Abstract: A device implementing a trusted device establishment system includes at least one processor configured to receive, via a direct wireless connection and from an other device, a public key associated with the other device and an indication of a data item previously provided to the other device via an out-of-band channel. The at least one processor is further configured to verify that the indication of the data item corresponds to the data item previously provided to the other device, and store, in a secure memory region, the public key in association with an identifier corresponding to the other device when the indication of the data item is verified. The at least one processor is further configured to authorize the public key to access a secure device based at least in part on the public key being stored in the secure memory region.

Abstract: Techniques are disclosed relating to electronic security, e.g., for authenticating a mobile electronic device to allow access to system functionality (e.g., physical access to the system, starting an engine/motor, etc.). In some embodiments, a system and mobile device exchange public keys of public key pairs during a pairing process. In some embodiments, an asymmetric transaction process includes generating a shared secret using a key derivation function over a key established using a secure key exchange (e.g., elliptic curve Diffie-Hellman), and verifying a signature of the system before transmitting any information identifying the mobile device. In various embodiments, disclosed techniques may increase transaction security and privacy of identifying information.

Abstract: Techniques are disclosed relating to sharing access to electronically-secured property. In some embodiments, a first computing device having a first secure element receives, from a second computing device associated with an owner of the electronically-secured property, an indication that the second computing device has transmitted a token to server computing system, the token permitting a user of the first computing device access to the electronically-secured property. Based on the received indication, the first computing device sends a request for the transmitted token to the server computing system and, in response to receiving the requested token, securely stores the received token in the first secure element of the first computing device. The first computing device subsequently transmits the stored token from the first secure element of the first device to the electronically-secured property to obtain access to the electronically-secured property based on the token.

Abstract: Techniques are disclosed relating to secure data storage. In various embodiments, a mobile device includes a wireless interface, a secure element, and a secure circuit. The secure element is configured to store confidential information associated with a plurality of users and to receive a request to communicate the confidential information associated with a particular one of the plurality of users. The secure element is further configured to communicate, via the wireless interface, the confidential information associated with the particular user in response to an authentication of the particular user. The secure circuit is configured to perform the authentication of the particular user. In some embodiments, the mobile device also includes a biosensor configured to collect biometric information from a user of the mobile device. In such an embodiment, the secure circuit is configured to store biometric information collected from the plurality of users by the biosensor.

Abstract: The present disclosure includes an electronic device for selecting a credential based at least in part on location information. The electronic device can include a secure transaction subsystem and a processor. The secure transaction subsystem can be configured to store a plurality of credentials. The processor can be communicatively coupled to the secure transaction subsystem and configured to receive the location information from one or more radios. Further, the processor can be configured to determine that a distance between the electronic device and a terminal is less than a predetermined distance based on the location information. In response to determining the distance between the electronic device and the terminal is less than the predetermined distance, the processor can be configured to select the credential from the plurality of credentials based at least in part on the type of terminal.

Abstract: Systems, methods, and computer-readable media for preserving trust data during operating system updates of a secure element of an electronic device are provide. An update package is received to update an existing secure element operating system to a new secure element operating system by exporting trust data from the existing secure element operating system, after the exporting, uninstalling the existing secure element operating system, migrating the exported trust data using a migration operating system when a data format version of the existing secure element operating system is different than a data format version of the new secure element operating system, installing the new secure element operating system, and importing the migrated trust data into the installed new secure element operating system.

Abstract: The present disclosure includes an electronic device for processing a wireless transaction. The electronic device includes a wireless communication interface, a memory, and a processor configured to execute an applet. The wireless communication interface is configured to communicate with a transaction terminal. The memory is configured to store a first set of data for enabling a transaction between the electronic device and the transaction terminal, and a second set of data different from the first set of data. The applet is configured to receive a first request for conducting the transaction. The applet is configured to transmit a first message including or based on the first set of data. The applet is configured to receive a second request for retrieving at least part of the second set of data. The applet is configured to determine whether release of at least part of the second set of data has been authorized.

Abstract: A device implementing a digital credential revocation system includes at least one processor configured to maintain a valid digital credential list, a revocation list, and a synchronization counter value. The at least one processor is configured to transmit a request to synchronize the valid digital credential list with an electronic device, the request including the valid digital credential list and the revocation list.

Abstract: A device implementing a trusted device establishment system includes at least one processor configured to receive, via a direct wireless connection and from an other device, a public key associated with the other device and an indication of a data item previously provided to the other device via an out-of-band channel. The at least one processor is further configured to verify that the indication of the data item corresponds to the data item previously provided to the other device, and store, in a secure memory region, the public key in association with an identifier corresponding to the other device when the indication of the data item is verified. The at least one processor is further configured to authorize the public key to access a secure device based at least in part on the public key being stored in the secure memory region.

Abstract: Techniques are disclosed relating to authenticate a user with a mobile device. In one embodiment, a computing device includes a short-range radio and a secure element. The computing device reads, via the short-range radio, a portion of credential information stored in a circuit embedded in an identification document issued by an authority to a user for establishing an identity of the user. The computing device issues, to the authority, a request to store the credential information, the request specifying the portion of the credential information. In response to an approval of the request, the computing device stores the credential information in the secure element, the credential information being usable to establish the identity of the user. In some embodiments, the identification document is a passport that includes a radio-frequency identification (RFID) circuit storing the credential information, and the request specifies a passport number read from the RFID circuit.

