SECURE COMMUNICATIONS PROVIDING FORWARD SECRECY

    Publication number: WO2018236908A1

    Publication date: 2018-12-27

    Application number: PCT/US2018/038339

    Filing date: 2018-06-19

    Abstract: Embodiments of the invention can establish secure communications using a single non-traceable request message from a first computer and a single non-traceable response message from a second computer. Non-traceability may be provided through the use of blinding factors. The request and response messages can also include signatures that provide for non-repudiation. In addition, the encryption of the request and response message is not based on the static key pairs, which are used for validation of the signatures. As such, perfect forward secrecy is maintained.

    2. METHODS FOR SECURE CREDENTIAL PROVISIONING
    Invention application
    Status: Under examination - Published

    Publication number: WO2016123264A1

    Publication date: 2016-08-04

    Application number: PCT/US2016/015218

    Filing date: 2016-01-27

    Abstract: Embodiments can provide methods for securely provisioning sensitive credential data, such as a limited use key (LUK) onto a user device. In some embodiments, the credential data can be encrypted using a separate storage protection key and decrypted only at the time of a transaction to generate a cryptogram for the transaction. Thus, end-to-end protection can be provided during the transit and storage of the credential data, limiting the exposure of the credential data only when the credential data is required, thereby reducing the risk of compromise of the credential data.

    3. SYSTEMS AND METHODS FOR SECURE MULTI-PARTY COMMUNICATIONS USING A PROXY
    Invention application
    Status: Under examination - Published

    Publication number: WO2017106793A1

    Publication date: 2017-06-22

    Application number: PCT/US2016/067386

    Filing date: 2016-12-16

    Inventor: LE SAINT, Eric

    CPC classification number: H04L63/0428 H04L9/0841 H04L63/0281 H04L63/06

    Abstract: Embodiments extend protocols for secure communication between two parties to allow a party to securely communicate with multiple parties using a single message. For example, the sending party can determine a unique shared secret for each recipient and encrypt data for a recipient using a session key generated from the corresponding shared secret. The encrypted data can be combined into a single message, and each recipient can decrypt only the subset of the message that it is authorized to.

    4. MUTUAL AUTHENTICATION OF CONFIDENTIAL COMMUNICATION
    Invention application
    Status: Under examination - Published

    Publication number: WO2017004470A1

    Publication date: 2017-01-05

    Application number: PCT/US2016/040590

    Filing date: 2016-06-30

    Inventor: LE SAINT, Eric

    Abstract: Embodiments of the invention relate to systems and methods for confidential mutual authentication. A first computer may blind its public key using a blinding factor. The first computer may generate a shared secret using its private key, the blinding factor, and a public key of a second computer. The first computer may encrypt the blinding factor and a certificate including its public key using the shared secret. The first computer may send its blinded public key, the encrypted blinding factor, and the encrypted certificate to the second computer. The second computer may generate the same shared secret using its private key and the blinded public key of the first computer. The second computer may authenticate the first computer by verifying its blinded public key using the blinding factor and the certificate of the first computer. The first computer authenticates the second computer similarly.

    5. CONFIDENTIAL COMMUNICATION MANAGEMENT
    Invention application
    Status: Under examination - Published

    Publication number: WO2016131056A1

    Publication date: 2016-08-18

    Application number: PCT/US2016/018106

    Filing date: 2016-02-16

    CPC classification number: H04L9/0844

    Abstract: Systems and methods are provided for confidential communication management. For instance, a server computer can include a protected server key identifier in a response message to a client computer. The protected server key identifier can include a server key identifier that identifies a server private key used to encrypt the response message. The client computer can pass the protected server key back in a subsequent request, so that the server computer can identify the proper server private key to use for decrypting the request message. In another example, a message may include encrypted protocol data (e.g., cipher suite) and separately encrypted payload data. The encrypted payload data can include a plurality of individually encrypted payload data elements.

