Limited-use keys and cryptograms

US 11,164,176 B2
Filed: 12/19/2014
Issued: 11/02/2021
Est. Priority Date: 12/19/2013
Status: Active Grant

First Claim

Patent Images

1. A method for enhancing security of a communication device when conducting a transaction using the communication device, the method comprising:

encrypting, by a computer system, account information with a first encryption key to generate a second encryption key;

encrypting, by the computer system, key index information using the second encryption key to generate a limited-use key (LUK), wherein the key index information includes a key index having a counter value indicating a number of times that the LUK has been renewed in a predetermined time period, and time information indicating when the LUK is generated, and wherein the LUK is associated with a set of one or more limited-use thresholds that limits usage of the LUK; and

providing, by the computer system, the LUK and the key index to the communication device via an application platform computer;

receiving, by the computer system, the key index information and a transaction cryptogram generated by the communication device, the transaction cryptogram including transaction data encrypted by the LUK;

verifying, by the computer system, that the transaction cryptogram was encrypted using the LUK, and that the LUK has not exceeded the one or more limited-use thresholds, wherein verifying that the transaction cryptogram was encrypted using the LUK includes;

regenerating the transaction cryptogram using the received key index information; and

based on the verifying, authorizing the transaction.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for enhancing the security of a communication device when conducting a transaction using the communication device may include encrypting account information with a first encryption key to generate a second encryption key, and encrypting key index information using the second key to generate a limited-use key (LUK). The key index information may include a key index having information pertaining to generation of the LUK. The LUK and the key index can be provided to the communication device to facilitate generation of a transaction cryptogram for a transaction conducted using the communication device, and the transaction can be authorized based on the transaction cryptogram generated from the LUK.

Citations

24 Claims

1. A method for enhancing security of a communication device when conducting a transaction using the communication device, the method comprising:
- encrypting, by a computer system, account information with a first encryption key to generate a second encryption key;
  
  encrypting, by the computer system, key index information using the second encryption key to generate a limited-use key (LUK), wherein the key index information includes a key index having a counter value indicating a number of times that the LUK has been renewed in a predetermined time period, and time information indicating when the LUK is generated, and wherein the LUK is associated with a set of one or more limited-use thresholds that limits usage of the LUK; and
  
  providing, by the computer system, the LUK and the key index to the communication device via an application platform computer;
  
  receiving, by the computer system, the key index information and a transaction cryptogram generated by the communication device, the transaction cryptogram including transaction data encrypted by the LUK;
  
  verifying, by the computer system, that the transaction cryptogram was encrypted using the LUK, and that the LUK has not exceeded the one or more limited-use thresholds, wherein verifying that the transaction cryptogram was encrypted using the LUK includes;
  
  regenerating the transaction cryptogram using the received key index information; and
  
  based on the verifying, authorizing the transaction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein verifying that the transaction cryptogram was encrypted using the LUK includes:
    - comparing a result of the regenerating to the received transaction cryptogram.
  - 3. The method of claim 1, wherein the transaction is conducted without using a secure element.
  - 4. The method of claim 1, wherein the set of one or more limited-use thresholds limits the number of transactions that can be conducted using the LUK.
  - 5. The method of claim 1, wherein the account information includes a token that is a substitute for an account identifier.
  - 6. The method of claim 1, wherein the first encryption key is a master derivation key associated with an issuer of an account associated with the account information.
  - 7. The method of claim 6, wherein the second encryption key is a unique derivation key for the account.
  - 8. The method of claim 1, wherein encrypting the account information with the first encryption key to generate the second encryption key includes:
    - encrypting the account information using the first encryption key to generate a first portion of the second encryption key;
      
      inverting the account information; and
      
      encrypting the inverted account information using the first encryption key to generate a second portion of the second encryption key.
  - 9. The method of claim 1, wherein encrypting the key index information using the second encryption key to generate the LUK includes:
    - padding the key index with a first value to generate a first padded key index information;
      
      encrypting the first padded key index information to generate a first portion of the LUK;
      
      padding the key index with a second value to generate a second padded key index information; and
      
      encrypting the second padded key index information to generate a second portion of the LUK.
  - 10. The method of claim 1, wherein the transaction cryptogram is generated by:
    - enciphering transaction information using a first portion of the LUK;
      
      deciphering the enciphered transaction information using a second portion of the LUK; and
      
      re-enciphering the deciphered transaction information using the first portion of the LUK.
  - 11. The method of claim 1, wherein the transaction cryptogram is generated by:
    - encrypting a predetermined numeric string using the LUK; and
      
      decimalizing the encrypted predetermined numeric string.
  - 12. The method of claim 11, wherein decimalizing the encrypted predetermined numeric string includes:
    - extracting numeric digits from the encrypted predetermined numeric string to form a first data block;
      
      extracting hexadecimal digits from the encrypted predetermined numeric string and converting each extracted hexadecimal digit into a numeric digit to form a second data block; and
      
      concatenating the first data block and the second data block.

