TRUSTED SERVICE MANAGER (TSM) ARCHITECTURES AND METHODS

US 20130198086A1
Filed: 03/11/2013
Published: 08/01/2013
Est. Priority Date: 06/06/2008
Status: Active Grant

First Claim

Patent Images

1. A client device, comprising:

a first secure element comprising a first computer-readable medium having a payment application comprising instructions for causing the client device to initiate a financial transaction, wherein;

the payment application has been securely downloaded to the first secure element from a trusted service manager (TSM); and

the first secure element is programmed to download the payment application in response to determining that the payment application is signed by the TSM;

a second secure element, physically separate from the first secure element, comprisinga second computer-readable medium having a security key, a payment instrument, stored authentication data, and instructions for generating a secure payment information message responsive to the payment application, wherein;

the security key is excluded from the first secure element;

the payment instrument is excluded from the first secure element;

the client device is registered with the TSM only through the second secure element, exclusive of the first secure element, so that registering the client device with the TSM for authentication includes registering and storing the stored authentication data, wherein the stored authentication data is excluded from the first secure element;

the second computer-readable medium includes instructions for;

comparing a user authentication input to the stored authentication data in response to signaling by the payment application andgenerating the secure payment information message in response to an authentication including a match of the user authentication input with the stored authentication data; and

wherein the secure payment information message comprises the payment instrument and is encrypted in accordance with the security key.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A client device comprises a first secure element and a second secure element. The first secure element comprises a first computer-readable medium having a payment application comprising instructions for causing the client device to initiate a financial transaction. The second secure element comprises a second computer-readable medium having a security key, a payment instrument, stored authentication data and instructions for generating a secure payment information message responsive to the payment application. The secure payment information message comprises the payment instrument and is encrypted in accordance with the security key.

102 Citations

View as Search Results

18 Claims

1. A client device, comprising:
- a first secure element comprising a first computer-readable medium having a payment application comprising instructions for causing the client device to initiate a financial transaction, wherein;
  
  the payment application has been securely downloaded to the first secure element from a trusted service manager (TSM); and
  
  the first secure element is programmed to download the payment application in response to determining that the payment application is signed by the TSM;
  
  a second secure element, physically separate from the first secure element, comprisinga second computer-readable medium having a security key, a payment instrument, stored authentication data, and instructions for generating a secure payment information message responsive to the payment application, wherein;
  
  the security key is excluded from the first secure element;
  
  the payment instrument is excluded from the first secure element;
  
  the client device is registered with the TSM only through the second secure element, exclusive of the first secure element, so that registering the client device with the TSM for authentication includes registering and storing the stored authentication data, wherein the stored authentication data is excluded from the first secure element;
  
  the second computer-readable medium includes instructions for;
  
  comparing a user authentication input to the stored authentication data in response to signaling by the payment application andgenerating the secure payment information message in response to an authentication including a match of the user authentication input with the stored authentication data; and
  
  wherein the secure payment information message comprises the payment instrument and is encrypted in accordance with the security key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The client device of claim 1, further comprising:
    - a user authentication input device for inputting user authentication data;
      
      a secure tunnel circuit for secure input of the authentication data directly to the second secure element;
      
      wherein the second secure element generates the secure payment information message if the user authentication data matches the stored authentication data.
  - 3. The client device of claim 2, wherein the user authentication input device comprises a biometric sensor and the authentication data comprises a biometric signature corresponding to a biometric feature of a user.
  - 4. The client device of claim 3, wherein the biometric sensor comprises one of a finger/thumb-print sensor, a voice recognition sensor or a retina scanner.
  - 5. The client device of claim 2, wherein the user authentication input device comprises a keyboard and the authentication data comprises a personal identifying number (PIN).
  - 6. The client device of claim 3, further comprising a keyboard for entering a PIN, the keyboard being connected to the second secure element by a second secure tunnel circuit.
  - 7. The client device of claim 6, wherein the authentication data comprise biometric data and a stored PIN.
  - 8. The client device of claim 7, further comprising means for switching the client device into a secure payment mode, wherein the second secure tunnel circuit is enabled when the client device is in the secure payment mode.
  - 9. The client device of claim 1, further comprising a communication chip for communicating the secure payment information message responsive to the payment application, wherein the message is transmitted in one of NFC, infrared, Bluetooth or SMS.
  - 10. The client device of claim 1, wherein the secure payment information message is a secure SMS message addressed to a trusted service manager (TSM) and comprising an address for a financial service provider (SP) to which the TSM is to forward the secure payment information message.
  - 11. The client device of claim 10, wherein the payment information is encrypted using AES-256, and an SHA-512 HMAC is attached.

