AUTHENTICATION SYSTEM AND METHOD FOR SERVER-BASED PAYMENTS

US 20170017957A1
Filed: 07/17/2015
Published: 01/19/2017
Est. Priority Date: 07/17/2015
Status: Active Grant

First Claim

Patent Images

1. A method of performing a payment transaction employing two-factor authentication, the method comprising:

engaging in cryptographic processing with a cryptographic function having a secret key encoded therein, the cryptographic function stored in a computing device, the secret key serving as a first authentication factor; and

utilizing a second authentication factor in performing the payment transaction.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of performing a payment transaction employing a two-factor authentication mechanism. The method includes engaging in cryptographic processing with a cryptographic function having a secret key encoded therein. The cryptographic function is stored in a computing device. The secret key serves as a first authentication factor. The method further includes utilizing a second authentication factor in performing the payment transaction.

Citations

23 Claims

1. A method of performing a payment transaction employing two-factor authentication, the method comprising:
- engaging in cryptographic processing with a cryptographic function having a secret key encoded therein, the cryptographic function stored in a computing device, the secret key serving as a first authentication factor; and
  
  utilizing a second authentication factor in performing the payment transaction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the second authentication factor is a biometric characteristic of a user of the computing device.
  - 3. The method of claim 1, wherein the second authentication factor is a secret code known to the user of the competing device.
  - 4. The method of claim 3, wherein the computing device is selected from the group consisting of:
    - a mobile telephone, a personal computer, and a tablet computer.
  - 5. The method of claim 4, wherein said secret key was encoded in the cryptographic function during initialization of a payment application that runs in the computing device.
  - 6. The method of claim 5, wherein the secret key was randomly generated by the payment application during said initialization.
  - 7. The method of claim 5, wherein said cryptographic processing includes using the secret key to decrypt an encrypted single use-key transmitted from a remote server to the computing device as part of the payment transaction.
  - 8. The method of claim 1, wherein a user of the computing device is permitted, during the payment transaction, to access a digital wallet assigned to the user and hosted in a remote wallet server.

9. A method of performing a sequence of payment transactions using a computing device, the sequence of payment transactions including a first payment transaction and a second payment transaction, the second payment transaction immediately following the first payment transaction in the sequence of payment transactions, each of said payment transactions including a respective device authentication stage and a respective user authentication stage, the method comprising:
- performing the device authentication stage of the first payment transaction;
  
  using a first session cryptographic key to perform the user authentication stage of the first payment transaction;
  
  as part of the user authentication stage of the first payment transaction, receiving an input to be used for generating a second session cryptographic key;
  
  using the second session cryptographic key as an input value for a cryptographic operation performed as part of the device authentication stage of the second payment transaction; and
  
  using a third session cryptographic key to perform the user authentication stage of the second payment transaction;
  
  the first, second and third session cryptographic keys all different from each other.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The method of claim 9, further comprising:
    - storing the input to be used for generating the second session cryptographic key in the computing device for a period of time, said period of time after completion of the first payment transaction and before commencement of the second payment transaction.
  - 11. The method of claim 10, further comprising:
    - receiving a challenge value in the computer device as part of the user authentication stage of the first payment transaction;
      
      the challenge value provided to the computing device by a remote server.
  - 12. The method of claim 10, further comprising:
    - using the challenge value as an input value for a cryptographic operation performed as part of the device authentication stage of the second payment transaction.
  - 13. The method of claim 12, further comprising:
    - storing the challenge value in the computing device during said period of time.
  - 14. The method of claim 9, further comprising:
    - decrypting a first single-use key to obtain the first session cryptographic key, the first single-use key provided to the computing device from a remote server in connection with the first payment transaction;
      
      decrypting a second single-use key to obtain the second session cryptographic key, the second single-use key provided to the computing device from the remote server as part of the first payment transaction.
  - 15. The method of claim 9, wherein the computing device is selected from the group consisting of:
    - a mobile telephone, a personal computer, and a tablet computer.
  - 16. The method of claim 9, wherein a secret code is input into the computing device in connection with the respective user authentication stages of the first and second payment transactions, said secret code used by the computing device as an input value for respective cryptographic processes performed by the computing device in connection with the respective user authentication stages of the first and second payment transactions.
  - 17. The method of claim 9, wherein a user of the computing device is permitted, during the first and second payment transactions, to access a digital wallet assigned to the user and hosted in a remote wallet server.

18. A method of performing a current payment transaction, the method comprising:
- transmitting an authentication request from a computing device to a remote server, the authentication request including;
  
  user identification data that identifies a user of the computing device, device identification data that identifies the computing device, and a first challenge value, the first challenge value randomly generated in the computing device for the authentication request;
  
  engaging in a TLS (transport layer security) handshake process with the remote server to initiate a tunneling communication channel between the computing device and the remote server;
  
  the TLS handshake process including receiving a response from the remote server, the response including a second challenge value, a digital certificate and an identification of a cryptographic processing algorithm proposed by the remote server;
  
  the TLS handshake process further including selecting a cryptographic processing algorithm that matches the cryptographic processing algorithm proposed by the remote server;
  
  the TLS handshake process further including verifying the digital certificate received from the remote server;
  
  the TLS handshake process further including accessing a public encryption key associated with the remote server;
  
  the TLS handshake process further including randomly generating a secret value;
  
  the TLS handshake process further including encrypting the secret value with the public encryption key to generate a digital envelope;
  
