Portable secure element

US 8,625,800 B2
Filed: 02/25/2013
Issued: 01/07/2014
Est. Priority Date: 02/28/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for transferring control of a secure memory, comprising:

creating, by a computer, a master key between a first secure services provider and a second secure services provider, wherein the master key facilitates a transfer of control of a secure memory from the first secure services provider to the second secure services provider;

receiving, by the computer, a request to transfer control of the secure memory from the first secure services provider to the second secure services provider;

initiating, by the computer, a secure communication channel with the secure memory, wherein, the secure communication channel is established using an access key known by the first secure services provider that is resident on the secure memory;

communicating, by the computer, an instruction to delete the access key from the secure memory;

creating, by the computer, a temporary key;

communicating, by the computer, the temporary key to the secure memory;

encrypting, by the computer, the temporary key using the master key established between the first secure services provider and the second secure services provider; and

communicating, by the computer, the encrypted temporary key to the second secure services provider for the second secure services provider to access the secure element.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Transferring control of a secure element between TSMs comprises a zone master key established between the TSMs that facilitates encryption of a temporary key. The TSMs create the zone master key prior to initiation of transfer of control. Once transfer of control is initiated, the first TSM establishes a communication channel and deletes its key from the secure element. The first TSM creates a temporary key that is encrypted with the zone master key established between the first TSM and the second TSM. The encrypted temporary key is communicated to the second TSM with a device identifier. The second TSM decrypts the temporary key using the zone master key and identifies the user device using the device identifier. The new TSM establishes a communication channel and deletes the temporary key from the secure element. The new TSM then inputs and saves its key into the secure element.

175 Citations

30 Claims

1. A computer-implemented method for transferring control of a secure memory, comprising:
- creating, by a computer, a master key between a first secure services provider and a second secure services provider, wherein the master key facilitates a transfer of control of a secure memory from the first secure services provider to the second secure services provider;
  
  receiving, by the computer, a request to transfer control of the secure memory from the first secure services provider to the second secure services provider;
  
  initiating, by the computer, a secure communication channel with the secure memory, wherein, the secure communication channel is established using an access key known by the first secure services provider that is resident on the secure memory;
  
  communicating, by the computer, an instruction to delete the access key from the secure memory;
  
  creating, by the computer, a temporary key;
  
  communicating, by the computer, the temporary key to the secure memory;
  
  encrypting, by the computer, the temporary key using the master key established between the first secure services provider and the second secure services provider; and
  
  communicating, by the computer, the encrypted temporary key to the second secure services provider for the second secure services provider to access the secure element.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented method of claim 1, wherein the computer is a first secure service provider that operates a first trusted service manager (“
    - TSM”
      
      ).
  - 3. The computer-implemented method of claim 1, wherein creating the master key comprises:
    - generating, by the computer, a first part of the master key;
      
      inputting, by the computer, the first part of the master key into a hardware security module resident on the first secure services provider;
      
      generating, by the computer, a second part of the master key;
      
      inputting, by the computer, the second part of the master key into the hardware security module resident on the first secure services provider;
      
      assembling, by the computer, the first and second master key parts in the hardware security module resident on the first secure services provider; and
      
      destroying, by the computer, the master key parts.
  - 4. The computer-implemented method of claim 1, further comprising terminating, by the computer, the secure communication channel with the secure memory.
  - 5. The computer-implemented method of claim 1, further comprising communicating, by the computer, a user device identifier to the second secure services provider, wherein the user device identifier may be used by the second secure services provider to identify the secure memory.
  - 6. The computer-implemented method of claim 1, wherein communicating the encrypted temporary key to the second secure services provider for the second secure services provider to access the secure element comprises communicating the encrypted temporary key to a mediator secure services provider.
  - 7. The computer-implemented method of claim 1, wherein the second secure services provider is the mediator secure services provider.
  - 8. The computer-implemented method of claim 7, further comprising:
    - decrypting, by the second secure services provider, the temporary key using the master key established between the first secure services provider and the second secure services provider;
      
