METHODS FOR SECURE CREDENTIAL PROVISIONING
First Claim
1. A computer-implemented method, comprising:
determining, by a user device, a one-time user public key;
sending, by the user device to a provisioning server computer, a provisioning request message including the one-time user public key;
receiving, by the user device, an encrypted provisioning response message from the provisioning server computer, the encrypted provisioning response message comprising encrypted credential data;
determining, by the user device, a response shared secret using a static server public key;
determining, by the user device, a response session key from the response shared secret, the response session key usable for decrypting the encrypted provisioning response message;
decrypting, by the user device, the encrypted provisioning response message using the response session key to determine the encrypted credential data;
determining, by the user device, a storage protection key from the response shared secret, the storage protection key being different from the response session key and usable for decrypting the encrypted credential data;
encrypting, by the user device, the storage protection key with a key encryption key to generate an encrypted storage protection key;
storing, by the user device, the encrypted storage protection key; and
storing, by the user device, the encrypted credential data.
1 Assignment
0 Petitions
Abstract
Embodiments can provide methods for securely provisioning sensitive credential data, such as a limited use key (LUK), onto a user device. In some embodiments, the credential data can be encrypted under a separate storage protection key and decrypted only at the time of a transaction, to generate a cryptogram for that transaction. End-to-end protection is thus provided both in transit and in storage, and the credential data is exposed in the clear only when it is actually required, which reduces the risk of its compromise.
173 Citations
24 Claims
1. A computer-implemented method, comprising: (set out in full under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 15, 16, 17, 18, 19, 20
11. A computer-implemented method, comprising:
receiving, by a server computer from a user device, a provisioning request message including a one-time user public key;
generating, by the server computer, a response shared secret using a static server private key and the one-time user public key;
identifying, by the server computer, credential data to be included in a provisioning response message;
determining, by the server computer, a response session key from the response shared secret, the response session key usable for encrypting the provisioning response message;
determining, by the server computer, a storage protection key from the response shared secret, the storage protection key being different from the response session key and usable for encrypting the credential data;
encrypting, by the server computer, the credential data using the storage protection key to generate encrypted credential data;
encrypting, by the server computer, the provisioning response message using the response session key to generate an encrypted provisioning response message, wherein the provisioning response message includes the encrypted credential data; and
sending, by the server computer to the user device, the encrypted provisioning response message.
Dependent claims: 12, 13, 14
21. A computer-implemented method, comprising:
determining, by a user device, a one-time user public key;
determining, by the user device, a storage protection public key;
sending, by the user device to a provisioning server computer, a provisioning request message including the one-time user public key and the storage protection public key;
receiving, by the user device, an encrypted provisioning response message from the provisioning server computer, the encrypted provisioning response message comprising encrypted credential data, wherein the encrypted credential data is encrypted using the storage protection public key;
determining, by the user device, a response shared secret using a static server public key;
determining, by the user device, a response session key from the response shared secret, the response session key usable for decrypting the encrypted provisioning response message;
decrypting, by the user device, the encrypted provisioning response message using the response session key to determine the encrypted credential data; and
storing, by the user device, the encrypted credential data.
Dependent claims: 22, 23, 24
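The independent claims above describe one exchange from two sides, and the abstract adds the transaction-time use of the stored credential. The Go program below is an added worked example of claim 1 (device side), claim 11 (server side) and that transaction-time unwrap; it is my illustration, not code from the patent or its assignee. Everything the claims leave open is an assumption of mine: the one-time and static keys are P-256 ECDH keys; both parties derive the response session key and the storage protection key from the shared secret with HKDF-SHA256 under two different labels; both encryption layers are AES-256-GCM; the key encryption key is a caller-supplied 32-byte value standing in for a device keystore key; the cryptogram is an HMAC over the transaction data; and the sample credential and keystore secret are constructed strings. Binding the outer layer to the one-time public key as associated data is also my addition. The claim 21 variant, where the credential is encrypted to a device-generated storage protection public key, is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// check panics on errors that cannot occur for well-formed input (key generation, randomness).
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// kdf is HKDF-SHA256 (RFC 5869; zero salt, one 32-byte output block) with a label as info.
// The claims only require the two derived keys to differ; the label strings are my choice.
func kdf(shared []byte, label string) []byte {
	ex := hmac.New(sha256.New, make([]byte, sha256.Size))
	ex.Write(shared)
	h := hmac.New(sha256.New, ex.Sum(nil))
	h.Write([]byte(label + "\x01"))
	return h.Sum(nil)
}

// aead builds AES-256-GCM; every key here is 32 bytes, so neither constructor can fail.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// seal returns nonce || AES-256-GCM(key, plaintext, aad); open reverses it and fails to
// authenticate on a wrong key, a wrong aad or a tampered box.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	_, err := rand.Read(nonce)
	check(err)
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func open(key, box, aad []byte) ([]byte, error) {
	gcm := aead(key)
	if len(box) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, box[:gcm.NonceSize()], box[gcm.NonceSize():], aad)
}

// ServerHandleRequest is claim 11: the credential goes under the storage protection key, then
// the whole response under the session key. Binding the outer layer to the one-time public
// key (aad) is an added choice: a captured response cannot be replayed to another request.
func ServerHandleRequest(static *ecdh.PrivateKey, credential, oneTimeUserPub []byte) ([]byte, error) {
	userPub, err := ecdh.P256().NewPublicKey(oneTimeUserPub) // untrusted input, validated here
	if err != nil {
		return nil, err
	}
	shared, err := static.ECDH(userPub)
	check(err)
	encCred := seal(kdf(shared, "storage-protection-key"), credential, nil)
	return seal(kdf(shared, "response-session-key"), encCred, oneTimeUserPub), nil
}

// UserDevice keeps only wrapped material at rest (claim 1). KEK stands in for a key held in
// the device keystore; the claims do not say where it comes from.
type UserDevice struct{ KEK, EncStorageKey, EncCredential []byte }

// Provision is claim 1; send stands in for the network round trip. The device must already
// hold serverStatic from a trusted source: nothing else authenticates the server here.
func (d *UserDevice) Provision(send func([]byte) ([]byte, error), serverStatic *ecdh.PublicKey) error {
	oneTime, err := ecdh.P256().GenerateKey(rand.Reader)
	check(err)
	resp, err := send(oneTime.PublicKey().Bytes())
	if err != nil {
		return err
	}
	shared, err := oneTime.ECDH(serverStatic)
	check(err)
	encCred, err := open(kdf(shared, "response-session-key"), resp, oneTime.PublicKey().Bytes())
	if err != nil {
		return fmt.Errorf("provisioning response did not authenticate: %w", err)
	}
	// The credential is stored still encrypted; only the storage protection key is re-wrapped.
	d.EncStorageKey = seal(d.KEK, kdf(shared, "storage-protection-key"), nil)
	d.EncCredential = encCred
	return nil
}

// Cryptogram unwraps the credential for one transaction only (abstract); the HMAC over the
// transaction data stands in for the cryptogram algorithm, which the page does not specify.
func (d *UserDevice) Cryptogram(txData []byte) ([]byte, error) {
	storageKey, err := open(d.KEK, d.EncStorageKey, nil)
	if err != nil {
		return nil, err
	}
	cred, err := open(storageKey, d.EncCredential, nil)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, cred)
	mac.Write(txData)
	return mac.Sum(nil), nil
}

func main() {
	static, err := ecdh.P256().GenerateKey(rand.Reader)
	check(err)
	luk := []byte("constructed-sample-LUK") // constructed sample credential
	dev := &UserDevice{KEK: kdf([]byte("constructed-keystore-secret"), "kek")}
	check(dev.Provision(func(p []byte) ([]byte, error) { return ServerHandleRequest(static, luk, p) }, static.PublicKey()))
	c, err := dev.Cryptogram([]byte("amount=1000;currency=840"))
	check(err)
	fmt.Printf("cryptogram %x\n", c)
}
```

Two points a practitioner would check against this design. First, the device authenticates the server only through the static server public key it already holds, so that key must be pinned in the application or delivered over a trusted channel; with a wrong key the response simply fails to authenticate in the device's open call, which is the right failure mode but also the only one. Second, the response shared secret is a function of the server's static private key and the one-time user public key that travels in the clear in the request, so anyone who recorded a provisioning response and later obtains that private key can derive both the session key and the storage protection key and recover the credential. The one-time user key gives freshness per request, not forward secrecy against server compromise; the static private key belongs in an HSM and needs a rotation plan.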