Hybrid integration of software development kit with secure execution environment

US 10,187,363 B2
Filed: 12/31/2015
Issued: 01/22/2019
Est. Priority Date: 12/31/2014
Status: Active Grant

First Claim

Patent Images

1. A portable communication device comprising:

one or more processor circuits; and

one or more memory units coupled to the one or more processor circuits and storing computer readable code implementing a secure application in a trusted execution environment, which when executed by the one or more processor circuits, performs operations including;

receiving, by the secure application from a mobile application executing in an application execution environment of the portable communication device, a first storage request, the first storage request including a first encrypted data type identifier and an encrypted cryptogram generation key;

decrypting, by the secure application, the first encrypted data type identifier and the encrypted cryptogram generation key using a transport key;

determining, by the secure application, that the first decrypted data type identifier indicates the first storage request is for a cryptogram generation key;

re-encrypting, by the secure application, the decrypted cryptogram generation key using a key-storage key to generate a re-encrypted cryptogram generation key;

storing the re-encrypted cryptogram generation key outside the trusted execution environment;

receiving, by the secure application from the mobile application, a cryptogram generation request, the cryptogram generation request including the re-encrypted cryptogram generation key and transaction data for a transaction, wherein the transaction data is received by the mobile application from an access device;

decrypting, by the secure application, the re-encrypted cryptogram generation key using the key-storage key;

encrypting, by the secure application, the transaction data using the decrypted cryptogram generation key to generate the transaction cryptogram; and

sending, by the secure application to the mobile application, the generated transaction cryptogram, wherein the mobile application transmits the generated transaction cryptogram to the access device to conduct the transaction.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A portable communication device may include a mobile application executing in an application execution environment and a secure application executing in a trusted execution environment. The secure application may receive, from the mobile application, a storage request to store sensitive data. The storage request may include an encrypted data type identifier and an encrypted sensitive data. The secure application may decrypt the encrypted data type identifier and the encrypted sensitive data using a transport key, and re-encrypt the sensitive data using a storage key. The re-encrypted sensitive data can then be stored in a memory of the portable communication device which is outside the trusted execution environment.

Citations

20 Claims

1. A portable communication device comprising:
- one or more processor circuits; and
  
  one or more memory units coupled to the one or more processor circuits and storing computer readable code implementing a secure application in a trusted execution environment, which when executed by the one or more processor circuits, performs operations including;
  
  receiving, by the secure application from a mobile application executing in an application execution environment of the portable communication device, a first storage request, the first storage request including a first encrypted data type identifier and an encrypted cryptogram generation key;
  
  decrypting, by the secure application, the first encrypted data type identifier and the encrypted cryptogram generation key using a transport key;
  
  determining, by the secure application, that the first decrypted data type identifier indicates the first storage request is for a cryptogram generation key;
  
  re-encrypting, by the secure application, the decrypted cryptogram generation key using a key-storage key to generate a re-encrypted cryptogram generation key;
  
  storing the re-encrypted cryptogram generation key outside the trusted execution environment;
  
  receiving, by the secure application from the mobile application, a cryptogram generation request, the cryptogram generation request including the re-encrypted cryptogram generation key and transaction data for a transaction, wherein the transaction data is received by the mobile application from an access device;
  
  decrypting, by the secure application, the re-encrypted cryptogram generation key using the key-storage key;
  
  encrypting, by the secure application, the transaction data using the decrypted cryptogram generation key to generate the transaction cryptogram; and
  
  sending, by the secure application to the mobile application, the generated transaction cryptogram, wherein the mobile application transmits the generated transaction cryptogram to the access device to conduct the transaction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The portable communication device of claim 1, wherein the operations further include:
    - receiving, by the secure application from the mobile application, a second storage request, the second storage request including a second encrypted data type identifier and an encrypted token;
      
      decrypting, by the secure application, the second encrypted data type identifier and the encrypted token using the transport key;
      
      determining, by the secure application, that the second decrypted data type identifier indicates the second storage request is for a token;
      
      re-encrypting, by the secure application, the decrypted token using a token-storage key to generate a re-encrypted token; and
      
      storing the re-encrypted token outside the trusted execution environment.
  - 3. The portable communication device of claim 2, wherein the operations further include:
    - decrypting, by the secure application, the re-encrypted token using the token-storage key; and
      
      sending, by the secure application to the mobile application, the decrypted token.
  - 4. The portable communication device of claim 1, wherein the cryptogram generation key is a limited-use key.
  - 5. The portable communication device of claim 4, wherein the operations further include:
    - receiving, by the secure application from the mobile application, a key replenishment request, the key replenishment request including the re-encrypted cryptogram generation key and a transaction verification log;
      
      decrypting, by the secure application, the re-encrypted cryptogram generation key using the key-storage key;
      
      generating, by the secure application, a hash value computed over at least the transaction verification log using the decrypted cryptogram generation key; and
      
