Methods for secure cryptogram generation
First Claim
1. A computer-implemented method comprising:
- determining, by a user device, an ephemeral key pair comprising an ephemeral public key and an ephemeral private key;
sending, by the user device, a provisioning request message including the ephemeral public key to a provisioning server computer;
receiving, by the user device, a provisioning response message including encrypted credentials from the provisioning server computer;
determining, by the user device, a response shared secret using the ephemeral private key and a static server public key;
decrypting, by the user device, the encrypted credentials using the response shared secret to determine credentials;
obtaining key derivation parameters from the credentials; and
deriving a first cryptogram key from the response shared secret using the key derivation parameters, the first cryptogram key operable to generate a first cryptogram for use in a first secure communication with a validation server computer.
1 Assignment
0 Petitions
Accused Products
Abstract
Embodiments of the invention introduce efficient methods for securely generating a cryptogram by a user device, and validating the cryptogram by a server computer. In some embodiments, a secure communication can be conducted whereby a user device provides a cryptogram without requiring the user device to persistently store an encryption key or other sensitive data used to generate the cryptogram. For example, the user device and server computer can mutually authenticate and establish a shared secret. Using the shared secret, the server computer can derive a session key and transmit key derivation parameters encrypted using the session key to the user device. The user device can also derive the session key using the shared secret, decrypt the encrypted key derivation parameters, and store the key derivation parameters. Key derivation parameters and the shared secret can be used to generate a single use cryptogram key. The cryptogram key can be used to generate a cryptogram for conducting secure communications.
-
Citations
38 Claims
-
1. A computer-implemented method comprising:
-
determining, by a user device, an ephemeral key pair comprising an ephemeral public key and an ephemeral private key; sending, by the user device, a provisioning request message including the ephemeral public key to a provisioning server computer; receiving, by the user device, a provisioning response message including encrypted credentials from the provisioning server computer; determining, by the user device, a response shared secret using the ephemeral private key and a static server public key; decrypting, by the user device, the encrypted credentials using the response shared secret to determine credentials; obtaining key derivation parameters from the credentials; and deriving a first cryptogram key from the response shared secret using the key derivation parameters, the first cryptogram key operable to generate a first cryptogram for use in a first secure communication with a validation server computer. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
-
-
14. A computer-implemented method comprising:
-
receiving, by a server computer, a provisioning request message including an ephemeral public key from a user device; determining, by the server computer, a request shared secret using the ephemeral public key and a static server private key; generating, by the server computer, a response shared secret using the static server private key and the ephemeral public key; obtaining key derivation parameters for deriving a first cryptogram key from the response shared secret; encrypting, by the server computer, credentials using the response shared secret to determine encrypted response data, the credentials including the key derivation parameters; and sending, by the server computer, to the user device, a provisioning response message including the encrypted response data. - View Dependent Claims (15, 16, 17, 18, 19)
-
-
20. A computer system, comprising:
-
a memory that stores computer-executable instructions; and a processor configured to access the memory and execute the computer-executable instructions to; determine an ephemeral key pair comprising an ephemeral public key and an ephemeral private key; send a provisioning request message including the ephemeral public key to a provisioning server computer; receive a provisioning response message including encrypted credentials from the provisioning server computer; determine a response shared secret using the ephemeral private key and a static server public key; decrypt the encrypted credentials using the response shared secret to determine credentials; obtain key derivation parameters from the credentials; and derive a first cryptogram key from the response shared secret using the key derivation parameters, the first cryptogram key operable to generate a first cryptogram for use in a first secure communication with a validation server computer. - View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
-
-
33. A computer system, comprising:
-
a memory that stores computer-executable instructions; and a processor configured to access the memory and execute the computer- executable instructions to; receive a provisioning request message including an ephemeral public key from a user device; determine a request shared secret using the ephemeral public key and a static server private key; generate a response shared secret using the static server private key and the ephemeral public key; obtain key derivation parameters for deriving a first cryptogram key from the response shared secret; encrypt credentials using the response shared secret to determine encrypted response data, the credentials including the key derivation parameters; and send, to the user device, a provisioning response message including the encrypted response data. - View Dependent Claims (34, 35, 36, 37, 38)
-
Specification