Abstract: The techniques described herein provide for authentication of a reader device over a wireless protocol (e.g., NFC or Bluetooth, BLE). The mobile device can receive and store the static public key of the reader device and one or more credentials, each credential specifying access to an electronic lock. The mobile device can receive an ephemeral reader public key, a reader identifier, and a transaction identifier. The mobile device can generate session key using the ephemeral mobile private key and the ephemeral reader public key and send the ephemeral mobile public key to the reader device. The reader device can receive the ephemeral mobile public key and sign and transmit a signature message to the mobile device. The mobile device can validate a reader signature and generate an encrypted credential that the reader can use to access an electronic lock. The reader device can authenticate the mobile device for mutual authentication.

Abstract: During operation, an electronic device may provide, to a second electronic device, an invitation to share a digital car key associated with a user of the electronic device and a vehicle, where the invitation includes information for creating another instance of the digital car key on the second electronic device. Then, the electronic device may receive, from the second electronic device, a message accepting the invitation, where the message includes a certificate associated with the other instance of the digital car key on the second electronic device. Moreover, the electronic device may provide, to the second electronic device, an approved version of the certificate with a digital signature of the user. Next, the electronic device may provide, to the computer, an instruction to share the digital car key with a set of electronic devices, which is associated with a second user of the second electronic device.

Abstract: A device implementing an express credential transaction system includes at least one processor configured to receive an indication that a payment applet for a service provider has been provisioned on a secure element of the device with a first attribute indicating that the payment applet can be utilized for a transaction without authentication associated with the transaction. The processor is configured to set the first attribute of the payment applet to indicate that authentication is required to utilize the payment applet when another payment applet for the service provider provisioned on the secure element of the device has an attribute that indicates the other payment applet can be utilized for the transaction without user authentication. The at least one processor is configured to control whether the user authentication is requested when utilizing the payment applet or the other payment applet, respectively, in transactions.

Abstract: Techniques are disclosed relating to authenticate a user with a mobile device. In one embodiment, a computing device includes a short-range radio and a secure element. The computing device reads, via the short-range radio, a portion of credential information stored in a circuit embedded in an identification document issued by an authority to a user for establishing an identity of the user. The computing device issues, to the authority, a request to store the credential information, the request specifying the portion of the credential information. In response to an approval of the request, the computing device stores the credential information in the secure element, the credential information being usable to establish the identity of the user. In some embodiments, the identification document is a passport that includes a radio-frequency identification (RFID) circuit storing the credential information, and the request specifies a passport number read from the RFID circuit.

Abstract: Techniques are disclosed relating to secure data storage. In various embodiments, a mobile device includes a wireless interface, a secure element, and a secure circuit. The secure element is configured to store confidential information associated with a plurality of users and to receive a request to communicate the confidential information associated with a particular one of the plurality of users. The secure element is further configured to communicate, via the wireless interface, the confidential information associated with the particular user in response to an authentication of the particular user. The secure circuit is configured to perform the authentication of the particular user. In some embodiments, the mobile device also includes a biosensor configured to collect biometric information from a user of the mobile device. In such an embodiment, the secure circuit is configured to store biometric information collected from the plurality of users by the biosensor.

Abstract: An electronic device that at least semi-automatically performs car-key pairing is described. During operation, the electronic device may perform wireless pairing with a second electronic device (e.g., a vehicle), where the wireless pairing establishes a connection between the electronic device and the second electronic device. Moreover, during the wireless pairing, the electronic device may receive information associated with the car-key pairing of the electronic device and the second electronic device. Then, after the wireless pairing is completed, the electronic device may determine that the car-key pairing is supported or available based at least in part on the information.

Abstract: During operation, an electronic device may provide, to a second electronic device, an invitation to share a digital car key associated with a user of the electronic device and a vehicle, where the invitation includes information for creating another instance of the digital car key on the second electronic device. Then, the electronic device may receive, from the second electronic device, a message accepting the invitation, where the message includes a certificate associated with the other instance of the digital car key on the second electronic device. Moreover, the electronic device may provide, to the second electronic device, an approved version of the certificate with a digital signature of the user. Next, the electronic device may provide, to the computer, an instruction to share the digital car key with a set of electronic devices, which is associated with a second user of the second electronic device.

