Key pair infrastructure for secure messaging

US 10,205,709 B2
Filed: 12/14/2016
Issued: 02/12/2019
Est. Priority Date: 12/14/2016
Status: Active Grant

First Claim

Patent Images

1. A verification server comprising:

a processor; and

a memory coupled to the processor, the memory storing instructions, which when executed by the processor, cause the verification server to perform operations including;

receiving, over a first network, a request for a public key from an access device, wherein the access device sends the request in response to an interaction with a client device;

generating the public key, a private key that corresponds to the public key, and a key identifier associated with the private key, wherein the public key and the private key are limited-use keys;

transmitting the public key and the key identifier to the access device, wherein the access device transmits the public key and the key identifier to the client device;

receiving, from the client device over a second network, a message and the key identifier from the client device, wherein the message is encrypted using the public key;

retrieving the private key associated with the key identifier;

decrypting the message using the private key;

generating a signature of the public key using a shared secret, wherein the shared secret was previously shared between the verification server and the access device; and

transmitting the signature of the public key to the access device with the public key and the key identifier, wherein the access device validates the signature of the public key using the shared secret, and wherein the access device transmits the public key and the key identifier to the client device after validation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention use a limited-use public/private key pair to encrypt and decrypt messages sent through an intermediary. The messages may contain sensitive information and may be transmitted between entities over one or more networks. In some embodiments, the entities and/or the networks may be untrusted. Nevertheless, the content of the messages may remain protected by virtue of the limited-use key pair infrastructure.

33 Citations

View as Search Results

22 Claims

1. A verification server comprising:
- a processor; and
  
  a memory coupled to the processor, the memory storing instructions, which when executed by the processor, cause the verification server to perform operations including;
  
  receiving, over a first network, a request for a public key from an access device, wherein the access device sends the request in response to an interaction with a client device;
  
  generating the public key, a private key that corresponds to the public key, and a key identifier associated with the private key, wherein the public key and the private key are limited-use keys;
  
  transmitting the public key and the key identifier to the access device, wherein the access device transmits the public key and the key identifier to the client device;
  
  receiving, from the client device over a second network, a message and the key identifier from the client device, wherein the message is encrypted using the public key;
  
  retrieving the private key associated with the key identifier;
  
  decrypting the message using the private key;
  
  generating a signature of the public key using a shared secret, wherein the shared secret was previously shared between the verification server and the access device; and
  
  transmitting the signature of the public key to the access device with the public key and the key identifier, wherein the access device validates the signature of the public key using the shared secret, and wherein the access device transmits the public key and the key identifier to the client device after validation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The verification server of claim 1, wherein the operations further include:
    - generating a token in response to the message, wherein the token authorizes access to a resource; and
      
      transmitting the token to the access device.
  - 3. The verification server of claim 2, wherein the token is transmitted to the access device via the client device.
  - 4. The verification server of claim 1, wherein the operations further include:
    - generating a token in response to the message, wherein the token authorizes access to a resource;
      
      generating a signature of the private key using the token and the private key; and
      
      transmitting the token and the signature of the private key to the access device, wherein the access device validates the signature of the private key using the public key and the token.
  - 5. The verification server of claim 4, wherein the token and the signature of the private key are transmitted to the access device via the client device.
  - 6. The verification server of claim 4, wherein the operations further include:
    - expiring the private key after generating the signature of the private key.
  - 7. The verification server of claim 1, wherein the private key associated with the key identifier is retrieved after determining that the key identifier has not expired.
  - 8. The verification server of claim 1, wherein receiving the request for the public key occurs after generating the public key, the private key, and the key identifier.
  - 9. The verification server of claim 1, wherein generating the public key, the private key, and the key identifier comprises generating a plurality of public keys including the public key, a plurality of private keys including the private key, and a plurality of key identifiers including the key identifier prior to receiving the request, and wherein after receiving the request, the operations further include:
    - selecting the public key from the plurality of public keys, the private key from the plurality of private keys, and the key identifier from the plurality of key identifiers.

10. A method comprising:
- receiving, by a verification server over a first network, a request for a public key from an access device, wherein the access device sends the request in response to an interaction with a client device;
  
  generating, by the verification server, the public key, a private key that corresponds to the public key, and a key identifier associated with the private key, wherein the public key and the private key are limited-use keys;
  
  transmitting the public key and the key identifier to the access device, wherein the access device transmits the public key and the key identifier to the client device;
  
  receiving, by the verification server from the client device over a second network, a message and the key identifier from the client device, wherein the message is encrypted using the public key;
  
  retrieving the private key associated with the key identifier;
  
  decrypting the message using the private key;
  
  generating a signature of the public key using a shared secret, wherein the shared secret was previously shared between the verification server and the access device; and
  
  transmitting the signature of the public key to the access device with the public key and the key identifier, wherein the access device validates the signature of the public key using the shared secret, and wherein the access device transmits the public key and the key identifier to the client device after validation.
- View Dependent Claims (11, 12)
- - 11. The method of claim 10, further comprising:
    - generating a token in response to the message, wherein the token authorizes access to a resource;
      
      generating a signature of the private key using the token and the private key; and
      
      transmitting the token and the signature of the private key to the access device, wherein the access device validates the signature of the private key using the public key and the token.
  - 12. The method of claim 11, further comprising:
    - expiring the private key after generating the signature of the private key.

