Abstract: Techniques for establishing mutual authentication of software layers of an application are described. During initialization of the application, the software layers execute a binding algorithm to exchange secrets to bind the software layers to one another. During subsequent runtime of the software application, the software layers execute a runtime key derivation algorithm to combine the secrets shared during initialization with dynamic time information to generate a data encryption key. The software layers can then securely transfer data with each other by encrypting and decrypting data exchanged between the software layers using the dynamically generated data encryption key.

Abstract: Embodiments can provide methods for securely provisioning sensitive credential data, such as a limited use key (LUK) onto a user device. In some embodiments, the credential data can be encrypted using a separate storage protection key and decrypted only at the time of a transaction to generate a cryptogram for the transaction. Thus, end-to-end protection can be provided during the transit and storage of the credential data, limiting the exposure of the credential data only when the credential data is required, thereby reducing the risk of compromise of the credential data.

Abstract: In certificate chain validation, a parent certificate is used to validate a child certificate. The child certificate can indicate which parent certificate can be used to validate it. In some situations, a child certificate may not contain a certificate authority identifier that can be used to identify the parent certificate. Instead, the child certificate can contain a hash value of a modulus of the parent public key that can be used to identify the parent certificate. The hash value of the modulus of the parent public key can be associated with the parent public key. As such, the parent public key used in certificate chain validation of the child certificate can be identified using the hash value of the modulus of the parent public key.

Abstract: In certificate chain validation, a parent certificate is used to validate a child certificate. The child certificate can indicate which parent certificate can be used to validate it. In some situations, a child certificate may not contain a certificate authority identifier that can be used to identify the parent certificate. Instead, the child certificate can contain a hash value of a modulus of the parent public key that can be used to identify the parent certificate. The hash value of the modulus of the parent public key can be associated with the parent public key. As such, the parent public key used in certificate chain validation of the child certificate can be identified using the hash value of the modulus of the parent public key.

Abstract: Systems and methods are provided for confidential communication management. For example, a client computer can determine a client key pair comprising a client private key and a client public key. The client computer can further determine a protected server key identifier, identify a server public key associated with the protected server key identifier, and generating a shared secret using the server public key and the client private key. The client computer can further encrypt message data using the shared secret and sending, to a server computer, a message including the encrypted message data, the protected server key identifier, and the client public key. The protected server key identifier can be associated with the server computer and can be usable by the server computer to identify a server private key to be used in decrypting the encrypted message data.

Abstract: A portable communication device may include a mobile application executing in an application execution environment and a secure application executing in a trusted execution environment. The secure application may receive, from the mobile application, a storage request to store sensitive data. The storage request may include an encrypted data type identifier and an encrypted sensitive data. The secure application may decrypt the encrypted data type identifier and the encrypted sensitive data using a transport key, and re-encrypt the sensitive data using a storage key. The re-encrypted sensitive data can then be stored in a memory of the portable communication device which is outside the trusted execution environment.

Abstract: Systems and methods are provided for confidential communication management. For example, a client computer can determine a client key pair comprising a client private key and a client public key. The client computer can further determine a protected server key identifier, identify a server public key associated with the protected server key identifier, and generating a shared secret using the server public key and the client private key. The client computer can further encrypt message data using the shared secret and sending, to a server computer, a message including the encrypted message data, the protected server key identifier, and the client public key. The protected server key identifier can be associated with the server computer and can be usable by the server computer to identify a server private key to be used in decrypting the encrypted message data.

Abstract: A portable communication device may include a mobile application executing in an application execution environment and a secure application executing in a trusted execution environment. The secure application may receive, from the mobile application, a storage request to store sensitive data. The storage request may include an encrypted data type identifier and an encrypted sensitive data. The secure application may decrypt the encrypted data type identifier and the encrypted sensitive data using a transport key, and re-encrypt the sensitive data using a storage key. The re-encrypted sensitive data can then be stored in a memory of the portable communication device which is outside the trusted execution environment.

