Transaction and payment system security remote authentication/validation of transactions from a transaction provider

US 7,693,797 B2
Filed: 06/21/2004
Issued: 04/06/2010
Est. Priority Date: 06/21/2004
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

generating in a remote server and in an at least one local server a list of valid authentication tokens based on secret keys shared between the remote server and the at least one local server and a seed with an authentication algorithm;

requesting, by a mobile terminal, a transaction token from the remote server;

selecting, by the remote server, an authentication token from the list of valid authentication tokens in the remote server;

purchasing, by the mobile terminal, the selected authentication token;

transmitting the purchased authentication token to the mobile terminal;

receiving, by the at least one local server, the purchased authentication token;

comparing by the at least one local server the purchased authentication token to the list of valid authentication tokens in the at least one local server;

authenticating the purchased token by determining, by the local server, that the purchased token matches an authentication token in the list of valid authentication tokens in the at least one local server; and

based on the determination that the received token is valid, accepting, by the at least one local server, the purchased token.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mobile terminal is equipped for SMS payment and service authentication with a remote transaction provider. The remote provider uses common secrets & a seed in a keyed Hash Machine Address Code (HMAC) executing a Message Digest Algorithm to generate a list of authentication token (username-password) for the purchase of services an/or goods. The common secrets and seed are shared with local redemption devices which also generate the list of authentication token. A subscriber conducts payment with the remote transaction provider and receives an authentication token corresponding to the purchased service. The subscriber provides the authentication token to the redemption device which compares the authentication token with sets of valid authentication tokens generated by the redemption terminal. If the comparison indicates a match, the redemption device provides the service to the subscriber.

47 Citations

View as Search Results

53 Claims

1. A method, comprising:
- generating in a remote server and in an at least one local server a list of valid authentication tokens based on secret keys shared between the remote server and the at least one local server and a seed with an authentication algorithm;
  
  requesting, by a mobile terminal, a transaction token from the remote server;
  
  selecting, by the remote server, an authentication token from the list of valid authentication tokens in the remote server;
  
  purchasing, by the mobile terminal, the selected authentication token;
  
  transmitting the purchased authentication token to the mobile terminal;
  
  receiving, by the at least one local server, the purchased authentication token;
  
  comparing by the at least one local server the purchased authentication token to the list of valid authentication tokens in the at least one local server;
  
  authenticating the purchased token by determining, by the local server, that the purchased token matches an authentication token in the list of valid authentication tokens in the at least one local server; and
  
  based on the determination that the received token is valid, accepting, by the at least one local server, the purchased token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 2. The method of claim 1, wherein the list of valid authentication tokens are periodically updated.
  - 3. The method of claim 2, wherein the list of valid tokens are periodically updated by changing at least the seed specify a date and time period for the authentication algorithm.
  - 4. The method of claim 1 further comprising;
    - installing a communication connection between the remote and the at least one local servers which is non-continuous in operation.
  - 5. The method of claim 4, wherein the non-continuous communication connection is used for transferring from the remote server one or more seed updates to the at least one local servers.
  - 6. The method of claim 1, further comprising:
    - requesting, by the local server, mobile user identification information from the mobile terminal in exchange of providing the services and/or good to the mobile terminal.
  - 7. The method of claim 1, wherein the non-continuous communication connection is used for transferring from the at least one local servers to the remote server information relating to authentication token usage.
  - 8. The method of claim 7, wherein the authentication token usage includes at least one of a mobile terminal identification information and mobile terminal user identification information.
  - 9. The method of claim 4, wherein the non-continuous communication connection is secure.
  - 10. The method of claim 1, further comprising:
    - installing the authentication token into an electronic ticket.
  - 11. The method of claim 1, further comprising:
    - authenticating the authentication token using RFID.
  - 12. The method of claim 1, further comprising;
    - generating the list of authentication tokens by recursively applying a keyed HMAC function to the common keys and seed.
  - 13. The method of claim 1, further comprising:
    - modifying the authentication tokens via the seed to be time based.
  - 14. The method of claim 1, further comprising:
    - updating the common secret keys and seed in the remote server and the local server.
  - 15. The method of claim 1, further comprising:
    - using SMS messaging in submitting the request to the remote server.
  - 16. The method of claim 1, further comprising:
    - using short range communication to transfer the authentication token to the local server.
  - 17. The method of claim 1, further comprising:
    - limiting validity of the authentication token to a time period.
  - 18. The method of claim 1, further comprising:
    - tying an accepted authentication token to a MAC hardware address of a requester.
  - 19. The method of claim 17, further comprising:
    - dividing the time period into several sub-timing periods.
  - 20. The method of claim 19, further comprising:
    - assigning separate authentication tokens to each sub-timing period.
  - 21. The method of claim 20, further comprising:
    - calculating the separate authentication token for sub-timing periods based on the order number or the time-period of the sub-timing period.
  - 22. The method of claim 1, wherein the list of valid authentication tokens includes tokens for a current sub-timing period and tokens for a sub-timing period before and a sub-timing period after the current time period to ensure the correct validity period for the token/ticket.
  - 23. The method of claim 1, wherein the seed is assigned a date (d) in the future.
  - 24. The method of claim 23, wherein the seed is further assigned a time period (p).
  - 25. The method of claim 1, wherein the tokens are given out by the remote server in random order for single use.
  - 26. The method of claim 1, wherein the token contains two-4-character hex strings, one as a username and one as a password.
  - 27. The method of claim 1, wherein the local server compares a token to all possible tokens in time period (1) defined by a date (d);
    - a period (p) and (r) a factor providing authentication periods overlap compensating for an assumed synchronization mismatch between the local server and the remote server clocks.

