Hybrid integration of software development kit with secure execution environment
First Claim
Patent Images
1. A portable communication device comprising:
- one or more processor circuits; and
one or more memory units coupled to the one or more processor circuits and storing computer readable code implementing a secure application in a trusted execution environment, which when executed by the one or more processor circuits, performs operations including;
receiving, by the secure application from a mobile application executing in an application execution environment of the portable communication device, a first storage request to store first sensitive data, the first sensitive data being a first token or a cryptogram generation key, the first storage request including a first encrypted data type identifier and first encrypted sensitive data;
decrypting, by the secure application, the first encrypted data type identifier and the first encrypted sensitive data using a transport key;
determining, by the secure application, whether the first decrypted data type identifier indicates that the first sensitive data is a token or a cryptogram generation key;
re-encrypting, by the secure application based on the first decrypted data type identifier, the first sensitive data using a key to generate re-encrypted first sensitive data; and
storing the re-encrypted first sensitive data outside the trusted execution environment,wherein the first sensitive data is the first token, wherein the first decrypted data type identifier indicates that the first sensitive data is a token, wherein the key is a token-storage key, and wherein the operations further include;
receiving, by the secure application from the mobile application, a second storage request to store second sensitive data, the second storage request including a second encrypted data type identifier and second encrypted sensitive data;
decrypting, by the secure application, the second encrypted data type identifier and the second encrypted sensitive data using the transport key;
determining, by the secure application, that the second decrypted data type identifier indicates the second sensitive data to store is a token;
re-encrypting, by the secure application, the second sensitive data using the token-storage key to generate a re-encrypted token; and
storing the re-encrypted token outside the trusted execution environment.
0 Assignments
0 Petitions
Accused Products
Abstract
A portable communication device may include a mobile application executing in an application execution environment and a secure application executing in a trusted execution environment. The secure application may receive, from the mobile application, a storage request to store sensitive data. The storage request may include an encrypted data type identifier and an encrypted sensitive data. The secure application may decrypt the encrypted data type identifier and the encrypted sensitive data using a transport key, and re-encrypt the sensitive data using a storage key. The re-encrypted sensitive data can then be stored in a memory of the portable communication device which is outside the trusted execution environment.
612 Citations
12 Claims
-
1. A portable communication device comprising:
-
one or more processor circuits; and one or more memory units coupled to the one or more processor circuits and storing computer readable code implementing a secure application in a trusted execution environment, which when executed by the one or more processor circuits, performs operations including; receiving, by the secure application from a mobile application executing in an application execution environment of the portable communication device, a first storage request to store first sensitive data, the first sensitive data being a first token or a cryptogram generation key, the first storage request including a first encrypted data type identifier and first encrypted sensitive data; decrypting, by the secure application, the first encrypted data type identifier and the first encrypted sensitive data using a transport key; determining, by the secure application, whether the first decrypted data type identifier indicates that the first sensitive data is a token or a cryptogram generation key; re-encrypting, by the secure application based on the first decrypted data type identifier, the first sensitive data using a key to generate re-encrypted first sensitive data; and storing the re-encrypted first sensitive data outside the trusted execution environment, wherein the first sensitive data is the first token, wherein the first decrypted data type identifier indicates that the first sensitive data is a token, wherein the key is a token-storage key, and wherein the operations further include; receiving, by the secure application from the mobile application, a second storage request to store second sensitive data, the second storage request including a second encrypted data type identifier and second encrypted sensitive data; decrypting, by the secure application, the second encrypted data type identifier and the second encrypted sensitive data using the transport key; determining, by the secure application, that the second decrypted data type identifier indicates the second sensitive data to store is a token; re-encrypting, by the secure application, the second sensitive data using the token-storage key to generate a re-encrypted token; and storing the re-encrypted token outside the trusted execution environment. - View Dependent Claims (2, 3, 9, 10, 11)
-
-
4. A method for managing sensitive data in a portable communication device having a mobile application executing in an application execution environment and a secure application executing in a trusted execution environment, the method comprising:
-
receiving, by the secure application from the mobile application executing in the application execution environment of the portable communication device, a first storage request to store first sensitive data, the first sensitive data being a first token or a cryptogram generation key, the first storage request including a first encrypted data type identifier and first encrypted sensitive data; decrypting, by the secure application, the first encrypted data type identifier and the first encrypted sensitive data using a transport key; determining, by the secure application, whether the first decrypted data type identifier indicates that the first sensitive data is a token or a cryptogram generation key; re-encrypting, by the secure application based on the first decrypted data type identifier, the first sensitive data using a key to generate re-encrypted first sensitive data; and storing the re-encrypted first sensitive data outside the trusted execution environment, wherein the first sensitive data is the first token, wherein the first decrypted data type identifier indicates that the first sensitive data is a token, wherein the key is a token-storage key, the method further comprising; receiving, by the secure application from the mobile application, a second storage request to store second sensitive data, the second storage request including a second encrypted data type identifier and second encrypted sensitive data; decrypting, by the secure application, the second encrypted data type identifier and the second encrypted sensitive data using the transport key; determining, by the secure application, that the second decrypted data type identifier indicates the second sensitive data to store is a token; re-encrypting, by the secure application, the second sensitive data using the token-storage key to generate a second re-encrypted token; and storing the second re-encrypted token outside the trusted execution environment. - View Dependent Claims (5, 6, 7, 8, 12)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeVisa International Service Association (Visa, Inc.)
-
Original AssigneeVisa International Service Association (Visa, Inc.)
-
InventorsSmirnoff, Sergey, Bhattacharya, Soumendra
-
Primary Examiner(s)Naghdali, Khalil
-
Application NumberUS16/165,955Publication NumberTime in Patent Office424 DaysField of Search713171US Class CurrentCPC Class CodesH04L 63/062 for key distribution, e.g. ...H04L 9/0822 using key encryption keyH04L 9/0861 Generation of secret inform...H04L 9/0897 involving additional device...