    6. TECHNIQUES FOR SECURE DATA EXCHANGES
    Invention application

    Publication number: WO2021022221A1

    Publication date: 2021-02-04

    Application number: PCT/US2020/044631

    Filing date: 2020-07-31

    Abstract: Systems and methods are disclosed for performing a secure exchange of encryption keys (e.g., public keys) between two devices. One or more initialization keys are stored at both devices. In some embodiments, at least one device (e.g., a reader device) stores the initialization key(s) (e.g., a symmetric key, an asymmetric key pair) in local memory as part of performance of a manufacturing process for the device. The second device (e.g., a thin client device) may receive the initialization key(s) from an acceptance cloud (e.g., a server computer configured to perform terminal processing). The initialization key(s) are utilized to perform a secure exchange of the devices' respective public keys. Once these public keys are exchanged, the devices may proceed to establishing a secure connection with which subsequent operations may be performed.

    7. CONSENSUS-BASED ONLINE AUTHENTICATION
    Invention application

    Publication number: WO2019190522A1

    Publication date: 2019-10-03

    Application number: PCT/US2018/025089

    Filing date: 2018-03-29

    Abstract: Methods and systems for consensus-based online authentication are provided. An encryption device may be authenticated based on an authentication cryptogram generated by the encryption device. The encryption device may transmit a request for security assessment to one or more support devices. The support devices may individually assess the encryption device, other security devices, and contextual information. The support devices may choose to participate in a multi-party computation with the encryption device based on the security assessments. Support devices that choose to participate may transmit one or more secret shares or partial computations to the encryption device. The encryption device may use the secret shares or partial computations to generate an authentication cryptogram. The authentication cryptogram may be transmitted to a decryption device, which may decrypt the authentication cryptogram, evaluate its contents, and authenticate the encryption device based on its contents.

    8. CONFIDENTIAL AUTHENTICATION AND PROVISIONING
    Invention application
    Status: Under examination - Published

    Publication number: WO2017004466A1

    Publication date: 2017-01-05

    Application number: PCT/US2016/040586

    Filing date: 2016-06-30

    Abstract: Some embodiments provide systems and methods for confidentially and securely provisioning data to an authenticated user device. A user device may register an authentication public key with an authentication server. The authentication public key may be signed by an attestation private key maintained by the user device. Once the user device is registered, a provisioning server may send an authentication request message including a challenge to the user device. The user device may sign the challenge using an authentication private key corresponding to the registered authentication public key, and may return the signed challenge to the provisioning server. In response, the provisioning server may provide provisioning data to the user device. The registration, authentication, and provisioning process may use public key cryptography while maintaining confidentiality of the user device, the provisioning server, and the authentication server.

    9. EFFICIENT METHODS FOR PROTECTING IDENTITY IN AUTHENTICATED TRANSMISSIONS
    Invention application
    Status: Under examination - Published

    Publication number: WO2015106248A1

    Publication date: 2015-07-16

    Application number: PCT/US2015/011153

    Filing date: 2015-01-13

    Inventor: LE SAINT, Eric

    Abstract: Systems and methods are provided for protecting identity in an authenticated data transmission. For example, a contactless transaction between a portable user device and an access device may be conducted without exposing the portable user device's public key in cleartext. In one embodiment, an access device may send an access device public key to a portable user device. The user device may return a blinded user device public key and encrypted user device data. The access device may determine a shared secret using the blinded user device public key and an access device private key. The access device may then decrypt the encrypted user device data using the shared secret.

    10. COLLABORATIVE RISK AWARE AUTHENTICATION
    Invention application

    Publication number: WO2020101787A1

    Publication date: 2020-05-22

    Application number: PCT/US2019/048991

    Filing date: 2019-08-30

    Abstract: An initiator device can broadcast a witness request to one or more authentication devices. The one or more authentication devices can then determine an assurance level from a range of assurance levels and determine a token share corresponding to the assurance level. The initiator device can then receive, from the one or more authentication devices, at least one witness response comprising the token share corresponding to the assurance level. The initiator device can generate an authentication token using a set of token shares. The initiator device can then transmit the authentication token to an authentication server, wherein the authentication server verifies the authentication token.
