Systems and methods for data access control of personal user data using a short-range transceiver

US 11,030,339 B1
Filed: 04/30/2020
Issued: 06/08/2021
Est. Priority Date: 04/30/2020
Status: Active Grant

First Claim

Patent Images

1. A data access control system, comprising:

a database storing information comprising a user identifier and a user key associated with a user, and a service provider identifier and a service provider key associated with a service provider;

a server configured for data communication with a client device associated with the service provider via a network;

a contactless card associated with the user, the contactless card comprising a communications interface, a processor, and a memory, the memory storing an applet, a user token, and personal user data associated with the user, wherein the personal user data is encrypted using the user key;

a client application comprising instructions for execution on the client device, the client application configured to;

in response to a tap action between the contactless card and the client device;

receive the user token from the contactless card, and transmit to the server a service provider token, the user token, and a request for a data access key, wherein the service provider token is associated with the service provider;

receive from the server the data access key;

receive from the contactless card the encrypted personal user data; and

using the data access key, decrypt the encrypted personal user data;

and,a processor in data communication with the server and the database, the processor configured to;

receive from the client device the service provider token, the user token, and the request for the data access key;

identify the service provider based on the service provider token;

identify the user based on the user token;

verify that the service provider is authorized to receive access to the personal user data;

retrieving, by the processor, the user key from the database;

generate the data access key from the user key; and

transmit to the client device the data access key.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for controlling data access through the interaction of a short-range transceiver, such as a contactless card, with a client device are presented. An exemplary system and method may include establishing a database storing identifiers and keys for users and service providers, receiving from a client device of the service provider, via a network, a service provider token and a request for a data access key, the request generated in response to a tap action between a contactless card associated with a user and the client device, verifying the service provider is authorized to receive access to personal user data encrypted and stored on the contactless card, generating a data access key based on a user key, and transmitting to the service provider client device, via the network, the data access key, such that the client device may decrypt the personal user data obtained from the contactless card.

1 Citation

19 Claims

1. A data access control system, comprising:
- a database storing information comprising a user identifier and a user key associated with a user, and a service provider identifier and a service provider key associated with a service provider;
  
  a server configured for data communication with a client device associated with the service provider via a network;
  
  a contactless card associated with the user, the contactless card comprising a communications interface, a processor, and a memory, the memory storing an applet, a user token, and personal user data associated with the user, wherein the personal user data is encrypted using the user key;
  
  a client application comprising instructions for execution on the client device, the client application configured to;
  
  in response to a tap action between the contactless card and the client device;
  
  receive the user token from the contactless card, and transmit to the server a service provider token, the user token, and a request for a data access key, wherein the service provider token is associated with the service provider;
  
  receive from the server the data access key;
  
  receive from the contactless card the encrypted personal user data; and
  
  using the data access key, decrypt the encrypted personal user data;
  
  and,a processor in data communication with the server and the database, the processor configured to;
  
  receive from the client device the service provider token, the user token, and the request for the data access key;
  
  identify the service provider based on the service provider token;
  
  identify the user based on the user token;
  
  verify that the service provider is authorized to receive access to the personal user data;
  
  retrieving, by the processor, the user key from the database;
  
  generate the data access key from the user key; and
  
  transmit to the client device the data access key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The data access control system of claim 1, wherein the user token comprises the user key, and the processor is further configured to authenticate the user based on the user key.
  - 3. The data access control system of claim 1, wherein the service provider token comprises the service provider key, and the processor is further configured to authenticate the service provider based on the service provider key.
  - 4. The data access control system of claim 1, wherein:
    - the service provider token comprises the service provider key; and
      
      the data access key is generated from the user key and the service provider key.
  - 5. The data access control system of claim 1, wherein the client application is further configured to display the decrypted personal user data on the client device.
  - 6. The data access control system of claim 5, wherein the client application is further configured to:
    - store the data access key on the client device; and
      
      only display the decrypted personal user data on the client device if the data access key remains stored on the client device.
  - 7. The data access control system of claim 1, wherein:
    - the memory of the contactless card further stores basic user data associated with the user, the basic user data encrypted with a basic service provider key; and
      
      the client application is further configured to;
      
      receive from the contactless card the encrypted basic user data; and
      
      using the basic service provider key, decrypt the encrypted basic user data.
  - 8. The data access control system of claim 7, wherein the client application is further configured to:
    - receive from the server the basic service provider key; and
      
      store the basic service provider key in a memory of the client device.
  - 9. The data access control system of claim 8, wherein:
    - the client application is further configured to transmit to the server a request for the basic service provider key, the request for the basic service provider key being independent of the tap action between the contactless card and the client device; and
      
      the processor is further configured to;
      
      verify that the service provider is authorized to receive the basic service provider key; and
      
      transmit to the client device the basic service provider key.
  - 10. The data access control system of claim 9, wherein the basic service provider key is valid only for a predetermined period of time.

