Methods and systems for secure communications between client applications and secure elements in mobile devices

US 8,904,195 B1
Filed: 08/21/2013
Issued: 12/02/2014
Est. Priority Date: 08/21/2013
Status: Active Grant

First Claim

Patent Images

1. A method for secure communication between a client application on a mobile device and a secure hardware element on the mobile device, comprising:

providing a physical tamper-resistant integrated circuit chip component of the mobile device, the physical tamper-resistant integrated circuit chip component comprising a secure hardware element having a secure element processor coupled to secure element memory;

storing, using the secure element processor, a unique user identifier and a user'"'"'s unique private key on the mobile device only in the secure element memory on the secure hardware element of the mobile device;

storing, using a mobile device processor coupled to mobile device memory, the user'"'"'s unique public key in the mobile device memory on the mobile device;

receiving, using the mobile device processor, entry of the unique user identifier and a request for user access to a client application on the mobile device processor on the mobile device;

encrypting, using the mobile device processor, a client application user access request message consisting at least in part of the entered unique user identifier and a randomly generated session key by the client application on the mobile device processor on the mobile device using the user'"'"'s unique public key stored in the mobile device memory on the mobile device and sending the encrypted request message to the secure element processor on the mobile device;

decrypting, using the secure element processor, the client application user access request message by a secure element application on the secure hardware element on the mobile device with the user'"'"'s unique private key stored on the mobile device only in the secure element memory on the secure hardware element on the mobile device;

comparing, using the secure element processor, the entered unique user identifier retrieved from the decrypted client application user access request message with the unique user identifier stored on the mobile device only in the secure element memory on the secure hardware element on the mobile device;

encrypting, using the secure element processor, a client application user access response message by the secure element application on the secure hardware element of the mobile device with the randomly generated session key retrieved from the decrypted request message and sending the encrypted response message to the client application on the mobile device processor on the mobile device; and

decrypting, using the mobile device processor, the client application user access response message with the randomly generated session key by the client application on the mobile device processor on the mobile device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for secure communication between a client application and a secure element on a mobile device involve, for example, encrypting a request including a randomly generated session key by the client application with a user'"'"'s unique public key and sending the encrypted request to the secure element. The request message is decrypted with a user'"'"'s unique private key on the secure element, a response message is encrypted with the session key retrieved from the decrypted request and sent to the client application, which decrypts the response with the session key.

Citations

24 Claims

1. A method for secure communication between a client application on a mobile device and a secure hardware element on the mobile device, comprising:
- providing a physical tamper-resistant integrated circuit chip component of the mobile device, the physical tamper-resistant integrated circuit chip component comprising a secure hardware element having a secure element processor coupled to secure element memory;
  
  storing, using the secure element processor, a unique user identifier and a user'"'"'s unique private key on the mobile device only in the secure element memory on the secure hardware element of the mobile device;
  
  storing, using a mobile device processor coupled to mobile device memory, the user'"'"'s unique public key in the mobile device memory on the mobile device;
  
  receiving, using the mobile device processor, entry of the unique user identifier and a request for user access to a client application on the mobile device processor on the mobile device;
  
  encrypting, using the mobile device processor, a client application user access request message consisting at least in part of the entered unique user identifier and a randomly generated session key by the client application on the mobile device processor on the mobile device using the user'"'"'s unique public key stored in the mobile device memory on the mobile device and sending the encrypted request message to the secure element processor on the mobile device;
  
  decrypting, using the secure element processor, the client application user access request message by a secure element application on the secure hardware element on the mobile device with the user'"'"'s unique private key stored on the mobile device only in the secure element memory on the secure hardware element on the mobile device;
  
  comparing, using the secure element processor, the entered unique user identifier retrieved from the decrypted client application user access request message with the unique user identifier stored on the mobile device only in the secure element memory on the secure hardware element on the mobile device;
  
  encrypting, using the secure element processor, a client application user access response message by the secure element application on the secure hardware element of the mobile device with the randomly generated session key retrieved from the decrypted request message and sending the encrypted response message to the client application on the mobile device processor on the mobile device; and
  