Abstract: Techniques are disclosed relating to electronic security, e.g., for authenticating a mobile electronic device to allow access to system functionality (e.g., physical access to the system, starting an engine/motor, etc.). In some embodiments, a system and mobile device exchange public keys of public key pairs during a pairing process. In some embodiments, an asymmetric transaction process includes generating a shared secret using a key derivation function over a key established using a secure key exchange (e.g., elliptic curve Diffie-Hellman), and verifying a signature of the system before transmitting any information identifying the mobile device. In various embodiments, disclosed techniques may increase transaction security and privacy of identifying information.

Abstract: A device implementing a scalable wireless transaction system includes at least one processor configured to receive, from a wireless transaction system server, a list of wireless transaction group identifiers, and an indication of at least one applet associated with each of the wireless transaction group identifiers. The at least one processor is further configured to receive, from a wireless transaction device, a polling frame that includes one of the wireless transaction device group identifiers. The at least one processor is further configured to select an applet provisioned on a device secure element that is assigned to the wireless transaction group identifier, the assigning being based at least in part on the received list. The at least one processor is further configured to utilize the selected applet to perform a wireless transaction with the wireless transaction device.

Abstract: Embodiments for providing a timely indication that a wireless transaction has been completed, using a command-based timer solution, are provided. These embodiments include receiving a first command, associated with the wireless transaction, from a reader; initiating, using an applet, a first command-based timer when the first command is received; issuing, using the applet, an activity timeout signal when the first command-based timer expires before a second command is received from the reader; and providing an indication that the wireless transaction has been completed in response to the activity timeout signal. In some embodiments, the command-based timer solution may also include canceling, using the applet, the first command-based timer when the second command is received before the first command-based timer expires; initiating a second command-based timer when the second command is received; and issuing the activity timeout signal when that the second command-based timer expires.

Abstract: The present disclosure includes an electronic device for selecting a credential based at least in part on location information. The electronic device can include a secure transaction subsystem and a processor. The secure transaction subsystem can be configured to store a plurality of credentials. The processor can be communicatively coupled to the secure transaction subsystem and configured to receive the location information from one or more radios. Further, the processor can be configured to determine that a distance between the electronic device and a terminal is less than a predetermined distance based on the location information. In response to determining the distance between the electronic device and the terminal is less than the predetermined distance, the processor can be configured to select the credential from the plurality of credentials based at least in part on the type of terminal.

Abstract: The present disclosure includes an electronic device for processing a wireless transaction. The electronic device includes a wireless communication interface, a memory, and a processor configured to execute an applet. The wireless communication interface is configured to communicate with a transaction terminal. The memory is configured to store a first set of data for enabling a transaction between the electronic device and the transaction terminal, and a second set of data different from the first set of data. The applet is configured to receive a first request for conducting the transaction. The applet is configured to transmit a first message including or based on the first set of data. The applet is configured to receive a second request for retrieving at least part of the second set of data. The applet is configured to determine whether release of at least part of the second set of data has been authorized.

Abstract: Techniques are disclosed relating to authenticate a user with a mobile device. In one embodiment, a computing device includes a short-range radio and a secure element. The computing device reads, via the short-range radio, a portion of credential information stored in a circuit embedded in an identification document issued by an authority to a user for establishing an identity of the user. The computing device issues, to the authority, a request to store the credential information, the request specifying the portion of the credential information. In response to an approval of the request, the computing device stores the credential information in the secure element, the credential information being usable to establish the identity of the user. In some embodiments, the identification document is a passport that includes a radio-frequency identification (RFID) circuit storing the credential information, and the request specifies a passport number read from the RFID circuit.

Abstract: Techniques are disclosed relating to secure data storage. In various embodiments, a mobile device includes a wireless interface, a secure element, and a secure circuit. The secure element is configured to store confidential information associated with a plurality of users and to receive a request to communicate the confidential information associated with a particular one of the plurality of users. The secure element is further configured to communicate, via the wireless interface, the confidential information associated with the particular user in response to an authentication of the particular user. The secure circuit is configured to perform the authentication of the particular user. In some embodiments, the mobile device also includes a biosensor configured to collect biometric information from a user of the mobile device. In such an embodiment, the secure circuit is configured to store biometric information collected from the plurality of users by the biosensor.

Abstract: Systems, methods, and computer-readable media for preserving trust data during operating system updates of a secure element of an electronic device are provided.

Abstract: A device implementing an express credential transaction system includes at least one processor configured to receive an indication that a payment applet for a service provider has been provisioned on a secure element of the device with a first attribute indicating that the payment applet can be utilized for a transaction without authentication associated with the transaction. The processor is configured to set the first attribute of the payment applet to indicate that authentication is required to utilize the payment applet when another payment applet for the service provider provisioned on the secure element of the device has an attribute that indicates the other payment applet can be utilized for the transaction without user authentication. The at least one processor is configured to control whether the user authentication is requested when utilizing the payment applet or the other payment applet, respectively, in transactions.

Abstract: Systems, methods, and computer-readable media for managing credentials are provided. In one example embodiment, a method may include terminating the functionality of a security domain element on an electronic device, communicatively coupling the electronic device to a trusted service manager of the security domain element, and, after the terminating, communicating data from the electronic device to the communicatively coupled trusted service manager, wherein the communicated data is usable by the trusted service manager to determine a stored value of the security domain element. Additional embodiments are also provided.