Linked registration

US 10,069,820 B2
Filed: 08/24/2017
Issued: 09/04/2018
Est. Priority Date: 05/29/2013
Status: Active Grant

First Claim

Patent Images

1. A method for secure registration of a new application with a server system, the new application operating on an electronic user system wherein an old application operating on the same electronic user system has already been securely registered with the server system by reference to a user-specific credential, the method comprising:

initializing a first secure link between the new application and the server system and thereby establishing a first encryption key;

communicating first check data from the server system to the new application over the first secure link, the first check data being passed from the new application to the old application;

initializing a second secure link between the old application and the server system based on a second encryption key, the second encryption key being based on an input of the user-specific credential by the user to the old application;

communicating the first check data from the old application to the server system over the second secure link;

communicating enciphered second check data from the server system to the old application over the second secure link, the enciphered second check data being encrypted with the first encryption key, the enciphered second check data being further encrypted by the old application using a third encryption key to generate doubly-enciphered check data thereby, the doubly-enciphered check data being passed from the old application to the new application, wherein the third encryption key is derived from the first check data and the user-specific credential inputted to the old application; and

communicating a decrypted version of the doubly-enciphered check data from the new application to the server system over a secure link between the new application and the server system, the decrypted version of the doubly-enciphered check data being generated at the new application by decrypting the doubly-enciphered check data using the first encryption key and a fourth encryption key, wherein the fourth encryption key is generated at the new application based on the first check data and an input of the user-specific credential by the user to the new application.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure registration of a new application with a server system is provided. An old application has been registered with the system. A first link between the new application and the system establishes a first key and first check data is communicated from the system to the new application and passed to the old application. A second link between the old application and the system establishes a second key based on input of a credential to the old application; the first check data is communicated from the old application to the system. Enciphered second check data is communicated from the system to the old application over the second link and further encrypted by the old application using a third key. This generates doubly-enciphered check data which is passed to the new application and decrypted using the first key and a fourth key, generated at the new application based on the first check data and input of the credential to the new application.

12 Citations

23 Claims

1. A method for secure registration of a new application with a server system, the new application operating on an electronic user system wherein an old application operating on the same electronic user system has already been securely registered with the server system by reference to a user-specific credential, the method comprising:
- initializing a first secure link between the new application and the server system and thereby establishing a first encryption key;
  
  communicating first check data from the server system to the new application over the first secure link, the first check data being passed from the new application to the old application;
  
  initializing a second secure link between the old application and the server system based on a second encryption key, the second encryption key being based on an input of the user-specific credential by the user to the old application;
  
  communicating the first check data from the old application to the server system over the second secure link;
  
  communicating enciphered second check data from the server system to the old application over the second secure link, the enciphered second check data being encrypted with the first encryption key, the enciphered second check data being further encrypted by the old application using a third encryption key to generate doubly-enciphered check data thereby, the doubly-enciphered check data being passed from the old application to the new application, wherein the third encryption key is derived from the first check data and the user-specific credential inputted to the old application; and
  
  communicating a decrypted version of the doubly-enciphered check data from the new application to the server system over a secure link between the new application and the server system, the decrypted version of the doubly-enciphered check data being generated at the new application by decrypting the doubly-enciphered check data using the first encryption key and a fourth encryption key, wherein the fourth encryption key is generated at the new application based on the first check data and an input of the user-specific credential by the user to the new application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprising:
    - comparing, at the server system, the first check data communicated from the old application against the first check data communicated to the new application;
      
      comparing, at the server system, the second check data communicated from the new application against the second check data communicated to the old application; and
      
      completing a registration for the new application in response to a matching result of the step of comparing the first check data and to a matching result of the step of comparing the second check data.
  - 3. The method of claim 2, wherein the electronic user system comprises an electronic device having an associated unique device identifier, the server system storing the unique device identifier in association with the registration for the old application, the method further comprising:
    - communicating the unique device identifier from the new application to the server system; and
      
      comparing, at the server system, the unique device identifier communicated from the new application against the unique device identifier stored in association with the registration for the old application; and
      
      wherein the step of completing the registration for the new application is in response to a matching result of the step of comparing the unique device identifier.
  - 4. The method of claim 2, further comprising:
    - initializing a timer at the server system when the enciphered second check data is communicated from the server system to the old application;
      
      checking the value of the timer at the server system when the decrypted version of the doubly-enciphered check data is communicated from the new application to the server system; and
      