Abstract: The techniques described herein provide for authentication of a reader device over a wireless protocol (e.g., NFC or Bluetooth, BLE). The mobile device can receive and store the static public key of the reader device and one or more credentials, each credential specifying access to an electronic lock. The mobile device can receive an ephemeral reader public key, a reader identifier, and a transaction identifier. The mobile device can generate session key using the ephemeral mobile private key and the ephemeral reader public key and send the ephemeral mobile public key to the reader device. The reader device can receive the ephemeral mobile public key and sign and transmit a signature message to the mobile device. The mobile device can validate a reader signature and generate an encrypted credential that the reader can use to access an electronic lock. The reader device can authenticate the mobile device for mutual authentication.

Abstract: Techniques are disclosed relating to authenticate a user with a mobile device. In one embodiment, a computing device includes a short-range radio and a secure element. The computing device reads, via the short-range radio, a portion of credential information stored in a circuit embedded in an identification document issued by an authority to a user for establishing an identity of the user. The computing device issues, to the authority, a request to store the credential information, the request specifying the portion of the credential information. In response to an approval of the request, the computing device stores the credential information in the secure element, the credential information being usable to establish the identity of the user. In some embodiments, the identification document is a passport that includes a radio-frequency identification (RFID) circuit storing the credential information, and the request specifies a passport number read from the RFID circuit.

Abstract: A user device including near-field communication (NFC) circuitry may receive a polling message from an NFC terminal. The user device may obtain information based at least in part on the polling message. The user device may determine a characteristic of the NFC terminal based at least in part on the information. The characteristic may be indicative of a radio frequency (RF) field strength of the NFC terminal. The user device may adjust an RF setting of the NFC circuitry based at least in part on the characteristic. The RF setting may correspond to an RF sensitivity of the NFC circuitry.

Abstract: The techniques described herein provide for authentication of a reader device over a wireless protocol (e.g., NFC or Bluetooth, BLE). The mobile device can receive and store the static public key of the reader device and one or more credentials, each credential specifying access to an electronic lock. The mobile device can receive an ephemeral reader public key, a reader identifier, and a transaction identifier. The mobile device can generate session key using the ephemeral mobile private key and the ephemeral reader public key and send the ephemeral mobile public key to the reader device. The reader device can receive the ephemeral mobile public key and sign and transmit a signature message to the mobile device. The mobile device can validate a reader signature and generate an encrypted credential that the reader can use to access an electronic lock. The reader device can authenticate the mobile device for mutual authentication.

Abstract: A device implementing a scalable wireless transaction system includes at least one processor configured to receive, from a wireless transaction system server, a list of wireless transaction group identifiers, and an indication of at least one applet associated with each of the wireless transaction group identifiers. The at least one processor is further configured to receive, from a wireless transaction device, a polling frame that includes one of the wireless transaction device group identifiers. The at least one processor is further configured to select an applet provisioned on a device secure element that is assigned to the wireless transaction group identifier, the assigning being based at least in part on the received list. The at least one processor is further configured to utilize the selected applet to perform a wireless transaction with the wireless transaction device.

Abstract: Techniques are disclosed relating to secure data storage. In various embodiments, a mobile device includes a wireless interface, a secure element, and a secure circuit. The secure element is configured to store confidential information associated with a plurality of users and to receive a request to communicate the confidential information associated with a particular one of the plurality of users. The secure element is further configured to communicate, via the wireless interface, the confidential information associated with the particular user in response to an authentication of the particular user. The secure circuit is configured to perform the authentication of the particular user. In some embodiments, the mobile device also includes a biosensor configured to collect biometric information from a user of the mobile device. In such an embodiment, the secure circuit is configured to store biometric information collected from the plurality of users by the biosensor.

