Electronic transaction systems and methods therefor

US 8,016,189 B2
Filed: 12/21/2009
Issued: 09/13/2011
Est. Priority Date: 12/04/1996
Status: Expired due to Fees

First Claim

Patent Images

1. In a portable electronic authorization device (PEAD) with inaccessible storage of a user'"'"'s private key, a method for approving a transaction request originating from an electronic transaction system, comprising:

receiving at said portable electronic authorization device first digital data, said first digital data representing said transaction request; and

in response to receiving approval of said transaction request by a user of said portable electronic authorization device, decrypting the user private key that is inaccessibly stored by the PEAD using a decryption key stored at and transmitted to the PEAD from a remote server, and transmitting a second digital data to said electronic transaction system, said second digital data being encrypted by said user private key but without transmission of the private key alone.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The method includes the steps of receiving at the PEAD first digital data representing the transaction request. The PEAD provides information to the user regarding an ability to approve the transaction request. When the transaction request is approved by the user, the PEAD receives second digital data representing the electronic service authorization token. A remote agent server may provide a bridge between the electronic transaction system and the PEAD. In another embodiment, the private key is stored on the portable device, encrypted. The decryption key is stored outside of the device, at a trusted 3^rdparty location. When the user attempts to make a signature the software sends a request for the decryption key, along with the user'"'"'s password or pass phrase keyed in at the keyboard of the PDA, smart phone, or cell phone, to a server belonging to the trusted 3^rdparty.

Citations

32 Claims

1. In a portable electronic authorization device (PEAD) with inaccessible storage of a user'"'"'s private key, a method for approving a transaction request originating from an electronic transaction system, comprising:
- receiving at said portable electronic authorization device first digital data, said first digital data representing said transaction request; and
  
  in response to receiving approval of said transaction request by a user of said portable electronic authorization device, decrypting the user private key that is inaccessibly stored by the PEAD using a decryption key stored at and transmitted to the PEAD from a remote server, and transmitting a second digital data to said electronic transaction system, said second digital data being encrypted by said user private key but without transmission of the private key alone.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. A method as claimed in claim 1 wherein decrypting the user private key includes sending a request from the PEAD to the server including a password from the user of the PEAD but not including transmission of the user'"'"'s private key to the server.
  - 3. A method as claimed in claim 2 wherein the request includes transmitting a user password or pass phrase.
  - 4. A method as claimed in claim 3 wherein the password or pass phrase is keyed in at the PEAD.
  - 5. A method as claimed in claim 4 wherein in response to providing the incorrect password or pass phrase to the server, informing the PEAD and recording the event.
  - 6. A method as claimed in claim 5 wherein once a certain number of failures due to an uncorrected password or pass phrase have occurred, the users account associated with the private key is deactivated.
  - 7. A method as claimed in claim 6 wherein upon deactivation of the account, the server will refuse to provide the decryption key.
  - 8. A method as claimed in claim 1 wherein the user private key is stored in the PEAD encrypted with a symmetric key scheme.
  - 9. A method as claimed in claim 8 wherein the symmetric key scheme is 3DES.
  - 10. A method as claimed in claim 9 wherein the 3DES key is stored in the remote server associated with an authorization test password or pass phrase for the user.
  - 11. A method as claimed in claim 10 wherein whenever the user needs to authorize a transaction, the user inputs the password or pass phrase at a keyboard at the PEAD.
  - 12. A method as claimed in claim 11 where upon the password or pass phrase being keyed into the PEAD, it is transmitted to the remote server, the remote server returning the symmetric key to the PEAD for decrypting the private key.
  - 13. A method as claimed in claim 12 wherein after finishing the signing process, both the 3DES key and the plain private key, the password or pass phrase entered by the user are deleted from the PEAD.
  - 14. A method as claimed in claim 13 wherein the remote server will monitor and detect any unauthorized attempted access of the symmetric key stored at the server, and notifies the PEAD user through e-mail alert, phone call or message alert.

15. In an electronic authorization system with inaccessible storage of a user'"'"'s private key, at a portable electronic authorization device (PEAD) a method for approving a transaction request originating from an electronic transaction system, comprising:
- receiving at said electronic authorization system first digital data, said first digital data representing said transaction request; and
  
  in response to receiving approval of said transaction request by a user of said electronic authorization system, decrypting the user private key that is inaccessibly stored at the PEAD using a decryption key stored at and transmitted to the PEAD from a remote server, transmitting a second digital data to said electronic transaction system, said second digital data being encrypted by said user private key but without transmission of the private key alone.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. A method as claimed in claim 15 wherein decrypting the user private key includes sending a request from the electronic authorization system to the server including a password from the user of the electronic authorization system.
  - 17. A method as claimed in claim 16 wherein the request includes transmitting a user password or pass phrase.
  - 18. A method as claimed in claim 17 wherein the password or pass phrase is keyed in at the electronic authorization system.
  - 19. A method as claimed in claim 18 wherein in response to providing the incorrect password or pass phrase to the server, informing the electronic authorization system and recording the event.
  - 20. A method as claimed in claim 19 wherein once a certain number of failures due to an uncorrected password or pass phrase have occurred, the users account associated with the private key is deactivated.
  - 21. A method as claimed in claim 20 wherein upon deactivation of the account, the server will refuse to provide the decryption key.
  - 22. A method as claimed in claim 15 wherein the user private key is stored in the electronic authorization system encrypted with a symmetric key scheme.
  - 23. A method as claimed in claim 22 wherein the symmetric key scheme is 3DES.
  - 24. A method as claimed in claim 23 wherein the 3DES key is stored in the remote server associated with an authorization test password or pass phrase for the user.
  - 25. A method as claimed in claim 24 wherein whenever the user needs to authorize a transaction, the user inputs the password or pass phrase at a keyboard at the electronic authorization system.
  - 26. A method as claimed in claim 25 where upon the password or pass phrase being keyed into the electronic authorization system, it is transmitted to the remote server, the remote server returning the symmetric key to the electronic authorization system for decrypting the private key.
  - 27. A method as claimed in claim 26 wherein after finishing the signing process, both the 3DES key and the plain private key, the password or pass phrase entered by the user are deleted from the electronic authorization system.
  - 28. A method as claimed in claim 27 wherein the remote server will monitor and detect any unauthorized attempted access of the symmetric key stored at the server, and notifies the electronic authorization system user through e-mail alert, phone call or message alert.