13. A computer system for enhancing security of a communication device when conducting transactions using the communication device, the computer system comprising:
- one or more processors; and
  
  one or more memories storing computer-readable code, which when executed by the one or more processors, causes the computer system to perform operations including;
  
  encrypting account information with a first encryption key to generate a second encryption key;
  
  encrypting key index information using the second encryption key to generate a limited-use key (LUK), wherein the key index information includes a key index having a counter value indicating a number of times that the LUK has been renewed in a predetermined time period, and time information indicating when the LUK is generated, and wherein the LUK is associated with a set of one or more limited-use thresholds that limits usage of the LUK;
  
  providing the LUK and the key index to the communication device via an application platform computer;
  
  receiving the key index information and a transaction cryptogram generated by the communication device, wherein the transaction cryptogram includes transaction data encrypted by the LUK;
  
  verifying that the transaction cryptogram was encrypted using the LUK, and that the LUK has not exceeded the one or more limited-use thresholds, wherein verifying that the transaction cryptogram was encrypted using the LUK includes;
  
  regenerating the transaction cryptogram using the received key index information; and
  
  based on the verifying, authorizing the transaction.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The computer system of claim 13, wherein verifying that the transaction cryptogram was encrypted using the LUK includes:
    - comparing a result of the regenerating to the received transaction cryptogram.
  - 15. The computer system of claim 13, wherein the transaction is conducted without using a secure element.
  - 16. The computer system of claim 13, wherein the set of one or more limited-use thresholds limits the number of transactions that can be conducted using the LUK.
  - 17. The computer system of claim 13, wherein the account information includes a token that is a substitute for an account identifier.
  - 18. The computer system of claim 13, wherein the first encryption key is a master derivation key associated with an issuer of an account associated with the account information.
  - 19. The computer system of claim 18, wherein the second encryption key is a unique derivation key for the account.
  - 20. The computer system of claim 13, wherein encrypting the account information with the first encryption key to generate the second encryption key includes:
    - encrypting the account information using the first encryption key to generate a first portion of the second encryption key;
      
      inverting the account information; and
      
      encrypting the inverted account information using the first encryption key to generate a second portion of the second encryption key.
  - 21. The computer system of claim 13, wherein encrypting the key index information using the second encryption key to generate the LUK includes:
    - padding the key index with a first value to generate a first padded key index information;
      
      encrypting the first padded key index information to generate a first portion of the LUK;
      
      padding the key index with a second value to generate a second padded key index information; and
      
      encrypting the second padded key index information to generate a second portion of the LUK.
  - 22. The computer system of claim 13, wherein the transaction cryptogram is generated by:
    - enciphering transaction information using a first portion of the LUK;
      
      deciphering the enciphered transaction information using a second portion of the LUK; and
      
      re-enciphering the deciphered transaction information using the first portion of the LUK.
  - 23. The computer system of claim 13, wherein the transaction cryptogram is generated by:
    - encrypting a predetermined numeric string using the LUK; and
      
      decimalizing the encrypted predetermined numeric string.
  - 24. The computer system of claim 23, wherein decimalizing the encrypted predetermined numeric string includes:
    - extracting numeric digits from the encrypted predetermined numeric string to form a first data block;
      
      extracting hexadecimal digits from the encrypted predetermined numeric string and converting each extracted hexadecimal digit into a numeric digit to form a second data block; and
      
      concatenating the first data block and the second data block.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa International Service Association (Visa, Inc.)
Original Assignee
Visa International Service Association (Visa, Inc.)
Inventors
Ngo, Hao, Aabye, Christian, Sheets, John, Makhotin, Oleg
Primary Examiner(s)
Qayyum, Zeshan

Application Number

US14/577,678
Publication Number

US 20150178724A1
Time in Patent Office

2,510 Days
Field of Search

705 71
US Class Current
CPC Class Codes

G06Q 20/322   Aspects of commerce using m...

G06Q 20/326   Payment applications instal...

G06Q 20/327   Short range or proximity pa...

G06Q 20/3672   initialising or reloading t...

G06Q 20/3829   involving key management

G06Q 20/385   using an alias or single-us...

G06Q 20/389   Keeping log of transactions...

G06Q 2220/00   Business processing using c...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 63/0428   wherein the data content is...

H04L 9/0869   involving random numbers or...

Limited-use keys and cryptograms

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Limited-use keys and cryptograms

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links