Title of invention: System and method for key management for issuer security domain using global platform specifications
Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for key management for Issuer Security Domain (ISD) using GlobalPlatform Specifications. A client receives from a server an authorization to update a first ISD keyset. The client encrypts, via a client-side secure element, a second ISD keyset with a server public key. The client sends the encrypted second ISD keyset to the server for updating the first ISD keyset with the encrypted second ISD keyset. Prior to updating, the client generates the first ISD keyset at a vendor and sends the first ISD keyset to the client-side secure element and sends the first ISD keyset encrypted with the server public key to the server. The disclosed method allows for updating of an ISD keyset of which only the client-side secure element and a server have knowledge.
Publication number: US9185089(B2) Publication date: 2015.11.10
Application number: US201113332201 Filing date: 2011.12.20
Applicant: Apple Inc. Inventor: Khan Ahmer A.
Classification: H04L29/06;H04L9/32;H04W12/04 Main classification: H04L29/06
Agency: Downey Brand LLP Agent: Downey Brand LLP
Principal claim: 1. A method, comprising: receiving, at a client device and from a server, an authorization to update a first Issuer Security Domain (ISD) encryption keyset at the server; generating, via a secure element on the client device, a second ISD keyset that is to be used to update the first ISD encryption keyset at the server; encrypting, via the secure element on the client device, the second ISD keyset with a server public key to yield an encrypted second ISD keyset; and sending the encrypted second ISD keyset to the server for updating the first ISD encryption keyset at the server with the second ISD keyset, wherein the second ISD keyset replaces the first ISD encryption keyset at the server, and the second ISD keyset is known only to the server and the secure element.
Address: Cupertino CA US