METHOD FOR SECURING OVER-THE-AIR COMMUNICATION BETWEEN A MOBILE APPLICATION AND A GATEWAY

US 20160232523A1
Filed: 09/24/2014
Published: 08/11/2016
Est. Priority Date: 09/27/2013
Status: Abandoned Application

First Claim

Patent Images

1. A method for securing transaction messages transiting between a mobile application in a mobile device and a gateway comprising when a transaction is initiated:

incrementing a transaction counter of the mobile application,deriving a session encryption key ENC from the transaction counter value and a gateway encryption key KENC, said gateway encryption key being derived from a first master gateway key,encrypting sensitive data with the session encryption key ENC,elaborating a transaction request message comprising the encrypted sensitive data, the transaction counter value, and an application identifier of the mobile application,sending the transaction request message from the mobile application through the mobile device to the gateway, the gateway being configured to compute the session encryption key from the received transaction request message, anddecrypting the received encrypted data with the computed session encryption key ENC.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention generally relates to systems and methods for performing issuer updates of data stored in a mobile device, a remote authentication, a remote payment transaction or enable the configuration of mobile application functions or operations. More specifically, the present invention relates to a method and system for securing an issuer updates processing for mobile payment application. When an update transaction is initiated, the payment application increments an Application Transaction Counter ATC and derives from this ATC a session keys. Sensitive user credential data are encrypted with the computed session keys before transmission to a gateway which is configured to compute the session keys for decryption. The decrypted user credential data are forwarded to a payment application issuer for updates.

147 Citations

28 Claims

1. A method for securing transaction messages transiting between a mobile application in a mobile device and a gateway comprising when a transaction is initiated:
- incrementing a transaction counter of the mobile application,deriving a session encryption key ENC from the transaction counter value and a gateway encryption key KENC, said gateway encryption key being derived from a first master gateway key,encrypting sensitive data with the session encryption key ENC,elaborating a transaction request message comprising the encrypted sensitive data, the transaction counter value, and an application identifier of the mobile application,sending the transaction request message from the mobile application through the mobile device to the gateway, the gateway being configured to compute the session encryption key from the received transaction request message, anddecrypting the received encrypted data with the computed session encryption key ENC.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method according to claim 1, further comprising:
    - deriving a session integrity key MAC from the transaction counter value and a gateway integrity key KMAC, said gateway integrity key being derived from a second master gateway key,computing a MAC signature value from the session integrity key MAC and at least one part of the contents of the transaction request message,adding said MAC value to the transaction request message during its elaboration,computing, by the gateway, the session integrity key from the received transaction request message and verifying, by the gateway, the MAC signature value of the received transaction request message.
  - 3. The method according to claim 2, wherein the deriving of the gateway encryption key KENC and the gateway integrity key KMAC comprises the following steps:
    - generating the first and second master gateway keys,generating the application identifier for the mobile application,deriving the gateway encryption key KENC from said application identifier, the first master key and a first derivation algorithm,deriving the gateway integrity key KMAC from said application identifier, the second master key and a second derivation algorithm,loading into the mobile application the generated application identifier, the derived gateway encryption key KENC and the derived gateway integrity key KMAC.
  - 4. The method according to claim 2, comprising, computing, by the gateway, the session encryption key KENC and the session integrity key MAC, by:
    - deriving the gateway encryption key KENC and the gateway integrity key KMAC from the received application identifier and respectively from a stored first and second master gateway key and the first and second derivation algorithm,deriving the session encryption key ENC and the session integrity key MAC from the received transaction counter value and respectively from the derived gateway encryption key KENC and the derived gateway integrity key KMAC.
  - 5. The method according to claim 3, wherein the first and the second derivation algorithm are identical.
  - 6. The method according to claim 2, wherein the first and the second master gateway key are identical.
  - 7. The method according to claim 1, wherein the mobile application, comprising the generated application identifier, the gateway encryption key KENC and the gateway integrity key KMAC, is stored into a secure element of the mobile device.
  - 8. The method according to claim 1, wherein the gateway forwards the transaction request message comprising the decrypted sensitive data to an issuer of the mobile application for processing.
  - 9. The method according to claim 1, wherein the transaction is initiated by a user of the mobile device, by the mobile device itself, or when a push message is received by the mobile application.
  - 10. The method according to claim 1, wherein the mobile application is a mobile payment application, the transaction counter is an Application Transaction Counter (ATC) and wherein the transaction request message comprises:
    - the application identifier,the current Application Transaction Counter ATC,the sensitive data comprising the contents of the magnetic-stripe data track(s), fully or partially (track 1, track 2, track
      
      3),dynamic transaction data and static application data enabling the issuer to authenticate the mobile payment application.
  - 11. The method according to claim 10, wherein the transaction initiated is an over-the-air issuer update comprising:
    - updating parameters for the mobile payment application,blocking a payment application on the mobile device,unblocking the mobile payment application,unblocking a PIN on the mobile payment application, and/orchanging the PIN on the mobile payment application.
  - 12. The method according to claim 1, wherein the transaction initiated is an authentication of the mobile communication device by the issuer.
  - 13. The method according to claim 1, wherein the transaction initiated is a payment transaction through the mobile communication device.
  - 14. The method according to claim 1, wherein the gateway communicates with the issuer through a secured processing network.

