Transaction & payment system securing remote authentication/validation of transactions from a transaction provider

US 20050283444A1
Filed: 06/21/2004
Published: 12/22/2005
Est. Priority Date: 06/21/2004
Status: Active Grant

First Claim

Patent Images

1. A method for payment and service authentication in a mobile environment, comprising:

sharing common secret keys and a seed between a remote server and at least one local server for use in connection with an authentication algorithm;

generating in the remote server and in the at least one local server a list of valid authenticated tokens for the purchase of services and/or goods and based on the shared common secret keys and seed with the authentication algorithm;

requesting and providing payment for the services and/or goods from the remote server by a mobile terminal;

selecting an authentication token from the list of valid authenticating tokens in the remote server;

returning the selected authentication token to the mobile terminal;

submitting, by the mobile terminal, the authentication token to one of the at least one local servers for the purchase of services and/or goods;

comparing the authentication token to the list of valid authentication tokens in the local server; and

providing the services and/or goods to the mobile terminal if the authentication token matches an authentication token in the list of valid authentication tokens in the at least one local server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mobile terminal is equipped for SMS payment and service authentication with a remote transaction provider. The remote provider uses common secrets & a seed in a keyed Hash Machine Address Code (HMAC) executing a Message Digest Algorithm to generate a list of authentication token (username-password) for the purchase of services an/or goods. The common secrets and seed are shared with local redemption devices which also generate the list of authentication token. A subscriber conducts payment with the remote transaction provider and receives an authentication token corresponding to the purchased service. The subscriber provides the authentication token to the redemption device which compares the authentication token with sets of valid authentication tokens generated by the redemption terminal. If the comparison indicates a match, the redemption device provides the service to the subscriber.

119 Citations

74 Claims

1. A method for payment and service authentication in a mobile environment, comprising:
- sharing common secret keys and a seed between a remote server and at least one local server for use in connection with an authentication algorithm;
  
  generating in the remote server and in the at least one local server a list of valid authenticated tokens for the purchase of services and/or goods and based on the shared common secret keys and seed with the authentication algorithm;
  
  requesting and providing payment for the services and/or goods from the remote server by a mobile terminal;
  
  selecting an authentication token from the list of valid authenticating tokens in the remote server;
  
  returning the selected authentication token to the mobile terminal;
  
  submitting, by the mobile terminal, the authentication token to one of the at least one local servers for the purchase of services and/or goods;
  
  comparing the authentication token to the list of valid authentication tokens in the local server; and
  
  providing the services and/or goods to the mobile terminal if the authentication token matches an authentication token in the list of valid authentication tokens in the at least one local server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 2. The method of claim 1, wherein the list of valid authentication tokens are periodically updated.
  - 3. The method of claim 2, wherein the list of valid tokens are periodically updated by changing at least the seed for the authentication algorithm.
  - 4. The method of claim 1 further comprising;
    - installing a communication connection between the remote and the at least one local servers which is non-continuous in operation.
  - 5. The method of claim 4, wherein the non-continuous communication connection is used for transferring from the remote server one or more seed updates to the at least one local servers.
  - 6. The method of claim 1, further comprising:
    - requesting, by the local server, mobile user identification information from the mobile terminal in exchange of providing the services and/or good to the mobile terminal.
  - 7. The method of claim 1, wherein the non-continuous communication connection is used for transferring from the at least one local servers to the remote server information relating to authentication token usage.
  - 8. The method of claim 7, wherein the authentication token usage includes at least one of a mobile terminal identification information and mobile terminal user identification information.
  - 9. The method of claim 4, wherein the non-continuous communication connection is secure.
  - 10. The method of claim 1, further comprising:
    - installing the authentication token into an electronic ticket.
  - 11. The method of claim 1, further comprising:
    - authenticating the authentication token using RFID.
  - 12. The method of claim 1, further comprising;
    - generating the list of authentication tokens by recursively applying a keyed HMAC function to the common keys and seed.
  - 13. The method of claim 1, further comprising:
    - modifying the authentication tokens via the seed to be time based.
  - 14. The method of claim 1, further comprising:
    - updating the common secret keys and seed in the remote server and the local server.
  - 15. The method of claim 1, further comprising using SMS messaging in submitting the request to the remote server.
  - 16. The method of claim 1, further comprising:
    - using short range communication to transfer the authentication token to the local server.
  - 17. The method of claim 1, further comprising:
    - limiting validity of the authentication token to a time period.
  - 18. The method of claim 1, further comprising:
    - tying an accepted authentication token to a MAC hardware address of a requester.
  - 19. The method of claim 17, further comprising:
    - dividing the time period into several sub-timing periods.
  - 20. The method of claim 19, further comprising:
    - assigning separate authentication tokens to each sub-timing period.
  - 21. The method of claim 20, further comprising:
    - calculating the separate authentication token for sub-timing periods based on the order number or the time-period of the sub-timing period.
  - 22. The method of claim 1, wherein the list of valid authentication tokens includes tokens for a current sub-timing period and tokens for a sub-timing period before and a sub-timing period after the current time period to ensure the correct validity period for the token/ticket.
  - 23. The method of claim 1, wherein the seed is assigned a date (d) in the future.
  - 24. The method of claim 23, wherein the seed is further assigned a time period (p).
  - 25. The method of claim 1, wherein the tokens are given out by the remote server in random order for single use.
  - 26. The method of claim 1, wherein the token contains two-4-character hex strings, one as a username and one as a password.
  - 27. The method of claim 1, wherein the local server compares a token to all possible tokens in time period (l) defined by a date (d);
    - a period (p) and (r) a factor providing authentication periods overlap compensating for an assumed synchronization mismatch between the local server and the remote server clocks.

