Patents by Inventor Soumendra Bhattacharya
Soumendra Bhattacharya has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 10503913Abstract: Techniques for establishing mutual authentication of software layers of an application are described. During initialization of the application, the software layers execute a binding algorithm to exchange secrets to bind the software layers to one another. During subsequent runtime of the software application, the software layers execute a runtime key derivation algorithm to combine the secrets shared during initialization with dynamic time information to generate a data encryption key. The software layers can then securely transfer data with each other by encrypting and decrypting data exchanged between the software layers using the dynamically generated data encryption key.Type: GrantFiled: March 11, 2016Date of Patent: December 10, 2019Assignee: Visa International Service AssociationInventors: Rasta Mansour, Soumendra Bhattacharya, Robert Youdale
-
Patent number: 10461933Abstract: Embodiments can provide methods for securely provisioning sensitive credential data, such as a limited use key (LUK) onto a user device. In some embodiments, the credential data can be encrypted using a separate storage protection key and decrypted only at the time of a transaction to generate a cryptogram for the transaction. Thus, end-to-end protection can be provided during the transit and storage of the credential data, limiting the exposure of the credential data only when the credential data is required, thereby reducing the risk of compromise of the credential data.Type: GrantFiled: January 27, 2016Date of Patent: October 29, 2019Assignee: Visa International Service AssociationInventors: Eric Le Saint, Soumendra Bhattacharya
-
Publication number: 20190306152Abstract: In certificate chain validation, a parent certificate is used to validate a child certificate. The child certificate can indicate which parent certificate can be used to validate it. In some situations, a child certificate may not contain a certificate authority identifier that can be used to identify the parent certificate. Instead, the child certificate can contain a hash value of a modulus of the parent public key that can be used to identify the parent certificate. The hash value of the modulus of the parent public key can be associated with the parent public key. As such, the parent public key used in certificate chain validation of the child certificate can be identified using the hash value of the modulus of the parent public key.Type: ApplicationFiled: June 17, 2019Publication date: October 3, 2019Inventors: Soumendra Bhattacharya, Mohit Gupta
-
Patent number: 10375057Abstract: In certificate chain validation, a parent certificate is used to validate a child certificate. The child certificate can indicate which parent certificate can be used to validate it. In some situations, a child certificate may not contain a certificate authority identifier that can be used to identify the parent certificate. Instead, the child certificate can contain a hash value of a modulus of the parent public key that can be used to identify the parent certificate. The hash value of the modulus of the parent public key can be associated with the parent public key. As such, the parent public key used in certificate chain validation of the child certificate can be identified using the hash value of the modulus of the parent public key.Type: GrantFiled: January 27, 2017Date of Patent: August 6, 2019Assignee: Visa International Service AssociationInventors: Soumendra Bhattacharya, Mohit Gupta
-
Publication number: 20190173672Abstract: Systems and methods are provided for confidential communication management. For example, a client computer can determine a client key pair comprising a client private key and a client public key. The client computer can further determine a protected server key identifier, identify a server public key associated with the protected server key identifier, and generating a shared secret using the server public key and the client private key. The client computer can further encrypt message data using the shared secret and sending, to a server computer, a message including the encrypted message data, the protected server key identifier, and the client public key. The protected server key identifier can be associated with the server computer and can be usable by the server computer to identify a server private key to be used in decrypting the encrypted message data.Type: ApplicationFiled: January 25, 2019Publication date: June 6, 2019Inventors: Eric Le Saint, Soumendra Bhattacharya
-
Publication number: 20190124057Abstract: A portable communication device may include a mobile application executing in an application execution environment and a secure application executing in a trusted execution environment. The secure application may receive, from the mobile application, a storage request to store sensitive data. The storage request may include an encrypted data type identifier and an encrypted sensitive data. The secure application may decrypt the encrypted data type identifier and the encrypted sensitive data using a transport key, and re-encrypt the sensitive data using a storage key. The re-encrypted sensitive data can then be stored in a memory of the portable communication device which is outside the trusted execution environment.Type: ApplicationFiled: October 19, 2018Publication date: April 25, 2019Inventors: Sergey Smirnoff, Soumendra Bhattacharya
-
Patent number: 10218502Abstract: Systems and methods are provided for confidential communication management. For example, a client computer can determine a client key pair comprising a client private key and a client public key. The client computer can further determine a protected server key identifier, identify a server public key associated with the protected server key identifier, and generating a shared secret using the server public key and the client private key. The client computer can further encrypt message data using the shared secret and sending, to a server computer, a message including the encrypted message data, the protected server key identifier, and the client public key. The protected server key identifier can be associated with the server computer and can be usable by the server computer to identify a server private key to be used in decrypting the encrypted message data.Type: GrantFiled: March 8, 2018Date of Patent: February 26, 2019Assignee: VISA INTERNATIONAL SERVICE ASSOCIATIONInventors: Eric Le Saint, Soumendra Bhattacharya
-
Patent number: 10187363Abstract: A portable communication device may include a mobile application executing in an application execution environment and a secure application executing in a trusted execution environment. The secure application may receive, from the mobile application, a storage request to store sensitive data. The storage request may include an encrypted data type identifier and an encrypted sensitive data. The secure application may decrypt the encrypted data type identifier and the encrypted sensitive data using a transport key, and re-encrypt the sensitive data using a storage key. The re-encrypted sensitive data can then be stored in a memory of the portable communication device which is outside the trusted execution environment.Type: GrantFiled: December 31, 2015Date of Patent: January 22, 2019Assignee: VISA INTERNATIONAL SERVICE ASSOCIATIONInventors: Sergey Smirnoff, Soumendra Bhattacharya