      sending, by the secure application to the mobile application, the hash value.
  - 6. The portable communication device of claim 5, wherein the mobile application sends the hash value to a server to request a new limited-use key.
  - 7. The portable communication device of claim 1, wherein the encrypted cryptogram generation key is received by the mobile application from a server, and the encrypted cryptogram generation key is signed by the server.
  - 8. The portable communication device of claim 7, wherein the operations further include:
    - verifying, by the secure application, that the encrypted cryptogram generation key was signed by the server using a certificate associated with the server.
  - 9. The portable communication device of claim 1, wherein the operations further include:
    - storing, by the secure application, a crypto library in the trusted execution environment, the crypto library including the transport key, the key-storage key, and the token-storage key.
  - 10. The portable communication device of claim 1, wherein the operations further include:
    - selecting, by the secure application, the key-storage key to use for the re-encrypting of the decrypted cryptogram generation key based on the first encrypted data type identifier indicating the first storage request is for the cryptogram generation key.

11. A method for managing sensitive data in a portable communication device having a mobile application executing in an application execution environment and a secure application executing in a trusted execution environment, the method comprising:
- receiving, by the secure application from the mobile application, a first storage request, the first storage request including a first encrypted data type identifier and an encrypted cryptogram generation key;
  
  decrypting, by the secure application, the first encrypted data type identifier and the encrypted cryptogram generation key using a transport key;
  
  determining, by the secure application, that the first decrypted data type identifier indicates the first storage request is for a cryptogram generation key;
  
  re-encrypting, by the secure application, the decrypted cryptogram generation key using a key-storage key to generate a re-encrypted cryptogram generation key;
  
  storing the re-encrypted cryptogram generation key in a memory of the portable communication device which is outside the trusted execution environment;
  
  receiving, by the secure application from the mobile application, a cryptogram generation request, the cryptogram generation request including the re-encrypted cryptogram generation key and transaction data for a transaction, wherein the transaction data is received by the mobile application from an access device;
  
  decrypting, by the secure application, the re-encrypted cryptogram generation key using the key-storage key;
  
  encrypting, by the secure application, the transaction data using the decrypted cryptogram generation key to generate the transaction cryptogram; and
  
  sending, by the secure application to the mobile application, the generated transaction cryptogram, wherein the mobile application transmits the generated transaction cryptogram to the access device to conduct the transaction.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, further comprising:
    - receiving, by the secure application from the mobile application, a second storage request, the second storage request including a second encrypted data type identifier and an encrypted token;
      
      decrypting, by the secure application, the second encrypted data type identifier and the encrypted token using the transport key;
      
      determining, by the secure application, that the second decrypted data type identifier indicates the second storage request is for a token;
      
      re-encrypting, by the secure application, the decrypted token using a token-storage key to generate a re-encrypted token; and
      
      storing the re-encrypted token in the memory of the portable communication device which is outside the trusted execution environment.
  - 13. The method of claim 12, further comprising:
    - decrypting, by the secure application, the re-encrypted token using the token-storage key; and
      
      sending, by the secure application to the mobile application, the decrypted token.
  - 14. The method of claim 11, wherein the cryptogram generation key is a limited-use key.
  - 15. The method of claim 14, further comprising:
    - receiving, by the secure application from the mobile application, a key replenishment request, the key replenishment request including the re-encrypted cryptogram generation key and a transaction verification log;
      
      decrypting, by the secure application, the re-encrypted cryptogram generation key using the key-storage key;
      
      generating, by the secure application, a hash value computed over at least the transaction verification log using the decrypted cryptogram generation key; and
      
      sending, by the secure application to the mobile application, the hash value.
  - 16. The method of claim 15, wherein the mobile application sends the hash value to a server to request a new limited-use key.
  - 17. The method of claim 11, wherein the encrypted cryptogram generation key is received by the mobile application from a server, and the encrypted cryptogram generation key is signed by the server.
  - 18. The method of claim 17, further comprising:
    - verifying, by the secure application, that the encrypted cryptogram generation key was signed by the server using a certificate associated with the server.
  - 19. The method of claim 11, further comprising:
    - storing, by the secure application, a crypto library in the trusted execution environment, the crypto library including the transport key, the key-storage key, and the token-storage key.
  - 20. The method of claim 11, further comprising:
    - selecting, by the secure application, the key-storage key to use for the re-encrypting of the decrypted cryptogram generation key based on the first encrypted data type identifier indicating the first storage request is for the cryptogram generation key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa International Service Association (Visa, Inc.)
Original Assignee
Visa International Service Association (Visa, Inc.)
Inventors
Smirnoff, Sergey, Bhattacharya, Soumendra
Primary Examiner(s)
Naghdali, Khalil

Application Number

US14/985,853
Publication Number

US 20160191236A1
Time in Patent Office

1,118 Days
Field of Search

713171
US Class Current
CPC Class Codes

H04L 63/062   for key distribution, e.g. ...

H04L 9/0822   using key encryption key

H04L 9/0861   Generation of secret inform...

H04L 9/0897   involving additional device...

Hybrid integration of software development kit with secure execution environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Hybrid integration of software development kit with secure execution environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links