Anytime validation tokens

US 10,586,229 B2
Filed: 07/08/2013
Issued: 03/10/2020
Est. Priority Date: 01/12/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a validation server computer having one or more microprocessors and operated by a trusted entity, a registration request from a token manufacturer;

determining, by the validation server computer, that the token manufacturer is approved to be a trusted token manufacturer;

generating, by the validation server computer, a token manufacturer key for the trusted token manufacturer,sending, by the validation server computer, a registration response message including the token manufacturer key and an indication of an algorithm for generating approved serial numbers to the trusted token manufacturer;

generating, by a computer of the trusted token manufacturer, a token serial number using the algorithm;

generating, by the computer of the trusted token manufacturer, a token specific key and signing the token specific key with the token manufacturer key;

storing, by the computer of the trusted token manufacturer, token specific information including the token specific key and the token serial number in a token;

receiving, by the validation server computer, a validation request to validate the token before the token is activated for first time use in a transaction, the validation request including the token serial number and a challenge message, the challenge message signed with an authentication key derived at least in part from the token serial number, the authentication key being distinct from the token specific key;

validating, by the validation server computer, the token at least in part by deriving the authentication key from the token serial number and verifying the challenge message signature with the derived authentication key;

generating, by the validation server computer, a replacement key from a master key, the replacement key being distinct from the token specific key and the authentication key; and

activating, by the validation server computer, the token for first time use, wherein activating the token comprises, at least in part, replacing the token specific key from the token manufacturer stored in the token with the replacement key generated from the master key at least in part by establishing, by the validation server computer, a secure communication session directly with the token through a network and providing the replacement key generated from the master key.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and method for producing, validating, and registering authentic verification tokens are disclosed. Such systems and methods include generating verification token specific key pairs. The key pairs can be signed by a verification token manufacturer master key or public key certificate for an additional level of authenticity. Related methods and systems for authenticating and registering authorized verification token manufacturers are also disclosed. Once a verification token manufacturer is authenticated, it can be assigned a manufacturer-specific key pair or certificate and in some cases, a predetermined set of serial numbers to assign to the verification tokens it produces. Each serial number can be used to generate a verification token specific key pair specific to the associated verification token. One component of the verification token key pair can be stored to the verification token. Optionally, the component of the verification token key pair stored to the verification token can be signed by the manufacturer specific master key or certificate and stored a verification token public certificate.

582 Citations

15 Claims

1. A method comprising:
- receiving, by a validation server computer having one or more microprocessors and operated by a trusted entity, a registration request from a token manufacturer;
  
  determining, by the validation server computer, that the token manufacturer is approved to be a trusted token manufacturer;
  
  generating, by the validation server computer, a token manufacturer key for the trusted token manufacturer,sending, by the validation server computer, a registration response message including the token manufacturer key and an indication of an algorithm for generating approved serial numbers to the trusted token manufacturer;
  
  generating, by a computer of the trusted token manufacturer, a token serial number using the algorithm;
  
  generating, by the computer of the trusted token manufacturer, a token specific key and signing the token specific key with the token manufacturer key;
  
  storing, by the computer of the trusted token manufacturer, token specific information including the token specific key and the token serial number in a token;
  
  receiving, by the validation server computer, a validation request to validate the token before the token is activated for first time use in a transaction, the validation request including the token serial number and a challenge message, the challenge message signed with an authentication key derived at least in part from the token serial number, the authentication key being distinct from the token specific key;
  
  validating, by the validation server computer, the token at least in part by deriving the authentication key from the token serial number and verifying the challenge message signature with the derived authentication key;
  
  generating, by the validation server computer, a replacement key from a master key, the replacement key being distinct from the token specific key and the authentication key; and
  
  activating, by the validation server computer, the token for first time use, wherein activating the token comprises, at least in part, replacing the token specific key from the token manufacturer stored in the token with the replacement key generated from the master key at least in part by establishing, by the validation server computer, a secure communication session directly with the token through a network and providing the replacement key generated from the master key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the token specific key is stored in a secure memory of the token.
  - 3. The method of claim 1, wherein the token specific information of the token includes executable validation software for storing in a secure memory.
  - 4. The method of claim 1, further comprising sending instructions for programming the token to the trusted token manufacturer.
  - 5. The method of claim 1, wherein determining the token manufacturer is approved to be the trusted token manufacturer includes performing a risk review of the token manufacturer.
  - 6. The method of claim 1, wherein the token is an embedded component of a mobile communication device.
  - 7. The method of claim 1, wherein the token is a device that includes a peripheral interface for communicating with a mobile communication device.
  - 8. The method of claim 1, wherein the token specific key stored in the token is a token specific public key of a token specific key pair, and a token specific private key of the token specific key pair is not stored in the token.
  - 9. The method of claim 1, wherein the token specific key stored in the token is a token specific public key of a token specific key pair, and a token specific private key of the token specific key pair is also stored in the token.
  - 10. The method of claim 1, wherein the token specific key stored in the token is a component of a token specific key pair, and a token specific private key of the token specific key pair is shared between the token manufacturer and the validation server computer.
  - 11. The method of claim 1, wherein the token specific key stored in the token is signed by the master key to generate a token public certificate that is stored in the token.
  - 12. The method of claim 1, wherein the trusted entity is one of an issuer, an acquirer, or a processing network.
  - 13. The method of claim 1, further comprising keeping the secure communication session active at least in part by receiving, by the validation server computer, a heartbeat message from the token.
  - 14. The method of claim 1, wherein validating the token comprises:
    - receiving, by the validation server computer, one or more pieces of machine-unique information associated with the token; and
      
      comparing, by the validation server computer, the one or more pieces of machine-unique information against a database of computer information associated with known fraudsters.
  - 15. The method of claim 14, wherein the one or more pieces of machine-unique information include a serial number of at least one of:
    - a processor, a disk drive or an operating system of a computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa International Service Association (Visa, Inc.)
Original Assignee
Visa International Service Association (Visa, Inc.)
Inventors
Hurry, Simon, Hammad, Ayman
Primary Examiner(s)
Nilforoush, Mohammad A.

Application Number

US13/937,042
Publication Number

US 20140019364A1
Time in Patent Office

2,437 Days
Field of Search

705 50-912
US Class Current
CPC Class Codes

G06F 21/33   using certificates

G06F 21/34   involving the use of extern...

G06F 2221/2129   Authenticate client device ...

G06Q 20/355   Personalisation of cards fo...

G06Q 20/3552   Downloading or loading of p...

G06Q 20/3829   involving key management

Anytime validation tokens

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

582 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Anytime validation tokens

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

582 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links