US009189787B1

(12) United States Patent
Koh et al.

(10) Patent No.: US 9,189,787 B1
(45) Date of Patent: Nov. 17, 2015

(54) METHOD AND APPARATUS FOR CONDUCTING E-COMMENCE AND M-COMMENCE

(71) Applicant: RFCyber Corporation, Fremont, CA (US)

(72) Inventors: Liang Seng Koh, Fremont, CA (US); Futong Cho, Milpitas, CA (US); Hsin Pan, Fremont, CA (US); Fuliang Cho, San Jose, CA (US)

(73) Assignees: Rich House Global Technology Ltd., Shenzhen (CN); RFCyber Corp., Fremont, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 24 days.

(21) Appl. No.: 13/903,420

(22) Filed: May 28, 2013

Related U.S. Application Data

(63) Continuation of application No. 13/400,038, filed on Feb. 18, 2012, now Pat. No. 8,448,855, which is a continuation of application No. 11/534,653, filed on Sep. 24, 2006, now Pat. No. 8,118,218.

(51) Int. Cl.
G06Q 20/00 (2012.01)
G06Q 20/36 (2012.01)

(52) U.S. Cl.
CPC G06Q 20/3672 (2013.01)

(58) Field of Classification Search
CPC G06Q 20/04; G06Q 20/12; G06Q 20/341; G06Q 20/32; G06Q 20/382; G06Q 20/3672
USPC 235/451, 492; 340/572.1, 572.3
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

6,031,912 A * 2/2000 Moulart et al. 380/44
2005/0222961 A1 * 10/2005 Staib et al. 705/64

* cited by examiner

Primary Examiner — Christopher Stanford
(74) Attorney, Agent, or Firm — Wuxi Sino IP Agency, Ltd.; Joe Zheng

(57) ABSTRACT

Techniques for funding an electronic purse (e-purse) are disclosed. According to one aspect of the invention, a mechanism is provided to enable a portable device to conduct transactions over an open network with a payment server without compromising security. In one embodiment, a device is loaded with an e-purse manager. The e-purse manager is configured to manage various transactions and functions as a mechanism to access an e-purse therein. The e-purse is funded by interactions among the e-purse manager, a payment server and a financial institution (its server) that maintains an account therefor.

19 Claims, 9 Drawing Sheets

[Representative drawing: flowchart of the e-purse personalization process 350]
352: Initiate personalization
354: Read off a tag ID from the card
356: Use application security domain to establish a security channel between a new e-purse SAM and an e-purse applet in the device
358: Generate e-purse operation keys and pins between the new e-purse SAM and an e-purse applet in the device
360: Use application security domain to establish a security channel between an existing transportation SAM and an e-purse applet in the device
362: Generate transformed keys of an emulator via the existing SAM and the tag ID between the existing SAM and the emulator
364: Generate MF passwords via an existing SAM and the tag ID between the existing SAM and an e-purse applet in the device
368: Set the e-purse to a state of “personalized”

IPR2022-00413
Apple EX1043 Page 1

[Drawing Sheets 1 to 9: FIG. 1A, FIG. 1B, FIG. 2, FIG. 3A, FIG. 3B, FIG. 3C, FIG. 4A, FIG. 4B and FIG. 4C. Legible labels on Sheet 1 (FIG. 1A): three-tier security model 100, physical security 102, e-purse security 104.]

METHOD AND APPARATUS FOR CONDUCTING E-COMMENCE AND M-COMMENCE

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 13/400,038, filed on Feb. 18, 2012, now U.S. Pat. No. 8,448,855, which is a continuation of U.S. patent application Ser. No. 11/534,653, filed on Sep. 24, 2006, now U.S. Pat. No. 8,118,218.

BACKGROUND

1. Technical Field

The present invention is generally related to commerce over networks. Particularly, the present invention is related to electronic purses that can be advantageously used in portable devices configured for both electronic commerce (a.k.a., e-commerce) and mobile commerce (a.k.a., m-commerce).

2. Description of the Related Art

Single functional cards have been successfully used in enclosed environments such as transportation systems. One example of such single functional cards is MIFARE that is the most widely installed contactless smart card technology in the world. With more than 500 million smart card ICs and 5 million reader components sold, MIFARE has been selected as the most successful contactless smart card technology. MIFARE is the perfect solution for applications like loyalty and vending cards, road tolling, city cards, access control and gaming.

It is noticed that such enclosed systems are difficult to be expanded into other areas such as e-commerce and m-commerce because stored values and transaction information are stored in data storage of each tag that is protected by a set of keys. The nature of the tag is that the keys need to be delivered to the card for authentication before data can be accessed during a transaction. This constraint makes systems using such technology difficult to be expanded to an open environment such as the Internet for e-commerce and cellular networks for m-commerce as the key delivery over a public domain network causes security concerns.

There is, thus, a need for a mechanism in devices, especially portable devices, functioning as an electronic purse (e-purse) to be able to conduct transactions over an open network with a payment server without compromising security.

SUMMARY

This section is for the purpose of summarizing some aspects of embodiments of the present invention and to briefly introduce some preferred embodiments. Simplifications or omissions in this section as well as the title and the abstract of this disclosure may be made to avoid obscuring the purpose of the section, the title and the abstract. Such simplifications or omissions are not intended to limit the scope of the present invention.

Broadly speaking, the invention is related to a mechanism provided to devices, especially portable devices, functioning as an electronic purse (e-purse) to be able to conduct transactions over an open network with a payment server without compromising security. According to one aspect of the present invention, a device is loaded with an e-purse manager. The e-purse manager is configured to manage various transactions and functions as a mechanism to access an emulator therein. The transactions may be conducted over a wired network or a wireless network.

According to another aspect of the present invention, a three-tier security model is proposed, based on which the present invention is contemplated to operate. The three-tier security model includes a physical security, an e-purse security and a card manager security, concentrically encapsulating one with another. Security keys (either symmetric or asymmetric) are personalized within the three-tier security model so as to personalize an e-purse and perform secured transaction with a payment server. In one embodiment, the essential data to be personalized into an e-purse include one or more operation keys (e.g., a load key and a purchase key), default PINs, administration keys (e.g., an unblock PIN key and a reload PIN key), and passwords (e.g., from Mifare). During a transaction, the security keys are used to establish a secured channel between an embedded e-purse and an SAM (Security Authentication Module) or backend server.

The invention may be implemented in numerous ways, including a method, system, and device. In one embodiment, the present invention is a method for providing an e-purse, the method comprises providing a portable device embedded with a smart card module pre-loaded with an emulator, the portable device including a memory space loaded with a midlet that is configured to facilitate communication between an e-purse applet therein and a payment server over a wireless network, wherein the portable device further includes a contactless interface that facilitates communication between the e-purse applet therein and the payment server, and personalizing the e-purse applet by reading off data from the smart card to generate one or more operation keys that are subsequently used to establish a secured channel between the e-purse and a SAM or a payment server.

According to another embodiment, the present invention is a system for providing an e-purse, the system comprises a portable device embedded with a smart card module pre-loaded with an emulator, the portable device including a memory space loaded with a midlet that is configured to facilitate wireless communication between an e-purse applet therein and a payment server over a wireless network, the portable device further including a contactless interface that facilitates communication between the e-purse applet therein and the payment server, the payment server associated with an issuer of the e-purse, and a SAM module configured to enable the e-purse, wherein the SAM module is behind the payment server when the e-purse is caused to communicate with the payment server via the midlet over a wireless network (M-commerce in FIG. 2) or via the agent on a PC over a wired network (E-commerce in FIG. 2).

Accordingly one of the objects of the present inventions is to provide a mechanism to be embedded in devices, especially portable devices, to function as an electronic purse (e-purse) to be able to conduct transactions over an open network with a payment server without compromising security.

Other objects, features, and advantages of the present invention will become apparent upon examining the following detailed description of an embodiment thereof, taken in conjunction with the attached drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will be readily understood by the following detailed description in conjunction with the accompanying drawings, wherein like reference numerals designate like structural elements, and in which:

FIG. 1A shows a three-tier security model based on which the present invention is contemplated to operate according to one embodiment thereof;

FIG. 1B shows a data flow in accordance with the three-tier security model among three entities;

FIG. 2 shows an exemplary architecture diagram according to one embodiment of the present invention;

FIG. 3A shows a block diagram of related modules interacting with each other to achieve what is referred to herein as e-purse personalization by an authorized person as shown in FIG. 2;

FIG. 3B shows a block diagram of related modules interacting with each other to achieve what is referred to herein as e-purse personalization by a user of the e-purse as shown in FIG. 2;

FIG. 3C shows a flowchart or process of personalizing an e-purse according to one embodiment of the present invention;

FIG. 4A and FIG. 4B show together a flowchart or process of financing an e-purse according to one embodiment of the present invention; and

FIG. 4C shows an exemplary block diagram of related blocks interacting with each other to achieve the process FIG. 4A.

DETAILED DESCRIPTION OF THE INVENTION

In the following description, numerous specific details are set forth to provide a thorough understanding of the present invention. The present invention may be practiced without these specific details. The description and representation herein are the means used by those experienced or skilled in the art to effectively convey the substance of their work to others skilled in the art. In other instances, well-known methods, procedures, components, and circuitry have not been described in detail since they are already well understood and to avoid unnecessarily obscuring aspects of the present invention.

Reference herein to “one embodiment” or “an embodiment” means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one implementation of the invention. The appearances of the phrase “in one embodiment” in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Further, the order of blocks in process, flowcharts or functional diagrams representing one or more embodiments do not inherently indicate any particular order nor imply limitations in the invention.

Embodiments of the present invention are discussed herein with reference to FIGS. 1A-4C. However, those skilled in the art will readily appreciate that the detailed description given herein with respect to these figures is for explanatory purposes only as the invention extends beyond these limited embodiments.

FIG. 1A shows a three-tier security model 100 based on which the present invention is contemplated to operate according to one embodiment thereof. The three-tier security model 100 includes physical security 102, e-purse security 104 and card manager security 106.

Physical security 102 refers to a security mechanism provided by a single functional card to protect data stored on the card. The card may be hardware implemented or software emulated running on a type of media. Data on a single function card is protected by a set of access keys. These keys are configured onto the card when the card is issued. To avoid obscuring aspects of the present invention, the process of how the keys are configured onto the cards is to be omitted. For accessing the data, related keys are delivered to a reader for authentication.

E-purse security 104 defines a set of protocols that enable micro payment transactions to be carried out in both wired and wireless environments. With an electronic purse (a.k.a., e-purse) stored on a smart card, a set of keys (either symmetric or asymmetric) is personalized into the purse when the purse is being issued. During a transaction, the purse uses a set of respective keys for encryption and MAC computation in order to secure the message channel between the purse and the SAM or backend servers. For a single functional card, the e-purse security 104 will act as gates to protect actual operations performed on a single functional card. During personalization, the single functional card access keys (or its transformation) are personalized into the purse with the purse transaction keys.

Card Manager Security 106, referring to a general security framework of a preload operating system in a smart card, provides a platform for PIN management and security channels (security domains) for card personalization. This platform via a card manager can be used to personalize a purse in one embodiment. One example of the card manager security 106 is what is referred to as a Global Platform (GP) that is a cross-industry membership organization created to advance standards for smart card growth. A GP combines the interests of smart card issuers, vendors, industry groups, public entities and technology companies to define requirements and technology standards for multiple application smart cards. In one embodiment, a global platform security is used to personalize a smart card. As a result, both e-purse keys and card access keys are personalized into the target tag.

FIG. 1B shows a data flow in accordance with the three-tier security model among three entities: a land-based SAM or a network e-purse server 112, e-purse 114 acting as a gate keeper, and a single function tag 116. According to one embodiment of the present invention, communications between the land-based SAM or the network e-purse server 112 and the e-purse 114 are conducted in sequence of a type of commands (e.g., APDU) while communications between the e-purse 114 and the single function tag 116 are conducted in sequence of another type of commands, wherein the e-purse 114 acts as the gate keeper to ensure only secured and authorized data transactions could happen.

In reference to FIG. 1A, the physical security is realized in an emulator. As used herein, an emulator means a hardware device or a program that pretends to be another particular device or program that other components expect to interact with. The e-purse security is realized between one or more applets configured to provide e-purse functioning and a payment server. The card manager security (e.g., global platform security) is realized via a card manager to update security keys to establish appropriate channels for interactions between the server and the applets, wherein the e-purse applet(s) acts as a gatekeeper to regulate or control the data exchange.

According to one embodiment, a smart card has a preloaded smart card operating system that provides security framework to control the access to the smart card (e.g., an installation of external applications into the smart card). In order to manage the life cycle of an external application, a card manager module is configured by using the smart card security framework. For instance, a Java-based smart card, SmartMX, is preloaded with an operating system JCOP 4.1. The Global Platform 2.1 installed on the SmartMX performs the card manager functionality.

Referring now to FIG. 2, there shows an exemplary architecture diagram 200 according to one embodiment of the present invention. The diagram 200 includes a cellphone 202 embedded with a smart card module. An example of such a cell phone is a near field communication (NFC) enabled cellphone that includes a Smart MX (SMX) module. The SMX is pre-loaded with a Mifare emulator 208 (which is a single functional card) for storing values. The cellphone is equipped with a RFID interface (e.g., ISO 14443) that allows the cellphone to act as a tag. In addition, the SMX is a JavaCard that can run Java applets. According to one embodiment, an e-purse is built on top of the global platform and implemented as an applet in SMX. The e-purse is configured to be able to access the Mifare data structures with appropriate transformed passwords based on the access keys.

In the cellphone 202, a purse manager midlet 204 is provided. For M-commerce, the midlet 204 acts as an agent to facilitate communications between an e-purse applet 206 and one or more payment network and servers 210 to conduct transactions therebetween. As used herein, a midlet is a software component suitable for being executed on a portable device. The purse manager midlet 204 is implemented as a “midlet” on a Java cellphone, or an “executable application” on a PDA device. One of the functions this software component provides is to connect to a wireless network and communicate with an e-purse applet which can reside on either the same device or an external smart card. In addition, it is configured to provide administrative functions such as changing a PIN, viewing a purse balance and a history log. In one application in which a card issuer provides an SA module 212 that is used to enable and authenticate any transactions between a card and a corresponding server (also referred to as a payment server). As shown in FIG. 2, APDU commands are constructed by the servers 210 having access to an SA module 212, where the APDU stands for Application Protocol Data Unit that is a communication unit between a reader and a card. The structure of an APDU is defined by the ISO 7816 standards. Typically, an APDU command is embedded in network messages and delivered to the server 210 or the e-purse applet 206 for processing.

For e-commerce, a web agent 214 on a computing device (not shown) is responsible for interacting with a RFID reader and the network server 210. In operation, the agent 214 sends the APDU commands or receives responses thereto through the RFID reader 216 to/from the e-purse applet 206 residing in the cellphone 202. On the other hand, the agent 214 composes network requests (e.g., an HTTP request) and receives responses thereto from the payment server 210.

To personalize the cellphone 202, FIG. 3A shows a block diagram 300 of related modules interacting with each other to achieve what is referred to herein as e-purse personalization by an authorized person as shown in FIG. 2. FIG. 3B shows a block diagram 320 of related modules interacting with each other to achieve what is referred to herein as e-purse personalization by a user of the e-purse as shown in FIG. 2.

FIG. 3C shows a flowchart or process 350 of personalizing an e-purse according to one embodiment of the present invention. FIG. 3C is suggested to be understood in conjunction with FIG. 3A and FIG. 3B. The process 350 may be implemented in software, hardware or a combination of both.

As described above, an e-purse is built on top of a global platform to provide a security mechanism necessary to personalize applets designed therefor. In operation, a security domain is used for establishing a secured channel between a personalization application and the e-purse. According to one embodiment, the essential data to be personalized into the purse include one or more operation keys (e.g., a load key and a purchase key), default PINs, administration keys (e.g., an unblock PIN key and a reload PIN key), and passwords (e.g., from Mifare).

It is assumed that a user desires to personalize an e-purse embedded in a device (e.g., a cellphone). At 352 of FIG. 3C, a personalization process is initiated. Depending on implementation, the personalization process may be implemented in a module in the device and activated manually or automatically, or a physical process initiated by an authorized person (typically associated with a card issuer). As shown in FIG. 3A, an authorized person initiates a personalization process 304 to personalize the e-purse for a user thereof via an existing new e-purse SA module 306 and a SA module 308 with the RFID reader 310 as the interface. The card manager 311 performs at least two functions: 1. establishing a security channel, via a security domain, to install and personalize an external application (e.g., e-purse applet) in the card personalization; and 2. creating security means (e.g., PINs) to protect the application during subsequent operations. As a result of the personalization process 304, the e-purse applet 312 and the emulator 314 are personalized.

Similarly, as shown in FIG. 3B, a user of an e-purse desires to initiate a personalization process to personalize the e-purse wirelessly (e.g., via the m-commerce path of FIG. 2). Different from FIG. 3A, FIG. 3B allows the personalization process to be activated manually or automatically. For example, there is a mechanism on a cellphone that, if pressed, activates the personalization process. Alternatively, a status of “non-personalized” may prompt the user to start the personalization process. As described above, a midlet 322 in a device acts as an agent to facilitate the communication between a payment server 324 and the e-purse 312 as well as the emulator 314, wherein the payment server 324 has the access to the existing new e-purse SA module 306 and an SA module 308. As a result of the personalization process, the e-purse applet 312 and the emulator 314 are personalized.

Referring now back to FIG. 3C, after the personalization process is started, in view of FIG. 3A, the RFID reader 310 is activated to read the tag ID and essential data from a card in the device at 354. With an application security domain (e.g., a default security setting by a card issuer), a security channel is then established at 356 between a new e-purse SAM (e.g., the SAM 306 of FIG. 3A) and an e-purse applet (e.g., the e-purse applet 312 of FIG. 3A) in the device.

Each application security domain of a global platform includes three 3DES keys. For example:

Key1: 255/1/DES-ECB/404142434445464748494a4b4c4d4e4f
Key2: 255/2/DES-ECB/404142434445464748494a4b4c4d4e4f
Key3: 255/3/DES-ECB/404142434445464748494a4b4c4d4e4f

A security domain is used to generate session keys for a secured session between two entities, such as the card manager applet and a host application, in which case the host application may be either a desktop personalization application or a networked personalization service provided by a backend server.

A default application domain can be installed by a card issuer and assigned to various application/service providers. The respective application owner can change the value of the key sets before the personalization process (or at the initial of the process). Then the application can use the new set to create a security channel for performing the personalization process.

With the security channel established using the application provider’s application security domain, the first set of data can be personalized to the purse applet. The second set of data can also be personalized with the same channel, too. However, if the data are in separate SAM, then a new security channel with the same key set (or different key sets) can be used to personalize the second set of data.

Via the new purse SAM 306, a set of e-purse operation keys and pins are generated for data transactions between the new e-purse SAM and the e-purse applet to essentially personalize the e-purse applet at 358.

A second security channel is then established at 360 between an existing SAM (e.g., the SAM 308 of FIG. 3A) and the e-purse applet (e.g., the e-purse applet 312 of FIG. 3A) in the device. At 362, a set of transformed keys is generated using the existing SAM and the tag ID. The generated keys are stored in the emulator for subsequent data access authentication. At 358, a set of MF passwords is generated using the existing SAM and the tag ID, then is stored into the e-purse applet for future data access authentication. After it is done, the e-purse including the e-purse applet and the corresponding emulator is set to a state of “personalized”.
`FIG. 4A and FIG.4B show togethera flowchart or process
`400 of financing an e-purse according to one embodimentof
`the present invention. The process 400 is conducted via the
`m-commerce path of FIG. 2. To better understandthe process
`400, FIG. 4C shows an exemplary block diagram 450 of
`related blocks interacting with each otherto achieve the pro-
`cess 400. Depending on an actual application of the present
`invention, the process 400 may be implemented in software,
`hardware or a combination ofboth.
`
`A user is assumed to have obtained a portable device (e.g.,
`a cellphone) that is configured to include an e-purse. The user
`desires to fund the e-purse from an account associated with a
`bank. At 402, the user enters a set of personal identification
`numbers (PIN). Assuming the PIN is valid, a purse manager in
`the device is activated and initiates a request (also referred to
`as an OTA top off request) at 404. The midlet in the device sends
`a request to the e-purse applet at 406, which is illustrated in
`FIG. 4C where the e-purse manager midlet 434 communi-
`cates with the e-purse applet 436.
`At 408, the e-purse applet composes a response in respond-
`ing to the request from the midlet. Upon receiving the
`response, the midlet sends the response to a payment network
`and server over a wireless network. As shown in FIG. 4C, the
`e-purse manager midlet 434 communicates with the e-purse
`applet 436 for a response that is then sent to the payment
`network and server 440. At 410, the process 400 needs to
`verify the validity of the response. If the response can not be
`verified, the process 400 stops. If the response can be verified,
`the process 400 moves to 412 where a corresponding account
`at a bank is verified. If the account does exist, a fund transfer
`request is initiated. At 414, the bank receives the request and
`responds to the request by returning a response. In general,
`the messages exchanged between the payment network and
`server and the bank are compliant with a network protocol
`(e.g., HTTP for the Internet).
`At 416, the response from the bank is transported to the
`payment network and server. The midlet strips and extracts
`the APDU commands from the response and forwards the
`commands to the e-purse at 418. The e-purse verifies the com-
`mands at 420 and, provided they are authorized, sends the
`commands to the emulator at 420 while updating a
`transaction log. At 422, a ticket is generated to formulate a
`response (e.g., in APDU format) for the payment server. As a
`result, the payment server is updated with a successful status
`message for the midlet, where the APDU response is retained
`for subsequent verification at 424.
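
The funding exchange of process 400, modeled as an added example that is not part of the patent: the applet's response is authenticated by the server through its SAM, and the returned credit command is verified by the applet before the balance and transaction log change. The patent specifies no algorithms or message layouts, so HMAC-SHA256, the key derivation, the nonce and counter fields and all class and function names are assumptions.

```python
import hashlib, hmac, os

# Assumptions: the patent names no algorithms or message layouts. HMAC-SHA256
# stands in for the SAM key transformation and the MACs; all values are constructed.
def mac(key, *parts):
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)  # length-prefixed
    return hmac.new(key, data, hashlib.sha256).digest()

class Sam:  # server-side SAM: the master key never leaves it
    def __init__(self, master):
        self._master = master
    def device_key(self, tag_id):  # key transformed from SAM key and tag ID
        return mac(self._master, b"purse", tag_id)

class PurseApplet:  # device side, personalized with its transformed key
    def __init__(self, tag_id, key):
        self.tag_id, self._key = tag_id, key
        self.balance, self.counter, self.log, self.nonce = 0, 0, [], b""
    def topup_response(self, amount):  # step 408
        self.nonce = os.urandom(8)
        body = [self.tag_id, self.nonce, b"%d" % self.counter, b"%d" % amount]
        return body + [mac(self._key, b"req", *body)]
    def credit(self, amount, tag):  # steps 420-422
        want = mac(self._key, b"credit", self.nonce, b"%d" % self.counter, b"%d" % amount)
        if not hmac.compare_digest(tag, want):
            return None  # unauthorized command: balance and log untouched
        self.balance += amount
        self.counter += 1  # a replayed command no longer verifies
        self.log.append((self.counter, amount))
        return mac(self._key, b"ticket", self.nonce, b"%d" % self.balance)

class PaymentServer:
    def __init__(self, sam):
        self.sam = sam
    def authorize(self, resp):  # steps 410-416; bank exchange (412-414) omitted
        tag_id, nonce, ctr, amt, tag = resp
        key = self.sam.device_key(tag_id)
        if not hmac.compare_digest(tag, mac(key, b"req", tag_id, nonce, ctr, amt)):
            return None  # response is not from a purse this issuer personalized
        return int(amt), mac(key, b"credit", nonce, ctr, amt)

def demo():
    sam = Sam(b"constructed-master-key")
    tag_id = bytes.fromhex("04a1b2c3")
    applet, server = PurseApplet(tag_id, sam.device_key(tag_id)), PaymentServer(sam)
    resp = applet.topup_response(50)  # the midlet relays this to the server
    amount, tag = server.authorize(resp)
    ticket = applet.credit(amount, tag)
    replay = applet.credit(amount, tag)  # same command presented again
    forged = server.authorize(resp[:3] + [b"5000", resp[4]])  # amount altered in transit
    return applet.balance, ticket is not None, replay, forged, applet.log
```

The midlet only relays messages in this model and holds no key, so neither an altered amount nor a replayed credit command passes verification at either end.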
`
`As shown in FIG. 4C, the payment network and server 440
`receives a response from the purse manager midlet 434 and
`verifies that the response is from an authorized e-purse origi-
`nally issued therefrom with a SAM module 444. After the
`response is verified, the pay