      initiating, by the second secure services provider, a secure communication channel with the secure memory, wherein the secure communication channel is established using the temporary key decrypted by the second secure services provider;
      
      deleting, by the second secure services provider, the temporary key from the secure memory;
      
      creating, by the mediator secure services provider, a second temporary key;
      
      communicating, by the second secure services provider, the second temporary key to the secure memory;
      
      encrypting, by the mediator secure services provide, the second temporary key using a second master key established between the second secure services provider and a third secure services provider; and
      
      communicating, by the mediator secure services provider, the encrypted second temporary key to the third secure services provider for the third secure services provider to access the secure memory.
  - 9. The computer-implemented method of claim 1, wherein the secure memory is a secure element.
  - 10. The computer-implemented method of claim 1, wherein the secure services provider is a trusted service manager.

11. A computer-implemented method for transferring control of a secure memory, comprising:
- creating, by a computer, a first master key between a first secure services provider and a mediator secure services provider, wherein the first master key facilitates a transfer of control of a secure memory from the first secure services provider to the mediator secures vies provider;
  
  creating, by a computer, a second master key between the mediator secure services provider and a second secure services provider, wherein the second master key facilitates a transfer of control of the secure memory from the mediator secure services provider to the second secure services provider;
  
  receiving, by the computer, a first temporary key from the first secure services provider to transfer control of the secure element from the first secure services provider to the mediator secure services provider, wherein the first temporary key is encrypted by the first master key established between the first secure services provider and the mediator secure services provider, and wherein the first temporary key has been saved on the secure memory;
  
  decrypting, by the computer, the first temporary key using the first master key established between the first secure services provider and the mediator secure services provider;
  
  initiating, by the computer, a secure communication channel with the secure memory, wherein the secure communication channel is established using the first temporary key decrypted by the mediator secure services provider;
  
  communicating, by the computer, an instruction to delete the first temporary key from the secure memory;
  
  creating, by the computer, a second temporary key;
  
  communicating, by the computer, the second temporary key to the secure memory;
  
  encrypting, by the computer, the second temporary key using the second master key established between the mediator secure services provider and the second secure services provider; and
  
  communicating, by the computer, the encrypted second temporary key to the second secure services provider for the second secure services provider to access the secure memory.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computer-implemented method of claim 11, wherein the computer is a mobile operating network that operates the mediator secure services provider.
  - 13. The computer-implemented method of claim 11, wherein creating one of the first and second master keys comprises:
    - generating, by the computer, a first part of the master key;
      
      inputting, by the computer, the first part of the master key into a hardware security module;
      
      generating, by the computer, a second part of the master key;
      
      inputting, by the computer, the second part of the master key into the hardware security module;
      
      assembling, by the computer, the master key parts in the hardware security module; and
      
      destroying, by the computer, the master key parts.
  - 14. The computer-implemented method of claim 11, further comprising terminating, by the computer, the secure communication channel with the secure memory.
  - 15. The computer-implemented method of claim 11, further comprising communicating, by the computer, a user device identifier to the second secure ices provider, wherein the user device identifier may be used by the second secure services provider to identify the secure memory.

16. A computer program product, comprising:
- a non-transitory computer-readable medium having computer-readable program code embodied therein for transferring control of a secure memory, the computer-readable program code comprising;
  
  computer-readable program code for receiving a first temporary key from a first secure services provider to transfer control of a secure memory from the first secure services provider to a mediator secure services provider;
  
  computer-readable program code for initiating a secure communication channel with the secure memory, wherein the secure communication channel is established using the first temporary key and wherein the first temporary key is resident on the secure memory;
  
  computer-readable program code for creating a second temporary key, wherein the second temporary key is inputted and saved on the secure memory; and
  
  computer-readable program code for communicating the second temporary key to the second secure services provider.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 17. The computer program product of claim 16, further comprising:
    - computer-readable program code for creating a first master key between the first secure services provider to the mediator secure services provider, wherein the master key facilitates a transfer of control of the secure memory from the first secure services provider to the mediator secure services provider; and
      