-
Publication number: 20180248857Abstract: An Internet-connected device, such as a car, refrigerator, or even a laptop can use a second device, such as a cell phone, to support cryptographic operations and communication with token service providers or other processing services requiring pre-provisioned capabilities that may include cryptographic secrets. By removing the need to store personally sensitive data in “Internet of Things” (IoT) devices, a user's personal information and other sensitive financial information may be contained to a relatively small number of devices. This may help prevent theft of goods or services by IoT devices that are not always under the close control of the user.Type: ApplicationFiled: February 28, 2017Publication date: August 30, 2018Inventors: Hari Krishna Annam, Mohit Gupta, Soumendra Bhattacharya
-
Publication number: 20180219857Abstract: In certificate chain validation, a parent certificate is used to validate a child certificate. The child certificate can indicate which parent certificate can be used to validate it. In some situations, a child certificate may not contain a certificate authority identifier that can be used to identify the parent certificate. Instead, the child certificate can contain a hash value of a modulus of the parent public key that can be used to identify the parent certificate. The hash value of the modulus of the parent public key can be associated with the parent public key. As such, the parent public key used in certificate chain validation of the child certificate can be identified using the hash value of the modulus of the parent public key.Type: ApplicationFiled: January 27, 2017Publication date: August 2, 2018Inventors: Soumendra Bhattacharya, Mohit Gupta
-
Publication number: 20180198606Abstract: Systems and methods are provided for confidential communication management. For example, a client computer can determine a client key pair comprising a client private key and a client public key. The client computer can further determine a protected server key identifier, identify a server public key associated with the protected server key identifier, and generating a shared secret using the server public key and the client private key. The client computer can further encrypt message data using the shared secret and sending, to a server computer, a message including the encrypted message data, the protected server key identifier, and the client public key. The protected server key identifier can be associated with the server computer and can be usable by the server computer to identify a server private key to be used in decrypting the encrypted message data.Type: ApplicationFiled: March 8, 2018Publication date: July 12, 2018Inventors: Eric Le Saint, Soumendra Bhattacharya
-
Patent number: 9942034Abstract: Systems and methods are provided for confidential communication management. For instance, a server computer can include a protected server key identifier in a response message to a client computer. The protected server key identifier can include a server key identifier that identifies a server private key used to encrypt the response message. The client computer can pass the protected server key back in a subsequent request, so that the server computer can identify the proper server private key to use for decrypting the request message. In another example, a message may include encrypted protocol data (e.g., cipher suite) and separately encrypted payload data. The encrypted payload data can include a plurality of individually encrypted payload data elements.Type: GrantFiled: February 16, 2016Date of Patent: April 10, 2018Assignee: VISA INTERNATIONAL SERVICE ASSOCIATIONInventors: Eric Le Saint, Soumendra Bhattacharya
-
Publication number: 20160267280Abstract: Techniques for establishing mutual authentication of software layers of an application are described. During initialization of the application, the software layers execute a binding algorithm to exchange secrets to bind the software layers to one another. During subsequent runtime of the software application, the software layers execute a runtime key derivation algorithm to combine the secrets shared during initialization with dynamic time information to generate a data encryption key. The software layers can then securely transfer data with each other by encrypting and decrypting data exchanged between the software layers using the dynamically generated data encryption key.Type: ApplicationFiled: March 11, 2016Publication date: September 15, 2016Inventors: Rasta Mansour, Soumendra Bhattacharya, Robert Youdale
-
Publication number: 20160241389Abstract: Systems and methods are provided for confidential communication management. For instance, a server computer can include a protected server key identifier in a response message to a client computer. The protected server key identifier can include a server key identifier that identifies a server private key used to encrypt the response message. The client computer can pass the protected server key back in a subsequent request, so that the server computer can identify the proper server private key to use for decrypting the request message. In another example, a message may include encrypted protocol data (e.g., cipher suite) and separately encrypted payload data. The encrypted payload data can include a plurality of individually encrypted payload data elements.Type: ApplicationFiled: February 16, 2016Publication date: August 18, 2016Inventors: ERIC LE SAINT, SOUMENDRA BHATTACHARYA
-
Publication number: 20160218875Abstract: Embodiments can provide methods for securely provisioning sensitive credential data, such as a limited use key (LUK) onto a user device. In some embodiments, the credential data can be encrypted using a separate storage protection key and decrypted only at the time of a transaction to generate a cryptogram for the transaction. Thus, end-to-end protection can be provided during the transit and storage of the credential data, limiting the exposure of the credential data only when the credential data is required, thereby reducing the risk of compromise of the credential data.Type: ApplicationFiled: January 27, 2016Publication date: July 28, 2016Inventors: Eric Le Saint, Soumendra Bhattacharya
-
Publication number: 20160191236Abstract: A portable communication device may include a mobile application executing in an application execution environment and a secure application executing in a trusted execution environment. The secure application may receive, from the mobile application, a storage request to store sensitive data. The storage request may include an encrypted data type identifier and an encrypted sensitive data. The secure application may decrypt the encrypted data type identifier and the encrypted sensitive data using a transport key, and re-encrypt the sensitive data using a storage key. The re-encrypted sensitive data can then be stored in a memory of the portable communication device which is outside the trusted execution environment.Type: ApplicationFiled: December 31, 2015Publication date: June 30, 2016Inventors: Sergey Smirnoff, Soumendra Bhattacharya