AUTHENTICATION FOR A COMMERCIAL TRANSACTION USING A MOBILE MODULE

US 20060235796A1
Filed: 04/18/2006
Published: 10/19/2006
Est. Priority Date: 04/19/2005
Status: Active Grant

First Claim

Patent Images

1-24. -24. (canceled)

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Current embodiments provide for authorization and payment of an online commercial transaction between a purchaser and a merchant including verification of an identity of the purchaser and verification of an ability of the purchaser to pay for the transaction, where the identity provider and the payment provider are often different network entities. Other embodiments also provide for protocols, computing systems, and other mechanisms that allow for identity and payment authentication using a mobile module, which establishes single or multilevel security over an untrusted network (e.g., the Internet). Still other embodiments also provide for a three-way secure communication between a merchant, consumer, and payment provider such that sensitive account information is opaque to the merchant, yet the merchant is sufficiently confident of the consumer'"'"'s ability to pay for requested purchases. In yet another embodiment, electronic billing information is used for authorization, auditing, payment federation, and other purposes.

374 Citations

122 Claims

1-24. -24. (canceled)

25. At a computing device in a distributed network environment, a method of authenticating a mobile module of portable device as being tied to a billing account of a mobile infrastructure in order to allow a user access to services, goods, or both, by validating the mobile module over a network independent of the mobile infrastructure'"'"'s radio network, the method comprising:
- receiving a request to authenticate a mobile module when attempting to gain access to services, goods, or both;
  
  receiving one or more credentials from the mobile module used by a mobile infrastructure in validating billing account information thereof;
  
  sending the one or more credentials to the mobile infrastructure over an independent network separate from the mobile infrastructure'"'"'s radio network; and
  
  receiving over the independent network authentication information corresponding to an activation status for the mobile module'"'"'s billing account on the mobile infrastructure, thus allowing for a portable digital identity for controlling access to the services, goods, or both.
- View Dependent Claims (26, 34, 35)
- - 26. The method of claim 25, wherein the mobile module is a subscriber identity module (SIM) for the mobile infrastructure, and wherein the one or more credentials includes information based on a challenge from the mobile infrastructure and a shared key between the SIM and the mobile infrastructure.
  - 34. The method of claim 25, wherein the method further comprises:
    - based on the activation status of the mobile module, determining if a contract agreement made between a merchant for the services, goods, or both, and the mobile infrastructure requires the user to enter one or more user input credentials for authenticating the user, wherein if true the method further includes;
      
      sending a request to the user to input the one or more user input credentials; and
      
      based on the user input, determining if the user is authorized to access the protected service.
  - 35. The method of claim 34, wherein the user input credentials are stored at one or more of the mobile module, the mobile infrastructure, or a server corresponding to the merchant.

27-29. -29. (canceled)

32. (canceled)
- View Dependent Claims (33)
- - 33. The method of claim 32, wherein the services, goods, or both, have multiple levels of available access, and wherein based on the authentication of the mobile device one or more of the available levels is activated.

36-83. -83. (canceled)

84. In a distributed system, a computing framework used to abstract a host computer from a mobile operator system when connecting a mobile module thereto in order to label the host computer as peripheral equipment rather than a mobile terminal subject to strict requirements of the mobile operator system, the computing framework comprising:
- a subscriber identity module (SIM) that includes information associated with a billing account for a mobile operator system;
  
  a host computer connecting the SIM to the mobile operator system over a network independent of the mobile operator system'"'"'s radio network in order to authenticate the billing account information for the SIM;
  
  a SIM driver attached to the host computer for reading information from the SIM for use in at least authenticating the SIM to the mobile operator system over the independent network; and
  
  an interface acting as a firewall between the SIM and the SIM driver that defines a protocol used to protect the SIM from attack by restricting one or more of a number, sequence, or length, of commands sent between the SIM driver and the SIM.
- View Dependent Claims (91)
- - 91. The computing framework of claim 84, wherein the protocol includes a formal state machine that is used to keep track of the one or more of the number, sequence, or length of the communications between the SIM driver and the SIM.

85-90. -90. (canceled)

92. In a computing system tied to a distributed network, a method of establishing transport level secure communications between a client and a server over an otherwise insecure network by establishing a secure tunneling between a mobile module connected to the client and a mobile infrastructure associated therewith in order to delegate session keys to at least a software stack on the client for one or more of encryption or signing purposes, the method comprising:
- identifying one or more credentials of a mobile module connected to a host computer;
  
  sending the one or more credentials to a mobile infrastructure for authentication of a valid billing account for the mobile module, wherein the request is sent over an independent network separate form a radio network corresponding to the mobile infrastructure; and
  
  based on the authentication, receiving from the mobile module a session key for use in a transport level secure communication over the independent network between the host computer and a server.
- View Dependent Claims (93, 96, 97, 98, 99, 100, 106)
- - 93. The method of claim 92, wherein the mobile module is a subscriber identity module (SIM) for the mobile infrastructure, and wherein the one or more credentials includes information based on a challenge from the mobile infrastructure and a shared key between the SIM and the mobile infrastructure.
  - 96. The method of claim 93, wherein the server is part of a framework that has a trusted relationship with the mobile infrastructure such that the session keys are also passed from the mobile infrastructure to the server for the transport level secure communication with the host computer.
  - 97. The method of claim 96, further comprising:
    - requesting a connection to a third party server not part of the framework;
      