Abstract: An Internet-connected device, such as a car, refrigerator, or even a laptop can use a second device, such as a cell phone, to support cryptographic operations and communication with token service providers or other processing services requiring pre-provisioned capabilities that may include cryptographic secrets. By removing the need to store personally sensitive data in “Internet of Things” (IoT) devices, a user's personal information and other sensitive financial information may be contained to a relatively small number of devices. This may help prevent theft of goods or services by IoT devices that are not always under the close control of the user.

Abstract: In certificate chain validation, a parent certificate is used to validate a child certificate. The child certificate can indicate which parent certificate can be used to validate it. In some situations, a child certificate may not contain a certificate authority identifier that can be used to identify the parent certificate. Instead, the child certificate can contain a hash value of a modulus of the parent public key that can be used to identify the parent certificate. The hash value of the modulus of the parent public key can be associated with the parent public key. As such, the parent public key used in certificate chain validation of the child certificate can be identified using the hash value of the modulus of the parent public key.

Abstract: Systems and methods are provided for confidential communication management. For example, a client computer can determine a client key pair comprising a client private key and a client public key. The client computer can further determine a protected server key identifier, identify a server public key associated with the protected server key identifier, and generating a shared secret using the server public key and the client private key. The client computer can further encrypt message data using the shared secret and sending, to a server computer, a message including the encrypted message data, the protected server key identifier, and the client public key. The protected server key identifier can be associated with the server computer and can be usable by the server computer to identify a server private key to be used in decrypting the encrypted message data.

Abstract: Systems and methods are provided for confidential communication management. For instance, a server computer can include a protected server key identifier in a response message to a client computer. The protected server key identifier can include a server key identifier that identifies a server private key used to encrypt the response message. The client computer can pass the protected server key back in a subsequent request, so that the server computer can identify the proper server private key to use for decrypting the request message. In another example, a message may include encrypted protocol data (e.g., cipher suite) and separately encrypted payload data. The encrypted payload data can include a plurality of individually encrypted payload data elements.

Abstract: Techniques for establishing mutual authentication of software layers of an application are described. During initialization of the application, the software layers execute a binding algorithm to exchange secrets to bind the software layers to one another. During subsequent runtime of the software application, the software layers execute a runtime key derivation algorithm to combine the secrets shared during initialization with dynamic time information to generate a data encryption key. The software layers can then securely transfer data with each other by encrypting and decrypting data exchanged between the software layers using the dynamically generated data encryption key.

Abstract: Systems and methods are provided for confidential communication management. For instance, a server computer can include a protected server key identifier in a response message to a client computer. The protected server key identifier can include a server key identifier that identifies a server private key used to encrypt the response message. The client computer can pass the protected server key back in a subsequent request, so that the server computer can identify the proper server private key to use for decrypting the request message. In another example, a message may include encrypted protocol data (e.g., cipher suite) and separately encrypted payload data. The encrypted payload data can include a plurality of individually encrypted payload data elements.

Abstract: Embodiments can provide methods for securely provisioning sensitive credential data, such as a limited use key (LUK) onto a user device. In some embodiments, the credential data can be encrypted using a separate storage protection key and decrypted only at the time of a transaction to generate a cryptogram for the transaction. Thus, end-to-end protection can be provided during the transit and storage of the credential data, limiting the exposure of the credential data only when the credential data is required, thereby reducing the risk of compromise of the credential data.

Abstract: A portable communication device may include a mobile application executing in an application execution environment and a secure application executing in a trusted execution environment. The secure application may receive, from the mobile application, a storage request to store sensitive data. The storage request may include an encrypted data type identifier and an encrypted sensitive data. The secure application may decrypt the encrypted data type identifier and the encrypted sensitive data using a transport key, and re-encrypt the sensitive data using a storage key. The re-encrypted sensitive data can then be stored in a memory of the portable communication device which is outside the trusted execution environment.