  the TLS handshake process further including transmitting the digital envelope to the remote server;
  
  the TLS handshake process further including receiving a server authenticity proof value from the remote server;
  
  the TLS handshake process further including computing a secure channel key K based on the secret value, the first challenge value and the second challenge value;
  
  the TLS handshake process further including verifying the server authenticity proof value via a cryptographic process having as inputs the secure channel key K, the first challenge value and the second challenge value;
  
  engaging in a device authentication process stage with the remote server using the secure channel key K, the device authentication process stage including retrieving from an encrypted database stored in the computing device a first hash value, a first encrypted single-use key and a third challenge value, the first encrypted single-use key having been received by the computing device in a user authentication process stage of a previous payment transaction, the previous payment transaction having immediately preceded the current payment transaction in a sequence of payment transactions performed by the computing device;
  
  the first encrypted single-use key having been encrypted using a transport key that is identical to a key encoded in a payment application stored in the computing device, the third challenge value having been received by the computing device from the remote server in connection with the user authentication stage of the previous payment transaction;
  
  the first hash value having been calculated by applying a first hash function to device fingerprint data and a first salt value;
  
  the device authentication process stage further including using the key encoded in the payment application to decrypt the encrypted first single use key;
  
  the device authentication process stage further including generating a first cryptogram based on inputs that include a first session key, the second challenge value and a transaction counter value;
  
  the first session key derived from the decrypted first single-use key, the first hash value and the third challenge value;
  
  the device authentication process stage further including transmitting the first cryptogram from the computing device to the remote server;
  
  following the device authentication process stage, engaging in a user authentication process stage of the current payment transaction, using the secure channel key K;
  
  the user authentication stage of the current payment transaction including receiving from the remote server a second encrypted single-use key, a third encrypted single-use key and a fourth challenge value;
  
  the user authentication stage of the current payment transaction further including storing the second encrypted single-use key and the fourth challenge value in the encrypted database;
  
  the user authentication stage of the current payment transaction further including retrieving a second salt value from the encrypted database;
  
  the user authentication stage of the current payment transaction further including prompting a user to enter a PIN (personal identification number);
  
  the user authentication stage of the current payment transaction further including receiving user input that indicates the user'"'"'s PIN;
  
  the user authentication stage of the current payment transaction further including using the key encoded in the payment application to decrypt the encrypted third single-use key;
  
  the user authentication stage of the current payment transaction further including generating a second cryptogram based on inputs that include a second session key, the fourth challenge value, and transaction data;
  
  said second session key derived from said decrypted third single-use key using said user input;
  
  the user authentication stage of the current payment transaction further including transmitting the second cryptogram from the computing device to the remote server; and
  
  receiving access via the computing device to the user'"'"'s digital wallet.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, wherein the user'"'"'s digital wallet is maintained on the remote server.
  - 20. The method of claim 18, wherein the computing device is selected from the group consisting of:
    - a mobile telephone, a personal computer, and a tablet computer.

21. A method comprising;
- performing authentication services in a server computer with respect to a first payment transaction and a second payment transaction, said first and second payment transactions requested by a computing device, said first payment transaction immediately preceding the second payment transaction in a sequence of payment transactions requested by the computing device;
  
  said authentication services including;
  
  (i) a device authentication process stage of the first payment transaction, the server computer receiving and verifying a first cryptogram during said device authentication process stage of the first payment transaction;
  
  (ii) a user authentication process stage of the first payment transaction, the server computer (a) calculating a first single-use key and a second single-use key; and
  
  (b) transmitting the first and second single-use keys to the computing device as part of the user authentication process stage of the first payment transaction;
  
  (iii) a device authentication process stage of the second payment transaction, the server computer receiving and verifying a second cryptogram during said device authentication process stage of the second payment transaction;
  
  said verifying of the second cryptogram including calculating a first session key;
  
  said first session key identical to a second session key that was used by the server computer to generate the second single-use key calculated during the user authentication process stage of the user authentication process stage of the first payment transaction; and
  
  (iv) a user authentication process stage of the second payment transaction.
- View Dependent Claims (22, 23)
- - 22. The method of claim 21, wherein the server computer transmits the first and second single-use keys to the computing device in encrypted form.
  - 23. The method of claim 21, wherein the server computer maintains a digital wallet for a user of the computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mastercard International Incorporated (MasterCard Incorporated)
Original Assignee
Mastercard International Incorporated (MasterCard Incorporated)
Inventors
Radu, Cristian

Granted Patent

US 11,120,436 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06Q 20/326   Payment applications instal...

G06Q 20/36   using electronic wallets or...

G06Q 20/363   with the personal data of a...

G06Q 20/3674   involving authentication

G06Q 20/382   insuring higher security of...

G06Q 20/3821   Electronic credentials

G06Q 20/3823   combining multiple encrypti...

G06Q 20/3829   involving key management

G06Q 20/385   using an alias or single-us...

G06Q 20/388   using mutual authentication...

G06Q 20/4012   Verifying personal identifi...

G06Q 20/4014   Identity check for transact...

G06Q 20/40145   Biometric identity checks

G06Q 2220/00   Business processing using c...

H04L 2463/082   applying multi-factor authe...

H04L 63/0861   using biometrical features,...

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

H04W 12/35   Protecting application or s...

AUTHENTICATION SYSTEM AND METHOD FOR SERVER-BASED PAYMENTS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

AUTHENTICATION SYSTEM AND METHOD FOR SERVER-BASED PAYMENTS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links