      comparing the checked value of the timer against a predetermined expiry time; and
      
      wherein the step of completing the registration for the new application is in response to a result of the step of comparing the checked value of the timer against the predetermined expiry time.
  - 5. The method of claim 2 further comprising:
    - maintaining a retry counter at the server system, the retry counter being incremented in response to a non-matching result of the step of comparing the first check data or in response to a non-matching result of the step of comparing the second check data or in response to a non-matching result of the step of comparing the unique device identifier or in response to a non-matching result of the step of comparing the checked value of the timer; and
      
      terminating the secure registration of the new application if the retry counter meets a predetermined threshold.
  - 6. The method of claim 1, further comprising:
    - storing the first encryption key and first check data on the electronic user system; and
      
      triggering the operation of the old application at the electronic user system; and
      
      wherein the steps of storing and triggering are performed by the new application in response to the step of communicating the first check data from the server system to the new application.
  - 7. The method of claim 1, further comprising:
    - storing the first encryption key and first check data at the server system and disabling the first secure link, in response to the step of communicating the first check data from the server system to the new application.
  - 8. The method of claim 1, further comprising:
    - initializing a third secure link between the new application and the server system; and
      
      wherein the step of communicating a decrypted version of the doubly-enciphered check data from the new application to the server system is over the third secure link.
  - 9. The method of claim 1, further comprising:
    - triggering the operation of the new application at the electronic user system by the old application, in response to the step of communicating the enciphered second check data from the server system to the old application, thereby passing the doubly-enciphered check data from the old application to the new application; and
      
      receiving the user-specific credential from the user at the new application.
  - 10. The method of claim 1, wherein the server system comprises a first gateway server and a second gateway server, the first secure link being between the new application and the first gateway server and the second secure link being between the old application and the second gateway server.
  - 11. The method of claim 10, wherein the step of communicating first check data from the server system to the new application comprises communicating the first check data from the first gateway server to the new application and the step of communicating the first check data from the old application to the server system over the second secure link comprises communicating the first check data from the old application to the second gateway server over the second secure link, the method further comprising:
    - initializing a first secure inter-server link between the first gateway server and the second gateway server; and
      
      communicating the first check data and the first encryption key from the first gateway server to the second gateway server over the first secure inter-server link.
  - 12. The method of claim 10, wherein the step of communicating the second check data from the server system to the old application comprises communicating the enciphered second check data from the second gateway server to the old application over the second secure link and wherein the step of communicating the decrypted version of the doubly-enciphered check data from the new application to the server system comprises communicating the decrypted version of the doubly-enciphered check data from the new application to the first gateway server over a secure link between the new application and the server system, the method further comprising:
    - initializing a second secure inter-server link between the first gateway server and the second gateway server; and
      
      communicating the second check data from the first gateway server to the second gateway server over the second secure inter-server link.
  - 13. The method of claim 10, wherein:
    - the first gateway server has an associated unique gateway identity;
      
      the step of communicating the first check data and the first encryption key from the first gateway server to the second gateway server further comprises communicating the unique gateway identity of the first gateway server over the first secure inter-server link;
      
      the step of communicating the second check data from the first gateway server to the second gateway server further comprises communicating the unique gateway identity of the first gateway server over the second secure inter-server link; and
      
      the method further comprises comparing the unique gateway identity communicated over the second secure inter-server link against the unique gateway identity communicated over the first secure inter-server link.
  - 14. The method of claim 1, wherein the electronic user system comprises an electronic device, the old application and the new application both operating on the electronic device.

15. An electronic system for secure application registration, comprising:
- an electronic user system, configured to operate an old application and a new application; and
  
  a server system, the old application operating on the electronic user system being already securely registered with the server system by reference to a user-specific credential; and
  
  wherein the electronic system is configured to register the new application securely with the server system by;
  
  initializing a first secure link between the new application and the server system and thereby establishing a first encryption key;
  
  communicating first check data from the server system to the new application over the first secure link, the first check data being passed from the new application to the old application;
  
  initializing a second secure link between the old application and the server system based on a second encryption key, the second encryption key being based on an input of the user-specific credential by the user to the old application;
  
  communicating the first check data from the old application to the server system over the second secure link;
  
  communicating enciphered second check data from the server system to the old application over the second secure link, the enciphered second check data being encrypted with the first encryption key, the enciphered second check data being further encrypted by the old application using a third encryption key to generate doubly-enciphered check data thereby, the doubly-enciphered check data being passed from the old application to the new application, wherein the third encryption key is derived from the first check data and the user-specific credential inputted to the old application; and
  
  communicating a decrypted version of the doubly-enciphered check data from the new application to the server system over a secure link between the new application and the server system, the decrypted version of the doubly-enciphered check data being generated at the new application by decrypting the doubly-enciphered check data using the first encryption key and a fourth encryption key, wherein the fourth encryption key is generated at the new application based on the first check data and an input of the user-specific credential by the user to the new application.