  decrypting, using the mobile device processor, the client application user access response message with the randomly generated session key by the client application on the mobile device processor on the mobile device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The method of claim 1, wherein encrypting the request message using the user'"'"'s unique public key further comprises encrypting the request message using the user'"'"'s unique public key stored with the client application on the mobile device in advance of the secure communication.
  - 3. The method of claim 1, wherein encrypting and sending the encrypted request message further comprises encrypting and sending a secure authentication request message to the secure element processor on the mobile device.
  - 4. The method of claim 1, wherein encrypting and sending the encrypted request message further comprises encrypting and sending a secure password reset or password change request message to the secure element processor on the mobile device.
  - 5. The method of claim 1, wherein encrypting and sending the encrypted request message further comprises encrypting and sending the encrypted request message in response to receiving entry of a user'"'"'s action by the client application.
  - 6. The method of claim 5, wherein encrypting and sending the encrypted request message in response to receiving entry of the user'"'"'s action further comprises encrypting and sending the encrypted request message in response to receiving entry of a user'"'"'s log-on request by the client application.
  - 7. The method of claim 5, wherein encrypting and sending the encrypted request message in response to receiving entry of the user'"'"'s action further comprises encrypting and sending the encrypted request message in response to receiving entry of the unique user identifier by the client application.
  - 8. The method of claim 1, wherein encrypting and sending the request message consisting at least in part of the randomly generated session key further comprises generating and temporarily storing the randomly generated session key in memory of the mobile device by the client application.
  - 9. The method of claim 8, wherein generating and temporarily storing the randomly generated session key further comprises generating and storing a random 128-bit number for use as the session key in memory of the mobile device by the client application.
  - 10. The method of claim 1, wherein encrypting and sending the request message consisting at least in part of the randomly generated session key further comprises creating the request message consisting at least in part of the randomly generated session key, a request message payload, and a hash of the client application.
  - 11. The method of claim 1, wherein sending the encrypted request message to the secure element processor further comprises sending the encrypted request message by the client application to an applet on the secure element processor.
  - 12. The method of claim 1, wherein decrypting the request message with the user'"'"'s private key further comprises decrypting the request message with the private key of a public-private key pair unique to the user stored on the secure element.
  - 13. The method of claim 1, wherein decrypting the request message with the user'"'"'s private key stored on the secure element further comprises decrypting the request message with the private key that was stored on the secure element using a trusted service manager.
  - 14. The method of claim 13, wherein decrypting the request message with the private key stored on the secure element using the trusted service manager further comprises decrypting the request message with the private key that was stored on the secure element using the trusted service manager as a secure communication hub between the secure element and a financial institution.
  - 15. The method of claim 1, wherein decrypting the request message with the user'"'"'s private key stored on the secure element further comprises decrypting the request message with the user'"'"'s unique private key for the particular user stored on the secure element along with a hash value of the client application binaries and a user'"'"'s identifier.
  - 16. The method of claim 1, wherein decrypting the request message with the user'"'"'s private key stored on the secure element further comprises decrypting the request message with the user'"'"'s private key stored on the secure element by an applet in the secure element.
  - 17. The method of claim 1, wherein encrypting the response message with the randomly generated session key retrieved from the decrypted request message further comprises encrypting the response message with the randomly generated session key by an applet in the secure element.
  - 18. The method of claim 1, wherein encrypting the response message with the randomly generated session key further comprises encrypting the response with a 128-bit randomly generated session key retrieved from the decrypted request message.
  - 19. The method of claim 1, wherein sending the encrypted response message to the client application further comprises sending the encrypted response message to the client application on the mobile device processor by an applet on the secure element.
  - 20. The method of claim 1, wherein decrypting the response message with the randomly generated session key further comprises decrypting the response message with the randomly generated session key temporarily stored by the client application in volatile memory of the mobile device.
  - 21. The method of claim 1, wherein decrypting the response message further comprises decrypting an affirmative response message with the randomly generated session key and allowing a user'"'"'s log-on request based on the affirmative response message.
  - 22. The method of claim 1, wherein decrypting the response message further comprises decrypting a negative response message with the randomly generated session key and denying a user'"'"'s log-on request based on the negative response message.
  - 23. The method of claim 1, further comprising generating and encrypting a close communication command by the client application using the user'"'"'s public key and sending the encrypted command to an applet in the secure element.

24. A system for secure communication between a client application on a mobile device and a secure hardware element on the mobile device, comprising:
- a physical tamper-resistant integrated circuit chip component of the mobile device, the physical tamper-resistant integrated circuit chip component comprising a secure hardware element having a secure element processor coupled to secure element memory, the secure element processor being programmed for;
  
  storing a unique user identifier and a user'"'"'s unique private key on the mobile device only in the secure element memory on the secure hardware element on the mobile device;
  
  a mobile device processor coupled to mobile device memory, the mobile device processor being programmed for;
  
  storing the user'"'"'s unique public key in the mobile device memory on the mobile device;
  
  receiving entry of the unique user identifier and a request for user access to a client application on the mobile device processor on the mobile device;
  
  encrypting a client application user access request message consisting at least in part of the entered unique user identifier and a randomly generated session key by the client application on the mobile device processor on the mobile device using the user'"'"'s unique public key stored in the mobile device memory on the mobile device and sending the encrypted request message to the secure element processor on the mobile device;
  
  the secure element processor being further programmed for;
  
  decrypting the client application user access request message by a secure element application on the secure hardware element on the mobile device with the user'"'"'s unique private key stored on the mobile device only in the secure element memory on the secure hardware element on the mobile device;
  
  comparing the entered unique user identifier retrieved from the decrypted client application user access request message with the unique user identifier stored on the mobile device only in the secure element memory on the secure hardware element on the mobile deviceencrypting a client application user access response message by the secure element application on the secure hardware element of the mobile device with the randomly generated session key retrieved from the decrypted request message and sending the encrypted response message to the client application on the mobile device processor on the mobile device; and
  
  the mobile device processor being further programmed for;
  
  decrypting the client application user access response message with the randomly generated session key by the client application on the mobile device processor on the mobile device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citibank NA (Citigroup Incorporated)
Original Assignee
Citibank NA (Citigroup Incorporated)
Inventors
Rahat, Syed, Browning, Wayne
Primary Examiner(s)
Vaughan, Michael R

Application Number

US13/972,523
Time in Patent Office

468 Days
Field of Search

None
US Class Current

713/194
CPC Class Codes

G06F 21/445   by mutual authentication, e...

G06F 21/606   by securing the transmissio...

G06F 21/86   Secure or tamper-resistant ...

H04L 63/045   wherein the sending and rec...

H04L 63/168   above the transport layer

H04W 12/03   Protecting confidentiality,...

H04W 12/041   Key generation or derivation

Methods and systems for secure communications between client applications and secure elements in mobile devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for secure communications between client applications and secure elements in mobile devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links