As user devices such as NFC-enabled mobile phones and contactless cards continue to increase in popularity, maintaining the security of payment transactions continues to be a concern. For instance, in order to conduct a payment transaction, it is typically necessary to authenticate a user and transmit information to a server. However, an attacker may attempt to eavesdrop on the transaction (e.g., by conducting a man-in-the-middle attack). Thus, an attacker may attempt to intercept identification data, such as a user device identifier, or authentication data, such as a password, transmitted by the user. If determined, this data could be used for illicit purposes.
Further complicating matters is the security of the user device itself. In some cases, the user device may be compromised or otherwise untrustworthy, so that it would be inadvisable to store persistent or static secure credentials such as a user private key on the device. Conducting secure and authenticated communication in such circumstances may pose a challenge.
Additionally complicating matters is the unlikely event that a private key, such as a private key stored on a user device or a private key stored on a server computer, is compromised. In such circumstances, it is desirable for a secure system to exhibit forward secrecy: the compromise of the private key should not lead to the compromise of past secure communication between the entities.
Embodiments of the present invention address these and other problems individually and collectively.