METHOD AND SYSTEM FOR SECURE AUTHENTICATION

US 20100217999A1
Filed: 03/01/2010
Published: 08/26/2010
Est. Priority Date: 03/31/2003
Status: Active Grant

First Claim

Patent Images

1-32. -32. (canceled)

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method configured to provide secure Personal Identification Number (PIN) based authentication is disclosed. A passcode or PIN associated with a customer value card can be securely authenticated by an issuer prior to authorizing payment. An Access Control Server (ACS) can receive the PIN or passcode from a customer via a secure connection over a public network. The ACS can generate an encrypted PIN and can communicate the encrypted PIN to a remote issuer for authentication. The ACS can use one or more hardware security modules to generate the encrypted PIN. The hardware security modules can be emulated in software or implemented in hardware. The system can be configured such that the PIN is not exposed in an unencrypted form in a communication link or in hardware other than the originating customer terminal.

Citations

52 Claims

1-32. -32. (canceled)

33. A secure passcode authentication system, the system comprising:
- an Access Control Server (ACS) configured to receive a request for passcode authentication of a Primary Account Number (PAN), and configured to request a passcode corresponding to the PAN from a cardholder device, the request including a destination address for the passcode;
  
  a front end Host Security Module (HSM) having said destination address, coupled to the ACS, and configured to receive the passcode from the cardholder device and generate an encrypted passcode using a local encryption key, and configured to return the encrypted passcode to the cardholder device with an instruction to provide the encrypted passcode to the ACS; and
  
  a back end HSM coupled to the ACS, configured to receive the encrypted passcode from the ACS and further configured to recover a clear form of the passcode, generate a back end encrypted passcode, and communicate the back end encrypted passcode to the ACS.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44)
- - 34. The system of claim 33, wherein the request for passcode authentication comprises a request for a Personal Identification Number (PIN) authentication.
  - 35. The system of claim 33, wherein the ACS is further configured to receive an authentication response message from an authentication network.
  - 36. The system of claim 33, wherein the front end HSM is further configured to generate a hashed message authentication code (HMAC) and the ACS is further configured to include the HMAC in the request for the passcode.
  - 37. The system of claim 36, wherein receiving the passcode at the front end HSM further includes receiving a second HMAC, wherein the front end HSM is further configured to compare the HMAC and the second HMAC to determine if the request for the passcode has been altered.
  - 38. The system of claim 35, wherein the ACS is further configured to request authentication of the backend encrypted passcode from the authentication network.
  - 39. The system of claim 38, wherein the ACS is further configured to send the authentication response to the cardholder device.
  - 40. The system of claim 33, wherein the front end HSM comprises a software HSM.
  - 41. The system of claim 33, wherein the front end HSM comprises a hardware HSM.
  - 42. The system of claim 33, wherein the front end HSM is configured to receive the passcode over a Secure Sockets Layer (SSL) link between the cardholder device and the front end HSM.
  - 43. The system of claim 33, wherein the ACS is not able to access the clear form of the passcode.
  - 44. The system of claim 39, wherein the ACS request for authentication of the backend encrypted passcode is sent to the authentication network through an Internet Payment Gateway Server (IPGS).

45. A method for providing secure passcode authentication, the method comprising:
- receiving a request for passcode authentication of a Primary Account Number (PAN);
  
  requesting a passcode corresponding to the PAN from a cardholder device, the request including a destination address corresponding to a front end Host Security Module (HSM);
  
  receiving an encrypted passcode from the cardholder device, the passcode having been encrypted by the front end HSM;
  
  sending the encrypted passcode to a back end HSM;
  
  receiving a back end encrypted passcode from the back end HSM; and
  
  sending an authentication request including the back end encrypted passcode to an authentication network.
- View Dependent Claims (46, 47, 48)
- - 46. The method of claim 45 further comprising:
    - receiving an authentication response from the authentication network, the authentication response indicating the results of the authentication request; and
      
      sending the authentication response to the cardholder device.
  - 47. The method of claim 45 further comprising:
    - sending transaction details to the front end HSM for use in generating a Hashed Message Authentication Code (HMAC).
  - 48. The method of claim 47 wherein the request for the passcode further includes the HMAC generated by the front end HSM.

49. A non-transitory, tangible, computer readable medium comprising code executable by a processor for implementing a method comprising:
- receiving a request for passcode authentication of a Primary Account Number (PAN);
  
  requesting a passcode corresponding to the PAN from a cardholder device, the request including a destination address corresponding to a front end Host Security Module (HSM);
  
  receiving an encrypted passcode from the cardholder device, the passcode having been encrypted by the front end HSM;
  
  sending the encrypted passcode to a back end HSM;
  
  receiving a back end encrypted passcode from the back end HSM; and
  
  sending an authentication request including the back end encrypted passcode to an authentication network.
- View Dependent Claims (50, 51, 52)
- - 50. The medium of claim 49 further including code for:
    - receiving an authentication response from the authentication network, the authentication response indicating the results of the authentication request; and
      
      sending the authentication response to the cardholder device.
  - 51. The medium of claim 49 further including code for:
    - sending transaction details to the front end HSM for use in generating a Hashed Message Authentication Code (HMAC).
  - 52. The medium of claim 51, wherein the request for the passcode further includes the HMAC generated by the front end HSM.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Michael T. Clay, Neal Blackwood, Penny Cornwell, Robert W. Seaton Jr, Terence Spielman
Original Assignee
Michael T. Clay, Neal Blackwood, Penny Cornwell, Robert W. Seaton Jr, Terence Spielman
Inventors
Seaton, Robert W. JR., Blackwood, Neal, Spielman, Terence, Clay, Michael T., Cornwell, Penny

Granted Patent

US 8,359,474 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/185
CPC Class Codes

G06F 21/31   User authentication

G06F 21/33   using certificates

G06F 21/6245   Protecting personal data, e...

G06F 2221/2115   Third party

G06Q 20/04   Payment circuits

G06Q 20/12   specially adapted for elect...

G06Q 20/3823   combining multiple encrypti...

G06Q 20/4012   Verifying personal identifi...

G07F 7/1008   Active credit-cards provide...

G07F 7/1016   Devices or methods for secu...

G07F 7/1025   Identification of user by a...

H04L 2463/102   applying security measure f...

H04L 63/083   using passwords cryptograph...

METHOD AND SYSTEM FOR SECURE AUTHENTICATION

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

52 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR SECURE AUTHENTICATION

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

52 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links