AUTHENTICATION SYSTEM AND METHOD FOR SERVER-BASED PAYMENTS
Abstract
A method of performing a payment transaction employing a two-factor authentication mechanism. The method includes engaging in cryptographic processing with a cryptographic function having a secret key encoded therein. The cryptographic function is stored in a computing device. The secret key serves as a first authentication factor. The method further includes utilizing a second authentication factor in performing the payment transaction.
23 Claims
1. A method of performing a payment transaction employing two-factor authentication, the method comprising:
engaging in cryptographic processing with a cryptographic function having a secret key encoded therein, the cryptographic function stored in a computing device, the secret key serving as a first authentication factor; and
utilizing a second authentication factor in performing the payment transaction.

9. A method of performing a sequence of payment transactions using a computing device, the sequence of payment transactions including a first payment transaction and a second payment transaction, the second payment transaction immediately following the first payment transaction in the sequence of payment transactions, each of said payment transactions including a respective device authentication stage and a respective user authentication stage, the method comprising:
performing the device authentication stage of the first payment transaction;
using a first session cryptographic key to perform the user authentication stage of the first payment transaction;
as part of the user authentication stage of the first payment transaction, receiving an input to be used for generating a second session cryptographic key;
using the second session cryptographic key as an input value for a cryptographic operation performed as part of the device authentication stage of the second payment transaction; and
using a third session cryptographic key to perform the user authentication stage of the second payment transaction;
the first, second and third session cryptographic keys all different from each other.

18. A method of performing a current payment transaction, the method comprising:
transmitting an authentication request from a computing device to a remote server, the authentication request including:
user identification data that identifies a user of the computing device, device identification data that identifies the computing device, and a first challenge value, the first challenge value randomly generated in the computing device for the authentication request;
engaging in a TLS (transport layer security) handshake process with the remote server to initiate a tunneling communication channel between the computing device and the remote server;
the TLS handshake process including receiving a response from the remote server, the response including a second challenge value, a digital certificate and an identification of a cryptographic processing algorithm proposed by the remote server;
the TLS handshake process further including selecting a cryptographic processing algorithm that matches the cryptographic processing algorithm proposed by the remote server;
the TLS handshake process further including verifying the digital certificate received from the remote server;
the TLS handshake process further including accessing a public encryption key associated with the remote server;
the TLS handshake process further including randomly generating a secret value;
the TLS handshake process further including encrypting the secret value with the public encryption key to generate a digital envelope;
the TLS handshake process further including transmitting the digital envelope to the remote server;
the TLS handshake process further including receiving a server authenticity proof value from the remote server;
the TLS handshake process further including computing a secure channel key K based on the secret value, the first challenge value and the second challenge value;
the TLS handshake process further including verifying the server authenticity proof value via a cryptographic process having as inputs the secure channel key K, the first challenge value and the second challenge value;
engaging in a device authentication process stage with the remote server using the secure channel key K, the device authentication process stage including retrieving from an encrypted database stored in the computing device a first hash value, a first encrypted single-use key and a third challenge value, the first encrypted single-use key having been received by the computing device in a user authentication process stage of a previous payment transaction, the previous payment transaction having immediately preceded the current payment transaction in a sequence of payment transactions performed by the computing device;
the first encrypted single-use key having been encrypted using a transport key that is identical to a key encoded in a payment application stored in the computing device, the third challenge value having been received by the computing device from the remote server in connection with the user authentication stage of the previous payment transaction;
the first hash value having been calculated by applying a first hash function to device fingerprint data and a first salt value;
the device authentication process stage further including using the key encoded in the payment application to decrypt the encrypted first single use key;
the device authentication process stage further including generating a first cryptogram based on inputs that include a first session key, the second challenge value and a transaction counter value;
the first session key derived from the decrypted first single-use key, the first hash value and the third challenge value;
the device authentication process stage further including transmitting the first cryptogram from the computing device to the remote server;
following the device authentication process stage, engaging in a user authentication process stage of the current payment transaction, using the secure channel key K;
the user authentication stage of the current payment transaction including receiving from the remote server a second encrypted single-use key, a third encrypted single-use key and a fourth challenge value;
the user authentication stage of the current payment transaction further including storing the second encrypted single-use key and the fourth challenge value in the encrypted database;
the user authentication stage of the current payment transaction further including retrieving a second salt value from the encrypted database;
the user authentication stage of the current payment transaction further including prompting a user to enter a PIN (personal identification number);
the user authentication stage of the current payment transaction further including receiving user input that indicates the user's PIN;
the user authentication stage of the current payment transaction further including using the key encoded in the payment application to decrypt the encrypted third single-use key;
the user authentication stage of the current payment transaction further including generating a second cryptogram based on inputs that include a second session key, the fourth challenge value, and transaction data;
said second session key derived from said decrypted third single-use key using said user input;
the user authentication stage of the current payment transaction further including transmitting the second cryptogram from the computing device to the remote server; and
receiving access via the computing device to the user's digital wallet.

21. A method comprising:
performing authentication services in a server computer with respect to a first payment transaction and a second payment transaction, said first and second payment transactions requested by a computing device, said first payment transaction immediately preceding the second payment transaction in a sequence of payment transactions requested by the computing device;
said authentication services including:
(i) a device authentication process stage of the first payment transaction, the server computer receiving and verifying a first cryptogram during said device authentication process stage of the first payment transaction;
(ii) a user authentication process stage of the first payment transaction, the server computer (a) calculating a first single-use key and a second single-use key; and (b) transmitting the first and second single-use keys to the computing device as part of the user authentication process stage of the first payment transaction;
(iii) a device authentication process stage of the second payment transaction, the server computer receiving and verifying a second cryptogram during said device authentication process stage of the second payment transaction;
said verifying of the second cryptogram including calculating a first session key;
said first session key identical to a second session key that was used by the server computer to generate the second single-use key calculated during the user authentication process stage of the user authentication process stage of the first payment transaction; and
(iv) a user authentication process stage of the second payment transaction.

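An added example, not part of the patent text: a sketch of the device authentication stage of claim 18 together with the server-side cryptogram check of claim 21, showing why a cryptogram built from a stale single-use key, or replayed against a new second challenge value, fails verification. The claims name no algorithms, so HMAC-SHA256 for key derivation and for the cryptogram, SHA-256 for the first hash function, the byte layouts and all function names are assumptions; decryption under the transport key is omitted and the single-use key is taken as already decrypted.

```python
import hashlib
import hmac
import secrets


def derive_session_key(single_use_key: bytes, fp_hash: bytes, challenge3: bytes) -> bytes:
    """Session key from the decrypted single-use key, the first hash value
    and the third challenge value (HMAC-SHA256 is an assumption)."""
    return hmac.new(single_use_key, b"session" + fp_hash + challenge3, hashlib.sha256).digest()


def device_cryptogram(session_key: bytes, challenge2: bytes, counter: int) -> bytes:
    """Cryptogram over the second challenge value and the transaction counter."""
    msg = challenge2 + counter.to_bytes(4, "big")
    return hmac.new(session_key, msg, hashlib.sha256).digest()


def server_verify(record: dict, challenge2: bytes, counter: int, cryptogram: bytes) -> bool:
    """Server side: recompute the session key from its own record, then
    compare cryptograms in constant time."""
    key = derive_session_key(record["suk"], record["fp_hash"], record["challenge3"])
    return hmac.compare_digest(device_cryptogram(key, challenge2, counter), cryptogram)


def demo() -> dict:
    # Constructed values standing in for what the previous transaction's
    # user authentication stage left in the device database.
    salt, suk, old_suk, challenge3 = (secrets.token_bytes(16) for _ in range(4))
    fp_hash = hashlib.sha256(salt + b"constructed-device-fingerprint").digest()
    record = {"suk": suk, "fp_hash": fp_hash, "challenge3": challenge3}

    challenge2 = secrets.token_bytes(16)  # from the server's handshake response
    counter = 7
    good = device_cryptogram(derive_session_key(suk, fp_hash, challenge3), challenge2, counter)
    # A single-use key left over from an earlier transaction no longer matches.
    stale = device_cryptogram(derive_session_key(old_suk, fp_hash, challenge3), challenge2, counter)

    return {
        "genuine": server_verify(record, challenge2, counter, good),
        "stale_key": server_verify(record, challenge2, counter, stale),
        # Same cryptogram presented against a fresh second challenge value.
        "replayed": server_verify(record, secrets.token_bytes(16), counter, good),
    }


if __name__ == "__main__":
    print(demo())
```
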
Specification