Abstract: Secure secrets can be used, in one embodiment, to generate a master key. In one embodiment, a first secret value, generated and stored in a first secure element, can be used with a user's credential (e.g., a user's passcode) to generate, through a first key derivation function, a second secret value. A master key can then be generated through a second key derivation function based on the second secret value and a derived or stored secret such as a device's unique identifier.

Abstract: A device implementing a scalable wireless transaction system includes at least one processor configured to receive, from a wireless transaction system server, a list of wireless transaction group identifiers, and an indication of at least one applet associated with each of the wireless transaction group identifiers. The at least one processor is further configured to receive, from a wireless transaction device, a polling frame that includes one of the wireless transaction device group identifiers. The at least one processor is further configured to select an applet provisioned on a device secure element that is assigned to the wireless transaction group identifier, the assigning being based at least in part on the received list. The at least one processor is further configured to utilize the selected applet to perform a wireless transaction with the wireless transaction device.

Abstract: Techniques are disclosed relating to secure data storage. In various embodiments, a mobile device includes a wireless interface, a secure element, and a secure circuit. The secure element is configured to store confidential information associated with a plurality of users and to receive a request to communicate the confidential information associated with a particular one of the plurality of users. The secure element is further configured to communicate, via the wireless interface, the confidential information associated with the particular user in response to an authentication of the particular user. The secure circuit is configured to perform the authentication of the particular user. In some embodiments, the mobile device also includes a biosensor configured to collect biometric information from a user of the mobile device. In such an embodiment, the secure circuit is configured to store biometric information collected from the plurality of users by the biosensor.

Abstract: Systems, methods, and computer-readable media for preserving trust data during operating system updates of a secure element of an electronic device are provide. An update package is received to update an existing secure element operating system to a new secure element operating system by exporting trust data from the existing secure element operating system, after the exporting, uninstalling the existing secure element operating system, migrating the exported trust data using a migration operating system when a data format version of the existing secure element operating system is different than a data format version of the new secure element operating system, installing the new secure element operating system, and importing the migrated trust data into the installed new secure element operating system.

Abstract: Techniques are disclosed relating to authenticate a user with a mobile device. In one embodiment, a computing device includes a short-range radio and a secure element. The computing device reads, via the short-range radio, a portion of credential information stored in a circuit embedded in an identification document issued by an authority to a user for establishing an identity of the user. The computing device issues, to the authority, a request to store the credential information, the request specifying the portion of the credential information. In response to an approval of the request, the computing device stores the credential information in the secure element, the credential information being usable to establish the identity of the user. In some embodiments, the identification document is a passport that includes a radio-frequency identification (RFID) circuit storing the credential information, and the request specifies a passport number read from the RFID circuit.

Abstract: A device implementing a scalable wireless transaction system includes at least one processor configured to receive, from a wireless transaction system server, a list of wireless transaction group identifiers, and an indication of at least one applet associated with each of the wireless transaction group identifiers. The at least one processor is further configured to receive, from a wireless transaction device, a polling frame that includes one of the wireless transaction device group identifiers. The at least one processor is further configured to select an applet provisioned on a device secure element that is assigned to the wireless transaction group identifier, the assigning being based at least in part on the received list. The at least one processor is further configured to utilize the selected applet to perform a wireless transaction with the wireless transaction device.

Abstract: A device facilitating countersigning updates for multi-chip devices includes at least one processor configured to receive, from a collocated chip, a data item and a software update, the data item being signed using a private key corresponding to a primary entity associated with the collocated chip and the data item comprising an authentication code generated using a symmetric key corresponding to a secondary entity associated with the software update. At least one processor is further configured to verify the data item using a public key associated with the primary entity. At least one processor is further configured to verify the software update based at least in part on the authentication code and using the symmetric key corresponding to the primary entity. At least one processor is further configured to install the software update when both the data item and the software update are verified, otherwise discard the software update.