16. A server system for secure registration of a new application operating on a remote electronic user system, wherein an old application operating on the same electronic user system has already been securely registered with the server system by reference to a user-specific credential, the server system comprising:
- a first communication interface, configured to initialize a first secure link between the new application and the server system and thereby establishing a first encryption key and to communicate first check data to the new application over the first secure link, so that the first check data may be passed from the new application to the old application;
  
  a second communication interface, configured to initialize a second secure link between the old application and the server system based on a second encryption key, the second encryption key being based on an input of the user-specific credential by the user to the old application, the second communication interface being further configured to receive the first check data from the old application over the second secure link;
  
  encryption logic, configured to generated enciphered second check data by encrypting second check data with the first encryption key, the second communication interface being further configured to communicate the enciphered second check data to the old application over the second secure link;
  
  a third communication interface, configured to receive a decrypted version of the second check data from the new application over a secure link between the new application and the server system.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The server system of claim 16, further comprising:
    - comparison logic, configured to compare the first check data received from the old application over the second secure link against the first check data communicated to the new application over the first secure link and to compare the decrypted version of the second check data received from the new application over the third secure link against the second check data communicated as enciphered second check data to the old application over the second secure link.
  - 18. The server system of claim 17, further comprising:
    - registration logic, configured to complete the registration for the new application in response to the comparison logic determining that the first check data received from the old application over the second secure link is the same as the first check data communicated to the new application over the first secure link and that the decrypted version of the second check data received from the new application over the third secure link is the same as the second check data communicated as enciphered second check data to the old application over the second secure link.
  - 19. The server system of claim 16, further comprising:
    - a first gateway server, comprising the first communication interface and the third communication interface; and
      
      a second gateway server, comprising the second communication interface.
  - 20. The server system of claim 19, further comprising:
    - an inter-server communication interface, configured to initialize a first secure inter-server link between the first gateway server and the second gateway server and to communicate the first check data and the first encryption key from the first gateway server to the second gateway server over the first secure inter-server link.
  - 21. The server system of claim 20, wherein the inter-server communication interface is further configured to initialize a second secure inter-server link between the first gateway server and the second gateway server and to communicate the second check data from the first gateway server to the second gateway server over the second secure inter-server link.
  - 22. The server system of claim 21, wherein:
    - the first gateway server has an associated unique gateway identity;
      
      the inter-server communication interface is further configured to communicate the unique gateway identity of the first gateway server over the first secure inter-server link and to communicate the unique gateway identity of the first gateway server over the second secure inter-server link; and
      
      the server system further comprises comparison logic, configured to compare the unique gateway identity communicated over the second secure inter-server link against the unique gateway identity communicated over the first secure inter-server link.
  - 23. The server system of claim 16, wherein the third communication interface is further configured to initialize a third secure link between the new application and the server system, by establishing a third encryption key and wherein the third communication interface is configured to receive the decrypted version of the second check data from the new application over the third secure link.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Barclays Execution Services Ltd. (Barclays PLC)
Original Assignee
Barclays Bank PLC (Barclays PLC)
Inventors
Bradley, Steven, O'Brien, Conall, Goldstone, Jeremy, Crichton, Andrew, Sellwood, James, Ryan, Anthony
Primary Examiner(s)
Siddiqi, Mohammad A

Application Number

US15/685,438
Publication Number

US 20170374054A1
Time in Patent Office

376 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/42   using separate channels for...

H04L 2463/061   applying further key deriva...

H04L 63/067   using one-time keys cryptog...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/0838   using one-time-passwords

H04L 9/3213   using tickets or tokens, e....

H04L 9/3226   using a predetermined code,...

H04W 12/069   using certificates or pre-s...

H04W 4/50   Service provisioning or rec...

Linked registration

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Linked registration

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links