Dual-Interface Key Management

US 20110035604A1
Filed: 10/20/2010
Published: 02/10/2011
Est. Priority Date: 10/21/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving key-management information at an access card;

storing the key-management information in a memory of the access card, whereinsaid storing stores the key-management information as stored key-management information,the access card is configured such that the stored key-management information cannot be modified in response to information received via a first interface of the access card,the key-management information is received via a second interface of the access card, andthe second interface is distinct from the first interface;

generating an access request based at least in part on the stored key-management information; and

transmitting the access request from the access card via the first interface.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a device includes a first interface, a second interface, a memory, and a processor coupled to the first and second interfaces and to the memory. The processor is configured to receive key-management information via the second interface, and to store the key-management information in a protected portion of the memory as stored key-management information. The processor is also configured to perform a challenge-response authentication interaction via the first interface. The challenge-response authentication interaction is based at least in part on the stored key-management information. The device is configured to prevent data in the protected portion of the memory from being modified in response to information received via the first interface.

Citations

20 Claims

1. A method comprising:
- receiving key-management information at an access card;
  
  storing the key-management information in a memory of the access card, whereinsaid storing stores the key-management information as stored key-management information,the access card is configured such that the stored key-management information cannot be modified in response to information received via a first interface of the access card,the key-management information is received via a second interface of the access card, andthe second interface is distinct from the first interface;
  
  generating an access request based at least in part on the stored key-management information; and
  
  transmitting the access request from the access card via the first interface.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein:
    - the first interface is a contactless interface;
      
      the second interface is a contact interface; and
      
      the key-management information comprises a key used in the generating the access request.
  - 3. The method of claim 2, wherein:
    - the key-management information comprises at least one of;
      
      a key lifetime information for the key,a revocation condition for the key,information describing a communication protocol for the access request, orauthorization rights information for a user of the access card; and
      
      the transmitting the key-management information comprises transmitting a card credential and an unencrypted copy of a card key via the contact interface to the access card.
  - 4. The method of claim 2, wherein:
    - the key-management information comprises information used to increase a funds balance value stored on the access card; and
      
      the generating the access request access request decreases the funds balance value.
  - 5. The method of claim 2, wherein:
    - the access card is configured to perform authentications for login requests to a computing system;
      
      the authentications require communication via the contact interface; and
      
      the storing the key-management information comprises;
      
      in response to each of the authentications, renewing a physical-access key in the memory.
  - 6. The method of claim 2, further comprising:
    - receiving a challenge data according to an authentication protocol from a provider of the key-management information; and
      
      processing the challenge data to obtain at least a portion of the key-management information.
  - 7. The method of claim 2, further comprising:
    - generating a card credential, wherein;
      
      the generating the card credential comprises encrypting a card key using a server encryption key,the card key is usable for a challenge-response interaction,the key-management information comprises the card credential and an unencrypted copy of the card key,the access request comprises a request for authentication,storing the card credential in the access card;
      
      receiving a challenge data in an authentication protocol;
      
      generating a candidate response based at least in part onthe challenge data, andthe card key as stored in the memory, whereinthe access request comprises the card credential and the candidate response.

8. A device comprising:
- a first interface;
  
  a second interface, distinct from the first interface;
  
  a memory; and
  
  a processor coupled to the first interface, the second interface, and the memory, whereinthe processor is configured to receive key-management information via the second interface,the processor is configured to store the key-management information in a protected portion of the memory as stored key-management information,the processor is configured to perform a challenge-response authentication interaction via the first interface,the challenge-response authentication interaction is based at least in part on the stored key-management information, andthe device is configured to prevent data in the protected portion of the memory from being modified in response to information received via the first interface.
- View Dependent Claims (9, 10)
- - 9. The device of claim 8, comprising a physical-access card, whereinthe processor comprises hardware configured to prevent access from the first interface to the protected portion of the memory;
    - the first interface is a contactless interface;
      
      the second interface is a contact interface; and
      
      the key-management information comprises a time-limited key for the challenge-response authentication interaction.
  - 10. The device of claim 8, comprising a mobile communications device, wherein:
    - the first interface is a near-field communication (NFC) interface of the mobile communications device, andthe second interface is a mobile telephony interface of the mobile communications device.