12. A trusted service manager (TSM) server comprising a computer-readable medium containing instructions to facilitate financial transactions via short message service (SMS) over a network by performing a method comprising:
- generating a random key for a client device;
  
  encrypting the random key using a public certificate of the client device;
  
  sending the random key to the client device for storage in a crypto secure element, wherein;
  
  the client device is registered with the TSM only through the crypto secure element, exclusive of an app secure element that is physically separate from the crypto secure element,the security key and a payment instrument are excluded from the app secure element, so that registering the client device with the TSM for authentication includes registering and storing an authentication data, andthe stored authentication data is excluded from the app secure element;
  
  securely uploading a payment application to the app secure element of the client device from the TSM server, wherein the app secure element is programmed to download the payment application in response to determining that the payment application is signed by the TSM;
  
  receiving an encrypted SMS message comprising a payment certificate and an address of a service provider (SP), wherein the SMS message from the client device is encrypted in accordance with the random key;
  
  decrypting the SMS message using the random key and determining the address of the SP;
  
  re-encrypting the SMS message using a second stored key corresponding to the SP; and
  
  forwarding the re-encrypted SMS message to the SP for completion of a financial transaction.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The trusted service manager server of claim 12, wherein the random key comprises AES-256 and SHA-512.
  - 14. The trusted service manager server of claim 12, wherein the random key is established using the Diffie-Hellman (D-H) key exchange.
  - 15. The trusted service manager server of claim 12, wherein the encrypted SMS message is a secure SMS message addressed to the trusted service manager (TSM) and comprising the address for the financial service provider (SP) to which the TSM is to forward the encrypted SMS message.
  - 16. The trusted service manager server of claim 12, wherein the encrypted SMS message is sent by a secure SMS, wherein when an SMS is sent, the message is encrypted using AES-256, and SHA-512 HMAC is attached.
  - 17. The trusted service manager server of claim 12, wherein:
    - the encrypted SMS message is sent by a secure SMS, wherein when an SMS is sent, the message is encrypted using AES-256, and SHA-512 HMAC is attached, andthe SHA-512 HMAC is 64 bytes in binary and truncation is used to bring data to 32 bytes of BASE-64 encoding.
  - 18. The trusted service manager server of claim 12, wherein:
    - the encrypted SMS message is sent by a secure SMS, wherein when an SMS is sent, the message is encrypted using AES-256, and SHA-512 HMAC is attached, anda counter tags the secure payment information message for replay protection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
PayPal, Inc. (PayPal Holdings, Inc.)
Original Assignee
eBay Inc.
Inventors
Mardikar, Upendra

Granted Patent

US 9,852,418 B2
Time in Patent Office

Days
Field of Search
US Class Current

705/71
CPC Class Codes

G06Q 20/1085   involving automatic teller ...

G06Q 20/20   Point-of-sale [POS] network...

G06Q 20/204   comprising interface for re...

G06Q 20/3223   Realising banking transacti...

G06Q 20/3227   using secure elements embed...

G06Q 20/3265   characterised by personalis...

G06Q 20/3278   RFID or NFC payments by mea...

G06Q 20/367   involving electronic purses...

G06Q 20/3674   involving authentication

G06Q 20/382   insuring higher security of...

G06Q 20/3821   Electronic credentials

G06Q 20/3829   involving key management

G06Q 20/40   Authorisation, e.g. identif...

G06Q 20/4012   Verifying personal identifi...

G06Q 20/40145   Biometric identity checks

G06Q 40/00   Finance; Insurance; Tax str...

G07C 9/257   electronically G07C9/26 tak...

G07F 7/0826   Embedded security module

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless network architectu...

H04L 63/0823 : using certificates cryptogr...

H04L 63/0861 : using biometrical features,...

H04L 9/3231 : Biological data, e.g. finge...

H04W 12/069 : using certificates or pre-s...

H04W 4/80 : Services using short range ...

View All

TRUSTED SERVICE MANAGER (TSM) ARCHITECTURES AND METHODS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

102 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

TRUSTED SERVICE MANAGER (TSM) ARCHITECTURES AND METHODS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

102 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links