AUTHENTICATION METHOD, SYSTEM AND SERVER COMPUTER
Patent abstract:
A system, method, and server computer configured to authenticate a consumer device. The consumer device is authenticated via a mobile gateway using challenge-response authentication. If the consumer device is successfully authenticated, a secure channel is established between the consumer device and a first entity. The secure channel allows secure communication between the consumer device and the first entity.

Publication number: BR112012022921A2
Application number: R112012022921-4
Filing date: 2011-03-31
Publication date: 2021-03-30
Inventors: Christian Aabye; Sasikumar Kannappan
Applicant: Visa International Service Association
Main IPC:
Patent description:
CROSS-REFERENCES TO RELATED APPLICATIONS

The present application is a non-provisional application and claims priority to US Provisional Application No. 61/319,698, filed on March 31, 2010, the entire content of which is incorporated herein by reference for all purposes.

BACKGROUND

The use of mobile devices has increased rapidly in recent years. For example, mobile device users now have the ability to make payments using their mobile phone. While mobile payments provide a convenient tool for a consumer, mobile payments can also pose security concerns. Sensitive information, such as personal consumer information, bank account information, etc., may be prone to interception. In addition, if the mobile device is lost or stolen, such information can be used by an unauthorized user.

In addition, as mobile payment applications evolve, there is a need not only to protect information sent from the mobile device, but also to protect information sent to the mobile device during transmission. For example, when payments are made using a physical card with a built-in chip, the issuer associated with the payment card can update data on the chip during the course of a payment transaction. Chip data can be returned in the payment transaction response, which contains data or authentication scripts to update risk parameters and payment counters in the chip's payment application. These issuer updates require the card to be inserted into a contact point-of-sale terminal. If a mobile device is used as a payment device, it cannot be inserted into a point-of-sale terminal to conduct a contact point-of-sale transaction and receive updates from the issuer. Therefore, there is an additional need for an issuer update solution for mobile devices that are used as payment devices.
Embodiments of the present technology address these and other problems.

BRIEF SUMMARY

Aspects of the embodiments of the present technology are generally related to improved systems and methods for authentication. Such systems and methods improve the security of information transferred to and from a mobile device by authenticating the mobile device via a third-party mobile gateway before information is transmitted.

One embodiment of the technology is directed to an authentication method. The method includes sending a challenge message from a mobile gateway to a consumer device, the challenge message being sent in response to a communication request message, wherein the consumer device is configured for use as a payment device. The method also includes receiving a challenge response message from the consumer device at the mobile gateway in response to the challenge message. The method also includes sending the challenge response message from the mobile gateway to a key management center, wherein the key management center is designed to manage session keys for communication with the consumer device. The key management center checks the challenge response message and allows a communication transaction between a first entity and the consumer device if the challenge response message is valid. The first entity can be, for example, an issuer associated with the consumer device.

Another embodiment of the technology is directed to an authentication method. The method includes receiving a challenge response message at a key management center from a consumer device via a mobile gateway, the challenge response message being received in response to a challenge message sent through the mobile gateway to the consumer device, wherein the consumer device is configured for use as a payment device.
The method also includes determining whether the challenge response message is valid and sending a secure channel response message from the key management center to the consumer device if the challenge response message is valid. The secure channel response message allows communication between the consumer device and a first entity.

Another embodiment of the technology is directed to a system. The system includes a mobile gateway and a key management center. The mobile gateway is configured to send a challenge message to a consumer device and to receive a challenge response message from the consumer device in response to the challenge message, wherein the consumer device is configured for use as a payment device. The key management center is in communication with the mobile gateway and is configured to receive the challenge response message from the mobile gateway, determine whether the challenge response message is valid, and send a secure channel response message to the consumer device if the challenge response message is valid. The secure channel response message allows communication between the consumer device and a first entity.

Another embodiment of the technology is directed to a server computer. The server computer comprises a processor and a computer-readable storage medium having code embodied therein, wherein the code is configured to cause the processor to perform a method. The method includes receiving a challenge response message from a consumer device via a mobile gateway, the challenge response message being received in response to a challenge message sent through the mobile gateway to the consumer device, wherein the consumer device is configured for use as a payment device.
The method further includes determining whether the challenge response message is valid and sending a secure channel response message to the consumer device if the challenge response message is valid. The secure channel response message allows communication between the consumer device and a first entity.

These and other embodiments of the technology are described in further detail below.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a transaction flow diagram within a mobile gateway context.
FIG. 2 illustrates a detailed flow diagram of the functionality of the mobile gateway and the key management center.
FIG. 3 illustrates an example of protocols used for communication.
FIG. 4 represents a block diagram of an example of a consumer device.
FIG. 5 illustrates an exemplary flow diagram for provisioning a consumer device.
FIG. 6 represents an exemplary flow diagram for authentication in a distributed system.
FIG. 7 represents an exemplary flow diagram for authentication in an integrated system.
FIG. 8 illustrates an exemplary flow diagram for establishing a secure session using a new TCP connection.
FIG. 9 illustrates an exemplary flow diagram for establishing a secure session using an existing TCP connection.
FIG. 10 represents an exemplary block diagram of a computer device.

DETAILED DESCRIPTION

Embodiments disclosed here are directed to techniques for authenticating a consumer device in order to create a secure channel for communication between the consumer device and a first entity. The consumer device can be, for example, a mobile phone, which can be configured for use as a payment device associated with a payment processing network. The consumer device can be provisioned with payment-related applications and can be authenticated via a third-party mobile gateway using challenge-response authentication.
As a specific example, when the consumer device requests communication with a particular entity (e.g., an issuing bank) via the application on the consumer device, a communication request is sent to the mobile gateway. In response, the mobile gateway sends a challenge message to the consumer device. The consumer device returns a challenge response message to the mobile gateway via the application on the consumer device. The mobile gateway sends the challenge response to a key management center for validation. The key management center manages session keys for consumer device communications with different entities and can be associated with a payment processing network. The key management center determines whether the challenge response message received is valid. If the challenge response message is valid, a secure channel response message is returned to the mobile gateway and on to the consumer device via the mobile gateway. The secure channel response message includes a session key that allows the consumer device to communicate with the first entity via a secure channel for any of a number of types of communications. For example, if the first entity is the issuing bank associated with the consumer device, the secure channel could be used to send updates from the issuer to the consumer device.

Embodiments of the present technology provide a number of advantages. The mobile gateway architecture provides additional security by authenticating the consumer device before allowing communication. In addition, establishing a secure channel with session keys provides increased protection for the information being transmitted via the channel. Additionally, because the mobile gateway architecture used to create the secure channel is centralized, it provides flexibility for the various entities that may wish to transmit information to and from the consumer device.
Before discussing specific embodiments of the technology, some terms are described to aid understanding of the embodiments.

An "issuer" can be any bank that issues and maintains a consumer's financial bank account. An "acquirer" can be any bank that provides and maintains a financial bank account for a merchant. A "payment processing network" may include data processing subsystems, networks, and operations used to support and deliver authorization services, exception file services, and clearing and settlement services.

An "authorization request message" can be a message that includes information such as, for example, a consumer device form factor or an issuer bank account identifier. An issuer bank account identifier can be an identifier of the payment bank account associated with a payment device (e.g., a consumer device). The authorization request message may request that a payment device issuer authorize a transaction. An authorization request message according to an embodiment of the technology may comply with ISO 8583, which is a standard for systems that exchange electronic transactions made by bank account holders using payment devices.

A "server computer" can be a powerful computer or a cluster of computers. For example, the server computer can be a large mainframe, a cluster of minicomputers, or a group of servers operating as a unit. In one example, the server computer can be a database server coupled with a Web server.

FIG. 1 represents a transaction flow diagram within a mobile gateway context. For simplicity of discussion, only one of each component is shown. It is understood, however, that embodiments of the technology can include more than one of each component. Additionally, some embodiments of the technology may include fewer than all the components shown in Fig. 1. In addition, the components in Fig. 1 can communicate via any suitable means of communication (including the Internet), using any suitable communication protocol.

FIG. 1 represents an example of a system in which a mobile gateway and a key management center can be implemented, and shows a system that can be used in one embodiment of the technology. The system includes an access device 106, such as a contactless point-of-sale (POS) terminal, at a merchant and an acquirer 110 associated with the merchant. In a typical payment transaction, a consumer can purchase goods or services from the merchant via the access device 106 using a consumer mobile device 104. The acquirer 110 can communicate with an issuer 114 via a payment processing network 112. The consumer can be an individual or an organization, such as a company, that is able to buy goods or services.

Consumer device 104 can be in any form suitable for contactless payment. For example, suitable consumer devices can be hand-held and compact so that they can fit in a wallet and/or the consumer's pocket (e.g., pocket-sized). The consumer device 104 typically comprises a processor, a memory, input devices, output devices, and near field communication (NFC) devices, all of which are operatively coupled to the processor. Specific examples of consumer devices may include portable communication devices, such as cellular or wireless phones, tablets, smart phones, personal digital assistants (PDAs), pagers, portable computers, and the like. In some embodiments, consumer device 104 can be associated with multiple financial bank accounts, as well as with different types of payment bank account (e.g., credit, debit, or prepaid). Likewise, it is possible for the consumer to have multiple consumer devices 104 that are associated with the same underlying financial bank accounts.
A payment processing network 112 may include data processing subsystems, networks, and operations used to support and provide authorization services, exception file services, and clearing and settlement services. An exemplary payment processing network may include VisaNet™. Payment processing networks such as VisaNet™ are capable of processing credit card transactions, debit card transactions, and other types of commercial transactions. VisaNet™ in particular includes a Visa Integrated Payments (VIP) system that processes authorization requests and a Base II system that performs clearing and settlement services. In addition, the payment processing network 112 can include a server computer and can use any suitable wired or wireless network, including the Internet.

The merchant may have, or may receive communications from, an access device 106 that can interact with consumer device 104, such as a contactless POS device. The access device 106 according to embodiments of the technology can be in any form suitable for accessing data on a contactless consumer device. Examples of access devices may include POS devices, cellular phones, PDAs, personal computers (PCs), tablet PCs, specialized portable readers, set-top boxes, electronic cash registers, automated teller machines (ATMs), virtual cash registers, kiosks, security systems, access systems, and the like. Access device 106 may include any suitable contact or contactless mode of operation (e.g., radio frequency (RF) antennas, NFC devices, etc.).

In a typical purchase transaction, the consumer purchases a good or service via the merchant's access device 106 using the consumer device 104. The consumer device 104 can interact with an access device 106 such as a contactless POS terminal at the merchant. For example, the consumer can take out a wireless phone and pass it close to a contactless reader at a POS terminal.
An authorization request message is then passed from access device 106 to acquirer 110. After receiving the authorization request message, acquirer 110 sends it to a payment processing network 112. Payment processing network 112 then passes the authorization request message to issuer 114 of consumer device 104. After issuer 114 receives the authorization request message, issuer 114 sends an authorization response message back to the payment processing network 112 to indicate whether or not the current transaction is authorized. The payment processing network 112 then passes the authorization response message back to the acquirer 110. The acquirer 110 then sends the response message back to the merchant. After the merchant receives the authorization response message, the access device 106 at the merchant can provide the authorization response message to the consumer. The response message can be displayed by the access device 106 or printed on a receipt.

At the end of the day, a normal clearing and settlement process can be completed by the payment processing network 112. A clearing process is the process of exchanging financial details between an acquirer and an issuer to facilitate posting to a bank account and the reconciliation of the consumer's settlement position. Clearing and settlement can take place simultaneously. Typically, the merchant sends the clearing information to the acquirer at the end of the day, and the acquirer and issuer can subsequently facilitate the clearing and settlement process.

The mobile gateway 152 and the key management center 150 can be used when over-the-air (OTA) messages need to be sent between consumer device 104 and a first entity.
The mobile gateway 152 provides the communication link to consumer devices over which services may be offered by entities such as issuers, payment processing networks, and other processors. The mobile gateway 152 can facilitate challenge-response authentication of the consumer device 104. If the consumer device 104 is authenticated, the key management center 150 can provide session keys for a secure communication channel. The secure communication channel allows the consumer device 104 to securely access the services provided by the payment processing network 112. More details on the functionality of the mobile gateway 152 and the key management center 150 are provided below.

FIG. 2 illustrates a detailed flow diagram of the functionality of the mobile gateway 152 and the key management center 150. As discussed above, the mobile gateway 152 and the key management center 150 provide security for the services offered to the consumer on the consumer device 104. It should be noted that there may be differences in the architecture of Fig. 2 depending on a variety of factors. For example, there may be differences depending on whether the POS infrastructure is one that works online with the issuer for transaction authorization or one that supports offline-authorized transactions. In addition, it should be noted that while FIG. 2 shows OTA provisioning, other embodiments may use pre-provisioned consumer devices.

A mobile gateway 152 is a platform capable of providing services over a secure channel. The mobile gateway 152 supports contactless mobile payments, such as those shown in Fig. 1, and is built in a way that allows the addition of trusted support services as the need arises.
In order to provide services to a consumer device 104 that securely supports contactless payments, the mobile gateway 152 supports two pairs of request/response messages. The first pair of request/response messages is used to prepare the secure channel. This pair of messages allows the consumer device 104 and the mobile gateway 152 to exchange initial information. The second pair of request/response messages is used to establish the secure channel. This pair of messages allows the consumer device 104 and the mobile gateway 152 to mutually authenticate and allows the consumer device to receive session keys from the mobile gateway 152. Once the secure channel is established, the session keys are used to protect the confidentiality and integrity of messages used by the supported services, as appropriate to the needs of each service.

A transaction flow can be initiated in either a "pull" or a "push" situation. In a "pull" situation, the transaction is initiated by the consumer via interaction with the consumer device application, or by the consumer device itself due to a specific payment application state (e.g., when offline risk management parameters are low). In a "push" situation, the issuer initiates a transaction flow by sending a "push" message to the consumer device 104. However, the basic transaction flow is similar regardless of how it is initiated. That is, a secure channel is first prepared and established, and then a specific service is requested using the established secure channel.

The mobile payment application (MPA) 154 is a payment application that is installed on a secure element (SE) chip within an NFC-enabled consumer device 104. MPA 154 provides the functionality to manage and maintain the consumer's payment information and to support contactless mobile payments.
During the payment transaction, the MPA 154 exchanges data with the access device 106 over the contactless interface to carry out the mobile payment transaction. The entity issuing MPA 154 to consumer device 104 is typically a member of a payment processing network 112. In one embodiment, the entity issuing MPA 154 is issuer 114. MPA 154 also interfaces with the mobile application (MA) 156 on consumer device 104. MA 156 is the consumer device application that provides a user interface for consumer interaction (e.g., to enter and view information). In addition, MA 156 communicates with MPA 154 to store and retrieve information while processing any of a number of services offered to the consumer via consumer device 104 (e.g., issuer update processing). In addition, MA 156 can communicate with the mobile gateway 152 to send and receive OTA messages.

MPA 154 and MA 156 can use data encryption standards such as, for example, RSA with a key of at least 1024 bits, Triple Data Encryption Standard (3DES), 128-bit Advanced Encryption Standard (AES), the RC4 stream cipher using a minimum key length of 128 bits, etc. These encryption standards can be used to create a secure session.

The SE is used by the consumer device 104 to host and store data and applications that require a high degree of security. The SE is provided to the consumer device 104 by the SE issuer 125. The SE issuer 125 is not necessarily a member of a payment processing network 112 or the same entity as the issuer 114 of the payment instrument (for example, MPA 154 on consumer device 104). For example, the SE issuer 125 may be a mobile network operator (MNO). MPA 154 can be installed within the SE to manage and secure payments. The entity issuing the MPA 154 may need a key and/or a token to install and personalize the MPA 154 on the SE. These keys can generally be managed on behalf of the issuer by a personalization bureau or Trusted Service Manager (TSM) 120. That is, these keys can be provided by the SE issuer 125 to TSM 120 (S404).

The TSM 120 offers services to support financial services on mobile devices. The basic features that can be provided by the TSM 120 include the ability to manage SE keys to install and configure MPA 154 over the air. The TSM 120 can also be integrated with issuer systems to activate and personalize the MPA 154 with consumer payment information (S402). Upon receipt of the activation request, the TSM 120 can provision the MA 156 and MPA 154 over the air (S406 and S408). The TSM 120 can also lock or unlock the SE in the consumer device 104 (S410). Once activated, the TSM 120 can send an activation confirmation to the mobile gateway 152 (S412). Additionally, the TSM 120 can provide ongoing SE platform management and support.

Consumer devices 104 that support contactless mobile payments use the EMV contactless communication protocol (EMV-CCP), which is based on ISO 14443, in order to interact with merchant access devices 106. This capability is typically implemented using NFC. The NFC capability in the consumer device 104 could be enabled by a built-in NFC chip or by the addition of a memory card or accessory that contains the NFC chip. In addition, the consumer device 104 typically includes the SE, either embedded in the handset or in the subscriber identity module (SIM). The SE can also be included in an add-on device such as a micro Secure Digital (microSD) card.

As discussed above, the mobile gateway 152 allows consumer devices 104 to access services from the issuer 114 via the payment processing network 112, such as, for example, issuer updates.
The mobile gateway 152 provides a secure channel over which information can be transmitted securely to and from the consumer device 104 over the mobile communication network and the Internet. Mobile gateways 152 can be implemented by issuers, acquirers, third-party service providers, or TSMs 120.

The mobile gateway 152 uses the key management center 150 to set up a mutually authenticated secure channel with an instance of MPA 154 on consumer device 104. As part of this process, encryption keys can be used to allow authentication of MPA 154 to the key management center 150: the instance of MPA 154 is personalized with device-unique keys derived from the issuer's master keys. These master keys are shared between the issuer's personalization host and the key management center 150. These keys may differ from the keys used to authenticate the issuer's chip payment transactions or scripts, and are used for the purpose of establishing the secure channel. The issuer's authorization host does not require any access to these encryption keys to establish the secure channel.

Because the consumer device 104 can access services via the payment processing network 112 using the mobile gateway 152, the payment processing network 112 and the mobile gateway 152 are provisioned such that they can work together. In one embodiment, the payment processing network 112 can provide the mobile gateway 152 with a client certificate that is presented during the establishment of a mutually authenticated Secure Sockets Layer (SSL) channel. The mobile gateway 152 can install and store this certificate in a key store. In addition, a user name and password can be created and provided to the mobile gateway 152 by the payment processing network 112.
This user name and password can be used during message authentication and can be passed as part of web service requests. The payment processing network 112 can also provide the mobile gateway 152 with a client certificate that is presented in the web service request. The key management center 150 can use this client certificate to encrypt specific parts of the web service response for decryption by the mobile gateway 152.

FIG. 3 illustrates an example of protocols used for communication. Consumer device 104 has the ability to establish wireless communication with remote systems. The MA 156 and MPA 154 on the consumer device 104 can use this capability to communicate with the mobile gateway 152. The mobile gateway 152 can support the Transmission Control Protocol (TCP) such that MA 156 can exchange binary messages with the mobile gateway 152. The TCP socket can provide a reliable connection over an underlying Wi-Fi or MNO network. The end point for a TCP socket is defined by an Internet Protocol (IP) address and a logical port number. A message exchange is carried out as a simple byte sequence between the sender and the recipient. The socket connection is established and then used as the transport for the message exchange. The TCP connection can be provided over any data network accessible to the consumer device 104, such as General Packet Radio Service (GPRS) and third-generation (3G) networks for connectivity via MNO 132, or via a Wi-Fi network for connectivity through an alternative service provider on the Internet 130, for example.

FIG. 4 represents a block diagram of an exemplary consumer device 104. The consumer device 104 may comprise a computer-readable medium 104(b) and a body 104(h) as shown in Fig. 4. (FIG. 4 shows a number of components, and consumer devices 104 according to embodiments of the invention may comprise any suitable combination or subset of such components.) Computer-readable medium 104(b) may be present within body 104(h), or may be detachable from it. The body 104(h) can be in the form of a plastic substrate, casing, or other structure. The computer-readable medium 104(b) can be a memory that stores data and can be in any suitable form including a magnetic strip, a memory chip, uniquely derived keys (such as those described above), encryption algorithms, etc. The memory also preferably stores information such as financial information, transit information (e.g., a subway or train ticket), access information (e.g., access badges), etc. Financial information may include information such as bank account information, bank identification number (BIN), debit or credit card number information, bank account balance information, expiration date, consumer information such as name, date of birth, etc. Any of this information can be transmitted by the consumer device 104. In addition, the consumer device 104 can also include the SE 104(j), as described above.

Information in the memory can also be in the form of data tracks that are traditionally associated with credit cards. Such tracks include Track 1 and Track 2. Track 1 ("International Air Transport Association") stores more information than Track 2, and contains the cardholder's name as well as the bank account number and other discretionary data. This track is sometimes used by airlines when securing reservations with a credit card. Track 2 ("American Banking Association") is currently most commonly used. This is the track that is read by ATMs and credit card checkers. The ABA (American Banking Association) has designated the specifications for this track, and all banks worldwide must comply with it. It contains the cardholder's bank account number, encrypted PIN, and other discretionary data.
The consumer device 104 may further include a contactless element 104(g), which is typically implemented in the form of a semiconductor chip (or other data storage element) with an associated wireless transfer element (e.g., data transmission), such as an antenna. Contactless element 104(g) is associated with (e.g., embedded within) the consumer device 104, and data or control instructions transmitted via a cellular network can be applied to the contactless element 104(g) by means of a contactless element interface (not shown). The contactless element interface functions to permit the exchange of data and/or control instructions between the mobile device circuitry (and hence the cellular network) and an optional contactless element 104(g). Contactless element 104(g) is capable of transferring and receiving data using an NFC capability (or NFC medium), typically in accordance with a standardized protocol or data transfer mechanism (e.g., ISO 14443/NFC). NFC capability is a short-range communications capability, such as RFID, Bluetooth™, infrared, or other data transfer capability that can be used to exchange data between consumer device 104 and an interrogation device. Accordingly, the consumer device 104 is capable of communicating and transferring data and/or control instructions via both the cellular network and the short-range communications capability.

Consumer device 104 may also include a processor 104(c) (e.g., a microprocessor) to process the functions of consumer device 104 and a display 104(d) to allow a consumer to see phone numbers and other information and messages. The consumer device 104 may also include input elements 104(e) to allow a consumer to enter information into the device, a speaker 104(f) to allow the consumer to hear voice communication, music, etc., and a microphone 104(i) to allow the consumer to transmit his or her voice through consumer device 104.
Consumer device 104 may also include an antenna 104(a) for wireless data transfer (e.g., data transmission).

FIG. 5 illustrates an exemplary flow diagram for provisioning a consumer device 104. Provisioning of consumer device 104 can be initiated with or without consumer action, based on the requirements of the issuer 114. In step 1 of FIG. 5, consumer 102 can register for the contactless mobile terminal payment service. The issuer 114's system processes this request and takes appropriate action. In step 2, the issuer 114's system sends the activation request to TSM 120 with the appropriate personalization data. In step 3, TSM 120 processes the request from the issuer 114, provisions MPA 154 and MA 156, and personalizes them. In step 4, TSM 120 confirms to the mobile terminal gateway 152 that activation is complete, with all required subscriber information. Updating provisioning-related information and removing instances of MPA 154 and MA 156 can follow the same pattern as the provisioning process.

Mobile terminal gateways 152 can be implemented using two different approaches. A distributed mobile terminal gateway is a mobile terminal gateway in which the key management center 150 is a separate entity from the mobile terminal gateway 152. An integrated mobile terminal gateway is a mobile terminal gateway in which the key management center 150 is integrated with the mobile terminal gateway 152. FIG. 6 represents an example of a distributed mobile terminal gateway. In the distributed approach, the key management center 150 is managed by the payment processing network 112.
Therefore, the key management center 150, in conjunction with the payment processing network 112, provides authentication services for both the mobile terminal gateway 152 and the MPA 154, allowing the MPA 154 to access services from multiple mobile terminal gateways without the issuer 114 having to share encryption keys to create a secure channel with each mobile terminal gateway provider. The encryption keys of issuer 114 are securely stored in the key management center 150 operated by the payment processing network 112.

As shown in FIG. 6, authentication starts when consumer device 104 sends a challenge request message to the mobile terminal gateway 152 (S502). The challenge request message is a message that indicates that the consumer device 104 wishes to communicate with a first entity (e.g., an issuer). The challenge request message may include SE data of consumer device 104. In response, the mobile terminal gateway 152 sends a challenge message to consumer device 104 (S504). The challenge message can include a question for consumer device 104. Consumer device 104 can respond to the challenge message by returning a challenge response message, along with the challenge message, to the mobile terminal gateway 152 (S506). The challenge response message may include a response to the question posed by the challenge message. The mobile terminal gateway 152 sends a web authentication service request message to the key management center 150 over the Internet (S508). The web authentication service request is used to mutually authenticate the mobile terminal gateway 152 with the key management center 150 via two-way SSL. The web authentication service request message may also include the challenge response message and the challenge message received from the consumer device 104. These credentials may be encrypted by the mobile terminal gateway 152 before being sent to the key management center 150.
Additionally, the web authentication service request message may include an identifier of the MPA 154 of consumer device 104 and the client certificate of the mobile terminal gateway 152. In one embodiment, a Simple Object Access Protocol (SOAP) envelope can be used for the web authentication service request message. The key management center 150 will verify that the challenge response message is a valid response to the challenge message. If the credentials of the consumer device have been encrypted by the mobile terminal gateway 152, the key management center 150 will decrypt them before verifying them. The key management center 150 will process the request by sending a web authentication service response message to the mobile terminal gateway 152 upon verification (S510). In one embodiment, the key management center 150 can encrypt the web authentication service response message before sending it to the mobile terminal gateway 152. The web authentication service response message will indicate whether or not the challenge response message is valid. In one embodiment, the web authentication service response message can include an encrypted data XML element using an RSA encryption method, which is used to encrypt the session keys for the secure channel. The mobile terminal gateway 152 will process the response by sending a secure channel response message to the consumer device 104 which indicates whether a secure channel can be established (S512). If the web authentication service response message has been encrypted by the key management center 150, the mobile terminal gateway 152 can decrypt the message before processing the response. The secure channel can be established if the challenge response is valid.
However, if the mobile terminal gateway session is closed before the secure channel is set up, the mobile terminal gateway 152 may not send the response message to consumer device 104. If the mobile terminal gateway session is closed due to an error after the secure channel is set up and the TCP connection is not already closed, the mobile terminal gateway 152 can send a general error response to the consumer device 104 and close the mobile terminal gateway session. The mobile terminal gateway 152 can receive a SOAP message if the key management center 150 encounters errors. If the mobile terminal gateway 152 receives this message, the mobile terminal gateway 152 can record the error information for future auditing and verification purposes.

Communication between the consumer device 104 and the mobile terminal gateway 152 uses TCP socket interaction. After authentication, the consumer device 104 and the mobile terminal gateway 152 must communicate via a secure channel. Communication between the mobile terminal gateway 152 and the consumer device 104 takes place over the Internet. If authentication is successful, the key management center 150 sends session keys to the mobile terminal gateway 152 and to the consumer device 104 via the mobile terminal gateway 152. The session keys are used to establish the secure channel using any encryption techniques, as discussed above. The consumer device 104 can then communicate with the first entity via the mobile terminal gateway 152 through the secure channel. The different types of communication with the first entity will be described in more detail below.

FIG. 7 represents an example of an integrated mobile terminal gateway 151. In an integrated mobile terminal gateway 151, the key management center 150 is tightly integrated with the mobile terminal gateway 152. The consumer device 104 and the integrated mobile terminal gateway 151 communicate using a TCP connection.
This implementation may require an issuer 114 to provide the session keys to the integrated mobile terminal gateway 151. Since an integrated mobile terminal gateway 151 can provide encryption key handling and additional authentication services, the integrated mobile terminal gateway 151 may also require the application of additional physical and logical security requirements. As shown in FIG. 7, and similar to FIG. 6, the challenge request message is sent from the consumer device 104 to the integrated mobile terminal gateway 151 (S602). In response, the integrated mobile terminal gateway 151 returns the challenge message to consumer device 104 (S604). The consumer device returns the challenge response message together with the challenge message to the integrated mobile terminal gateway 151 (S606). The integrated mobile terminal gateway 151 determines whether the challenge response message is valid. The integrated mobile terminal gateway 151 then sends the secure channel response message to the consumer device 104 (S608). The secure channel response message indicates whether the challenge response message was valid.

For both the distributed mobile terminal gateway of FIG. 6 and the integrated mobile terminal gateway of FIG. 7, a secure channel is prepared and established to enable the consumer device 104 to communicate securely with a first entity. The mobile terminal gateway 152 can prepare the secure channel by checking the components of the challenge request message sent from the consumer device 104 to the mobile terminal gateway 152, such as verifying whether the mobile terminal application identifier associated with MPA 154 received in the challenge request message is registered for use with the mobile terminal gateway 152, verifying the key management center identifier extracted from the mobile terminal application identifier, etc.
If the mobile terminal gateway 152 encounters an error, the mobile terminal gateway 152 can close the mobile terminal gateway session. If the challenge request message is valid, the mobile terminal gateway 152 will create a challenge message and send the challenge message to the consumer device 104 (S504 of FIG. 6 and S604 of FIG. 7). If the secure channel is successfully prepared, the secure channel can be established through the mobile terminal gateway 152 and the key management center 150. Consumer device 104 sends a challenge response message to the mobile terminal gateway 152. The mobile terminal gateway 152 will validate the format of the challenge response message received from consumer device 104 (S506 of FIG. 6 and S606 of FIG. 7). If the message format is invalid, the mobile terminal gateway 152 can close the mobile terminal gateway session. If the message format is valid, the key management center 150 can validate the challenge response message from consumer device 104. If the challenge response message is invalid, the mobile terminal gateway 152 can close the mobile terminal gateway session. If the challenge response message is valid, the key management center 150 can derive session keys for the secure channel. The session keys will be sent to the mobile terminal gateway 152 and to the consumer device 104 via a secure channel response message. The session keys sent to the mobile terminal gateway 152 can be encrypted differently from the session keys sent to the consumer device 104. If the mobile terminal gateway 152 experiences an error for which a message format cannot be derived, or if the mobile terminal gateway 152 decides to close the mobile terminal gateway session (e.g., due to session termination), the mobile terminal gateway 152 can return a general error response.

FIG. 8 illustrates an exemplary flow diagram for establishing a secure session using a new TCP connection.
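The distributed flow of FIG. 6 (S502 to S512), together with the registration and format checks and the differently encrypted session keys described above, modelled as a small Python program. This is an added example, not code from the patent or from its applicant: the message layout, the HMAC-based challenge response, the XOR key wrapping and the identifiers mpa-0001 and gw-A are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (label and data never run together)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


def wrap(kek: bytes, challenge: bytes, session_key: bytes) -> bytes:
    """Encrypt a 32-byte session key with a one-time pad derived from the
    recipient's key and the fresh challenge (constructed stand-in for the
    RSA wrapping the text mentions). XOR is its own inverse, so unwrap = wrap."""
    pad = prf(kek, b"wrap", challenge)
    return bytes(a ^ b for a, b in zip(session_key, pad))


unwrap = wrap


class KeyManagementCenter:
    """Holds the issuer's device keys and one key per gateway (S508/S510)."""
    def __init__(self):
        self.device_keys = {}   # MPA identifier -> key shared with that MPA
        self.gateway_keys = {}  # gateway identifier -> key shared with gateway

    def authenticate(self, gateway_id, mpa_id, challenge, response):
        dev_key, gw_key = self.device_keys.get(mpa_id), self.gateway_keys.get(gateway_id)
        if dev_key is None or gw_key is None:
            return None
        if not hmac.compare_digest(prf(dev_key, b"response", challenge), response):
            return None  # challenge response is not valid
        session_key = secrets.token_bytes(32)
        # Same session key, encrypted differently for each recipient (claims 3/14).
        return {"for_gateway": wrap(gw_key, challenge, session_key),
                "for_device": wrap(dev_key, challenge, session_key)}


class MobileGateway:
    """Distributed mobile terminal gateway: relays, never sees a device key."""
    def __init__(self, gateway_id, key, kmc, registered_mpa_ids):
        self.gateway_id, self.key, self.kmc = gateway_id, key, kmc
        self.registered = set(registered_mpa_ids)
        self.pending = {}       # mpa_id -> outstanding challenge (S504 sent)
        self.session_keys = {}  # mpa_id -> key of the established channel

    def on_challenge_request(self, mpa_id):
        """S502 -> S504: only a registered MPA identifier receives a challenge."""
        if mpa_id not in self.registered:
            return None  # gateway session is closed
        self.pending[mpa_id] = secrets.token_bytes(16)
        return self.pending[mpa_id]

    def on_challenge_response(self, mpa_id, challenge, response):
        """S506 -> S512: check the format, ask the KMC, relay the verdict."""
        if self.pending.pop(mpa_id, None) != challenge or len(response) != 32:
            return None  # wrong format or no outstanding challenge: close
        keys = self.kmc.authenticate(self.gateway_id, mpa_id, challenge, response)
        if keys is None:
            return {"secure_channel": False}
        self.session_keys[mpa_id] = unwrap(self.key, challenge, keys["for_gateway"])
        return {"secure_channel": True, "wrapped_key": keys["for_device"]}


class ConsumerDevice:
    def __init__(self, mpa_id, key):
        self.mpa_id, self.key, self.session_key = mpa_id, key, None

    def answer(self, challenge):
        return prf(self.key, b"response", challenge)

    def accept(self, challenge, reply):
        """S512: unwrap the session key from a positive secure channel response."""
        if not reply or not reply["secure_channel"]:
            return False
        self.session_key = unwrap(self.key, challenge, reply["wrapped_key"])
        return True


def run_flow(device_has_right_key=True):
    """Run S502-S512 end to end; return (device key, gateway key) or None."""
    kmc = KeyManagementCenter()
    dev_key, gw_key = secrets.token_bytes(32), secrets.token_bytes(32)
    kmc.device_keys["mpa-0001"], kmc.gateway_keys["gw-A"] = dev_key, gw_key  # constructed ids
    gateway = MobileGateway("gw-A", gw_key, kmc, ["mpa-0001"])
    device = ConsumerDevice("mpa-0001", dev_key if device_has_right_key else secrets.token_bytes(32))
    challenge = gateway.on_challenge_request(device.mpa_id)             # S502/S504
    reply = gateway.on_challenge_response(device.mpa_id, challenge, device.answer(challenge))
    if not device.accept(challenge, reply):
        return None
    return device.session_key, gateway.session_keys[device.mpa_id]
```

With the right device key both ends finish with the same channel key; with a wrong key the KMC rejects the response and no key is released to either side.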
As discussed above, when a consumer device 104 wishes to communicate with a first entity via the mobile terminal gateway 152, consumer device 104 must first establish a secure session. The mobile terminal gateway 152 manages and maintains a session during the setup of the secure channel and also during service invocation by the consumer device 104. The mobile terminal gateway 152 can maintain a secure session using either a resumable session or a non-resumable session. A resumable session can be maintained over multiple TCP connections, while a non-resumable session is restricted to a single TCP connection. Once a mobile terminal gateway session has been established with MPA 154 and MA 156, the mobile terminal gateway 152 can close the mobile terminal gateway session if messages are received out of order. For example, if the challenge response message is received before a challenge request message, the mobile terminal gateway 152 may close the mobile terminal gateway session. Additionally, the mobile terminal gateway session can be closed if the challenge response message is not received within a period of time (e.g., 10 seconds) after the challenge message is sent to the consumer device 104. Typically, the mobile terminal gateway session is closed after the service response is sent via the mobile terminal gateway 152. However, in one embodiment, the consumer device 104 may request that the mobile terminal gateway session be kept active for a subsequent service request. If the mobile terminal gateway session is kept active, it is possible that the TCP connection will drop before the consumer device 104 can send the subsequent service request. If this occurs and the consumer device has requested a resumable session, then the consumer device can open a new TCP socket connection and send the new service request indicating the existing session ID.
If the mobile terminal gateway session was not resumable, then the consumer device needs to repeat the secure channel setup on a new TCP connection before it can send the service request.

In FIG. 8, the mobile terminal gateway 152 determines whether the message format or envelope of a message received via a new TCP connection is valid (S202). If the message envelope is not valid, the mobile terminal gateway 152 will close the TCP connection (S204). If the message envelope is valid, the mobile terminal gateway 152 will check whether the message ID is valid (S206). The message ID is checked to determine what type of message is being sent. The message ID is invalid for a new TCP connection if it identifies a challenge response message sent from the consumer device 104 to the mobile terminal gateway 152, since a challenge response message must be sent via the existing TCP connection that was initiated when the challenge request message was sent to the mobile terminal gateway 152. This ensures that the consumer device 104 is the same device that requested the communication. If the message ID indicates that the message is a challenge response message, the message ID is not valid, and the mobile terminal gateway 152 will close the TCP connection (S208). If the message ID indicates that the message is a service request message (i.e., neither a challenge request message nor a challenge response message), the mobile terminal gateway 152 will check the message ID again to determine that it is a known message ID (S210). If the message ID is unknown, the mobile terminal gateway 152 will close the TCP connection (S212). If the message ID is known, the mobile terminal gateway 152 will check the start indicator field in the message envelope (S214). If the start indicator field indicates that a resumable session cannot be maintained, the mobile terminal gateway 152 will close the TCP connection (S216).
If the start indicator field indicates that a resumable session can be maintained, the mobile terminal gateway 152 will check the session identifier in the message envelope to determine whether it matches the session identifier of an existing mobile terminal gateway session (S218). If there is no match, the mobile terminal gateway 152 will close the TCP connection (S220). If there is a match, the mobile terminal gateway 152 will then check whether the existing mobile terminal gateway session already has an active TCP connection (S222). If there is already an active TCP connection, the mobile terminal gateway 152 will close the new TCP connection (S224). If there is not already an active TCP connection for the existing mobile terminal gateway session, the mobile terminal gateway 152 will attach the new TCP connection to the existing, matching mobile terminal gateway session (S226). At this point, the mobile terminal gateway 152 can proceed with request processing (S228).

If in S206 the message ID indicates that the message is a challenge request message, the mobile terminal gateway 152 will check the value of the start indicator in the message envelope (S230). If the start indicator value indicates a resumable session and the mobile terminal gateway 152 maintains non-resumable sessions, or if the start indicator value indicates a non-resumable session and the mobile terminal gateway 152 maintains resumable sessions, the mobile terminal gateway 152 will close the TCP connection (S244). If the start indicator value indicates a non-resumable session and the mobile terminal gateway can maintain a non-resumable session, a non-resumable session will be created (S232).
If the start indicator value indicates a resumable session and the mobile terminal gateway can maintain a resumable session, a resumable session will be created (S234). Once either a non-resumable session or a resumable session is successfully created, the mobile terminal gateway 152 will check whether the mobile terminal application identifier (i.e., MPA 154) is active in another session (S236). If the mobile terminal application identifier is active in another session, the mobile terminal gateway 152 will check whether the other session is in a channel setup phase (S238). If so, the mobile terminal gateway 152 will close both the new and the existing mobile terminal gateway sessions (S240). If the other session is not in a channel setup phase, the mobile terminal gateway 152 will close the new mobile terminal gateway session (S242). If in S236 the mobile terminal application identifier is not active in another session, the mobile terminal gateway 152 will proceed with request processing (S228).

FIG. 9 represents the session management processing that occurs when subsequent messages are received over the same socket connection. When a new message on an existing TCP connection is received by the mobile terminal gateway 152 (S302), the mobile terminal gateway 152 will determine whether the message format is valid (S304). If the message format is invalid, the mobile terminal gateway 152 will close the mobile terminal gateway session (S306). If the message format is valid, the mobile terminal gateway 152 will determine whether the mobile terminal gateway session is resumable (S308). If the mobile terminal gateway session is resumable, the mobile terminal gateway 152 will check the start indicator in the message to see whether it indicates a resumable session (S310).
If the start indicator does not indicate a resumable session, the mobile terminal gateway 152 will close the mobile terminal gateway session (S312). If the start indicator indicates a resumable session, the mobile terminal gateway 152 will check whether the session identifier in the message matches the session identifier in the session state (S314). If there is no match, the mobile terminal gateway 152 will close the mobile terminal gateway session (S316). If there is a match, the mobile terminal gateway 152 will check the length of the message (S318). If the length of the message is zero, the mobile terminal gateway 152 will close the mobile terminal gateway session (S320). If the message length is greater than zero, the mobile terminal gateway 152 will proceed with the rules related to message processing (S322). If the mobile terminal gateway session is not resumable, the mobile terminal gateway 152 will check the start indicator in the message to see whether it indicates a non-resumable session (S324). If the start indicator does not indicate a non-resumable session, the mobile terminal gateway 152 will close the mobile terminal gateway session (S326). If the start indicator value indicates a non-resumable session, the mobile terminal gateway 152 checks the length of the message (S318). If the message length is zero, the mobile terminal gateway 152 will close the mobile terminal gateway session (S320). If the message length is greater than zero, the mobile terminal gateway 152 will proceed with the rules related to message processing (S322).

Once the secure channel is prepared and successfully established, communication can occur between the consumer device 104 and the first entity. The first entity can be any entity requiring a secure channel for OTA communication with the consumer device 104.
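The decision flows of FIG. 8 (message on a new TCP connection) and FIG. 9 (further message on an existing connection), written out as an added Python example that is not code from the patent: the envelope field names, the set of known message IDs, the session bookkeeping and the return strings are assumptions, and each return value starts with the step label of the flow it corresponds to.

```python
from dataclasses import dataclass, field

CHALLENGE_REQUEST, CHALLENGE_RESPONSE = "CHALLENGE_REQUEST", "CHALLENGE_RESPONSE"
RESUMABLE, NON_RESUMABLE = "RESUMABLE", "NON_RESUMABLE"
# Constructed set of message IDs this gateway understands (checked in S210).
KNOWN_MESSAGE_IDS = {CHALLENGE_REQUEST, CHALLENGE_RESPONSE, "SERVICE_REQUEST"}


@dataclass
class Envelope:
    """Envelope fields the two flows inspect (assumed names)."""
    valid_format: bool
    message_id: str
    start_indicator: str
    session_id: str = ""
    mpa_id: str = ""     # mobile terminal application identifier (MPA 154)
    length: int = 1


@dataclass
class Session:
    session_id: str
    mpa_id: str
    resumable: bool
    in_channel_setup: bool = True   # until the secure channel is established
    has_active_tcp: bool = True


@dataclass
class GatewaySessionManager:
    supports_resumable: bool        # kind of session this gateway maintains
    sessions: dict = field(default_factory=dict)
    counter: int = 0

    def _close(self, sess, outcome):
        self.sessions.pop(sess.session_id, None)
        return outcome

    def on_new_connection(self, env: Envelope) -> str:
        """FIG. 8: first message arriving on a brand-new TCP connection."""
        if not env.valid_format:                                   # S202
            return "S204 close TCP: invalid envelope"
        if env.message_id == CHALLENGE_RESPONSE:                   # S206
            return "S208 close TCP: challenge response needs the original connection"
        if env.message_id != CHALLENGE_REQUEST:       # service request path
            if env.message_id not in KNOWN_MESSAGE_IDS:            # S210
                return "S212 close TCP: unknown message ID"
            if env.start_indicator != RESUMABLE:                   # S214
                return "S216 close TCP: session not resumable"
            sess = self.sessions.get(env.session_id)               # S218
            if sess is None:
                return "S220 close TCP: no matching session"
            if sess.has_active_tcp:                                # S222
                return "S224 close new TCP: session already has a connection"
            sess.has_active_tcp = True
            return "S226 attach connection; S228 process request"
        wants_resumable = env.start_indicator == RESUMABLE        # S230
        if wants_resumable != self.supports_resumable:
            return "S244 close TCP: start indicator conflicts with gateway mode"
        self.counter += 1                                          # S232 / S234
        sess = Session(f"sess-{self.counter}", env.mpa_id, wants_resumable)
        self.sessions[sess.session_id] = sess
        other = next((s for s in self.sessions.values()            # S236
                      if s.mpa_id == env.mpa_id and s is not sess), None)
        if other is not None:
            if other.in_channel_setup:                             # S238
                self._close(other, None)
                return self._close(sess, "S240 close new and existing sessions")
            return self._close(sess, "S242 close new session")
        return "S228 process request"

    def on_existing_connection(self, sess: Session, env: Envelope) -> str:
        """FIG. 9: a further message on the connection already bound to sess."""
        if not env.valid_format:                                   # S304
            return self._close(sess, "S306 close session: invalid format")
        if sess.resumable:                                         # S308
            if env.start_indicator != RESUMABLE:                   # S310
                return self._close(sess, "S312 close session: indicator mismatch")
            if env.session_id != sess.session_id:                  # S314
                return self._close(sess, "S316 close session: session ID mismatch")
        elif env.start_indicator != NON_RESUMABLE:                 # S324
            return self._close(sess, "S326 close session: indicator mismatch")
        if env.length == 0:                                        # S318
            return self._close(sess, "S320 close session: empty message")
        return "S322 process message"
```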
After the successful establishment of a secure channel, consumer device 104 can construct a message containing SE chip data for the first entity and send the message to the mobile terminal gateway 152. The mobile terminal gateway 152 can then build and forward the appropriate request to the first entity. The mobile terminal gateway 152 may need to construct the request message in a form that the first entity can understand. When the mobile terminal gateway 152 receives a response from the first entity, the mobile terminal gateway 152 can translate the response from the first entity into an OTA message to be returned to the consumer device 104.

In one embodiment, the first entity is an issuer 114. Issuer 114 may wish to control and/or update MPA 154 on consumer device 104. For example, issuer 114 may wish to update MPA 154 with additional information associated with the consumer's payment bank account. For example, consumer device 104 may request an update to MPA 154 when offline risk counters and indicators in MA 156 have reached certain limits, such that MA 156 triggers a mobile terminal update request, when an issuer sends a "talk to me" push notification, etc. For issuer updates, the mobile terminal gateway 152 is used to establish the secure connection between MPA 154 and the associated issuer 114 in order to allow delivery of the updates. Updates can also include, but are not limited to, card parameter updates, blocking or unblocking the MPA 154, disabling payment capabilities, unlocking or changing the access code for the MPA 154, resetting the access code to a default access code, etc.

In addition to the ability to control and/or update MPA 154, the issuer may provide additional features for value added services. Issuer 114 may allow the consumer to inquire about one or more of their balances, and the issuer 114 can provide the one or more balances to the consumer device 104 over the secure channel.
Issuer 114 can provide a message indicating a top-up, i.e., adding additional monetary funds to a prepaid payment bank account associated with consumer device 104, over the secure channel using a funding bank account linked to the prepaid payment bank account. Issuer 114 can also process a request and provide a dynamic card verification value 2 (CVV2) for use in card-not-present (CNP) transactions.

The various participants and elements, such as, for example, the mobile terminal gateway or the key management center, described here with reference to the figures, can operate one or more computer devices to facilitate the functions described here. Any of the elements in the figures, including any servers or databases, can use any suitable number of subsystems to facilitate the functions described here. Examples of such subsystems or components are shown in FIG. 10. The subsystems shown in FIG. 10 are interconnected via a system bus 475. Additional subsystems such as a printer 474, keyboard 478, fixed disk 479 (or other memory comprising computer readable media), monitor 476, which is coupled to the display adapter 482, and others are shown. Peripherals and input/output (I/O) devices, which couple to the I/O controller 471 (which can be a processor or other suitable controller), can be connected to the computer system by any number of means known in the art, such as serial port 477. For example, serial port 477 or external interface 481 can be used to connect the computer device to a wide area network such as the Internet, a mouse input device, or a scanner. The interconnection via the system bus allows the central processor 473 to communicate with each subsystem and to control the execution of instructions from the system memory 472 or the fixed disk 479, as well as the exchange of information between subsystems.
System memory 472 and/or fixed disk 479 may comprise a computer readable medium.

Embodiments of the invention are not limited to the embodiments described above. For example, although separate functional blocks are shown for an issuer, payment processing network, and acquirer, some entities carry out all of these functions and can be included in embodiments of the invention. In addition, additional embodiments of the invention can be directed to methods and systems involving e-merchants, and their access devices, as well as issuers. For example, other embodiments may include the following additional embodiments.

An embodiment can be directed to communications between the consumer device and the issuer, wherein the consumer device can request a balance inquiry and the issuer can return a bank account balance in response through the secure channel.

An embodiment can be directed to the mobile terminal gateway closing the secure session if any of a number of errors occur. For example, the secure session of the mobile terminal gateway can be closed if the message format is inappropriate, if the messages received at the mobile terminal gateway are out of order, if the start indicator is invalid, etc.

Specific details concerning some of the aspects described above are provided above. The specific details of the specific aspects can be combined in any appropriate manner without departing from the spirit and scope of embodiments of the invention. For example, back-end processing, data analysis, data collection, and other transactions can all be combined in some embodiments of the invention. However, other embodiments of the invention can be directed to specific embodiments relating to each individual aspect, or specific combinations of these individual aspects.
It should be understood that the present invention as described above can be implemented in the form of control logic using computer software (stored on a tangible physical medium) in a modular or integrated manner. Based on the disclosure and teachings provided here, a person of ordinary skill in the art will know and appreciate other ways and/or methods to implement the present invention using hardware and a combination of hardware and software. Any of the software components or functions described in this application can be implemented as software code to be executed by a processor using any suitable computer language such as, for example, Java, C++ or Perl using, for example, conventional or object-oriented techniques. The software code can be stored as a series of instructions or commands on a computer readable medium, such as a random access memory (RAM), a read only memory (ROM), a magnetic medium such as a hard disk or a floppy disk, or an optical medium such as a CD-ROM. Any such computer readable medium may reside on or within a single computing device, and may be present on or within different computing devices within a system or network.

The above description is illustrative and is not restrictive. Many variations of the invention will become apparent to those skilled in the art upon reviewing the disclosure. The scope of the invention should therefore be determined not with reference to the above description, but should instead be determined with reference to the appended claims, together with their full scope or equivalents. One or more features of any embodiment can be combined with one or more features of any other embodiment without departing from the scope of the invention. A recitation of "a", "an", "the", or "one" is intended to mean "one or more" unless specifically stated to the contrary.
All patents, patent applications, publications, and descriptions mentioned above are hereby incorporated by reference in their entirety for all purposes. None is admitted to be prior art.
Claims:
Claims (20)

1. Authentication method, characterized by the fact that it comprises: sending a challenge message from a mobile terminal gateway to a consumer device, the challenge message being sent in response to a challenge request message from the consumer device, wherein the consumer device is configured for use as a payment device; receiving a challenge response message from the consumer device at the mobile terminal gateway in response to the challenge message; and sending the challenge response message from the mobile terminal gateway to a key management center, wherein the key management center is configured to manage session keys for communication with the consumer device, and wherein the key management center verifies the challenge response message and allows a communication transaction between a first entity and the consumer device if the challenge response message is valid.

2. Method according to claim 1, characterized by the fact that the key management center sends a session key to the mobile terminal gateway and to the consumer device, the session key allowing communication between the first entity and the consumer device.

3. Method according to claim 2, characterized by the fact that the session key sent to the mobile terminal gateway is encrypted differently from the session key sent to the consumer device.

4. Method according to claim 1, characterized by the fact that the first entity is an issuer associated with the consumer device.

5. Method according to claim 4, characterized by the fact that the communication transaction between the first entity and the consumer device includes updates from the issuer to the consumer device.

6. Method according to claim 5, characterized by the fact that the issuer's updates include updating parameters for the consumer device, blocking a payment application on the consumer device, unblocking the payment application, disabling payment, unlocking an access code on the consumer device, changing the access code on the consumer device, or setting the access code to a default access code.

7. Method according to claim 4, characterized by the fact that the consumer device is associated with a prepaid payment bank account and wherein the communication transaction between the first entity and the consumer device includes adding monetary funds to the prepaid payment bank account using a funding bank account associated with the prepaid payment bank account.

8. Authentication method, characterized by the fact that it comprises: receiving a challenge response message at a key management center from a consumer device via a mobile terminal gateway, the challenge response message being received in response to a challenge message sent through the mobile terminal gateway to the consumer device, wherein the consumer device is configured for use as a payment device; determining whether the challenge response message is valid; and sending a secure channel response message from the key management center to the consumer device if the challenge response message is valid, the secure channel response message allowing communication between the consumer device and a first entity.

9. Method according to claim 8, further characterized by the fact that it comprises sending a session key to the mobile terminal gateway and to the consumer device, the session key allowing communication between the first entity and the consumer device.

10. Method according to claim 8, characterized by the fact that the first entity is an issuer associated with the consumer device, the communication between the first entity and the consumer device including updates from the issuer to the consumer device.

11. Method according to claim 8, characterized by the fact that the consumer device is associated with a prepaid payment bank account and wherein the communication between the first entity and the consumer device includes adding monetary funds to the prepaid payment bank account using a funding bank account associated with the prepaid payment bank account.

12. System, characterized by the fact that it comprises: a mobile terminal gateway, the mobile terminal gateway being configured to send a challenge message to a consumer device and to receive a challenge response message from the consumer device in response to the challenge message, wherein the consumer device is configured for use as a payment device; and a key management center in communication with the mobile terminal gateway, the key management center being configured to receive the challenge response message from the mobile terminal gateway, to determine whether the challenge response message is valid, and to send a secure channel response message to the consumer device if the challenge response message is valid, the secure channel response message allowing communication between the consumer device and a first entity.

13. System according to claim 12, characterized by the fact that the key management center manages session keys to create secure channels.

14. System according to claim 12, characterized by the fact that the key management center sends a session key to the mobile terminal gateway and to the consumer device, the session key sent to the mobile terminal gateway being encrypted differently from the session key sent to the consumer device.

15. System according to claim 12, characterized by the fact that the first entity is an issuer associated with the consumer device and wherein the communication between the consumer device and the first entity includes updating parameters for the consumer device, blocking a payment application on the consumer device, unblocking the payment application, disabling payment, unlocking an access code on the consumer device, changing the access code on the consumer device, or setting the access code to a default access code.

16. Server computer, characterized by the fact that it comprises: a processor; and a computer-readable storage medium having code embedded therein, the code being configured to cause the processor to perform a method comprising: receiving a challenge response message from a consumer device via a mobile terminal gateway, the challenge response message being received in response to a challenge message sent by the mobile terminal gateway to the consumer device, wherein the consumer device is configured for use as a payment device; determining whether the challenge response message is valid; and sending a secure channel response message to the consumer device if the challenge response message is valid, the secure channel response message allowing communication between the consumer device and a first entity.

17. Server computer according to claim 16, characterized by the fact that the code is further configured to cause the processor to perform the step of sending a session key to the mobile terminal gateway and to the consumer device, the session key allowing communication between the first entity and the consumer device.

18. Server computer according to claim 16, characterized by the fact that the first entity is an issuer associated with the consumer device, the communication between the first entity and the consumer device including updates from the issuer to the consumer device.

19.
Server computer according to claim 16, characterized by the fact that the consumer device is associated with a prepaid payment bank account and in which the communication between the first entity and the consumer device includes adding ends money to the prepaid payment bank account using a financing bank account associated with the prepaid payment bank account. [20] 20. Server computer according to claim 16, 5 characterized by the fact that the first entity is an issuer associated with the consumer device and in which the communication between the consumer device and the first entity includes update parameters for the W consumer device, block a payment application on the consumer device, unlock the payment application, disable 10O payment, unlock an access code on the consumer device, change the access code on the consumer device, or configure the access code access to a standard access code.
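The exchange the claims describe, as an added simulation that is not part of the patent or of any Visa implementation: the gateway issues a challenge, the consumer device answers with a keyed response, the key management center verifies it and only then releases one session key, wrapped separately for the gateway and for the device so the two copies are encrypted differently (claims 3 and 14). The key values, the HMAC-based response and the key-wrap construction are assumptions made for the demo.

```python
import hmac, hashlib, secrets

# Constructed long-term keys (hypothetical values for the demo): the consumer
# device's key is shared only with the key management center (KMC); the
# gateway's transport key is likewise shared only with the KMC.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
GATEWAY_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")

def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the concatenated parts; used as PRF and as MAC."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def wrap(kek: bytes, payload: bytes) -> bytes:
    """Encrypt-then-MAC under a key-encryption key: nonce || ct || tag.
    Demo stand-in for an authenticated key wrap (e.g. AES-GCM)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(payload, prf(kek, b"enc", nonce)))
    return nonce + ct + prf(kek, b"mac", nonce, ct)

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(kek, b"mac", nonce, ct)):
        raise ValueError("key wrap tag mismatch")
    return bytes(c ^ s for c, s in zip(ct, prf(kek, b"enc", nonce)))

# Gateway: fresh challenge in response to the device's request message.
def gateway_challenge() -> bytes:
    return secrets.token_bytes(16)

# Consumer device: keyed challenge response; only a holder of DEVICE_KEY
# can produce it, which is what the KMC checks.
def device_response(challenge: bytes) -> bytes:
    return prf(DEVICE_KEY, b"challenge", challenge)

# KMC: verify the forwarded response; on success mint one session key and
# return it wrapped separately for the gateway and for the device.
def kmc_verify(challenge: bytes, response: bytes):
    expected = prf(DEVICE_KEY, b"challenge", challenge)
    if not hmac.compare_digest(expected, response):
        return None  # invalid response: no secure channel, no session key
    session_key = secrets.token_bytes(32)
    return wrap(GATEWAY_KEY, session_key), wrap(DEVICE_KEY, session_key)

def run_protocol(tampered: bool = False):
    """True when both parties recover the same key; None when KMC rejects."""
    challenge = gateway_challenge()
    response = device_response(challenge)
    if tampered:  # simulate a forged or corrupted response in transit
        response = bytes([response[0] ^ 1]) + response[1:]
    result = kmc_verify(challenge, response)
    if result is None:
        return None
    for_gateway, for_device = result
    return unwrap(GATEWAY_KEY, for_gateway) == unwrap(DEVICE_KEY, for_device)
```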
Patent family:
Publication No. | Publication date
CA2792924C | 2018-02-06
US20140122339A1 | 2014-05-01
RU2663334C1 | 2018-08-03
AU2011235047A1 | 2012-09-27
US9009478B2 | 2015-04-14
US8601266B2 | 2013-12-03
CN102804682B | 2016-03-02
US9898729B2 | 2018-02-20
AU2011235047B2 | 2015-02-19
CN108093001B | 2021-02-19
US10140607B2 | 2018-11-27
US20110247063A1 | 2011-10-06
RU2012139270A | 2014-03-20
US20150186868A1 | 2015-07-02
RU2580809C2 | 2016-04-10
WO2011123671A3 | 2012-01-05
CA2792924A1 | 2011-10-06
US20180130046A1 | 2018-05-10
WO2011123671A2 | 2011-10-06
CN102804682A | 2012-11-28
CN108093001A | 2018-05-29
CN105512543A | 2016-04-20
Legal status:
2021-04-06 | B08F | Application fees: application dismissed [chapter 8.6 patent gazette] | Free format text: REGARDING THE 10TH ANNUITY.
2021-08-10 | B08K | Patent lapsed as no evidence of payment of the annual fee has been furnished to INPI [chapter 8.11 patent gazette] | Free format text: REGARDING DISPATCH 8.6 PUBLISHED IN RPI 2622 OF 06/04/2021.
Priority:
Application No. | Filing date | Patent title
US31969810P | true | 2010-03-31 | 2010-03-31 |
US61/319698 | 2010-03-31 |
US13/075,592 | US8601266B2 | 2010-03-31 | 2011-03-30 | Mutual mobile authentication using a key management center |
US13/075592 | 2011-03-30 |
PCT/US2011/030766 | WO2011123671A2 | 2010-03-31 | 2011-03-31 | Mutual mobile authentication using a key management center |