Secure authentication of a user of a device during a session with a connected server

US 10,075,437 B1
Filed: 03/18/2016
Issued: 09/11/2018
Est. Priority Date: 11/06/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for secure authentication of a user to a service for executing a transaction, the method being implemented in a system including:

a user device operated by the user, the user device including a FIDO (Fast IDentity Online)-client using a FIDO interface for encrypted communication of FIDO UAF (Universal Authentical Framework) messages, and a user-agent;

a FIDO-server of a relying party providing the service;

a behaviometric server in communication with the user-agent of the user device and with the FIDO-server using a FIDO-identifier; and

a web server associated with the relying party, the web server being in communication with the FIDO server, the FIDO client, and the behaviometric server,the method comprising;

a. in a preparation stagei. upon user initiation of a session by establishing a TLS-connection between the user device and the web-server, generating a unique session ID;

ii. using a background process running during said session and using said session ID, collecting behavioral input data from at least one user input component of the user device, and storing said behavioral input data in a non-transitory storage medium housed within the user device;

iii. transmitting, from the user agent to the behaviometric server, via said TLS-connection and the web server, a transaction initiation message including the FIDO-identifier and at least a portion of said behavioral input data stored in said non-transitory storage medium; and

b. in an authentication stage;

i. at the behaviometric server comparing said received FIDO-identifier and said received portion of said behavioral input data to a second FIDO-identifier and a second set of behavioral input data collected during prior us of the service by the user;

ii. at the behaviometric server, determining whether said received FIDO identifier matches said second FIDO identifier and whether said portion of said behavioral input data matches said second set of behavioral input data, whereby a match results in an authentication, and a lack of a match results in a rejection of privileged access sought by the user;

iii. if said determining results in said match;

1. transmitting said transaction initiation message from the behaviometric server to the FIDO-server;

2. at the FIDO-server, generating an authentication request including the FIDO-identifier, a transaction message, and a related hash of said transaction message, and transmitting said authentication request to the FIDO-client;

3. at the FIDO client, prompting the user to sign the hash of said transaction message using a private key of an asymmetric key-pair associated with the user;

4. at the FIDO client, in response to the user providing said signed hash of said transaction message, generating an authentication response including said signed hash;

5. transmitting said authentication response from the FIDO client to the FIDO server;

6. at the FIDO server, validating said signed hash of said transaction message included in said authentication response using a public key of said asymmetric key pair associated with the user; and

7. upon validation of said signed hash of said transaction message, executing the transaction of the service.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for secure authentication of a user to a service for executing a transaction, the method being implemented in a system including a user device including a FIDO-client, a FIDO-server of a relying party providing the service, a behaviometric server and a web server associated with the relying party, the method including a preparation stage and an authentication stage. In the preparation stage a TLS-connection is established between the user device and the web-server, behavioral input data is collected from user device, and a transaction initiation message is transmitted to the behaviometric server. In the authentication stage, behaviometric data received in the transaction initiation message is compared to a second set of behaviometric data to determine whether the data matches, and if the data matches, the transaction is authenticated by the FIDO server.

228 Citations

15 Claims

1. A computer-implemented method for secure authentication of a user to a service for executing a transaction, the method being implemented in a system including:
- a user device operated by the user, the user device including a FIDO (Fast IDentity Online)-client using a FIDO interface for encrypted communication of FIDO UAF (Universal Authentical Framework) messages, and a user-agent;
  
  a FIDO-server of a relying party providing the service;
  
  a behaviometric server in communication with the user-agent of the user device and with the FIDO-server using a FIDO-identifier; and
  
  a web server associated with the relying party, the web server being in communication with the FIDO server, the FIDO client, and the behaviometric server,the method comprising;
  
  a. in a preparation stagei. upon user initiation of a session by establishing a TLS-connection between the user device and the web-server, generating a unique session ID;
  
  ii. using a background process running during said session and using said session ID, collecting behavioral input data from at least one user input component of the user device, and storing said behavioral input data in a non-transitory storage medium housed within the user device;
  
  iii. transmitting, from the user agent to the behaviometric server, via said TLS-connection and the web server, a transaction initiation message including the FIDO-identifier and at least a portion of said behavioral input data stored in said non-transitory storage medium; and
  
  b. in an authentication stage;
  
  i. at the behaviometric server comparing said received FIDO-identifier and said received portion of said behavioral input data to a second FIDO-identifier and a second set of behavioral input data collected during prior us of the service by the user;
  
  ii. at the behaviometric server, determining whether said received FIDO identifier matches said second FIDO identifier and whether said portion of said behavioral input data matches said second set of behavioral input data, whereby a match results in an authentication, and a lack of a match results in a rejection of privileged access sought by the user;
  
  iii. if said determining results in said match;
  