28. A system for payment and service authentication in a mobile environment, comprising:
- sharing means for sharing common secret keys and a seed between a remote server and at least one local server for use in connection with an authentication algorithm;
  
  generating means for generating in the remote server and in the at least one local server a list of valid authenticating tokens for the purchase of services and/or goods and based on the shared common secret keys and seed with the authentication algorithm;
  
  requesting and providing means for requesting and providing payment for the services and/or goods from the remote server by a mobile terminal;
  
  selecting means for selecting an authentication token from the list of valid authenticating tokens in the remote server;
  
  returning means for returning the selected authentication token to the mobile terminal;
  
  submitting means, by the mobile terminal, for submitting the authentication token to one of the at least one local servers for the purchase of services and/or goods;
  
  comparing means for comparing the authentication token to the list of valid authentication tokens in the local server; and
  
  providing means for providing the services and/or goods to the mobile terminal if the authentication token matches an authentication token in the list of valid authentication tokens in the at least one local server.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53)
- - 29. The system of claim 28, wherein the list of valid authentication tokens are periodically updated.
  - 30. The system of claim 29, wherein the list of valid tokens are periodically updated by changing at least the seed for the authentication algorithm.
  - 31. The system of claim 28, further comprising:
    - installing means for installing a communication connection between the remote and the at least one local servers which is non-continuous in operation.
  - 32. The system of claim 31, wherein the non-continuous communication connection is used for transferring from the remote server one or more seed updates to the at least one local servers.
  - 33. The method of claim 28, further comprising:
    - requesting means requesting, by the local server, mobile user identification information from the mobile terminal in exchange of providing the services and/or the goods to the mobile terminal.
  - 34. The system of claim 28, wherein the non-continuous communication connection is used for transferring from the at least one local servers to the remote server information relating to authentication token usage.
  - 35. The system of claim 34, wherein the authentication token usage includes at least one of a mobile terminal identification information and mobile terminal user identification information.
  - 36. The system of claim 31, wherein the non-continuous communication connection is secure.
  - 37. The system of claim 28, wherein the authentication token is installed in a ticket.
  - 38. The system of claim 28, wherein the generating means generates the list of authentication tokens by recursively applying a keyed HMAC function to the common keys and seed.
  - 39. The system of claim 28, further comprising:
    - modifying means modifying the authentication token via the seed to be time based.
  - 40. The system of claim 28, further comprising:
    - updating means updating the common secret keys and seed in the remote server and the local server.
  - 41. The system of claim 28, further comprising terminal means enabled for submitting the SMS request to the remote server.
  - 42. The system of claim 28, further comprising:
    - terminal means enabled for short range communication to transfer the authentication token to the local server.
  - 43. The system of claim 28, further comprising:
    - limiting means limiting validity of the authentication token to a time period.
  - 44. The system of claim 28, further comprising:
    - tying means tying an accepted authentication token to a MAC hardware address of a requester.
  - 45. The system of claim 43, further comprising:
    - dividing means dividing the time period into several sub-timing periods.
  - 46. The system of claim 45, further comprising:
    - assigning means assigning separate authentication tokens to each sub-timing period.
  - 47. The system of claim 45, further comprising:
    - calculating means calculating the separate authentication token for sub-timing periods based on the order number or the time-period of the sub-timing period.
  - 48. The system of claim 28, wherein the list of valid authentication tokens includes tokens for a current sub-timing period and tokens for a sub-timing period before and a sub-timing period after the current time period to ensure the correct validity period for the token/ticket.
  - 49. The system of claim 28, wherein the seed is assigned a date (d) in the future.
  - 50. The system of claim 49, wherein the seed is further assigned a time period (p).
  - 51. The system of claim 29, wherein the tokens are given out by the remote server in random order for single use.
  - 52. The system of claim 28, wherein the token contains two-4-character hex strings, one as a username an one as a password.
  - 53. The system of claim 28, wherein the local server compares a token to all possible tokens in time period (l) defined by a date (d);
    - a period (p) and (r) a factor providing authentication period over lap compensating for an assumed synchronization mismatch between the local server and the remote server clocks.

