Confidential communication management

US 10,218,502 B2
Filed: 03/08/2018
Issued: 02/26/2019
Est. Priority Date: 02/13/2015
Status: Active Grant

First Claim

Patent Images

1. A client computer comprising:

a memory that stores computer-executable instructions; and

one or more hardware processors configured to access the memory and execute the computer-executable instructions to implement a method comprising;

determining a client key pair comprising a client private key and a client public key;

determining a protected server key identifier associated with a server computer, the protected server key identifier encrypted by a server identifier encryption key maintained by the server computer, the protected server key identifier usable by the server computer to validate a server key identifier associated with a server private key;

identifying the server public key associated with the protected server key identifier;

generating a shared secret using the server public key and the client private key;

encrypting message data using the shared secret to obtain encrypted message data; and

sending, to the server computer, a message including the encrypted message data, the protected server key identifier, and the client public key.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for confidential communication management. For example, a client computer can determine a client key pair comprising a client private key and a client public key. The client computer can further determine a protected server key identifier, identify a server public key associated with the protected server key identifier, and generating a shared secret using the server public key and the client private key. The client computer can further encrypt message data using the shared secret and sending, to a server computer, a message including the encrypted message data, the protected server key identifier, and the client public key. The protected server key identifier can be associated with the server computer and can be usable by the server computer to identify a server private key to be used in decrypting the encrypted message data.

Citations

20 Claims

1. A client computer comprising:
- a memory that stores computer-executable instructions; and
  
  one or more hardware processors configured to access the memory and execute the computer-executable instructions to implement a method comprising;
  
  determining a client key pair comprising a client private key and a client public key;
  
  determining a protected server key identifier associated with a server computer, the protected server key identifier encrypted by a server identifier encryption key maintained by the server computer, the protected server key identifier usable by the server computer to validate a server key identifier associated with a server private key;
  
  identifying the server public key associated with the protected server key identifier;
  
  generating a shared secret using the server public key and the client private key;
  
  encrypting message data using the shared secret to obtain encrypted message data; and
  
  sending, to the server computer, a message including the encrypted message data, the protected server key identifier, and the client public key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The client computer of claim 1, wherein the one or more hardware processors are further configured to execute the computer-executable instructions to implement:
    - receiving, from the server computer, a response message including a second server public key and encrypted response data including a second protected server key identifier;
      
      decrypting the encrypted response data using the client private key and the second server public key to obtain message data and the second protected server key identifier; and
      
      storing the second protected server key identifier in association with the second server public key.
  - 3. The client computer of claim 1, wherein the protected server key identifier includes padding data and a server key identifier, wherein the padding data is usable by the server to further validate the server key identifier.
  - 4. The client computer of claim 1, wherein the one or more hardware processors are further configured to execute the computer-executable instructions to implement:
    - determining a protected client key identifier associated with the client private key.
  - 5. The client computer of claim 4, wherein the message data includes the protected client key identifier.
  - 6. The client computer of claim 5, wherein the one or more hardware processors are further configured to execute the computer-executable instructions to implement:
    - receiving, from the server computer, a response message including encrypted response data and the protected client key identifier.
  - 7. The client computer of claim 6, wherein the one or more hardware processors are further configured to execute the computer-executable instructions to implement:
    - associating the response message with the message based on the protected client key identifier.
  - 8. The client computer of claim 6, wherein the one or more hardware processors are further configured to execute the computer-executable instructions to implement:
    - determining the client private key associated with the protected client key identifier received in the response message;
      
      decrypting the encrypted response data using the client private key and a server public key to obtain response data.
  - 9. The client computer of claim 1, wherein the one or more hardware processors are further configured to execute the computer-executable instructions to implement:
    - deriving a session key based on the shared secret; and
      
      encrypting the message data using the session key.
  - 10. The client computer of claim 1, wherein the one or more hardware processors are further configured to execute the computer-executable instructions to implement:
    - for another request message including other encrypted request data, determining that another protected server key identifier does not map to an existing server public key and encrypting the other encrypted request data using a default server public key to obtain other request data.