      computer-readable program code for creating a second master key between the mediator secure services provider to the second secure services provider, wherein the master key facilitates a transfer of control of the secure memory from the mediator secure services provider to the second secure services provider.
  - 18. The computer program product of claim 17, wherein the first temporary key is encrypted by the master key established between the first secure services provider and the mediator secure services provider.
  - 19. The computer program product of claim 17, further comprising computer-readable program code for decrypting the first temporary key using the first master key established between the first secure services provider and the mediator secure services provider.
  - 20. The computer program product of claim 17, further comprising computer-readable program code for encrypting the second temporary key using the master key established between the second secure services provider and the mediator secure services provider prior to communicating the second temporary key to the second secure services provider.
  - 21. The computer program product of claim 17, wherein the computer-readable program code for creating one of the first and second master keys comprises:
    - computer-readable program code for generating a first part of the master key;
      
      computer-readable program code for inputting the first part of the master key into a hardware security module;
      
      computer-readable program code for generating a second part of the master key;
      
      computer-readable program code for inputting the second part of the master key into the hardware security module;
      
      computer-readable program code for assembling the master key parts in the hardware security module; and
      
      computer-readable program code for destroying the master key parts.
  - 22. The computer program product of claim 16, further comprising computer-readable program code for deleting the first temporary key from the secure memory.
  - 23. The computer program product of claim 22, wherein the computer-readable program code for deleting the access key from the secure memory comprises computer-readable program code for communicating an instruction to the secure memory to delete the access key from the secure memory.
  - 24. The computer program product of claim 16, further comprising computer-readable program code for terminating the secure communication channel with the secure memory.
  - 25. The computer program product of claim 16, further comprising computer-readable program code for communicating a user device identifier to the second secure services provider, wherein the user device identifier may be used by the second secure services provider to identify the secure memory.
  - 26. The computer program product of claim 16, wherein the secure memory is a secure element and the secure service provider is a trusted service manager.

27. A system for transferring control of a secure memory, the system comprising:
- a storage device; and
  
  a processor configured to execute computer-executable instructions store the storage device to transfer control of a secure memory, the computer-executable instructions comprising;
  
  instructions for receiving a first temporary key from a first secure services provider to transfer control of a secure memory from the first secure services provider to a mediator secure services provider;
  
  instructions for initiating a secure communication channel with the secure memory, wherein the secure communication channel is established using the first temporary key;
  
  instructions for communicating an instruction to delete the first temporary key from the secure memory;
  
  instructions for creating a second temporary key;
  
  instructions for communicating the second temporary key to the secure memory; and
  
  instructions for communicating the second temporary key to the second secure services provider for the second secure services provider to access the secure memory.
- View Dependent Claims (28, 29, 30)
- - 28. The system of claim 27, the computer-exec instructions further comprising instructions for terminating the secure communication channel with the secure memory.
  - 29. The system of claim 27, the computer-executable instructions further comprising instructions for communicating a user device identifier to the second secure services provider, wherein the user device identifier may be used by the second secure services provider to identify the secure memory.
  - 30. The system of claim 27, wherein the secure memory is a secure element and the secure services provider is a trusted service manager.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Jooste, Sarel Kobus, Joseph, John, Farmer, Shane Alexander
Primary Examiner(s)
Song, Hosuk

Application Number

US13/776,660
Publication Number

US 20130223623A1
Time in Patent Office

316 Days
Field of Search

726 1- 7, 726/9, 726 20- 21, 726 27- 30, 380/270, 380/277, 380/281, 380/284, 380/286, 713/155, 713/164, 713168-170, 713/182, 713/185, 713/189, 713193-194
US Class Current

380/277
CPC Class Codes

G06Q 20/027   involving a payment switch ...

G06Q 20/3227   using secure elements embed...

H04L 2463/062   applying encryption of the ...

H04L 63/062   for key distribution, e.g. ...

H04L 9/0822   using key encryption key

H04L 9/0861   Generation of secret inform...

H04L 9/0877   using additional device, e....

H04W 12/04   Key management, e.g. using ...

H04W 12/35   Protecting application or s...

Portable secure element

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

175 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Portable secure element

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

175 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links