Electronic transaction systems and methods therefor

US 20020023215A1
Filed: 02/23/2001
Published: 02/21/2002
Est. Priority Date: 12/04/1996
Status: Active Grant

First Claim

Patent Images

1. In a portable electronic authorization device (PEAD) without tamper proof storage of a user'"'"'s private key, a method for approving a transaction request originates from an electronic transaction system, comprising:

receiving at said portable electronic authorization device first digital data, said first digital data representing said transaction request; and

if said transaction request is approved by a user of said portable electronic authorization device, decrypting the user private key using a decryption key from a remote server, and transmitting a second digital data to said electronic transaction system, said second digital data being encrypted by said user private key.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus are disclosed for approving a transaction request between an electronic transaction system and a portable electronic authorization device (PEAD) carried by a user using an electronic service authorization token. The method includes the steps of receiving at the PEAD first digital data representing the transaction request. The PEAD provides information to the user regarding an ability to approve the transaction request. When the transaction request is approved by the user, the PEAD receives second digital data representing the electronic service authorization token. In one aspect of the invention, the method and apparatus include a remote agent server that provides a bridge between the electronic transaction system and the PEAD. In an embodiment providing a further level of security, the private key is stored on the portable device, encrypted. The decryption key is stored outside of the device, at a trusted 3^rdparty location. When the user attempts to make a signature the software sends a request for the decryption key, along with the user'"'"'s password or pass phrase keyed in at the keyboard of the PDA, smart phone, or cell phone, to a server belonging to the trusted 3^rdparty. This password is usually, but not always, different than the password stored in the PEAD. The server checks the password or pass phrase and, if it is correct sends the decryption key to the portable device, where it is used once and immediately discarded. In yet another aspect of the invention, the user'"'"'s password is securely encoded in the method and apparatus and are used at a point-of-sale location. Advantages of the invention include the ability to securely and conveniently perform transactions in a portable device.

Citations

28 Claims

1. In a portable electronic authorization device (PEAD) without tamper proof storage of a user'"'"'s private key, a method for approving a transaction request originates from an electronic transaction system, comprising:
- receiving at said portable electronic authorization device first digital data, said first digital data representing said transaction request; and
  
  if said transaction request is approved by a user of said portable electronic authorization device, decrypting the user private key using a decryption key from a remote server, and transmitting a second digital data to said electronic transaction system, said second digital data being encrypted by said user private key.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 17, 18, 19, 20, 21)
- - 3. A method as claimed in claim 1 wherein decrypting the user private key includes sending a request from the PEAD to the server including a password from the user of the PEAD.
  - 4. A method as claimed in claim 3 wherein the request includes transmitting a user password or pass phrase.
  - 5. A method as claimed in claim 4 wherein the password or pass phrase is keyed in at the PEAD.
  - 6. A method as claimed in claim 5 wherein if the password or pass phrase provided to the server is incorrect, the PEAD is informed and the event is recorded.
  - 7. A method as claimed in claim 6 wherein once a certain number of failures due to an uncorrected password or pass phrase have occurred, the users account associated with the private key is deactivated.
  - 8. A method as claimed in claim 7 wherein upon deactivation of the account, the server will refuse to provide the decryption key.
  - 9. A method as claimed in claim 1 wherein the user private key is stored in the PEAD encrypted with a symmetric key scheme.
  - 10. A method as claimed in claim 9 wherein the symmetric key scheme is 3DES.
  - 11. A method as claimed in claim 10 wherein the 3DES key is stored in the remote server associated with an authorization test password or pass phrase for the user.
  - 12. A method as claimed in claim 11 wherein whenever the user needs to authorize a transaction, the user inputs the password or pass phrase at a keyboard at the PEAD.
  - 13. A method as claimed in claim 12 where upon the password or pass phrase being keyed into the PEAD, it is transmitted to the remote server, the remote server returning the symmetric key to the PEAD for decrypting the private key.
  - 14. A method as claimed in claim 13 wherein after finishing the signing process, both the 3DES key and the plain private key, the password or pass phrase entered by the user are deleted from the PEAD.
  - 15. A method as claimed in claim 14 wherein the remote server will monitor and detect any unauthorized attempted access of the symmetric key stored at the server, and notifies the PEAD user through e-mail alert, phone call or message alert.
  - 17. A method as claimed in claim 16 wherein the request includes transmitting a user password or pass phrase.
  - 18. A method as claimed in claim 17 wherein the password or pass phrase is keyed in at the electronic authorization system.
  - 19. A method as claimed in claim 18 wherein if the password or pass phrase provided to the server is incorrect, the electronic authorization system is informed and the event is recorded.
  - 20. A method as claimed in claim 19 wherein once a certain number of failures due to an uncorrected password or pass phrase have occurred, the users account associated with the private key is deactivated.
  - 21. A method as claimed in claim 20 wherein upon deactivation of the account, the server will refuse to provide the decryption key.