28. A system, comprising:
- a remote server comprising;
  
  a processor; and
  
  a memory comprised of computer readable instructions, when executed by the processor cause the processor to perform the steps of;
  
  generating in the remote server a list of valid authentication tokens based on secret keys and a seed with an authentication algorithm; and
  
  transmitting a purchased authentication token to a mobile terminal;
  
  at least one local server comprising;
  
  a processor; and
  
  a memory comprised of computer readable instructions, when executed by the processor cause the processor to perform the steps of;
  
  generating in the at least one local server a list of valid authentication tokens based on said secret keys shared between the remote server and the at least one local server and said seed with said authentication algorithm;
  
  receiving , by the at least one local server, the purchased authentication token;
  
  comparing by the at least one local server the purchased authentication token to the list of valid authentication tokens in the at least one local server;
  
  authenticating the purchased token by determining, by the local server, that the purchased token matches an authentication token in the list of valid authentication tokens in the at least one local server; and
  
  based on the determination that the received token is valid, accepting, by the at least one local server, the purchased token;
  
  the mobile terminal comprising;
  
  a processor; and
  
  a memory comprised of computer readable instructions, when executed by the processor cause the processor to perform the steps of;
  
  requesting, by the mobile terminal, a transaction token from the remote server; and
  
  purchasing, by the mobile terminal, the selected authentication token.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53)
- - 29. The system of claim 28, wherein the list of valid authentication tokens are periodically updated.
  - 30. The system of claim 29, wherein the list of valid tokens are periodically updated by changing at least the seed specifying a future date for the authentication algorithm.
  - 31. The system of claim 28, further comprising:
    - installing means for installing a communication connection between the remote and the at least one local servers which is non-continuous in operation.
  - 32. The system of claim 31, wherein the non-continuous communication connection is used for transferring from the remote server one or more seed updates to the at least one local servers.
  - 33. The method of claim 28, further comprising:
    - said at least one local server configured to request mobile user identification information from the mobile terminal in exchange of providing the services and/or the goods to the mobile terminal.
  - 34. The system of claim 28, wherein the non-continuous communication connection is used for transferring from the at least one local servers to the remote server information relating to authentication token usage.
  - 35. The system of claim 34, wherein the authentication token usage includes at least one of a mobile terminal identification information and mobile terminal user identification information.
  - 36. The system of claim 31, wherein the non-continuous communication connection is secure.
  - 37. The system of claim 28, wherein the authentication token is installed in a ticket.
  - 38. The system of claim 28, wherein the generating means generates the list of authentication tokens by recursively applying a keyed HMAC function to the common keys and seed.
  - 39. The system of claim 28, further comprising:
    - modifying means modifying the authentication token via the seed to be time based.
  - 40. The system of claim 28, further comprising:
    - updating means updating the common secret keys and seed in the remote server and the local server.
  - 41. The system of claim 28, further comprising:
    - terminal means enabled for submitting the SMS request to the remote server.
  - 42. The system of claim 28, further comprising:
    - terminal means enabled for short range communication to transfer the authentication token to the local server.
  - 43. The system of claim 28, further comprising:
    - limiting means limiting validity of the authentication token to a time period.
  - 44. The system of claim 28, further comprising:
    - tying means tying an accepted authentication token to a MAC hardware address of a requester.
  - 45. The system of claim 43, further comprising:
    - dividing means dividing the time period into several sub-timing periods.
  - 46. The system of claim 45, further comprising:
    - assigning means assigning separate authentication tokens to each sub-timing period.
  - 47. The system of claim 45, further comprising:
    - calculating means calculating the separate authentication token for sub-timing periods based on the order number or the time-period of the sub-timing period.
  - 48. The system of claim 28, wherein the list of valid authentication tokens includes tokens for a current sub-timing period and tokens for a sub-timing period before and a sub-timing period after the current time period to ensure the correct validity period for the token/ticket.
  - 49. The system of claim 28, wherein the seed is assigned a date (d) in the future.
  - 50. The system of claim 49, wherein the seed is further assigned a time period (p).
  - 51. The system of claim 29, wherein the tokens are given out by the remote server in random order for single use.
  - 52. The system of claim 28, wherein the token contains two-4-character hex strings, one as a username an one as a password.
  - 53. The system of claim 28, wherein the local server compares a token to all possible tokens in time period (1) defined by a date (d);
    - a period (p) and (r) a factor providing authentication period over lap compensating for an assumed synchronization mismatch between the local server and the remote server clocks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Corporation
Inventors
Ekberg, Jan-Erik
Primary Examiner(s)
Hewitt, II, Calvin L
Assistant Examiner(s)
Nigh, James D

Application Number

US10/871,051
Publication Number

US 20050283444A1
Time in Patent Office

2,115 Days
Field of Search

705/1, 705 64- 65, 705/67, 705 75- 79
US Class Current

705/67
CPC Class Codes

G06Q 20/02   involving a neutral party, ...

G06Q 20/045   using payment protocols inv...

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/367   involving electronic purses...

G06Q 20/3674   involving authentication

G06Q 20/382   insuring higher security of...

G06Q 20/38215   Use of certificates or encr...

G06Q 20/3823   combining multiple encrypti...

G06Q 20/385   using an alias or single-us...

G06Q 20/40   Authorisation, e.g. identif...

G07F 7/0886   the card reader being porta...

G07F 7/1008   Active credit-cards provide...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 9/32   including means for verifyi...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3242   involving keyed hash functi...

Transaction and payment system security remote authentication/validation of transactions from a transaction provider

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

47 Citations

53 Claims

Specification

Solutions

Use Cases

Quick Links

Transaction and payment system security remote authentication/validation of transactions from a transaction provider

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

53 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links