13. An access device comprising:
- a processor; and
  
  a memory coupled to the processor, the memory storing instructions, which when executed by the processor, cause the access device to perform operations including;
  
  receiving a request to send a message from a client device;
  
  in response to the request, requesting a public key from a verification server, wherein the verification server generates the public key, a private key that corresponds to the public key, and a key identifier associated with the private key, and wherein the public key and the private key are limited-use keys;
  
  receiving the public key and the key identifier from the verification server;
  
  transmitting the public key and the key identifier to the client device, wherein the client device encrypts the message using the public key and transmits the message and the key identifier to the verification server, and wherein the verification server retrieves the private key using the key identifier and decrypts the message using the private key, wherein the verification server generates a signature of the public key using the public key and a shared secret that was previously shared between the verification server and the access device, wherein the signature of the public key is received by the access device with the key identifier; and
  
  validating the signature of the public key using the shared secret, wherein the public key and the key identifier are transmitted to the client device after validation.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The access device of claim 13, wherein after the verification server decrypts the message using the private key, the verification server generates a token corresponding to the message, wherein the token authorizes access to a resource, and wherein the operations further include:
    - receiving the token from the verification server.
  - 15. The access device of claim 13, wherein after the verification server decrypts the message using the private key, the verification server generates a token corresponding to the message and generates a signature of the private key, wherein the token authorizes access to a resource, and wherein the operations further include:
    - receiving the token and the signature of the private key from the verification server; and
      
      validating the signature of the private key using the public key.
  - 16. The access device of claim 13, wherein the operations further include:
    - expiring the public key after the access device validates the signature of the public key using the shared secret.
  - 17. The access device of claim 13, wherein before receiving the request to send the message, the operations further include:
    - sharing the shared secret with the verification server, wherein the verification server thereafter generates the signature of the public key using the public key and the shared secret;
      
      receiving the signature of the public key with the public key and the key identifier;
      
      validating the signature of the public key using the shared secret; and
      
      transmitting the public key and the key identifier to the client device.

18. A method comprising performing, by an access device:
- receiving a request to send a message from a client device;
  
  in response to the request, requesting a public key from a verification server, wherein the verification server generates the public key, a private key that corresponds to the public key, and a key identifier associated with the private key, and wherein the public key and the private key are limited-use keys;
  
  receiving the public key and the key identifier from the verification server;
  
  transmitting the public key and the key identifier to the client device, wherein the client device encrypts the message using the public key and transmits the message and the key identifier to the verification server, and wherein the verification server retrieves the private key using the key identifier and decrypts the message using the private key, wherein the verification server generates a signature of the public key using the public key and a shared secret that was previously shared between the verification server and the access device, wherein the signature of the public key is received by the access device with the key identifier; and
  
  validating the signature of the public key using the shared secret, wherein the public key and the key identifier are transmitted to the client device after validation.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The method of claim 18, wherein after the verification server decrypts the message using the private key, the verification server generates a token corresponding to the message, wherein the token authorizes access to a resource, the method further comprising:
    - receiving the token from the verification server.
  - 20. The method of claim 18, wherein after the verification server decrypts the message using the private key, the verification server generates a token corresponding to the message and generates a signature of the private key, wherein the token authorizes access to a resource, the method further comprising:
    - receiving the token and the signature of the private key from the verification server; and
      
      validating the signature of the private key using the public key.
  - 21. The method of claim 18, further comprising:
    - expiring the public key after the access device validates the signature of the public key using the shared secret.
  - 22. The method of claim 18, wherein before receiving the request to send the message, the method further comprising:
    - sharing the shared secret with the verification server, wherein the verification server thereafter generates the signature of the public key using the public key and the shared secret;
      
      receiving the signature of the public key with the public key and the key identifier;
      
      validating the signature of the public key using the shared secret; and
      
      transmitting the public key and the key identifier to the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa International Service Association (Visa, Inc.)
Original Assignee
Visa International Service Association (Visa, Inc.)
Inventors
John, Rhidian, Prokop, Bartlomiej Piotr, Looney, Thomas
Primary Examiner(s)
Hailu, Teshome

Application Number

US15/379,227
Publication Number

US 20180167367A1
Time in Patent Office

790 Days
Field of Search

713176
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/068   using time-dependent keys, ...

H04L 63/10   for controlling access to d...

H04L 63/126   the source of the received ...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0827   involving distinctive inter...

H04L 9/085   Secret sharing or secret sp...

H04L 9/088   Usage controlling of secret...

H04L 9/0891   Revocation or update of sec...

H04L 9/14   using a plurality of keys o...

H04L 9/3247   involving digital signatures

Key pair infrastructure for secure messaging

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

33 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Key pair infrastructure for secure messaging

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links