15. A transaction processing system, comprising a mobile application stored into a mobile device, said mobile application being configured to communicate with an issuer via the mobile communication device across a gateway, wherein transaction messages transiting between the mobile application and the gateway during this communication are secured by:
- incrementing a transaction counter of the mobile application,deriving a session encryption key ENC from the transaction counter value and a gateway encryption key KENC, said gateway encryption key being derived from a first master gateway key,encrypting sensitive data with the session encryption key ENC,elaborating a transaction request message comprising the encrypted sensitive data, the transaction counter value, and an application identifier of the mobile application,sending the transaction request message from the mobile application through the mobile device to the gateway, the gateway being configured to compute the session encryption key from the received transaction request message, anddecrypting the received encrypted data with the computed session encryption key ENC
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The transaction processing system of claim 15 wherein the transaction messages transiting between the mobile application and the gateway during this communication are further secured by:
    - deriving a session integrity key MAC from the transaction counter value and a gateway integrity key KMAC, said gateway integrity key being derived from a second master gateway key,computing a MAC signature value from the session integrity key MAC and at least one part of the contents of the transaction request message,adding said MAC value to the transaction request message during its elaboration,computing, by the gateway, the session integrity key from the received transaction request message and verifying, by the gateway, the MAC signature value of the received transaction request message.
  - 17. The transaction processing system of claim 16 wherein the deriving of the gateway encryption key KENC and the gateway integrity key KMAC comprises:
    - generating the first and second master gateway keys,generating the application identifier for the mobile application,deriving the gateway encryption key KENC from said application identifier, the first master key and a first derivation algorithm,deriving the gateway integrity key KMAC from said application identifier, the second master key and a second derivation algorithm,loading into the mobile application the generated application identifier, the derived gateway encryption key KENC and the derived gateway integrity key KMAC.
  - 18. The transaction processing system of claim 16 comprising, computing, by the gateway, the session encryption key KENC and the session integrity key MAC, by:
    - deriving the gateway encryption key KENC and the gateway integrity key KMAC from the received application identifier and respectively from a stored first and second master gateway key and the first and second derivation algorithm,deriving the session encryption key ENC and the session integrity key MAC from the received transaction counter value and respectively from the derived gateway encryption key KENC and the derived gateway integrity key KMAC.
  - 19. The transaction processing system of claim 17 wherein the first and the second derivation algorithm are identical.
  - 20. The transaction processing system of claim 16 wherein the first and the second master gateway key are identical.
  - 21. The transaction processing system of claim 15 wherein the mobile application, comprising the generated application identifier, the gateway encryption key KENC and the gateway integrity key KMAC, is stored into a secure element of the mobile device.
  - 22. The transaction processing system of claim 15 wherein the gateway forwards the transaction request message comprising the decrypted sensitive data to an issuer of the mobile application for processing.
  - 23. The transaction processing system of claim 15 wherein the transaction is initiated by a user of the mobile device, by the mobile device itself, or when a push message is received by the mobile application.
  - 24. The transaction processing system of claim 15 wherein the mobile application is a mobile payment application, the transaction counter is an Application Transaction Counter (ATC) and wherein the transaction request message comprises:
    - the application identifier,the current Application Transaction Counter ATC,the sensitive data comprising the contents of the magnetic-stripe data track(s), fully or partially (track 1, track 2, track
      
      3),dynamic transaction data and static application data enabling the issuer to authenticate the mobile payment application.
  - 25. The transaction processing system of claim 24 wherein the transaction initiated is an over-the-air issuer update comprising:
    - updating parameters for the mobile payment application,blocking a payment application on the mobile device,unblocking the mobile payment application,unblocking a PIN on the mobile payment application, and/orchanging the PIN on the mobile payment application.
  - 26. The transaction processing system of claim 15 wherein the transaction initiated is an authentication of the mobile communication device by the issuer.
  - 27. The transaction processing system of claim 15 wherein the transaction initiated is a payment transaction through the mobile communication device.
  - 28. The transaction processing system of claim 15 wherein the gateway communicates with the issuer through a secured processing network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gemalto SA (Thales SA)
Original Assignee
Gemalto SA (Thales SA)
Inventors
VENOT, Claire, DESJARDINS, Jean-Michel

Application Number

US15/025,280
Publication Number

US 20160232523A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06Q 20/322   Aspects of commerce using m...

G06Q 20/3223   Realising banking transacti...

G06Q 20/3829   involving key management

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless network architectu...

H04L 9/16   the keys or algorithms bein...

H04L 9/32   including means for verifyi...

H04L 9/3242   involving keyed hash functi...

H04W 4/60   Subscription-based services...

H04W 88/08   Access point devices

H04W 88/16   Gateway arrangements

METHOD FOR SECURING OVER-THE-AIR COMMUNICATION BETWEEN A MOBILE APPLICATION AND A GATEWAY

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

147 Citations

28 Claims

Specification

Use Cases

Quick Links

Others

METHOD FOR SECURING OVER-THE-AIR COMMUNICATION BETWEEN A MOBILE APPLICATION AND A GATEWAY

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

147 Citations

28 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others