11. A system comprising:
- means for receiving key-management information at an access card, whereinthe access card comprisesa first interface,a second interface, distinct from the first interface, anda memory, andthe key-management information is received via the second interface;
  
  means for storing the key-management information in the memory, whereinthe means for storing stores the key-management information as stored key-management information, andthe access card is configured such that the stored key-management information cannot be modified in response to information received via the first interface;
  
  means for generating an access request based at least in part on the stored key-management information; and
  
  means for transmitting the access request from the access card via the first interface.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The system of claim 11, wherein:
    - the first interface is a contactless interface;
      
      the second interface is a contact interface; and
      
      the key-management information comprises a key used in the generating the access request.
  - 13. The system of claim 12, wherein:
    - the key-management information comprises information used to increase a funds balance value stored on the access card; and
      
      the generating the access request access request decreases the funds balance value.
  - 14. The system of claim 12, wherein:
    - the access card is configured to perform authentications for login requests to a computing system;
      
      the authentications require communication via the contactless interface; and
      
      the storing the key-management information comprises;
      
      in response to each of the authentications, renewing a physical-access key in the memory.
  - 15. The system of claim 12, wherein:
    - receiving a challenge data according to an authentication protocol from a provider of the key-management information; and
      
      processing the challenge data to obtain at least a portion of the key-management information.
  - 16. The system of claim 12, wherein:
    - generating a card credential, wherein;
      
      the generating the card credential comprises encrypting a card key using a server encryption key,the card key is usable for a challenge-response interaction,the key-management information comprises the card credential and an unencrypted copy of the card key,the access request comprises a request for authentication,storing the card credential in the access card;
      
      receiving a challenge data in an authentication protocol;
      
      generating a candidate response based at least in part onthe challenge data, andthe card key as stored in the memory, whereinthe access request comprises the card credential and the candidate response.

17. A computer-readable storage medium having encoded thereon instruction executable by one or more processors to perform acts comprising:
- receiving key-management information at an access card, whereinthe access card comprisesa first interface,a second interface, distinct from the first interface, anda memory, andthe key-management information is received via the second interface;
  
  storing the key-management information in the memory, whereinthe storing stores the key-management information as stored key-management information, andthe access card is configured to prevent the stored key-management information from being modified in response to information received via the first interface;
  
  generating an access request based at least in part on the stored key-management information; and
  
  transmitting the access request from the access card via the first interface.

18. A system comprising:
- an interface;
  
  a memory; and
  
  a processor coupled to the interface and to the memory, wherein the processor is configured toreceive challenge data according to an authentication protocol via the interface,process the challenge data to obtain key-management information from the challenge data, andstore the key-management information in the memory.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, whereinthe challenge data is comprised in a public key infrastructure (PKI) authentication request;
    - andthe processor is configured to request a PKI authentication of a provider of the key-management information.
  - 20. The system of claim 19, wherein the processor is configured to:
    - generate a response to the key-management information; and
      
      transmit the response in the form of a second challenge data to the provider of the key-management information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Habraken G. Wouter
Original Assignee
Habraken G. Wouter
Inventors
Habraken, G. Wouter

Granted Patent

US 8,689,013 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/193
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/34   involving the use of extern...

G06F 21/35   communicating wirelessly

G06Q 20/327   Short range or proximity pa...

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/352   Contactless payments by cards

G06Q 20/409   Device specific authenticat...

G06Q 20/40975   using encryption therefor

G07C 2009/00388   code verification carried o...

G07C 2009/00412   the transmitted data signal...

G07C 2009/00793   by Hertzian waves

G07C 9/22   in combination with an iden...

G07F 7/08   by coded identity card or c...

G07F 7/1008   Active credit-cards provide...

G07F 7/1016   Devices or methods for secu...

Dual-Interface Key Management

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Dual-Interface Key Management

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links