11. A server computer comprising:
- a memory that stores computer-executable instructions; and
  
  one or more hardware processors configured to access the memory and execute the computer-executable instructions to implement a method comprising;
  
  determining a server key identifier corresponding to a server private key and a server public key;
  
  encrypting the server key identifier using a server identifier encryption key maintained by the server computer to obtain a protected server key identifier;
  
  generating a shared secret using a client public key obtained from a client computer and the server private key;
  
  encrypting message data using the shared secret to determine encrypted message data, wherein the message data includes the protected server key identifier; and
  
  sending, to the client computer, a message including the encrypted message data, the protected server key identifier being decryptable using the server identifier encryption key, the protected server key identifier usable by the server computer to validate the server key identifier.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The server computer of claim 11, wherein the one or more hardware processors are further configured to execute the computer-executable instructions to implement:
    - encrypting the server key identifier by encrypting a combination of the server key identifier, a padding element, and a random element using the server identifier encryption key, the padding element being a constant value or a message authentication code (MAC) of the server key identifier.
  - 13. The server computer of claim 11, wherein the one or more hardware processors are further configured to execute the computer-executable instructions to implement:
    - deriving a message session key based on the shared secret; and
      
      encrypting the message data using the message session key.
  - 14. The server computer of claim 11, wherein the one or more hardware processors are further configured to execute the computer-executable instructions to implement:
    - generating the protected server key identifier by encrypting a combination of the server key identifier and a padding element.
  - 15. The server computer of claim 11, wherein the message further comprises an obfuscated server public key corresponding to the server private key.
  - 16. The server computer of claim 11, wherein the one or more hardware processors are further configured to execute the computer-executable instructions to implement:
    - receiving a request message from the client computer, wherein the request message includes a protected client key identifier associated with the client computer; and
      
      including the protected client key identifier in the message sent to the client computer.

17. A client computer comprising:
- a memory that stores computer-executable instructions; and
  
  one or more hardware processors configured to access the memory and execute the computer-executable instructions to implement a method comprising;
  
  receiving, from a server, a message including encrypted message data and a protected client key identifier, the protected client key identifier encrypted by a client identifier encryption key maintained by the client computer, the protected client key identifier usable by the client computer to validate a client key identifier associated with a client private key;
  
  determining the client private key associated with the protected client key identifier;
  
  decrypting the encrypted message data using the client private key and a server public key to obtain message data and a protected server key identifier; and
  
  storing the protected server key identifier in association with the server public key.
- View Dependent Claims (18, 19, 20)
- - 18. The client computer of claim 17, wherein the one or more hardware processors are further configured to execute the computer-executable instructions to implement, before receiving the message from the server:
    - determining the protected client key identifier;
      
      encrypting request message data using the client private key and the server public key, wherein the message data includes the protected client key identifier; and
      
      sending the request message data to the server.
  - 19. The client computer of claim 17, wherein the one or more hardware processors are further configured to execute the computer-executable instructions to implement:
    - determining an order to process previous response messages before processing the message received from the server based on the value of the protected client key identifier.
  - 20. The client computer of claim 17, wherein determining the client private key associated with the protected client key identifier includes:
    - decrypting the protected client key identifier to obtain a client key identifier;
      
      determining the client private key based on the client key identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa International Service Association (Visa, Inc.)
Original Assignee
Visa International Service Association (Visa, Inc.)
Inventors
Le Saint, Eric, Bhattacharya, Soumendra
Primary Examiner(s)
Chai, Longbit

Application Number

US15/915,614
Publication Number

US 20180198606A1
Time in Patent Office

355 Days
Field of Search

713155
US Class Current
CPC Class Codes

H04L 2463/062   applying encryption of the ...

H04L 63/061   for key exchange, e.g. in p...

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0844   with user authentication or...

H04L 9/14   using a plurality of keys o...

Confidential communication management

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Confidential communication management

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links