Field
The present invention relates to application validation, and more particularly to systems, methods, and computer program products for providing key encryption.
Related Art
Applications stored and functioning on mobile devices are increasingly being used to conduct communications that require the secure transmission of data between devices.
For example, in a mobile commerce environment, transactions, accounts, products and the like often are stored and processed in or using a mobile wallet application deployed on a mobile device. The mobile wallet application on a mobile device may communicate with a wallet server in order to exchange (e.g., transmit and receive) data and manage aspects of the mobile wallet. These communications often need to be secure, as they may include, for example, sensitive data such as personal or financial data.
For example, in one instance, a user of a mobile wallet application (e.g., on a mobile device) might want to access an issuer's website (e.g., Bank of America, American Express, etc.) via the mobile wallet application interface, rather than through a separate application such as a web browser. To do so, the mobile wallet application must authenticate itself, ideally without having to prompt the user of the mobile wallet application to enter his or her credentials corresponding to the issuer's site each time that access is needed or requested.
Thus, a session single sign-on key is used by the mobile wallet application to authenticate itself to other systems such as a wallet server (in turn, the server notifies the issuer that the client has been authenticated and thus access can be securely provided).
In one example, the sign-on key is encrypted using a hardcoded key that is stored on the mobile wallet application and the wallet server. However, this approach is problematic, because if the hardcoded key is compromised, every system relying on it becomes vulnerable. Moreover, if the key is changed, this approach requires significant effort to update every system that utilizes the hardcoded key, such as every mobile device having a mobile wallet application. Sending a sign-on key that is not encrypted is not a realistic solution because of the security vulnerabilities it would introduce.
Thus, one technical challenge involves providing a process for encrypting and decrypting a session key at and/or by multiple devices (e.g., a mobile wallet application on a mobile device, a wallet server) which is dynamic (e.g., not common to a large set of clients or servers).