11. A method for controlling data access, comprising:
- establishing a database storing information comprising a user identifier and a user key associated with a user, and a service provider identifier and a first service provider key associated with a service provider;
  
  receiving from a first client device associated with the service provider, via a network, a service provider token and a request for a data access key to access personal user data stored on a contactless card associated with the user, the personal user data encrypted using the user key, the request generated in response to a tap action between the contactless card and the first client device, the request accompanied by a user token stored on the contactless card;
  
  identifying the service provider based on the service provider token;
  
  identifying the user based on the user token;
  
  verifying that the service provider is authorized to receive access to personal user data stored on the contactless card;
  
  retrieving the user key from the database;
  
  generating the data access key based on the user key; and
  
  transmitting to the first client device the data access key.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method of claim 11, wherein the user token includes the user key, the method further comprising authenticating the user based on the user key.
  - 13. The method of claim 11, wherein the service provider token comprises the first service provider key, the method further comprising authenticating the service provider based on the first service provider key.
  - 14. The method of claim 13, wherein the data access key is generated based on the user key and the first service provider key.
  - 15. The method of claim 13, further comprising receiving from a second client device a second service provider key, wherein the data access key is generated based on the user key, the first service provider key and the second service provider key.
  - 16. The method of claim 15, wherein the second service provider key is transmitted by the second client device in response to a tap action between the contactless card and the second client device.
  - 17. The method of claim 11, wherein the database further stores updated personal user data associated with the user, the method further comprising:
    - encrypting the updated personal user data using the user key; and
      
      transmitting to the first client device the encrypted updated personal user data.

18. A method for controlling data access, comprising:
- establishing a database storing information comprising a user identifier and a user key associated with a user, and a service provider identifier and a service provider key associated with a service provider;
  
  providing a contactless card comprising a communications interface, a processor, and a memory, the memory storing an applet and a user token, wherein the communications interface is configured to support at least one of near field communication, Bluetooth, or Wi-Fi, and wherein the contactless card is associated with the user;
  
  providing a client application comprising instructions for execution on a client device associated with the service provider, the client application configured to;
  
  in response to a tap action between the contactless card and the client device;
  
  receive the user token from the contactless card, and transmit via a network, to a server, a service provider token, the user token, and a request for a data access key, wherein the service provider token is associated with the service provider;
  
  receive from the server the data access key and a link to a data repository storing encrypted personal user data associated with the user, wherein the data access key is generated based on the user key;
  
  transmit to the data repository, via the link, a request for the encrypted personal user data;
  
  receive from the data repository the encrypted personal user data; and
  
  using the data access key, decrypt the encrypted personal user data;
  
  receiving from the client device, via the network, a service provider token and the request for the data access key to access the personal user data associated with the user, the request accompanied by the user token;
  
  identifying the service provider based on the service provider token;
  
  identifying the user based on the user token;
  
  verifying that the service provider is authorized to receive access to the personal user data associated with the user;
  
  generating the link to the data repository storing the encrypted personal user data;
  
  retrieving the user key from the database;
  
  generating the data access key based on the user key; and
  
  transmitting to the client device the data access key and the link to the data repository storing the encrypted personal user data.
- View Dependent Claims (19)
- - 19. The method of claim 18, wherein the data access key is generated based on the user key and the service provider key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Capital One Services LLC (Capital One Financial Corporation)
Original Assignee
Capital One Services LLC (Capital One Financial Corporation)
Inventors
Ilincic, Rajko, Rule, Jeffrey
Primary Examiner(s)
Doan, Trang T

Application Number

US16/863,750
Time in Patent Office

404 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/35   communicating wirelessly

G06F 21/44   Program or device authentic...

G06F 21/602   Providing cryptographic fac...

G06F 21/6245   Protecting personal data, e...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 9/0819   Key transport or distributi...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

H04W 12/033   of the user plane, e.g. use...

H04W 12/06   Authentication

H04W 12/08   Access security

Systems and methods for data access control of personal user data using a short-range transceiver

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

1 Citation

19 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for data access control of personal user data using a short-range transceiver

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

1 Citation

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links