Title of invention: Method and system to securely send secrets to users
Abstract: Securely providing secret information, such as PINs, to users via an encrypted electronic document is disclosed. The user might receive the encrypted electronic document as an attachment to an e-mail or might access the encrypted electronic document from a web site, as two examples. In order to open the encrypted electronic document, the user may need to provide some information that is on a physical banking card that was issued to the user. Therefore, an extra level of security is provided in that the user needs to be in possession of the physical banking card that may have been delivered by traditional mail, as well as the encrypted electronic document which is delivered via an electronic network.
Publication number: US9037865(B1) Publication date: 2015.05.19
Application number: US201313784176 Filing date: 2013.03.04
Applicant: CA, Inc. Inventor: Gopalakrishna Rajendra A.
Classification: G06F21/62;G06Q20/38;G07F7/10;G06Q20/36;H04L9/08 Main classification: G06F21/62
Agency: Vierra Magen Marcus LLP Agent: Vierra Magen Marcus LLP
Main claim: 1. A method comprising: sending, from a computer to a first device attached to the computer, a command to a first hardware security module (HSM) executing on the first device attached to the computer to create a first zone within a domain of an issuer of a physical banking card; sending, from the computer to the first device, a command to the first HSM to create a secret password for using the physical banking card; sending, from the computer to a second device attached to the computer, a command to a second hardware security module (HSM) executing on the second device attached to the computer to create a second zone for use within the domain of the issuer of the physical banking card; sending, from the computer to the first device, a command to the first HSM to transfer an encrypted version of the secret password from the first zone to the second zone of the second hardware security module (HSM); sending, from the computer to the second device, a command to the second HSM to decrypt the encrypted version of the secret password in the second zone; accessing, by the computer from the second device, the decrypted secret password from the second HSM; generating, by the computer, an encryption key based on information on the physical banking card; encrypting, by the computer, an electronic document that comprises the decrypted secret password for using the physical banking card with the encryption key; providing the encrypted electronic document to a client device associated with a user that is associated with the physical banking card; performing an authentication process between the client device and a key server in which the client device responds based on the information on the physical banking card; and providing a decryption key for decrypting the encrypted electronic document to the client device in response to the authentication process authenticating the user.
Address: New York NY US