Credential recovery
First Claim
1. A method of credential recovery, comprising the steps of:
authenticating a user with a mobile application on a mobile communication device, by entry of a previously registered passcode;
receiving from the user an identification of a forgotten credential to be recovered using the mobile application;
requesting the identified credential from a mobile application server using the mobile application;
securely establishing a session key between the mobile application and the mobile application server;
recovering from a credential depository the credential in encrypted form, encrypted using an encryption key different from the session key and independent from any information received by the mobile application server from the mobile application;
decrypting the credential using said encryption key, and encrypting the credential using the session key, at the mobile application server;
providing the credential encrypted using the session key to the mobile application;
decrypting the credential encrypted using the session key at the mobile application to form a decrypted credential; and
displaying the decrypted credential to the user from the mobile application;
wherein securely establishing a session key comprises generating the session key, encrypting the session key using one of a public key and a private key corresponding to the public key to form an encrypted session key, sending the encrypted session key, and decrypting the encrypted session key using the other of the public key and the private key corresponding to the public key.
Abstract
In a credential recovery process, a user is authenticated using an application running on a mobile communications device, and requests recovery of a credential. The application generates a session key encrypted with the public key of a gateway, and sends the encrypted key to the gateway. The gateway recovers the credential from a depository, encrypted using a symmetric key shared with the depository. The gateway decrypts the credential and re-encrypts the credential using the session key. Preferably, the decryption and re-encryption is performed within a hardware secure module within the gateway. The re-encrypted credential is sent to the application, which decrypts the credential and outputs it to the user. In this way, the credential is provided securely to the user and may be made available for use immediately, or nearly so.
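The exchange the abstract describes, as an added worked example in Go; this is not code from the patent or its assignee. It uses only the standard library and makes assumptions the page does not specify: AES-256-GCM for both the depository's shared key and the session key, RSA-2048 with OAEP/SHA-256 to wrap the session key under the gateway public key, the credential identifier bound as associated data so a stored ciphertext cannot be served under a different identifier, and the passcode held on the device as a SHA-256 hash compared in constant time (a production app would use a slow KDF). The depository is modelled as an in-memory map inside the gateway, the hardware secure module is not modelled, and the app is assumed to already hold an authentic copy of the gateway public key; how it obtains and verifies that key is outside what the abstract and claims describe. Names such as Gateway, Serve, Enroll and RecoverCredential are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"io"
)

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys are always 32 bytes here; a wrong length is a programming error
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 128-bit block size
	return gcm
}

// seal returns nonce||ciphertext||tag under a fresh random nonce; aad binds the credential id.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		panic(err) // CSPRNG failure: never continue with a predictable nonce
	}
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal and fails if the ciphertext, tag or aad was altered.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Gateway is the mobile application server. depot models the credential depository: ciphertext only,
// under depotKey, which the app never sees. Per the abstract, Serve's crypto would run inside an HSM.
type Gateway struct {
	priv     *rsa.PrivateKey
	depotKey []byte
	depot    map[string][]byte
}

func NewGateway(depotKey []byte) (*Gateway, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Gateway{priv: priv, depotKey: depotKey, depot: map[string][]byte{}}, nil
}

// Enroll places a credential in the depository in encrypted form (registration time).
func (g *Gateway) Enroll(id string, credential []byte) {
	g.depot[id] = seal(g.depotKey, credential, []byte(id))
}

// Serve handles one recovery request: unwrap the app's session key with the gateway private key,
// decrypt the stored credential with depotKey, return it re-encrypted under the session key.
func (g *Gateway) Serve(wrappedKey []byte, id string) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, g.priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	sealed, ok := g.depot[id]
	if !ok {
		return nil, errors.New("unknown credential")
	}
	plain, err := open(g.depotKey, sealed, []byte(id)) // plaintext exists only inside Serve
	if err != nil {
		return nil, err
	}
	return seal(sessionKey, plain, []byte(id)), nil
}

// RecoverCredential is the app side, from passcode entry to the plaintext it would display.
// registeredHash is SHA-256 of the enrolled passcode (a real app would use a slow KDF).
func RecoverCredential(gw *Gateway, registeredHash [32]byte, entered, id string) ([]byte, error) {
	h := sha256.Sum256([]byte(entered))
	if subtle.ConstantTimeCompare(h[:], registeredHash[:]) != 1 { // constant-time compare
		return nil, errors.New("passcode rejected")
	}
	sessionKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &gw.priv.PublicKey, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	encCred, err := gw.Serve(wrapped, id) // only wrapped and id cross the wire to the gateway
	if err != nil {
		return nil, err
	}
	return open(sessionKey, encCred, []byte(id)) // back on the app: decrypt, then display
}
```

Serve is the only place on the server where the plaintext credential exists, which is the boundary the abstract places inside the hardware secure module; because the depository key is an AEAD key, the gateway's open also rejects any modification of the stored ciphertext rather than handing a corrupted credential to the user. A fresh session key is generated for every recovery, so a captured response cannot be decrypted with a key from a later session.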
16 Claims
1. (Reproduced above under First Claim; dependent claims 2 to 8 are not shown on this page.)
9. A method of operating a mobile application to recover a forgotten credential on a mobile communication device, comprising the steps of:
authenticating a user with the mobile application, by entry of a previously registered passcode;
receiving from the user an identification of a forgotten credential to be recovered;
requesting the identified credential from a mobile application server;
securely establishing a session key with the mobile application server;
receiving the credential, encrypted with the session key, from the mobile application server after the mobile application server has received from a credential depository the requested credential in encrypted form, encrypted using an encryption key different from the session key and independent from any information received by the mobile application server from the mobile application, and the mobile application server has decrypted the credential using the encryption key and encrypted the credential using the session key;
decrypting the credential using the session key to form a decrypted credential; and
displaying the decrypted credential to the user;
wherein securely establishing a session key comprises generating the session key, encrypting the session key using one of a public key and a private key corresponding to the public key to form an encrypted session key, sending the encrypted session key, and decrypting the encrypted session key using the other of the public key and the private key corresponding to the public key.
Dependent claims 11 to 13 are not shown on this page.
10. A method comprising:
establishing a secure session, using a session key, with a mobile application on a mobile communication device, after the mobile application has authenticated a user of the mobile communication device;
receiving a request from the mobile application for a forgotten credential identified by the user of the mobile communication device;
transmitting to a credential depository a request to recover the requested credential from a memory in encrypted form, encrypted using an encryption key different from the session key and independent from any information received at the mobile application server from the mobile application;
receiving the requested credential from the credential depository in said encrypted form;
decrypting the credential using the encryption key and encrypting the credential using the session key; and
transmitting the credential encrypted using the session key to the mobile application so that the mobile application can decrypt the encrypted credential using the session key and display the decrypted credential to the user;
wherein securely establishing a session key comprises generating the session key, encrypting the session key using one of a public key and a private key corresponding to the public key to form an encrypted session key, sending the encrypted session key, and decrypting the encrypted session key using the other of the public key and the private key corresponding to the public key.
Dependent claims 14 to 16 are not shown on this page.