54. A medium, executable in a computer system, for payment and service authentication in a mobile environment, the medium, comprising:
- program code for selecting and storing common secret keys and a seed in a remote server for use in an authentication algorithm;
  
  program code for generating in the remote server a list of username-passwords as authentication token applicable for the purchase of services and/or goods and based on the common secret keys and seed;
  
  program code for storing and executing the authentication algorithm in at least one local server to generate and store the list of authentication token in the local server;
  
  program code for requesting and providing payment for services from the remote server;
  
  program code for generating in the remote server an authentication token from the list and tied to the request;
  
  program code for submitting the authentication token to the local server for the purchase of services and/or good;
  
  program code for comparing the authentication token to the list of authentication token generated in the local server from the common secrets and the seed; and
  
  program code for providing the service and/or goods if the authentication token matches an authentication token in the list.
- View Dependent Claims (56)
- - 56. The medium of claim 54, further comprising:
    - program code for requesting, by the local server, mobile user identification information from the mobile terminal in exchange of providing the service and/or the goods to the mobile terminal.

55. A medium, executable in a computer system, for payment and service authentication in a mobile environment, the medium comprising:
- program code for sharing common secret keys and a seed between a remote server and at least one local server for use in connection with an authentication algorithm;
  
  program code for generating in the remote server and in the at least one local server a list of valid authenticating tokens for the purchase of services and/or goods and based on the shared common secret keys and seed with the authentication algorithm;
  
  program code for requesting and providing payment for the services and/or goods from the remote server by a mobile terminal;
  
  program code for selecting an authentication token from the list of valid authenticating tokens in the remote server;
  
  program code for returning the selected authentication token to the mobile terminal;
  
  program code for submitting, by the mobile terminal, the authentication token to one of the at least one local servers for the purchase of services and/or goods;
  
  program code for comparing the authentication token to the list of valid authentication tokens in the local server; and
  
  program code for providing the services and/or goods to the mobile terminal if the authentication token matches an authentication token in the list of valid authentication tokens in the at least one local server.
- View Dependent Claims (57, 58, 59, 60, 61, 62, 63, 64)
- - 57. The medium of claim 55, further comprising;
    - program code for installing a communication connection between the remote and the at least one local servers which is non-continuous in operation.
  - 58. The medium of claim 57, wherein the non-continuous communication connection is used for transferring from the remote server one or more seed updates to the at least one local servers.
  - 59. The medium of claim 57, wherein the non-continuous communication connection is used for transferring from the at least one local servers to the remote server information relating to authentication token usage.
  - 60. The medium of claim 55, wherein the authentication token usage includes at least one of a mobile terminal identification information and mobile terminal user identification information.
  - 61. The medium of claim 57, wherein the non-continuous communication connection is secure.
  - 62. The medium of claim 55, further comprising:
    - program code for installing the authentication token into an electronic ticket.
  - 63. The medium of claim 55, further comprising:
    - program code for authenticating the authentication token using RFID.
  - 64. The medium of claim 55, further comprising:
    - program code for updating the common secret keys and seed in the remote server and the local server.

