Methods for secure cryptogram generation
Abstract
Embodiments of the invention introduce efficient methods for securely generating a cryptogram by a user device, and validating the cryptogram by a server computer. A secure communication can be conducted whereby a user device provides a cryptogram without requiring the user device to persistently store an encryption key or other sensitive data used to generate the cryptogram. The user device and server computer can mutually authenticate and establish a shared secret. Using the shared secret, the server computer can derive a session key and transmit key derivation parameters encrypted using the session key to the user device. The user device can derive the session key using the shared secret, decrypt the encrypted key derivation parameters, and store the key derivation parameters. Key derivation parameters and the shared secret can be used to generate a single use cryptogram key, which can be used to generate a cryptogram for conducting secure communications.
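The last step of the abstract, deriving a single-use cryptogram key from the shared secret and a key derivation parameter and validating the resulting cryptogram on the server, shown as an added example (not code from the patent). It starts from an already agreed shared secret; HKDF-SHA256, the HMAC cryptogram, the per-use counter and all names are assumptions, since the page names no algorithms.

```python
import hashlib
import hmac
import os


def hkdf(secret: bytes, info: bytes) -> bytes:
    """HKDF-SHA256 (RFC 5869), all-zero salt, one 32-byte output block."""
    prk = hmac.new(b"\x00" * 32, secret, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def make_cryptogram(secret: bytes, kdp: bytes, counter: int, data: bytes) -> bytes:
    """Derive a single-use key (never stored) and MAC the data with it."""
    # Assumption: a per-use counter makes each derived key unique.
    key = hkdf(secret, b"cryptogram" + kdp + counter.to_bytes(4, "big"))
    return hmac.new(key, counter.to_bytes(4, "big") + data, hashlib.sha256).digest()


class Validator:
    """Server side: recompute the cryptogram and enforce single use."""

    def __init__(self, secret: bytes, kdp: bytes):
        self.secret, self.kdp, self.last_counter = secret, kdp, -1

    def check(self, counter: int, data: bytes, cryptogram: bytes) -> str:
        if counter <= self.last_counter:
            return "replayed"
        expected = make_cryptogram(self.secret, self.kdp, counter, data)
        if not hmac.compare_digest(expected, cryptogram):
            return "invalid"
        self.last_counter = counter  # advance only after a valid cryptogram
        return "ok"


def demo() -> list:
    # Constructed values: stand-ins for the agreed shared secret and the
    # key derivation parameter delivered inside the encrypted credential.
    secret, kdp = os.urandom(32), os.urandom(16)
    server = Validator(secret, kdp)
    data = b"constructed message"
    first = make_cryptogram(secret, kdp, 0, data)
    second = make_cryptogram(secret, kdp, 1, data)
    return [
        server.check(0, data, first),         # fresh cryptogram
        server.check(0, data, first),         # same cryptogram again
        server.check(1, b"altered", second),  # data changed in transit
        server.check(1, data, second),        # next single-use key
    ]


if __name__ == "__main__":
    print(demo())
```

Because the counter advances only after a successful check, a rejected cryptogram does not consume the next single-use key.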
32 Claims
1. A computer-implemented method comprising:
- determining, by a user device, a key pair comprising a public key and a private key;
- sending, by the user device, a provisioning request message including the public key to a server computer;
- receiving, by the user device, a provisioning response message including an encrypted credential from the server computer;
- determining, by the user device, a response shared secret using the private key and a static server public key;
- decrypting, by the user device, the encrypted credential using the response shared secret to determine a credential;
- obtaining a key derivation parameter from the credential;
- determining a first cryptogram key using the key derivation parameter;
- generating a first cryptogram using the first cryptogram key; and
- sending the first cryptogram to a second computer.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
15. A computer-implemented method, comprising:
- receiving, by a server computer, a provisioning request message from a user device, the provisioning request message including a device public key;
- determining, by the server computer, a request shared secret using the device public key and a static server private key;
- generating, by the server computer, a response shared secret using the static server private key and the device public key;
- obtaining a key derivation parameter for determining a first cryptogram key from the response shared secret;
- encrypting, by the server computer, a credential using the response shared secret to determine encrypted response data, the credential including the key derivation parameter; and
- sending, by the server computer, to the user device, a provisioning response message including the encrypted response data.
Dependent claims: 16, 17, 18, 19
20. A computer system, comprising:
- a memory that stores computer-executable instructions; and
- a processor configured to access the memory and execute the computer-executable instructions to:
  - determine a key pair comprising a public key and a private key;
  - send a provisioning request message including the public key to a server computer;
  - receive a provisioning response message including an encrypted credential from the server computer;
  - determine a response shared secret using the private key and a static server public key;
  - decrypt the encrypted credential using the response shared secret to determine a credential;
  - obtain a key derivation parameter from the credential;
  - determine a first cryptogram key using the key derivation parameter;
  - generate a first cryptogram using the first cryptogram key; and
  - send the first cryptogram to a second computer.
Dependent claims: 21, 22, 23, 24, 25, 26, 27
28. A server computer comprising:
- a memory that stores computer-executable instructions; and
- a processor configured to access the memory and execute the computer-executable instructions to:
  - receive a provisioning request message from a user device, the provisioning request message including a device public key;
  - determine a request shared secret using the device public key and a static server private key;
  - generate a response shared secret using the static server private key and the device public key;
  - obtain a key derivation parameter for determining a first cryptogram key from the response shared secret;
  - encrypt a credential using the response shared secret to determine encrypted response data, the credential including the key derivation parameter; and
  - send to the user device a provisioning response message including the encrypted response data.
Dependent claims: 29, 30, 31, 32
Specification