      receiving another session key for secure communication between the host computer and the third party server; and
      
      using the another session key for transport level secure communication with the third party server.
  - 98. The method of claim 97, wherein prior to using the another session key for communicating with the third party, the method further comprises:
    - sending the another session key and a token to the third party server, wherein the third party server validates the another session key by authenticating the token through the trusted server that is part of the framework; and
      
      based on the authentication of the token, using the another session key for secure communication with the third party server.
  - 99. The method of the claim 98, wherein the third party server is a merchant of services, goods, or both, and wherein a user must also authenticate to the third party server by providing user input credentials.
  - 100. The method of claim 99, wherein authentication of the SIM to the mobile infrastructure by validating the billing account thereof is used as verification of a payment funds for the services, goods, or both, when making a purchase from the merchant.
  - 106. The method of claim 93, wherein the session key is received from the mobile infrastructure encrypted by a shared key between the SIM and the mobile infrastructure, wherein prior to receiving the session key from the SIM the method further comprises:
    - sending the encrypted key to the SIM for decryption thereof using the shared key in order to provide the session key to the host computer without compromising the shared key.

94. (canceled)

95. (canceled)

101-105. -105. (canceled)

107-113. -113. (canceled)

114. At a host computer in a distributed computing system, a method of establishing secure communication between the host computer and a server by using a protocol that authenticates a subscriber identity module (SIM) to a mobile infrastructure over a network connection independent from a radio network associated therewith, the method comprising:
- creating a request for a session key which includes a computed challenge response from a subscription identity module (SIM) attached to a host computer attempting to establish a secure communication with a server, wherein the challenge response is used to authenticate the SIM to a mobile infrastructure that holds billing status information thereof;
  
  sending the request for a session key to the server, which has a trusted relationship with the mobile infrastructure, the request for the session key sent over a network independent of a radio network related to the mobile infrastructure;
  
  receiving a response to the request for a session key, which includes the session key and is signed, encrypted, or both, by mobile infrastructure using a shared key, which indicates that the SIM appropriately authenticated to the mobile infrastructure using the challenge response;
  
  sending the session key to the SIM for validation using the shared key, which establishes a tunneled communication between the SIM and the mobile infrastructure; and
  
  upon validation of the session key, allowing the host computer to use the decrypted session key for secure communicating with the server.
- View Dependent Claims (115, 121)
- - 115. The method of claim 114, wherein the response to the request for the session key is signed by the server, the mobile infrastructure, or both.
  - 121. The method of claim 114, wherein upon authenticating the SIM to the mobile infrastructure, the method further comprises the following for authenticating a user to the mobile infrastructure over the independent network:
    - creating a request for a user token used in authenticating a user to one or more of the mobile infrastructure, the server, or other third party services;
      
      sending the request for the user token to the server over the network independent of the radio network related to the mobile infrastructure;
      
      receiving a response to the request for a user token, which includes a challenge generated from the mobile infrastructure;
      
      sending the challenge to the SIM indicating that the challenge corresponds to a user authentication in order to prompt the SIM to request one or more user credentials;
      
      receiving user input specifying the one or more user credentials, which are then forwarded to the SIM for determining an appropriate challenge response;
      
      sending the challenge response that includes the one or more user credentials to the server;
      
      receiving the user token that is signed, encrypted, or both, using the shared key by the mobile infrastructure indicating that the user has appropriately authenticated; and
      
      sending the user token to the SIM for validation using the shared key; and
      
      upon validation of the session key, allowing the host computer to use the user token in subsequent communication to the server or a third party services for secure communications therewith.

116-120. -120. (canceled)

122-190. -190. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Webster-Lam, Chung, Johnson, Bruce E.

Granted Patent

US 8,996,423 B2
Time in Patent Office

Days
Field of Search
US Class Current

705/44
CPC Class Codes

G06Q 20/02   involving a neutral party, ...

G06Q 20/12   specially adapted for elect...

G06Q 20/322   Aspects of commerce using m...

G06Q 20/3227   using secure elements embed...

G06Q 20/3229   Use of the SIM of a M-devic...

G06Q 20/3829   involving key management

G06Q 20/40   Authorisation, e.g. identif...

G06Q 20/4014   Identity check for transact...

G06Q 20/425   using two different network...

G06Q 30/02   Marketing; Price estimation...

G06Q 30/0601   Electronic shopping [e-shop...

AUTHENTICATION FOR A COMMERCIAL TRANSACTION USING A MOBILE MODULE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

374 Citations

122 Claims

Specification

Solutions

Use Cases

Quick Links

AUTHENTICATION FOR A COMMERCIAL TRANSACTION USING A MOBILE MODULE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

374 Citations

122 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links