65. Transaction and payment apparatus operating in a mobile environment, comprising:
- means for selecting and storing common secret keys and a seed for use in an authentication algorithm;
  
  first communication means for sharing the common secret keys and the seed with at least one local server;
  
  means for generating a list of valid authentication tokens for services and/or goods available from a supplier based on the common secret keys and the seed with the authentication algorithm;
  
  second communication means implementing short message protocol for communication with remote users accessing the apparatus via a mobile terminal;
  
  transaction server means for processing requests by the users for the available services and/or goods and selecting an authentication token from the list of valid authenticating tokens for the requested services and/or goods after payment by the user; and
  
  transmitting means transmitting the selected authentication token to the user via the second communication means for the requested services and/or goods.

66. Redemption apparatus operating in a mobile environment, comprising a local server for processing and validating tickets/tokens presented by users for available services and/or goods;
- communication means coupled to a transaction server on a non-continuous basis for receiving common secret keys and a seed for use in an authentication algorithm;
  
  generating means generating a list of valid authenticated ticket/tokens for the purchase of services and/or goods based on the shared common secret keys and seed with the authenticating algorithm; and
  
  comparing means for comparing tickets/tokens presented by a user against the list of valid authenticated tickets/token for access to the available services and/or goods in the case of validated tickets/tokens.
- View Dependent Claims (67, 68, 70)
- - 67. The redemption apparatus of claim 66, further comprising;
    - storing means for storing the common secret keys and seed received from the transaction server.
  - 68. The redemption apparatus of claim 66, further comprising:
    - short-range communication means for receiving ticket/token information from a user via a mobile device.
  - 70. The redemption apparatus of claim 66, wherein the local server provides the transaction server with token/ticket misuse information.

69. The redemption apparatus of 66, wherein the comparing means compares a token to all possible tokens in time period (l) defined by a date (d);
- a period (p) and (r) a factor providing authentication periods overlap compensating for an assumed synchronization mismatch between the local server and the transaction server clocks.

71. A mobile terminal for acquiring services and/or goods in a mobile environment, comprising:
- a cellular network interface for communicating with a transaction server over a cellular network for (a) the purchase of authenticated tickets/tokens in electronic form usable for acquiring of services and/or goods, and (b) payment for such services and/or goods in order to receive the authenticated tickets/tokens;
  
  a storage device for storing the authenticated tickets/tokens in the terminal; and
  
  a short-range communication interface for transferring the authenticated tickets/tokens to a local server for acquisition of the services and/or goods after validation of the authenticated tickets/tokens by the local server.
- View Dependent Claims (72, 73, 74)
- - 72. The mobile terminal of claim 71, wherein the authenticated tickets/tokens are stored in a storage device coupled to a RFID.
  - 73. The mobile device of claim 71, wherein the mobile device communicate with the transaction server using short message service.
  - 74. The mobile device of claim 72, wherein the local server transmits a RF interrogating signal to download the authenticated tickets/tokens from the mobile device for processing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Corporation
Inventors
Ekberg, Jan-Erik

Granted Patent

US 7,693,797 B2
Time in Patent Office

Days
Field of Search
US Class Current

705/67
CPC Class Codes

G06Q 20/02   involving a neutral party, ...

G06Q 20/045   using payment protocols inv...

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/367   involving electronic purses...

G06Q 20/3674   involving authentication

G06Q 20/382   insuring higher security of...

G06Q 20/38215   Use of certificates or encr...

G06Q 20/3823   combining multiple encrypti...

G06Q 20/385   using an alias or single-us...

G06Q 20/40   Authorisation, e.g. identif...

G07F 7/0886   the card reader being porta...

G07F 7/1008   Active credit-cards provide...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 9/32   including means for verifyi...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3242   involving keyed hash functi...

Transaction & payment system securing remote authentication/validation of transactions from a transaction provider

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

119 Citations

74 Claims

Specification

Use Cases

Quick Links

Others

Transaction & payment system securing remote authentication/validation of transactions from a transaction provider

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

74 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others