1, wherein: the encrypted SMS message is sent by a secure SMS, wherein when an SMS is sent, the message is encrypted using AES-256, and SHA-512 HMAC is attached, and a counter tags the encrypted SMS message for replay protection.
8. A method of facilitating transactions via short message service (SMS) over a network comprising: generating, by a trusted service manager (TSM) server, a random key for a client device; encrypting the random key using a public certificate of the client device; transmitting, via a first encrypted channel, the random key to a crypto secure element included in the client device; registering the client device with the TSM server via the crypto secure element by storing authentication data in the crypto secure element, the client device being registered exclusive of an app secure element that is physically separate from the crypto secure element, wherein the random key, the authentication data, and data corresponding to a payment instrument are excluded from the app secure element; signing a payment application using a public key of the TSM server; transmitting, via a second encrypted channel, the payment application to the app secure element of the client device; after the transmitting the payment application to the app secure element, receiving, from the payment application, an encrypted SMS message comprising a payment certificate and an address of a service provider (SP), wherein the payment certificate is sent from the crypto secure element to the payment application in response to the crypto secure element authenticating biometric information of a user associated with the client device inputted to the crypto secure element via a secure tunnel, and wherein the SMS message from the client device is encrypted in accordance with the random key; decrypting the SMS message using the random key and determining the address of the SP; re-encrypting the SMS message using a second stored key corresponding to the SP; and forwarding the re-encrypted SMS message to the SP.
9. The method of claim 8, wherein the random key comprises AES-256 and SHA-512.
10. The method of claim 8, wherein the random key is established using Diffie-Hellman (D-H) key exchange.
11. The method of claim 8, wherein the encrypted SMS message is a secure SMS message addressed to the trusted service manager (TSM) server and comprising the address for the service provider (SP) to which the TSM server is to forward the encrypted SMS message.
12. The method of claim 8, wherein the encrypted SMS message is sent by a secure SMS, wherein when an SMS is sent, the message is encrypted using AES-256, and SHA-512 HMAC is attached.
13. The method of claim 8, wherein: the encrypted SMS message is sent by a secure SMS, wherein when an SMS is sent, the message is encrypted using AES-256, and SHA-512 HMAC is attached, and the SHA-512 HMAC is 64 bytes in binary and truncation is used to bring data to 32 bytes of BASE-64 encoding.
14. The method of claim 8, wherein: the encrypted SMS message is sent by a secure SMS, wherein when an SMS is sent, the message is encrypted using AES-256, and SHA-512 HMAC is attached, and a counter tags the encrypted SMS message for replay protection.
15. A non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause a trusted service manager (TSM) server to perform operations comprising: generating a random key for a client device; encrypting the random key using a public certificate of the client device; transmitting, via a first encrypted channel, the random key to a crypto secure element included in the client device; registering the client device with the TSM server via the crypto secure element by storing authentication data in the crypto secure element, the client device being registered exclusive of an app secure element that is physically separate from the crypto secure element, wherein the random key, the authentication data, and data corresponding to a payment instrument are excl