SYSTEM AND METHOD FOR KEY MANAGEMENT FOR ISSUER SECURITY DOMAIN USING GLOBAL PLATFORM SPECIFICATIONS

US 20130159710A1
Filed: 12/20/2011
Published: 06/20/2013
Est. Priority Date: 12/20/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving from a server an authorization to update a first Issuer Security Domain encryption keyset;

encrypting, via a secure element on a client device, a second Issuer Security Domain keyset with a server public key to yield an encrypted second Issuer Security Domain keyset; and

sending the encrypted second Issuer Security Domain keyset to the server for updating the first Issuer Security Domain encryption keyset with the encrypted second Issuer Security Domain keyset.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein are systems, methods, and non-transitory computer-readable storage media for key management for Issuer Security Domain (ISD) using GlobalPlatform Specifications. A client receives from a server an authorization to update a first ISD keyset. The client encrypts, via a client-side secure element, a second ISD keyset with a server public key. The client sends the encrypted second ISD keyset to the server for updating the first ISD keyset with the encrypted second ISD keyset. Prior to updating, the client generates the first ISD keyset at a vendor and sends the first ISD keyset to the client-side secure element and sends the first ISD keyset encrypted with the server public key to the server. The disclosed method allows for updating of an ISD keyset of which only the client-side secure element and a server have knowledge.

72 Citations

View as Search Results

26 Claims

1. A method comprising:
- receiving from a server an authorization to update a first Issuer Security Domain encryption keyset;
  
  encrypting, via a secure element on a client device, a second Issuer Security Domain keyset with a server public key to yield an encrypted second Issuer Security Domain keyset; and
  
  sending the encrypted second Issuer Security Domain keyset to the server for updating the first Issuer Security Domain encryption keyset with the encrypted second Issuer Security Domain keyset.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the Secure Element has at least one security domain, wherein a security domain is one of an Issuer Security Domain, a Controlling Authority Security Domain and a Supplemental Security Domain.
  - 3. The method of claim 2, wherein the Issuer Security Domain is a top level security domain that manages at least one other domain.
  - 4. The method of claim 3, wherein the Issuer Security Domain manages at least one of card content, card life cycle and application life cycle.
  - 5. The method of claim 1, wherein the Secure Element is implemented according to Global Platform Card specifications.
  - 6. The method of claim 1, wherein the Secure Element stores at least one cryptographic key relating to a security domain.
  - 7. The method of claim 6, wherein access to a security domain is limited to processes with access to a cryptographic key for the security domain.
  - 8. The method of claim 1, wherein the Secure Element comprises a dedicated hardware component on a mobile device.
  - 9. The method of claim 8, wherein the server communicates with the secure element via the mobile device.
  - 10. The method of claim 8, wherein the authorization is issued during initial activation of at least one of the mobile device and an application.

11. A method comprising:
- sending, from a server to a client, an authorization to update a first Issuer Security Domain encryption keyset;
  
  receiving, at the server, an encrypted second Issuer Security Domain keyset, generated by a client within a client-side Secure Element; and
  
  updating the first Issuer Security Domain encryption keyset with the encrypted second Issuer Security Domain keyset.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein the Secure Element is implemented using Global Platform Card specifications.
  - 13. The method of claim 11, wherein the authorization is based on an Issuer Security Domain keyset initialization script generated at the server, wherein the initialization script is based on an existing encrypted Issuer Security Domain keyset.
  - 14. The method of claim 13, wherein the encrypted Issuer Security Domain keyset is decrypted at the server using a server private encryption key prior to sending the authorization.
  - 15. The method of claim 11, wherein the encrypted second Issuer Security Domain keyset is encrypted using a server public encryption key corresponding to a server private encryption key.

16. A system comprising:
- a processor;
  
  a memory storing instructions for controlling the processor to perform a method comprising;
  
  generating, at a vendor, an Issuer Security Domain encryption keyset;
  
  sending the Issuer Security Domain encryption keyset and a server public key to a Secure Element at a client, wherein the Secure Element implements at least a portion of Global Platform Card specifications;
  
  encrypting, at the vendor, the Issuer Security Domain encryption keyset with the server public key to yield an encrypted keyset; and
  
  sending the encrypted keyset to the server.
- View Dependent Claims (17, 18, 19)
- - 17. The system of claim 16, wherein the Secure Element comprises a dedicated hardware component on a mobile device.
  - 18. The system of claim 17, wherein the server services at least one Secure Element on the mobile device identified by a Secure Element identification component.
  - 19. The system of claim 18, wherein each Secure Element has a different Issuer Security Domain encryption keyset, identified by the Secure Element identification component.

20. A non-transitory computer-readable storage medium storing instructions which, when executed by a computing device, cause the computing device to perform steps comprising:
- receiving, at a client having a Secure Element, an Issuer Security Domain encryption keyset and a server public key, wherein the keyset is generated at a vendor; and
  
  storing the Issuer Security Domain encryption keyset and server public key.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The non-transitory computer-readable storage medium of claim 20, wherein the Secure Element has at least one security domain, wherein a security domain is one of an Issuer Security Domain, a Controlling Authority Security Domain and a Supplemental Security Domain.
  - 22. The non-transitory computer-readable storage medium of claim 20, wherein the Secure Element comprises an embedded chip within the client.
  - 23. The non-transitory computer-readable storage medium of claim 20, wherein the Secure Element is implemented according to Global Platform specifications.
  - 24. The non-transitory computer-readable storage medium of claim 20, wherein the Issuer Security Domain encryption keyset is generated as part of a pre-personalization stage.

25. A non-transitory computer-readable storage medium storing instructions which, when executed by a computing device, cause the computing device to perform steps comprising:
- generating an Issuer Security Domain encryption keyset;
  
  sending the Issuer Security Domain encryption keyset and a server public key to a Secure Element embedded within a client;
  
  encrypting the Issuer Security Domain encryption keyset with the server public key to yield an encrypted keyset; and
  
  sending the encrypted keyset to the server.
- View Dependent Claims (26)
- - 26. The non-transitory computer-readable storage medium of claim 25, wherein the Secure Element implements at least a portion of Global Platform Card specifications.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Khan, Ahmer A.

Granted Patent

US 9,185,089 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

G06F 21/72   in cryptographic circuits

G06Q 20/3229   Use of the SIM of a M-devic...

G06Q 20/3829   involving key management

H04L 63/062   for key distribution, e.g. ...

H04L 9/0877   using additional device, e....

H04L 9/0891   Revocation or update of sec...

H04L 9/3234   involving additional secure...

H04W 12/04   Key management, e.g. using ...

H04W 12/086   using security domains

H04W 12/35   Protecting application or s...

SYSTEM AND METHOD FOR KEY MANAGEMENT FOR ISSUER SECURITY DOMAIN USING GLOBAL PLATFORM SPECIFICATIONS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

72 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR KEY MANAGEMENT FOR ISSUER SECURITY DOMAIN USING GLOBAL PLATFORM SPECIFICATIONS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

72 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links