2. In an electronic authorization system without tamper proof storage of a user'"'"'s private key, a method for approving a transaction request originating from an electronic transaction system, comprising:
- receiving at said electronic authorization system first digital data, said first digital data representing said transaction request; and
  
  if said transaction request is approved by a user of said electronic authorization system, decrypting the user private key using a decryption key from a remote server, transmitting a second digital data to said electronic transaction system, said second digital data being encrypted by said user private key.
- View Dependent Claims (16, 22, 23, 24, 25, 26, 27, 28)
- - 16. A method as claimed in claim 2 wherein decrypting the user private key includes sending a request from the electronic authorization system to the server including a password from the user of the electronic authorization system.
  - 22. A method as claimed in claim 2 wherein the user private key is stored in the electronic authorization system encrypted with a symmetric key scheme.
  - 23. A method as claimed in claim 22 wherein the symmetric key scheme is 3DES.
  - 24. A method as claimed in claim 23 wherein the 3DES key is stored in the remote server associated with an authorization test password or pass phrase for the user.
  - 25. A method as claimed in claim 24 wherein whenever the user needs to authorize a transaction, the user inputs the password or pass phrase at a keyboard at the electronic authorization system.
  - 26. A method as claimed in claim 25 where upon the password or pass phrase being keyed into the electronic authorization system, it is transmitted to the remote server, the remote server returning the symmetric key to the electronic authorization system for decrypting the private key.
  - 27. A method as claimed in claim 26 wherein after finishing the signing process, both the 3DES key and the plain private key, the password or pass phrase entered by the user are deleted from the electronic authorization system.
  - 28. A method as claimed in claim 27 wherein the remote server will monitor and detect any unauthorized attempted access of the symmetric key stored at the server, and notifies the electronic authorization system user through e-mail alert, phone call or message alert.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServStor Technologies, LLC (IP Investments Group LLC)
Original Assignee
Otomaku Properties Ltd LLC (Intellectual Ventures LLC)
Inventors
Grizzard, James A., Wang, Ynjiun P., Ding, Joshua C.

Granted Patent

US 8,225,089 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

G06Q 20/00   Payment architectures, sche...

G06Q 20/02   involving a neutral party, ...

G06Q 20/18   involving self-service term...

G06Q 20/322   Aspects of commerce using m...

G06Q 20/327   Short range or proximity pa...

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/3415   Cards acting autonomously a...

G06Q 20/363   with the personal data of a...

G06Q 20/3674   involving authentication

G06Q 20/3823   combining multiple encrypti...

G06Q 20/40   Authorisation, e.g. identif...

G06Q 20/40975   using encryption therefor

G07F 19/20   Automatic teller machines [...

G07F 7/0866   by active credit-cards adap...

G07F 7/0886   the card reader being porta...

G07F 7/1008   Active credit-cards provide...

G07F 7/1016   Devices or methods for secu...

G07F 7/1025   Identification of user by a...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless

H04L 2463/102 : applying security measure f...

H04L 63/0428 : wherein the data content is...

H04L 63/0442 : wherein the sending and rec...

H04L 63/0853 : using an additional device,...

H04L 9/0897 : involving additional device...

H04L 9/3226 : using a predetermined code,...

H04L 9/3234 : involving additional secure...

H04L 9/3247 : involving digital signatures

View All

Electronic transaction systems and methods therefor

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Electronic transaction systems and methods therefor

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links