WO2020082020A1 - Secure digital wallet processing system - Google Patents

Secure digital wallet processing system

Info

Publication number
WO2020082020A1
Authority
WO
WIPO (PCT)
Prior art keywords
distributed ledger
public address
private key
ledger transaction
cryptocurrency
Application number
PCT/US2019/057062
Other languages
French (fr)
Inventor
Sercan KARAOGLU
Mohammed Chakib BOUDA
Original Assignee
Bell Identification B.V.
Application filed by Bell Identification B.V.
Priority to SG11202103833XA
Priority to US17/285,249 (published as US20210374724A1)
Priority to EP19872361.1A (granted as EP3867849B1)
Priority to CN201980068910.4A (published as CN113015991A)
Publication of WO2020082020A1

Classifications (CPC; each leaf code listed once)

    • H04L9/3239 Cryptographic mechanisms for message authentication using non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • G06Q20/36 Payment architectures using electronic wallets or electronic money safes
    • G06Q20/363 Electronic wallets holding the personal data of a user
    • G06Q20/3674 Electronic purses or money safes involving authentication
    • G06Q20/3678 Electronic purses or money safes, e-cash details, e.g. blinded, divisible or detecting double spending
    • G06Q20/3823 Payment protocols insuring higher security of a transaction by combining multiple encryption tools
    • G06Q20/3825 Payment protocols using electronic signatures
    • G06Q20/3827 Payment protocols using message hashing
    • G06Q20/3829 Payment protocols involving key management
    • G06Q20/389 Keeping a log of transactions to guarantee non-repudiation of a transaction
    • H04L9/0897 Escrow, recovery or storing of secret information involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
    • H04L9/3247 Cryptographic mechanisms for message authentication involving digital signatures
    • H04L9/50 Cryptographic mechanisms using hash chains, e.g. blockchains or hash trees
    • G06Q2220/00 Business processing using cryptography

Definitions

  • the present disclosure is generally related to computer systems, and is more specifically related to systems and methods implementing a secure digital wallet processing system.
  • FIG. 1 schematically illustrates a component diagram of an example secure digital wallet processing system performing the functions described herein.
  • FIG. 2 schematically illustrates a component diagram of an example secure digital wallet processing system performing the functions described herein.
  • FIG. 3 schematically illustrates a component diagram of another example secure digital wallet processing system performing the functions described herein.
  • FIG. 4 schematically illustrates a component diagram of another example secure digital wallet processing system performing the functions described herein.
  • FIG. 5 depicts a flow diagram of one illustrative example of method of implementing a secure digital wallet, in accordance with one or more aspects of the present disclosure.
  • FIG. 6 depicts a flow diagram of one illustrative example of method of cryptographic key management, in accordance with one or more aspects of the present disclosure.
  • Fig. 7 depicts a high-level architecture of an example secure digital wallet processing system performing the functions described herein.
  • Fig. 8 depicts a high-level functional diagram of an example secure digital wallet processing system performing the functions described herein.
  • Fig. 9 depicts a high-level functional diagram of various subsystems of an example secure digital wallet processing system performing the functions described herein.
  • Fig. 10 depicts a high-level interaction diagram of an example secure digital wallet processing system performing the functions described herein.
  • Fig. 11 depicts a buy order workflow performed by an example secure digital wallet processing system performing the functions described herein.
  • Fig. 12 depicts a sell order workflow performed by an example secure digital wallet processing system performing the functions described herein.
  • FIG. 13 schematically illustrates a diagrammatic representation of an example computing system which may perform the methods described herein.
  • Secure digital wallet processing systems and methods described herein address the need for a secure key management protocol for distributed ledger processing systems where the complexity of cryptography is hidden behind easy to integrate application programming interfaces (APIs).
  • the secure digital wallet processing system may provide financial institutions (e.g., banks) with services to securely manage blockchain transactions for their customers.
  • the secure digital wallet processing system may store one or more types of cryptocurrencies (e.g., Bitcoin, Ethereum, etc.) and allow the buying, selling, transfer, and trading of these cryptocurrencies.
  • the secure digital wallet processing system may manage cryptography and data segmentation for client processing systems (i.e., clients), such as mobile or desktop computing devices, using distributed ledger processing systems.
  • An example distributed ledger processing system may implement a blockchain, i.e., an immutable (append-only) database in which transaction records are grouped in transaction blocks, such that each block stores a cryptographic hash of the previous block.
  • the transaction blocks are stored by multiple nodes.
  • a consensus protocol may be implemented for validating transaction records.
  • the blockchain may implement a proof-of-work consensus protocol, which requires that a node, before broadcasting a block of transaction records, find a nonce value such that the hash of the block (including the nonce) satisfies a pre-determined difficulty target, for example by having a required number of leading zero bits.
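  • As an added worked example (not code from the patent or from Bell Identification), the hash chain and proof-of-work search described above, in Python: each block commits to its predecessor's hash, mining searches for a nonce that brings the block hash under a difficulty target, and the verifier recomputes every link so that editing a record in an earlier block is detected, even if the edited block is re-mined. The difficulty of 12 leading zero bits, the canonical-JSON block encoding and the sample records are assumptions chosen so the search finishes quickly.

```python
import copy
import hashlib
import json

DIFFICULTY_BITS = 12  # assumption: small enough that mining a block takes milliseconds


def block_hash(index, prev_hash, records, nonce):
    """SHA-256 over a canonical serialisation of the block contents."""
    header = json.dumps({"index": index, "prev": prev_hash, "records": records,
                         "nonce": nonce}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(header.encode()).hexdigest()


def meets_target(digest_hex, bits=DIFFICULTY_BITS):
    """Proof-of-work target: the digest must have at least `bits` leading zero bits."""
    return int(digest_hex, 16) < (1 << (256 - bits))


def mine_block(index, prev_hash, records):
    """Search for a nonce that brings the block hash under the target."""
    nonce = 0
    while True:
        digest = block_hash(index, prev_hash, records, nonce)
        if meets_target(digest):
            return {"index": index, "prev": prev_hash, "records": records,
                    "nonce": nonce, "hash": digest}
        nonce += 1


GENESIS_PREV = "0" * 64


def build_chain(record_sets):
    """Append one mined block per record set; each block commits to its predecessor's hash."""
    chain, prev = [], GENESIS_PREV
    for index, records in enumerate(record_sets):
        block = mine_block(index, prev, copy.deepcopy(records))
        chain.append(block)
        prev = block["hash"]
    return chain


def verify_chain(chain):
    """Recompute every hash and link; any edit to an earlier block breaks the chain."""
    prev = GENESIS_PREV
    for index, block in enumerate(chain):
        if block["index"] != index or block["prev"] != prev:
            return False
        digest = block_hash(index, block["prev"], block["records"], block["nonce"])
        if digest != block["hash"] or not meets_target(digest):
            return False
        prev = digest
    return True


# Constructed sample records, not real ledger data.
SAMPLE_RECORDS = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}],
    [{"from": "carol", "to": "alice", "amount": 1}],
]


def tamper_demo():
    """Return (valid_before, valid_after) for a chain whose genesis record is rewritten."""
    chain = build_chain(SAMPLE_RECORDS)
    before = verify_chain(chain)
    chain[0]["records"][0]["amount"] = 500   # rewrite history without re-mining
    after = verify_chain(chain)
    return before, after


def remine_demo():
    """Re-mining the edited block alone does not help: block 1's stored prev no longer matches."""
    chain = build_chain(SAMPLE_RECORDS)
    chain[0]["records"][0]["amount"] = 500
    chain[0] = mine_block(0, GENESIS_PREV, chain[0]["records"])
    return verify_chain(chain)
```

  • The point of `remine_demo` is that an attacker must re-mine every block after the edited one, which is what makes the work in proof-of-work a security property rather than a formality; on a real network the honest nodes are extending the chain at the same time.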
  • a client may request transactional information to be encrypted by the secure digital wallet processing system and delivered by the secure digital wallet processing system to a distributed ledger or off-chain ledger processing system.
  • Data related to the transaction may be made available via distributed systems (either the ledger itself or a file system) as encrypted and restricted payloads, using internal key management and restriction resources of the secure digital wallet processing system.
  • Transactional information and its related payloads may be verified and made available to permissioned parties using application programming interfaces (APIs) of the secure digital wallet processing system, or via limited-use keys (distributed by the secure digital wallet processing system to secure environments of the client) together with direct access of the client to the distributed systems.
  • the client may use these features to configure key management and restriction, and so control the accessibility of transactional information and its related data during operation.
  • Fig. 1 schematically illustrates a component diagram of an example secure digital wallet processing system performing the functions described herein.
  • the secure digital wallet processing system 100 provides APIs 110 to one or more identity provider processing systems 120 (e.g., a financial institution processing system), one or more service client processing systems 130 (e.g., processing systems of customers of the financial institutions), and one or more secure processing environments 140 of the service client processing systems.
  • the APIs may be web service APIs accessible over a computer network and may conform to the Open API standard.
  • the secure digital wallet processing system 100 services transactions from the client processing systems using a distributed ledger network 150 of distributed ledger processing systems, off-chain ledger processing systems 152, and/or distributed file system processing systems 155.
  • the key management system 158 provides a key management protocol service 160 that provides identity, authentication, digital signature, key generation and provisioning, authorization, and verification services to the client processing systems, including multi-tenancy support.
  • the key management protocol service 160 operates using one or more hardware security modules (HSMs), also known as Tamper Resistant Devices (TRDs), that generate and store cryptographic information such as public and private keys 165 or addresses in a secure manner.
  • HSMs use warm storage devices 170 and cold storage devices 172 to manage the security of the cryptographic information.
  • the warm and cold storage devices store private digital assets (e.g., public and private keys and / or addresses) of users of the client processing systems.
  • Cold storage devices 172 store the cryptographic information while it is not in use by the HSMs, and the cryptographic information is moved from the cold storage devices 172 to the warm storage devices 170 to allow the HSMs to perform cryptographic operations on the cryptographic information.
  • the key management protocol service 160 manages the transfer of cryptographic information between warm storage 170 and cold storage 172 and performs life cycle management of cryptographic keys stored 165 in the warm storage 170 and cold storage 172.
  • the key management protocol service 160 also operates using a permissions database 180 that stores client permissions of the service client processing systems and uses the client permissions in key management operations and transactions to restrict the use of the operations and transactions as specified by the permission.
  • the key management protocol service 160 creates, updates, and deletes permissions stored in the permissions database 180.
  • the key management protocol service may employ the secure key distribution module 182 for providing limited use cryptographic keys 185 to the secure processing environments 140 of the service client processing systems for use by the service client processing systems with the distributed ledger network 150 of distributed ledger processing systems, the off-chain ledger processing systems 152, and/or the distributed file system processing systems 155.
  • the key management protocol service 160 performs life cycle management of the limited use keys 185 including the provisioning and replenishment of these keys.
  • the secure digital wallet processing system 100 may further provide distributed ledger network integration services to allow communication between the secure digital wallet processing system and one or more private or public distributed ledger networks 150 of distributed ledger processing systems. These integration services may be used by the service client processing systems 130 to perform transactions on the various distributed ledger processing systems.
  • the secure digital wallet processing system 100 may further provide off-chain network integration services to allow communication between the secure digital wallet processing system 100 and one or more private or public off-chain ledger networks 152A-152Z of off-chain processing systems. These integration services may be used by the service client processing systems 130 to perform transactions on the various off-chain processing systems 152.
  • the secure digital wallet processing system 100 may further provide distributed file system integration services to allow communication between the secure digital wallet processing system 100 and one or more private or public distributed file systems 155. These integration services may be used by the service client processing systems to perform transactions on the various distributed file systems.
  • the key management protocol service 160 creates transactions or asset data 190 responsive to requests from the service client processing systems 130.
  • the key management protocol service 160 may create the transactions or asset data 190A-190N with public data only, with public and private data, with private (encrypted) data on a distributed ledger processing system 150, with private data on a distributed file system 155, with private data on an off-chain ledger, or with any suitable combinations of the above.
  • the key management protocol service 160 may ensure the privacy of transaction data by encrypting the data with an encryption key before submitting the transaction to a distributed ledger processing system 150.
  • the key management protocol service 160 may also verify or access transactions or asset data 190A-190N responsive to requests from the service client processing systems 130.
  • Fig. 2 schematically illustrates a component diagram of another example secure digital wallet processing system performing the functions described herein.
  • the secure digital wallet processing system 200 provides APIs 210 to one or more identity provider processing systems 220 (e.g., a financial institution processing system) and one or more service client processing systems 230 (e.g., processing systems of customers of the financial institutions, shown as a mobile device in Fig. 2).
  • the secure digital wallet processing system 200 services transactions from the client processing systems using a blockchain network 250 of distributed ledger processing systems.
  • the secure digital wallet processing system 200 provides a key management protocol service 260 that provides identity, authentication, digital signature, key generation and provisioning, authorization, and verification services to the client processing systems 230, including multi-tenancy support.
  • the key management protocol service 260 operates using one or more HSMs 262 that generate and store cryptographic information such as public and private keys or addresses in a secure manner.
  • the HSMs 262 store the cryptographic information in a key management system (KMS) database (DB) 264 that includes warm and cold storage devices as described above with reference to Fig. 1.
  • the secure digital wallet processing system 200 stores cryptocurrency private keys in the KMS DB 264 and uses the private keys to generate one or more public addresses to provide to the service client processing system 230.
  • the service provider gateway 268 receives a create-public-address request carrying an authentication token and a customer identifier and forwards the request to the order processor 270.
  • the order processor 270 causes the blockchain connector 272 to validate the customer using the authenticator 274, which consults a customer identifier / public address database 276 on the identity provider processing system 220 (or another suitable processing system not shown). If the customer is successfully validated, the blockchain connector 272 requests a public address for the customer from the CryptoWs service 278.
  • the CryptoWs service 278 causes the HSM 262 to retrieve the customer's private key from the KMS database 264, derives a public address from the private key (via the corresponding public key) using a cryptographic operation, stores the public address alongside the private key in the KMS database 264, and returns the public address to the blockchain connector 272.
  • the blockchain connector 272 stores the public address in the customer identifier / public address database 276 of the identity provider processing system 220 and provides the public address to the service client processing system 230.
  • the secure digital wallet processing system 200 creates transactions for a customer using the public address.
  • the service provider gateway 268 receives a transaction request with an authentication token and a customer identifier and forwards the request to the order processor 270.
  • the order processor 270 causes the blockchain connector 272 to validate the customer using the authenticator as described above. If the customer is successfully validated, the blockchain connector 272 requests that the CryptoWs service 278 create a transaction for the customer.
  • the CryptoWs service 278 causes the HSM 262 to retrieve the customer's private key from the KMS database 264, signs the transaction with the private key using a cryptographic operation, and returns the signed transaction to the blockchain connector 272.
  • the blockchain connector 272 provides the signed transaction to the blockchain network 250 thus causing the transaction to be executed.
  • the transaction may be a buy order, a sell order, or a transfer to or from another party, for example, and may include computer executable code (e.g., a Smart Contract) that specifies conditions for the transaction.
  • FIG. 3 schematically illustrates a component diagram of another example secure digital wallet processing system performing the functions described herein.
  • the secure digital wallet processing system 300 communicates with a bank server and identity provider processing system 310 and a bank mobile application processing system 315 through APIs 320A-320N.
  • the secure digital wallet processing system 300 also communicates with one or more crypto blockchain networks 325, one or more payment service providers 330, and one or more cryptocurrency exchanges 335.
  • the secure digital wallet processing system 300 is a solution that provides consumers of banks or merchants with a digital wallet, capable of holding multiple cryptocurrencies, which are secured in a crypto vault and can be used for trading.
  • the solution supports multiple blockchain networks and exchanges.
  • Cryptocurrency account(s) and trading functionality can be used via the consumer's banking application 315.
  • Once a consumer indicates that they want to use the cryptocurrency features, they can start trading using the supported cryptocurrencies, for which the cryptographic material is securely stored in the crypto vault.
  • Fig. 4 schematically illustrates a component diagram of another example secure digital wallet processing system performing the functions described herein.
  • the secure digital wallet processing system 400 stores computer executable instructions to provide the following services to a consumer processing system: create a new consumer, automatically create funding accounts, get details of a consumer (e.g., fiat and cryptocurrency account details and / or payment methods), create a new cryptocurrency account, get details of a new account, create a new payment method, update and verify a new payment method, create a cryptocurrency buy order using either a fiat currency or another cryptocurrency, create a cryptocurrency sell order and receive either a fiat currency or another cryptocurrency in return, get order information for one or more orders, transfer a cryptocurrency to or from another party, and get cryptocurrency exchange information (e.g., cryptocurrency tickers).
  • the secure digital wallet processing system 400 also stores computer executable instructions to retrieve definitions such as exchanges, assets, and asset pairs.
  • the secure digital wallet processing system further stores computer executable instructions to provide the following interface services to one or more cryptocurrency networks 410A-410Z (e.g., Ethereum, Bitcoin, etc.).
  • the embodiments of a secure digital wallet processing system described above enable the secure storage and transfer of cryptocurrencies and other digital assets using proven, bank-grade, field-deployed tokenization and encryption technology. These secure digital wallet processing systems enable banks, exchanges and investment portals to leverage tokens to secure the purchase, storage, exchange and sale of cryptocurrencies.
  • Blockchain is gaining traction across industries, with the decentralized public-ledger framework opening new use cases that extend beyond cryptocurrency into financial services, retail, real estate, healthcare and insurance. While it provides a trusted and immutable record, the blockchain is not completely secure. Blockchain holds assets of value, like cryptocurrency, at an address in a public ledger, and that address is controlled by a private key. Much like a card or account number used to access funds, the key is all that is required to spend the digital asset; if it is lost or stolen, that value is gone. Multi-signature raises the level of security by introducing additional distributed keys for recovery and authentication of transactions, but still relies upon original keys that are vulnerable to attack. Given the high-value financial and safety-critical nature of some proposed use cases, it is imperative that nothing alters data prior to its placement on the blockchain.
  • the secure digital wallet processing systems combine multi-signature with proven, bank-grade tokenization technology to enhance security, confidentiality and privacy by replacing sensitive credentials, such as private keys for blockchain and cryptocurrency, with a non-sensitive equivalent token that is unique to each transaction.
  • tokens cannot be used by a third party to conduct transactions if intercepted.
  • tokenization mitigates fraud risk and protects the underlying value of credentials. This reduces cryptocurrency security risks, which have led to enormous losses, adverse brand impact and suspensions of trading.
  • the secure digital wallet processing systems features include: [0050] Tokenized Security - Replace sensitive private keys with domain-specific tokens to purchase, trade and store cryptocurrency to limit vulnerabilities and improved trust.
  • Multi-Signature - Multi-signature wallets require at least two signatures to confirm a transaction, increasing security and preventing fraud, while enabling faster transactions.
  • Segregated Wallets Combine the security benefits of an offline cold wallet with the convenience of an online wallet through multi-factor authenticated access to an online segregated wallet.
  • the secure digital wallet processing systems can support a white-label application (app) or a software development kit (SDK), allowing consumers to easily access and trade cryptocurrency through their usual mobile and desktop banking portals.
  • app white-label application
  • SDK software development kit
  • Fig. 5 depicts a flow diagram of one illustrative example of method 500 of implementing a secure digital wallet, in accordance with one or more aspects of the present disclosure.
  • Method 500 and/or each of its individual functions, routines, subroutines, or operations may be performed by one or more general purpose or specialized computer systems (e.g., example computer system 1000 of Fig. 13).
  • method 500 may be performed by a single processing thread.
  • method 500 may be performed by two or more processing threads, each thread executing one or more individual functions, routines, subroutines, or operations of the method.
  • the processing threads implementing method 500 may be synchronized (e.g., using semaphores, critical sections, and/or other thread synchronization mechanisms).
  • the computer system implementing the method receives a distributed ledger transaction and a public address identifying the user initiating the transaction.
  • the distributed ledger transaction is a cryptocurrency buy or sell order, a
  • the computer system validates the distributed ledger transaction.
  • the computer system retrieves, from the key management system, the private key corresponding to the public address.
  • the computer system decrypts the retrieved private key.
  • the computer system signs the distributed ledger transaction by the decrypted private key.
  • the computer system communicates the signed distributed ledger transaction to a distributed ledger, and the method terminates.
  • Fig. 6 depicts a flow diagram of one illustrative example of method 600 of cryptographic key management, in accordance with one or more aspects of the present disclosure.
  • Method 600 and/or each of its individual functions, routines, subroutines, or operations may be performed by one or more general purpose or specialized computer systems (e.g., example computer system 1000 of Fig. 13).
  • method 600 may be performed by a single processing thread.
  • method 600 may be performed by two or more processing threads, each thread executing one or more individual functions, routines, subroutines, or operations of the method.
  • the processing threads implementing method 600 may be synchronized (e.g., using semaphores, critical sections, and/or other thread synchronization mechanisms).
  • the computer system implementing the method receives a private key associated with a user.
  • the computer system causes an HSM to generate a public address by performing a cryptographic operation on the private key.
  • the computer system encrypts the private key and the public address.
  • the computer system communicates the private key to the user.
  • the computer system stores, in a secure database, the encrypted private key in association with the public address, and the method terminates.
  • Fig. 13 schematically illustrates a diagrammatic representation of a computing system 1000, within which a set of instructions, for causing the computing device to perform the methods described herein, may be executed.
  • Computing system 1000 may be connected to other computing devices in a LAN, an intranet, an extranet, and/or the Internet.
  • the computing device may operate in the capacity of a server machine in client-server network environment.
  • the computing device may be provided by a personal computer (PC), a set-top box (STB), a server, a network router, switch or bridge, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine.
  • the example computing system 1000 may include a processor (also referred to as “central processing unit” (CPU)) 1002, which in various illustrative examples may be a general purpose or specialized processor comprising one or more processing cores.
  • the example computing system 1000 may further comprise a main memory 1004 (e.g., synchronous dynamic random access memory (DRAM), read-only memory (ROM)), a static memory 1006 (e.g., flash memory), and a data storage device 1018, which may communicate with each other via a bus 1030.
  • the processing device 1002 may be configured to execute methods for performing the operations and steps described herein.
  • the example computing system 1000 may further include a network interface device 1008 which may communicate with a network 1020.
  • the example computing system 1000 also may include a video display unit 1010 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)), an alphanumeric input device 1012 (e.g., a keyboard), and a cursor control device 1014 (e.g., a mouse).
  • the video display unit 1010, the alphanumeric input device 1012, and the cursor control device 1014 may be combined into a single component or device (e.g., an LCD touch screen).
  • the data storage device 1018 may include a computer-readable storage medium 1028 on which may be stored one or more sets of instructions 1032 implementing any one or more of the methods or functions described herein, including method 500 of implementing a secure digital wallet and/or method 600 of cryptographic key management.
  • Instructions 1032 implementing the methods or functions described herein may also reside, completely or at least partially, within the main memory 1004 and/or within the processing device 1002 during execution thereof by the example computing system 1000, hence the main memory 1004 and the processing device 1002 may also constitute or comprise computer-readable media.
  • the instructions may further be transmitted or received over the network 1020 via the network interface device 1008.
  • the term "computer-readable storage medium" should be taken to include a single medium or multiple media (e.g., a centralized or distributed database and/or associated caches and servers) that store the one or more sets of instructions.
  • the term "computer-readable storage medium" shall also be taken to include any medium that is capable of storing, encoding or carrying a set of instructions for execution by the machine and that cause the machine to perform the methods described herein.
  • the term "computer-readable storage medium" shall accordingly be taken to include, but not be limited to, solid-state memories, optical media and magnetic media.
  • terms such as "updating", "identifying", "determining", "sending", "assigning", or the like refer to actions and processes performed or implemented by computing devices that manipulate and transform data represented as physical (electronic) quantities within the computing device's registers and memories into other data similarly represented as physical quantities within the computing device memories or registers or other such information storage, transmission or display devices.
  • the terms “first,” “second,” “third,” “fourth,” etc. as used herein are meant as labels to distinguish among different elements and may not necessarily have an ordinal meaning according to their numerical designation.
  • Examples described herein also relate to a system for performing the methods described herein.
  • This system may be specially constructed for the required purposes, or it may comprise a general purpose computing device selectively programmed by a computer program stored in the computing device.
  • a computer program may be stored in a computer-readable non-transitory storage medium.

Landscapes

  • Business, Economics & Management (AREA)
  • Engineering & Computer Science (AREA)
  • Accounting & Taxation (AREA)
  • Finance (AREA)
  • Computer Security & Cryptography (AREA)
  • General Business, Economics & Management (AREA)
  • Strategic Management (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

Systems and methods for implementing a secure digital wallet processing system. An example method comprises: receiving, by a computer system, a distributed ledger transaction and a public address; retrieving, from a key management system, a private key corresponding to the public address, wherein the key management system comprises a hardware security module (HSM) that generated the public address from the private key; signing the distributed ledger transaction by the private key; and providing the signed distributed ledger transaction to a distributed ledger.

Description

SECURE DIGITAL WALLET PROCESSING SYSTEM
TECHNICAL FIELD
[0001] The present disclosure is generally related to computer systems, and is more specifically related to systems and methods implementing a secure digital wallet processing system.
BACKGROUND
[0002] Software solutions using cryptography and distribution of information, and in particular, various distributed ledger implementations, are getting more traction. Such systems may be employed for cryptocurrency emission, storage, and exchange between users.
BRIEF DESCRIPTION OF THE DRAWINGS
[0003] The present disclosure is illustrated by way of examples, and not by way of limitation, and may be more fully understood with references to the following detailed description when considered in connection with the figures, in which:
[0004] Fig. 1 schematically illustrates a component diagram of an example secure digital wallet processing system performing the functions described herein.
[0005] Fig. 2 schematically illustrates a component diagram of an example secure digital wallet processing system performing the functions described herein.
[0006] Fig. 3 schematically illustrates a component diagram of another example secure digital wallet processing system performing the functions described herein.
[0007] Fig. 4 schematically illustrates a component diagram of another example secure digital wallet processing system performing the functions described herein.
[0008] Fig. 5 depicts a flow diagram of one illustrative example of method of implementing a secure digital wallet, in accordance with one or more aspects of the present disclosure.
[0009] Fig. 6 depicts a flow diagram of one illustrative example of method of cryptographic key management, in accordance with one or more aspects of the present disclosure.
[0010] Fig. 7 depicts a high-level architecture of an example secure digital wallet processing system performing the functions described herein.
[0011] Fig. 8 depicts a high-level functional diagram of an example secure digital wallet processing system performing the functions described herein.
[0012] Fig. 9 depicts a high-level functional diagram of various subsystems of an example secure digital wallet processing system performing the functions described herein.
[0013] Fig. 10 depicts a high-level interaction diagram of an example secure digital wallet processing system performing the functions described herein.
[0014] Fig. 11 depicts a buy order workflow performed by an example secure digital wallet processing system performing the functions described herein.
[0015] Fig. 12 depicts a sell order workflow performed by an example secure digital wallet processing system performing the functions described herein.
[0016] Fig. 13 schematically illustrates a diagrammatic representation of an example computing system which may perform the methods described herein.
DETAILED DESCRIPTION
[0017] Since cryptography will generally stay in the realm of specialization there is a need to decrease its complexity without reducing its security.
[0018] Secure digital wallet processing systems and methods described herein address the need for a secure key management protocol for distributed ledger processing systems where the complexity of cryptography is hidden behind easy to integrate application programming interfaces (APIs). The secure digital wallet processing system, for example, may provide financial institutions (e.g., banks) with services to securely manage blockchain transactions for their customers. The secure digital wallet processing system may store one or more types of cryptocurrencies (e.g., Bitcoin, Ethereum, etc.) and allow the buying, selling, transfer, and trading of these cryptocurrencies.
[0019] The secure digital wallet processing system may manage cryptography and data segmentation for client processing systems (i.e., clients), such as mobile or desktop computing devices, using distributed ledger processing systems. An example distributed ledger processing system may implement a blockchain, i.e., an immutable (append-only) database in which transaction records are grouped in transaction blocks, such that each block stores a cryptographic hash of the previous block. The transaction blocks are stored by multiple nodes. A consensus protocol may be implemented for validating transaction records. In one example, the blockchain may implement a proof-of-work consensus protocol, which requires that a node, before broadcasting a block of transaction records, compute a value of a cryptographic nonce such that a certain hash function applied to the block would produce a pre-determined result. In various other implementations, other consensus protocols may be employed by systems and methods described herein.
[0020] A client may request transactional information to be encrypted by the secure digital wallet processing system and delivered by the secure digital wallet processing system to a distributed ledger or off-chain ledger processing system. Data related to the transaction may be made available via distributed systems (either the ledger itself or a file system) as encrypted and restricted payloads, using internal key management and restriction resources of the secure digital wallet processing system.
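The hash-chained, proof-of-work ledger that paragraph [0019] describes, carried through in Go as an added example (not code from the patent or its assignee): each block stores the SHA-256 of the previous block, a node searches for a nonce until the block hash reaches a pre-determined result, and VerifyChain recomputes every hash and back-link so that a record altered after placement is detected. The record strings, the leading-hex-zeros target and the difficulty value are constructed assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Block is one group of transaction records. It stores the hash of the
// previous block, so altering any earlier record breaks every later link.
type Block struct {
	Index    uint64
	PrevHash string   // hex SHA-256 of the previous block ("" for genesis)
	Records  []string // transaction records (constructed sample data)
	Nonce    uint64   // value found by the proof-of-work search
	Hash     string   // hex SHA-256 over this block's contents
}

// hashBlock binds index, previous hash, records and nonce into one digest.
func hashBlock(b *Block) string {
	h := sha256.New()
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], b.Index)
	h.Write(buf[:])
	h.Write([]byte(b.PrevHash))
	for _, r := range b.Records {
		// Length-prefix each record so ("ab","c") and ("a","bc") differ.
		binary.BigEndian.PutUint64(buf[:], uint64(len(r)))
		h.Write(buf[:])
		h.Write([]byte(r))
	}
	binary.BigEndian.PutUint64(buf[:], b.Nonce)
	h.Write(buf[:])
	return hex.EncodeToString(h.Sum(nil))
}

// meetsTarget is the pre-determined result: the digest must start with
// `difficulty` hex zeros (an assumed target; real networks use a numeric bound).
func meetsTarget(hash string, difficulty int) bool {
	return strings.HasPrefix(hash, strings.Repeat("0", difficulty))
}

// Mine performs the proof-of-work step: search for a nonce such that the
// block's hash meets the target before the block is broadcast.
func Mine(prev *Block, records []string, difficulty int) *Block {
	b := &Block{Records: records}
	if prev != nil {
		b.Index = prev.Index + 1
		b.PrevHash = prev.Hash
	}
	for {
		b.Hash = hashBlock(b)
		if meetsTarget(b.Hash, difficulty) {
			return b
		}
		b.Nonce++
	}
}

// VerifyChain recomputes every hash, proof of work and back-link. This is
// the check that exposes data altered after placement on the ledger.
func VerifyChain(chain []*Block, difficulty int) error {
	if len(chain) == 0 {
		return errors.New("empty chain")
	}
	for i, b := range chain {
		if b.Hash != hashBlock(b) {
			return fmt.Errorf("block %d: stored hash does not match contents", i)
		}
		if !meetsTarget(b.Hash, difficulty) {
			return fmt.Errorf("block %d: proof of work not satisfied", i)
		}
		if i > 0 && b.PrevHash != chain[i-1].Hash {
			return fmt.Errorf("block %d: previous-hash link broken", i)
		}
	}
	return nil
}

func main() {
	const difficulty = 3
	genesis := Mine(nil, []string{"genesis"}, difficulty)
	b1 := Mine(genesis, []string{"alice->bob 1.5 BTC"}, difficulty) // constructed
	b2 := Mine(b1, []string{"bob->carol 0.2 BTC"}, difficulty)
	chain := []*Block{genesis, b1, b2}
	fmt.Println("valid chain:", VerifyChain(chain, difficulty))
	b1.Records[0] = "alice->bob 15 BTC" // tamper with an earlier record
	fmt.Println("after tampering:", VerifyChain(chain, difficulty))
}
```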
[0021] Transactional information and its related payloads may be verified and made available to permissioned parties using application programming interfaces (APIs) of the secure digital wallet processing system, or via limited use keys (distributed by the secure digital wallet processing system to secure environments of the client) and direct access of the client to distributed systems.
[0022] The client may use this concept to configure key management and restriction features, to influence the accessibility of transactional information and its related data during operation.
[0023] Fig. 1 schematically illustrates a component diagram of an example secure digital wallet processing system performing the functions described herein. The secure digital wallet processing system 100 provides APIs 110 to one or more identity provider processing systems 120 (e.g., financial institution processing system), one or more service client processing systems 130 (e.g., processing systems of customers of the financial institutions), and one or more secure processing environments 140 of the service client processing systems. The APIs may be web service APIs accessible over a computer network and may conform to the Open API standard.
[0024] The secure digital wallet processing system 100 services transactions from the client processing systems using a distributed ledger network 150 of distributed ledger processing systems, off-chain ledger processing systems 152, and/or distributed file system processing systems 155. To do so, the key management system 158 provides a key management protocol service 160 that provides identity, authentication, digital signature, key generation and provisioning, authorization, and verification services to the client processing systems including multi-tenancy support.
[0025] The key management protocol service 160 operates using one or more hardware security modules (HSMs), also known as Tamper Resistant Devices (TRDs), that generate and store cryptographic information such as public and private keys 165 or addresses in a secure manner. The HSMs use warm storage devices 170 and cold storage devices 172 to manage the security of the cryptographic information. The warm and cold storage devices store private digital assets (e.g., public and private keys and / or addresses) of users of the client processing systems. Cold storage devices 172 store the cryptographic information while it is not in use by the HSMs, and the cryptographic information is moved from the cold storage devices 172 to the warm storage devices 170 to allow the HSMs to perform cryptographic operations on the cryptographic information. The key management protocol service 160 manages the transfer of cryptographic information between warm storage 170 and cold storage 172 and performs life cycle management of cryptographic keys stored 165 in the warm storage 170 and cold storage 172.
[0026] The key management protocol service 160 also operates using a permissions database 180 that stores client permissions of the service client processing systems and uses the client permissions in key management operations and transactions to restrict the use of the operations and transactions as specified by the permission. The key management protocol service 160 creates, updates, and deletes permissions stored in the permissions database 180.
[0027] The key management protocol service may employ the secure key distribution module 182 for providing limited use cryptographic keys 185 to the secure processing environments 140 of the service client processing systems for use by the service client processing systems with the distributed ledger network 150 of distributed ledger processing systems, the off-chain ledger processing systems 152, and/or the distributed file system processing systems 155. The key management protocol service 160 performs life cycle management of the limited use keys 185 including the provisioning and replenishment of these keys.
[0028] The secure digital wallet processing system 100 may further provide distributed ledger network integration services to allow communication between the secure digital wallet processing system and one or more private or public distributed ledger networks 150 of distributed ledger processing systems. These integration services may be used by the service client processing systems 130 to perform transactions on the various distributed ledger processing systems.
[0029] The secure digital wallet processing system 100 may further provide off-chain network integration services to allow communication between the secure digital wallet processing system 100 and one or more private or public off-chain ledger networks 152A-152Z of off-chain processing systems. These integration services may be used by the service client processing systems 130 to perform transactions on the various off-chain processing systems 152.
[0030] The secure digital wallet processing system 100 may further provide distributed file system integration services to allow communication between the secure digital wallet processing system 100 and one or more private or public distributed file systems 155. These integration services may be used by the service client processing systems to perform transactions on the various distributed file systems.
[0031] The key management protocol service 160 creates transactions or asset data 190 responsive to requests from the service client processing systems 130. The key management protocol service 160 may create the transactions or asset data 190A-190N with public data only, with public and private data, with private (encrypted) data on a distributed ledger processing system 150, with private data on a distributed file system 155, with private data on an off-chain ledger, or with any suitable combinations of the above. For example, the key management protocol service 160 may ensure the privacy of transaction data by encrypting the data with an encryption key before submitting the transaction to a distributed ledger processing system 150.
[0032] The key management protocol service 160 may also verify or access transactions or asset data 190A-190N responsive to requests from the service client processing systems 130.
[0033] Fig. 2 schematically illustrates a component diagram of another example secure digital wallet processing system performing the functions described herein. The secure digital wallet processing system 200 provides APIs 210 to one or more identity provider processing systems 220 (e.g., financial institution processing system) and one or more service client processing systems 230 (e.g., processing systems of customers of the financial institutions, shown as a mobile device in Fig. 2).
[0034] The secure digital wallet processing system 220 services transactions from the client processing systems using a blockchain network 250 of distributed ledger processing systems. To do so, the secure digital wallet processing system 220 provides a key management protocol service 260 that provides identity, authentication, digital signature, key generation and provisioning, authorization, and verification services to the client processing systems 230 including multi-tenancy support.
[0035] The key management protocol service 260 operates using one or more HSMs 262 that generate and store cryptographic information such as public and private keys or addresses in a secure manner. The HSMs 262 store the cryptographic information in a key management system (KMS) database (DB) 264 that includes warm and cold storage devices as described above with reference to Fig. 1.
[0036] The secure digital wallet processing system 200 stores cryptocurrency private keys in the KMS DB 264 and uses the private keys to generate one or more public addresses to provide to the service client processing system 230. The service provider gateway 268 receives a create public address request with an authentication token and a customer identifier and forwards the request to the order processor 270. The order processor 270 causes the blockchain connector 272 to validate the customer using the authenticator 274, which accesses a customer identifier public address database 276 on the identity provider processing system 220 (or another suitable processing system not shown) to do so. If the customer is successfully validated, the blockchain connector 272 requests a public address for the customer from the CryptoWs service 278. The CryptoWs service 278 causes the HSM 262 to retrieve the customer's private key from the KMS database 264, generates a public address from the private key using a cryptographic operation, stores the public address with the private key in the KMS database 264, and provides the public address to the blockchain connector 272. The blockchain connector 272 stores the public address in the customer identifier public address database 276 of the identity provider processing system 220 and provides the public address to the service client processing system 230.
[0037] The secure digital wallet processing system 200 creates transactions for a customer using the public address. The service provider gateway 268 receives a transaction request with an authentication token and a customer identifier and forwards the request to the order processor 270. The order processor 270 causes the blockchain connector 272 to validate the customer using the authenticator as described above. If the customer is successfully validated, the blockchain connector 272 requests a transaction to be created for the customer by the CryptoWs service 278. The CryptoWs service 278 causes the HSM 262 to retrieve the customer's private key from the KMS database 264, generates a transaction by signing the transaction with the private key using a cryptographic operation, and returns the signed transaction to the blockchain connector 272. The blockchain connector 272 provides the signed transaction to the blockchain network 250, thus causing the transaction to be executed. The transaction may be a buy order, a sell order, or a transfer to or from another party, for example, and may include computer executable code (e.g., a Smart Contract) that specifies conditions for the transaction.
[0038] All or selected features of the secure digital wallet processing system embodiment of Fig. 1 may be incorporated into the secure digital wallet processing system embodiment of Fig. 2. Likewise, all or selected features of the secure digital wallet processing system embodiment of Fig. 2 may be incorporated into the secure digital wallet processing system embodiment of Fig. 2.
[0039] Fig. 3 schematically illustrates a component diagram of another example secure digital wallet processing system performing the functions described herein. The secure digital wallet processing system 300 communicates with a bank server and identity provider processing system 310 and a bank mobile application processing system 315 through APIs 320A-320N. The secure digital wallet processing system 300 also communicates with one or more crypto blockchain networks 325, one or more payment service providers 330, and one or more cryptocurrency exchanges 335.
[0040] The secure digital wallet processing system 300 is a solution that provides consumers of banks or merchants with a digital wallet, capable of holding multiple crypto currencies, which are secured in a crypto vault and can be used for trading. The solution supports multiple blockchain networks and exchanges.
[0041] Cryptocurrency account(s) and trading functionality can be used via the consumer’s banking application 315. When a consumer indicates they want to use the cryptocurrency features, they can start trading using supported crypto currencies for which the cryptographic material is securely stored in the crypto vault.
[0042] All or selected features of the secure digital wallet processing system embodiments of Figs. 1 and / or 2 may be incorporated into the secure digital wallet processing system embodiment of Fig. 3. Likewise, all or selected features of the secure digital wallet processing system embodiment of Fig. 3 may be incorporated into the secure digital wallet processing system embodiments of Figs. 1 and / or 2.
[0043] Fig. 4 schematically illustrates a component diagram of another example secure digital wallet processing system performing the functions described herein. The secure digital wallet processing system 400 stores computer executable instructions to provide the following services to a consumer processing system: create a new consumer, automatically create funding accounts, get details of a consumer (e.g., fiat and cryptocurrency account details and / or payment methods), create a new cryptocurrency account, get details of a new account, create a new payment method, update and verify a new payment method, create a cryptocurrency buy order using either a fiat currency or another cryptocurrency, create a cryptocurrency sell order and receive either a fiat currency or another cryptocurrency in return, get order information for one or more orders, transfer a cryptocurrency to or from another party, and get cryptocurrency exchange information (e.g., cryptocurrency tickers). The secure digital wallet processing system 400 also stores computer executable instructions to retrieve definitions such as exchanges, assets, and asset pairs. The secure digital wallet processing system further stores computer executable instructions to provide the following interface services to one or more cryptocurrency networks 410A-410Z (e.g., Ethereum, Bitcoin, etc.).
[0044] All or selected features of the secure digital wallet processing system embodiments of Figs. 1, 2, and / or 3 may be incorporated into the secure digital wallet processing system embodiment of Fig. 4. Likewise, all or selected features of the secure digital wallet processing system embodiment of Fig. 4 may be incorporated into the secure digital wallet processing system embodiments of Figs. 1, 2, and / or 3.
[0045] Various embodiments of secure digital wallet processing systems are described above. Variations of each of the embodiments are possible and contemplated. In addition, all or selected features of one embodiment may be incorporated into other embodiments.
[0046] The embodiments of a secure digital wallet processing system described above enable the secure storage and transfer of cryptocurrencies and other digital assets using proven, bank-grade, field-deployed tokenization and encryption technology. These secure digital wallet processing systems enable banks, exchanges and investment portals to leverage tokens to secure the purchase, storage, exchange and sale of cryptocurrencies.
[0047] Blockchain is gaining increased traction across industries with the decentralized public-ledger framework opening new use cases daily, extending beyond cryptocurrency into financial services, retail, real estate, healthcare and insurance. While it provides a trusted and immutable record, the blockchain is not completely secure. Blockchain stores assets of value, like cryptocurrency, at an address in a public ledger using a private key. Much like a card or account number to access funds, that key is all that is required to access that digital asset, and if it is lost or stolen, that value is gone. Multi-signature enhances the level of security by introducing additional distributed keys for recovery and authentication of transactions, but still relies upon the use of original keys that are vulnerable to attack. Given the high-value financial and safety-critical nature of some proposed use cases, it is imperative that nothing alters data prior to its placement on the blockchain.
[0048] The secure digital wallet processing systems combine multi-signature with proven, bank-grade tokenization technology to enhance security, confidentiality and privacy by replacing sensitive credentials, such as private keys for blockchain and cryptocurrency, with a non-sensitive equivalent token that is unique to each transaction. Unlike the private keys used to authorize cryptocurrency transactions, tokens cannot be used by a third party to conduct transactions if intercepted. By replacing sensitive private keys with a limited use token that can include domain controls for device or channel, tokenization mitigates fraud risk and protects the underlying value of credentials. This reduces cryptocurrency security risks, which have led to enormous losses, adverse brand impact and suspensions of trading.
[0049] Designed for cryptocurrencies and other use cases, the secure digital wallet processing systems' features include:
[0050] Tokenized Security - Replace sensitive private keys with domain-specific tokens to purchase, trade and store cryptocurrency to limit vulnerabilities and improve trust.
[0051] Multi-Signature - Multi-signature wallets require at least two signatures to confirm a transaction, increasing security and preventing fraud, while enabling faster transactions.
[0052] Segregated Wallets - Combine the security benefits of an offline cold wallet with the convenience of an online wallet through multi-factor authenticated access to an online segregated wallet.
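The limited-use token of paragraph [0048], with its device and channel domain controls and its binding to a single transaction, as an added Go example that is not part of the patent; the vault layout, the field names and the one-redemption rule are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"sync"
	"time"
)

// Domain carries the device and channel controls of paragraph [0048]; names assumed.
type Domain struct {
	DeviceID string
	Channel  string // e.g. "mobile-app" or "web-portal"
}

type tokenRecord struct {
	address  string   // public address the token stands in for; the private key is never here
	domain   Domain
	txDigest [32]byte // the single transaction this token may authorize
	expires  time.Time
	used     bool
}

// TokenVault maps opaque tokens back to the credential they replace. A token is 32 random
// bytes, so an intercepted copy reveals nothing and is useless outside its domain.
type TokenVault struct {
	mu      sync.Mutex
	records map[string]*tokenRecord
}

func NewTokenVault() *TokenVault { return &TokenVault{records: map[string]*tokenRecord{}} }

var (
	ErrUnknownToken   = errors.New("unknown token")
	ErrTokenUsed      = errors.New("token already used")
	ErrTokenExpired   = errors.New("token expired")
	ErrDomainMismatch = errors.New("token presented from another device or channel")
	ErrTxMismatch     = errors.New("token bound to a different transaction")
)

// Issue creates a token for exactly one transaction (identified by the SHA-256 of its
// canonical bytes) from one device over one channel, valid for ttl.
func (v *TokenVault) Issue(address string, d Domain, txBytes []byte, ttl time.Duration) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	v.mu.Lock()
	defer v.mu.Unlock()
	v.records[tok] = &tokenRecord{
		address: address, domain: d, txDigest: sha256.Sum256(txBytes), expires: time.Now().Add(ttl),
	}
	return tok, nil
}

// Redeem is what the wallet service calls when a transaction arrives with a token in
// place of a private key: it returns the public address to sign for, or the reason the
// token is not acceptable. Domain and transaction checks run before the token is
// consumed, so a mismatch does not burn the legitimate holder's token.
func (v *TokenVault) Redeem(tok string, d Domain, txBytes []byte, now time.Time) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	rec, ok := v.records[tok]
	if !ok {
		return "", ErrUnknownToken
	}
	switch {
	case rec.used:
		return "", ErrTokenUsed
	case now.After(rec.expires):
		return "", ErrTokenExpired
	case rec.domain != d:
		return "", ErrDomainMismatch
	case rec.txDigest != sha256.Sum256(txBytes):
		return "", ErrTxMismatch
	}
	rec.used = true // limited use: one successful redemption
	return rec.address, nil
}
```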
[0053] The secure digital wallet processing systems can support a white-label application (app) or a software development kit (SDK), allowing consumers to easily access and trade cryptocurrency through their usual mobile and desktop banking portals.
[0054] Fig. 5 depicts a flow diagram of one illustrative example of method 500 of implementing a secure digital wallet, in accordance with one or more aspects of the present disclosure. Method 500 and/or each of its individual functions, routines, subroutines, or operations may be performed by one or more general purpose or specialized computer systems (e.g., example computer system 1000 of Fig. 13). In some implementations, method 500 may be performed by a single processing thread. Alternatively, method 500 may be performed by two or more processing threads, each thread executing one or more individual functions, routines, subroutines, or operations of the method. In some implementations, the processing threads implementing method 500 may be synchronized (e.g., using semaphores, critical sections, and/or other thread synchronization mechanisms).
[0055] At block 510, the computer system implementing the method receives a distributed ledger transaction and a public address identifying the user initiating the transaction. In various examples, the distributed ledger transaction is a cryptocurrency buy or sell order, a cryptocurrency transfer to another public address of the same user, or a code implementing a smart contract.
[0056] At block 520, the computer system validates the distributed ledger transaction.
[0057] Responsive to successfully validating the transaction, the computer system, at block 530, retrieves, from the key management system, the private key corresponding to the public address.
[0058] At block 540, the computer system decrypts the retrieved private key.
[0059] At block 550, the computer system signs the distributed ledger transaction by the decrypted private key.
[0060] At block 560, the computer system communicates the signed distributed ledger transaction to a distributed ledger, and the method terminates.
[0061] Fig. 6 depicts a flow diagram of one illustrative example of method 600 of cryptographic key management, in accordance with one or more aspects of the present disclosure. Method 600 and/or each of its individual functions, routines, subroutines, or operations may be performed by one or more general purpose or specialized computer systems (e.g., example computer system 1000 of Fig. 13). In some implementations, method 600 may be performed by a single processing thread. Alternatively, method 600 may be performed by two or more processing threads, each thread executing one or more individual functions, routines, subroutines, or operations of the method. In some implementations, the processing threads implementing method 600 may be synchronized (e.g., using semaphores, critical sections, and/or other thread synchronization mechanisms).
[0062] At block 610, the computer system implementing the method receives a private key associated with a user.
[0063] At block 620, the computer system causes an HSM to generate a public address by performing a cryptographic operation on the private key.
[0064] At block 630, the computer system encrypts the private key and the public address.
[0065] At block 640, the computer system communicates the private key to the user.
[0066] At block 650, the computer system stores, in a secure database, the encrypted private key in association with the public address, and the method terminates.
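Method 600 (blocks 610 to 650) followed by method 500 (blocks 510 to 560), carried through end to end as an added Go example that is not the patent's own code: the HSM is simulated by an AES-GCM wrapping key held in process, the public address is assumed to be SHA-256 of the P-256 public key, and the transaction shape and the block 520 validation rules are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
)

// KeyManagementSystem is an assumed layout for the HSM-backed key management system:
// AES-GCM under a wrapping key that stays inside the "HSM", plus a secure database of
// encrypted private keys indexed by public address.
type KeyManagementSystem struct {
	gcm cipher.AEAD       // simulated HSM-resident wrapping key
	db  map[string][]byte // public address -> nonce||ciphertext of the private key
}

// NewKMS takes the 32-byte wrapping key (generated inside the HSM in a real deployment).
func NewKMS(wrapKey []byte) (*KeyManagementSystem, error) {
	block, err := aes.NewCipher(wrapKey)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return &KeyManagementSystem{gcm: gcm, db: map[string][]byte{}}, nil
}

// publicAddress is block 620's "cryptographic operation on the private key"; assumed
// here to be SHA-256 over the uncompressed P-256 public point, hex encoded.
func publicAddress(priv *ecdsa.PrivateKey) string {
	sum := sha256.Sum256(elliptic.Marshal(priv.Curve, priv.PublicKey.X, priv.PublicKey.Y))
	return hex.EncodeToString(sum[:])
}

// Enroll is method 600: derive the address (620), encrypt the private key with the
// address bound in as authenticated data (630), store the record under the address
// (650) and return the address to hand back to the user together with the key (640).
func (k *KeyManagementSystem) Enroll(priv *ecdsa.PrivateKey) (string, error) {
	addr := publicAddress(priv)
	nonce := make([]byte, k.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	k.db[addr] = k.gcm.Seal(nonce, nonce, priv.D.Bytes(), []byte(addr))
	return addr, nil
}

// unwrap covers blocks 530 and 540; GCM rejects a record moved under another address.
func (k *KeyManagementSystem) unwrap(addr string) (*ecdsa.PrivateKey, error) {
	sealed, ok := k.db[addr]
	ns := k.gcm.NonceSize()
	if !ok || len(sealed) < ns {
		return nil, errors.New("no valid key record for public address")
	}
	d, err := k.gcm.Open(nil, sealed[:ns], sealed[ns:], []byte(addr))
	if err != nil {
		return nil, err
	}
	priv := &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: elliptic.P256()}, D: new(big.Int).SetBytes(d)}
	priv.PublicKey.X, priv.PublicKey.Y = priv.Curve.ScalarBaseMult(d)
	return priv, nil
}

// Transaction is block 510's distributed ledger transaction (constructed shape).
type Transaction struct{ From, To string; Amount uint64 }

// Digest is the byte string that is signed and that a ledger node verifies against.
func (t Transaction) Digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d", t.From, t.To, t.Amount)))
	return h[:]
}

// Sign is method 500: validate (520), retrieve and decrypt (530, 540), sign (550);
// the DER signature returned is what block 560 would communicate to the ledger.
func (k *KeyManagementSystem) Sign(tx Transaction, addr string) ([]byte, error) {
	if tx.From != addr || tx.Amount == 0 { // assumed validation rules for block 520
		return nil, errors.New("transaction failed validation")
	}
	priv, err := k.unwrap(addr)
	if err != nil {
		return nil, err
	}
	return ecdsa.SignASN1(rand.Reader, priv, tx.Digest())
}
```

Because the public address is authenticated data on the stored record, a record copied under a different address fails to decrypt instead of producing a signature for the wrong owner.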
[0067] Fig. 13 schematically illustrates a diagrammatic representation of a computing system 1000, within which a set of instructions, for causing the computing device to perform the methods described herein, may be executed. Computing system 1000 may be connected to other computing devices in a LAN, an intranet, an extranet, and/or the Internet. The computing device may operate in the capacity of a server machine in a client-server network environment. The computing device may be provided by a personal computer (PC), a set-top box (STB), a server, a network router, switch or bridge, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while only a single computing device is illustrated, the term "computing device" shall also be taken to include any collection of computing devices that individually or jointly execute a set (or multiple sets) of instructions to perform the methods described herein.
[0068] The example computing system 1000 may include a processor (also referred to as "central processing unit" (CPU)) 1002, which in various illustrative examples may be a general purpose or specialized processor comprising one or more processing cores. The example computing system 1000 may further comprise a main memory 1004 (e.g., synchronous dynamic random access memory (DRAM), read-only memory (ROM)), a static memory 1006 (e.g., flash memory) and a data storage device 1018, which may communicate with each other via a bus 1030. The processing device 1002 may be configured to execute methods for performing the operations and steps described herein.
[0069] The example computing system 1000 may further include a network interface device 1008 which may communicate with a network 1020. The example computing system 1000 also may include a video display unit 1010 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)), an alphanumeric input device 1012 (e.g., a keyboard), and a cursor control device 1014 (e.g., a mouse). In one embodiment, the video display unit 1010, the alphanumeric input device 1012, and the cursor control device 1014 may be combined into a single component or device (e.g., an LCD touch screen).
[0070] The data storage device 1018 may include a computer-readable storage medium 1028 on which may be stored one or more sets of instructions 1032 implementing any one or more of the methods or functions described herein, including method 500 of implementing a secure digital wallet and/or method 600 of cryptographic key management. Instructions 1032 implementing the methods or functions described herein may also reside, completely or at least partially, within the main memory 1004 and/or within the processing device 1002 during execution thereof by the example computing system 1000, hence the main memory 1004 and the processing device 1002 may also constitute or comprise computer-readable media. The instructions may further be transmitted or received over the network 1020 via the network interface device 1008.
[0071] While the computer-readable storage medium 1028 is shown in an illustrative example to be a single medium, the term "computer-readable storage medium" should be taken to include a single medium or multiple media (e.g., a centralized or distributed database and/or associated caches and servers) that store the one or more sets of instructions. The term "computer-readable storage medium" shall also be taken to include any medium that is capable of storing, encoding or carrying a set of instructions for execution by the machine and that cause the machine to perform the methods described herein. The term "computer-readable storage medium" shall accordingly be taken to include, but not be limited to, solid-state memories, optical media and magnetic media.
[0072] Unless specifically stated otherwise, terms such as "updating", "identifying", "determining", "sending", "assigning", or the like, refer to actions and processes performed or implemented by computing devices that manipulate and transform data represented as physical (electronic) quantities within the computing device's registers and memories into other data similarly represented as physical quantities within the computing device memories or registers or other such information storage, transmission or display devices. Also, the terms "first," "second," "third," "fourth," etc. as used herein are meant as labels to distinguish among different elements and may not necessarily have an ordinal meaning according to their numerical designation.
[0073] Examples described herein also relate to a system for performing the methods described herein. This system may be specially constructed for the required purposes, or it may comprise a general purpose computing device selectively programmed by a computer program stored in the computing device. Such a computer program may be stored in a computer-readable non-transitory storage medium.
[0074] The methods and illustrative examples described herein are not inherently related to any particular computer or other system. Various general purpose systems may be used in accordance with the teachings described herein, or it may prove convenient to construct a more specialized system to perform the required method steps. The required structure for a variety of these systems will appear as set forth in the description above.
[0075] The above description is intended to be illustrative, and not restrictive. Although the present disclosure has been described with references to specific illustrative examples, it will be recognized that the present disclosure is not limited to the examples described. The scope of the disclosure should be determined with reference to the following claims, along with the full scope of equivalents to which the claims are entitled.

Claims

What is claimed is:
1. A method of implementing a secure digital wallet processing system, the method comprising:
receiving, by a computer system, a distributed ledger transaction and a public address;
retrieving, from a key management system, a private key corresponding to the public address, wherein the key management system comprises a hardware security module (HSM) that generated the public address from the private key;
signing the distributed ledger transaction by the private key; and
providing the signed distributed ledger transaction to a distributed ledger.
2. The method of claim 1, wherein the distributed ledger transaction is one of: a cryptocurrency buy order, a cryptocurrency sell order, a cryptocurrency transfer to another public address, or a code implementing a smart contract.
3. The method of claim 1, further comprising:
validating the distributed ledger transaction prior to retrieving the private key from the key management system.
4. The method of claim 1, wherein the HSM encrypts the private key and the public address prior to storing in a secure database.
5. The method of claim 1, further comprising:
decrypting the private key prior to signing the distributed ledger transaction.
6. The method of claim 1, further comprising:
generating the public address and providing the public address to a user prior to receiving the distributed ledger transaction.
7. The method of claim 1, wherein the key management system comprises at least one of: a warm storage device or a cold storage device.
8. A system, comprising:
a memory;
a processor coupled to the memory, wherein the processor is configured to:
receive a distributed ledger transaction and a public address;
retrieve, from a key management system, a private key corresponding to the public address, wherein the key management system comprises a hardware security module (HSM) that generated the public address from the private key;
sign the distributed ledger transaction by the private key; and
provide the signed distributed ledger transaction to a distributed ledger.
9. The system of claim 8, wherein the distributed ledger transaction is one of: a cryptocurrency buy order, a cryptocurrency sell order, a cryptocurrency transfer to another public address, or a code implementing a smart contract.
10. The system of claim 8, wherein the processor is further configured to:
validate the distributed ledger transaction prior to retrieving the private key from the key management system.
11. The system of claim 8, wherein the HSM encrypts the private key and the public address prior to storing in a secure database.
12. The system of claim 8, wherein the processor is further configured to:
decrypt the private key prior to signing the distributed ledger transaction.
13. The system of claim 8, wherein the processor is further configured to:
generate the public address and provide the public address to a user prior to receiving the distributed ledger transaction.
14. The system of claim 8, wherein the key management system comprises at least one of: a warm storage device or a cold storage device.
15. A non-transitory computer-readable storage medium comprising executable instructions that, when executed by a processing device, cause the processing device to:
receive a distributed ledger transaction and a public address;
retrieve, from a key management system, a private key corresponding to the public address, wherein the key management system comprises a hardware security module (HSM) that generated the public address from the private key;
sign the distributed ledger transaction by the private key; and
provide the signed distributed ledger transaction to a distributed ledger.
16. The non-transitory computer-readable storage medium of claim 15, wherein the distributed ledger transaction is one of: a cryptocurrency buy order, a cryptocurrency sell order, a cryptocurrency transfer to another public address, or a code implementing a smart contract.
17. The non-transitory computer-readable storage medium of claim 15, further comprising executable instructions that, when executed by the processing device, cause the processing device to:
validate the distributed ledger transaction prior to retrieving the private key from the key management system.
18. The non-transitory computer-readable storage medium of claim 15, wherein the HSM encrypts the private key and the public address prior to storing in a secure database.
19. The non-transitory computer-readable storage medium of claim 15, further comprising executable instructions that, when executed by the processing device, cause the processing device to:
decrypt the private key prior to signing the distributed ledger transaction.
20. The non-transitory computer-readable storage medium of claim 15, further comprising executable instructions that, when executed by the processing device, cause the processing device to:
generate the public address and provide the public address to a user prior to receiving the distributed ledger transaction.
PCT/US2019/057062 2018-10-19 2019-10-18 Secure digital wallet processing system WO2020082020A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
SG11202103833XA SG11202103833XA (en) 2018-10-19 2019-10-18 Secure digital wallet processing system
US17/285,249 US20210374724A1 (en) 2018-10-19 2019-10-18 Secure digital wallet processing system
EP19872361.1A EP3867849B1 (en) 2018-10-19 2019-10-18 Secure digital wallet processing system
CN201980068910.4A CN113015991A (en) 2018-10-19 2019-10-18 Secure digital wallet processing system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201862748340P 2018-10-19 2018-10-19
US62/748,340 2018-10-19

Publications (1)

Publication Number Publication Date
WO2020082020A1 true WO2020082020A1 (en) 2020-04-23

Family

ID=70284134

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2019/057062 WO2020082020A1 (en) 2018-10-19 2019-10-18 Secure digital wallet processing system

Country Status (5)

Country Link
US (1) US20210374724A1 (en)
EP (1) EP3867849B1 (en)
CN (1) CN113015991A (en)
SG (1) SG11202103833XA (en)
WO (1) WO2020082020A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220405068A1 (en) * 2021-06-16 2022-12-22 Microsoft Technology Licensing, Llc Managing asset packages for interactive bot development
CN113469688A (en) * 2021-07-23 2021-10-01 厦门慢雾科技有限公司 Active risk identification model for private key safety management
CN114723438B (en) * 2022-05-19 2022-09-09 北京第五力科技有限公司 Wallet system and transaction method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103679444A (en) 2012-09-26 2014-03-26 浙江省公众信息产业有限公司 System and method for realizing mobile phone payment by using smart mobile phone card
US20170372417A1 (en) 2016-06-28 2017-12-28 Sivanarayana Gaddam Digital asset account management
US20180131517A1 (en) 2016-11-09 2018-05-10 Sap Se Secure Database Featuring Separate Operating System User

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3937421A1 (en) * 2020-07-08 2022-01-12 Alipay (Hangzhou) Information Technology Co., Ltd. Blockchain integrated station and cryptographic acceleration card, key management methods and apparatuses
US11626984B2 (en) 2020-07-08 2023-04-11 Alipay (Hangzhou) Information Technology Co., Ltd. Blockchain integrated station and cryptographic acceleration card, key management methods and apparatuses
WO2022131410A1 (en) * 2020-12-18 2022-06-23 라인 가부시키가이샤 Cryptocurrency system for separate management of customer assets and cryptocurrency wallet management method
WO2022214806A1 (en) * 2021-04-09 2022-10-13 Vodafone Group Services Limited Blockchain micro transactions

Also Published As

Publication number Publication date
SG11202103833XA (en) 2021-06-29
CN113015991A (en) 2021-06-22
EP3867849B1 (en) 2023-11-29
EP3867849A1 (en) 2021-08-25
US20210374724A1 (en) 2021-12-02
EP3867849A4 (en) 2021-12-15

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19872361; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
ENP Entry into the national phase (Ref document number: 2019872361; Country of ref document: EP; Effective date: 20210519)