29. A computer-readable medium whose contents are capable of causing a portable electronic authorization device (PEAD) with inaccessible storage of a user'"'"'s private key to perform a method for approving a transaction request originating from an electronic transaction system, the method comprising:
- receiving at said portable electronic authorization device first digital data, said first digital data representing said transaction request; and
  
  in response to receiving approval of said transaction request by a user of said portable electronic authorization device, decrypting the user private key that is inaccessibly stored by the PEAD using a decryption key stored at and transmitted to the PEAD from a remote server, and transmitting a second digital data to said electronic transaction system, said second digital data being encrypted by said user private key but without transmission of the private key alone.

30. A computer-readable medium whose contents are capable of causing a portable electronic authorization device (PEAD) in an electronic authorization system with inaccessible storage of a user'"'"'s private key to perform a method for approving a transaction request originating from an electronic transaction system, the method comprising:
- receiving at said electronic authorization system first digital data, said first digital data representing said transaction request; and
  
  in response to receiving approval of said transaction request by a user of said electronic authorization system, decrypting the user private key that is inaccessibly stored at the PEAD using a decryption key stored at and transmitted to the PEAD from a remote server, transmitting a second digital data to said electronic transaction system, said second digital data being encrypted by said user private key but without transmission of the private key alone.

31. A portable electronic authorization device (PEAD) with inaccessible storage of a user'"'"'s private key that approves a transaction request originating from an electronic transaction system, comprising:
- a receiver that receives at said portable electronic authorization device first digital data, said first digital data representing said transaction request; and
  
  a decryption subsystem that, in response to receiving approval of said transaction request by a user of said portable electronic authorization device, decrypts the user private key that is inaccessibly stored by the PEAD using a decryption key stored at and transmitted to the PEAD from a remote server, and transmitting a second digital data to said electronic transaction system, said second digital data being encrypted by said user private key but without transmission of the private key alone.

32. A portable electronic authorization device (PEAD) in an electronic authorization system with inaccessible storage of a user'"'"'s private key that approves a transaction request originating from an electronic transaction system, comprising:
- a receiver that receives at said electronic authorization system first digital data, said first digital data representing said transaction request; and
  
  a decryption subsystem that, in response to receiving approval of said transaction request by a user of said electronic authorization system, decrypts the user private key that is inaccessibly stored at the PEAD using a decryption key stored at and transmitted to the PEAD from a remote server, transmitting a second digital data to said electronic transaction system, said second digital data being encrypted by said user private key but without transmission of the private key alone.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServStor Technologies, LLC (IP Investments Group LLC)
Original Assignee
Otomaku Properties Ltd LLC (Intellectual Ventures LLC)
Inventors
Grizzard, James A., Ding, Joshua C., Wang, Ynjiun P.
Primary Examiner(s)
Labaze; Edwyn

Application Number

US12/643,966
Publication Number

US 20110004557A1
Time in Patent Office

631 Days
Field of Search

235/379, 235/380, 235/382, 235/375, 705/50, 705 57- 59, 705/67, 705/75, 713165-168
US Class Current

235/379
CPC Class Codes

G06Q 20/00   Payment architectures, sche...

G06Q 20/02   involving a neutral party, ...

G06Q 20/18   involving self-service term...

G06Q 20/322   Aspects of commerce using m...

G06Q 20/327   Short range or proximity pa...

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/3415   Cards acting autonomously a...

G06Q 20/363   with the personal data of a...

G06Q 20/3674   involving authentication

G06Q 20/3823   combining multiple encrypti...

G06Q 20/40   Authorisation, e.g. identif...

G06Q 20/40975   using encryption therefor

G07F 19/20   Automatic teller machines [...

G07F 7/0866   by active credit-cards adap...

G07F 7/0886   the card reader being porta...

G07F 7/1008   Active credit-cards provide...

G07F 7/1016   Devices or methods for secu...

G07F 7/1025   Identification of user by a...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless

H04L 2463/102 : applying security measure f...

H04L 63/0428 : wherein the data content is...

H04L 63/0442 : wherein the sending and rec...

H04L 63/0853 : using an additional device,...

H04L 9/0897 : involving additional device...

H04L 9/3226 : using a predetermined code,...

H04L 9/3234 : involving additional secure...

H04L 9/3247 : involving digital signatures

View All

Electronic transaction systems and methods therefor

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Electronic transaction systems and methods therefor

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links