  1. transmitting said transaction initiation message from the behaviometric server to the FIDO-server;
  
  2. at the FIDO-server, generating an authentication request including the FIDO-identifier, a transaction message, and a related hash of said transaction message, and transmitting said authentication request to the FIDO-client;
  
  3. at the FIDO client, prompting the user to sign the hash of said transaction message using a private key of an asymmetric key-pair associated with the user;
  
  4. at the FIDO client, in response to the user providing said signed hash of said transaction message, generating an authentication response including said signed hash;
  
  5. transmitting said authentication response from the FIDO client to the FIDO server;
  
  6. at the FIDO server, validating said signed hash of said transaction message included in said authentication response using a public key of said asymmetric key pair associated with the user; and
  
  7. upon validation of said signed hash of said transaction message, executing the transaction of the service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the FIDO-client comprises said FIDO-UAF-client and the FIDO-server comprises a FIDO-UAF-server.
  - 3. The method of claim 1, wherein the behaviometric-server includes a decryption server therein, and the user-agent sends encrypted data encrypted to the decryption-server for decryption thereby.
  - 4. The method of claim 1, further comprising:
    - prior to step b(iii)(2), sending said transaction message, signed or encrypted by at least one of MAC and a behaviometric-server-certificate, from the behaviometric server to the FIDO-server for generation of said authentification request; and
      
      subsequent to step b(iii)(2), at the FIDO-client, decrypting said transaction message and validating at least one of said MAC and a signature of said behaviometric-server using a symmetric key included with said transaction message or validating said signature of the behaviometric-server using at least one of a public key of the behaviometric-server and a certificate of the behaviometric-server.
  - 5. The method of claim 4, wherein said validating said MAC using said symmetric key comprises validating said MAC using a symmetric key which was at least one of:
    - generated by a Public Key Infrastructure (PKI); and
      
      exchanged to the user device via a Diffie-Hellman key exchange, an elliptic curve Diffie-Hellman exchange, or an ephemeral elliptic curve Diffie-Hellman exchange.
  - 6. The method of claim 1, further comprising, sending to the user device, from the web server, an input form requiring the user to enter a text, thereby to facilitate capture of additional behavior data relating to the user.
  - 7. The method of claim 1, wherein said prompting the user at step b(iii)(3) further comprises requesting that the user enter a PIN related to the user for the service.
  - 8. The method of claim 1, wherein said transmitting at step a(iii) includes transmitting transactional data from the user agent to the behaviometric server, together with transmission of said transaction initiation message.
  - 9. The method of claim 1, wherein the behaviometric-server is functionally associated with a profile database containing behavioral input data relating to users.
  - 10. The method of claim 9, further comprising:
    - creating a unique FIDO-identifier-profile associated with said FIDO identifier and storing said unique FIDO-identifier-profile in said profile database by said behaviometric-server; and
      
      adding behavioral input data, collected during a registration-session of a new FIDO-identifier for access to the service sought by the user, to the FIDO-identifier-profile in the profile database, said adding behavioral input data includescreating said asymmetric key-pair associated with the user, an attestation private key of the user at the user device, and an attestation using an attestation public key of the user'"'"'s public key;
      
      transmitting said attestation public key of the user'"'"'s public key from the FIDO-client to the FIDO-server, and storing said attestation public key at a cryptographic authentication key reference database at the relying party;
      
      at the FIDO-server, creating a registration request to perform a connection-oriented communication between the FIDO-client and the FIDO-server for the duration of the transaction for which privileged access is sought by the user for and received by the FIDO-client,wherein said new FIDO identifier is related to said added behavioral input data.
  - 11. The method of claim 10, wherein said steps of creating a unique FIDO-identifier-profile and of adding behavioral input data during said registration-session are carried out only if new personal data of the user is available.
  - 12. The method of claim 1, wherein said transmitting at step a(iii) includes transmitting said transaction initiation message via said TLS-connection, said transaction initiation message including said FIDO-identifier, transactional information, and at least a portion of said stored behavioral input data.
  - 13. The method of claim 1, wherein at least one of:
    - the behaviometric-server and the FIDO-server share at least one of a processor and a hardware component; and
      
      the behaviometric server is disposed within protected area of the relying party.
  - 14. The method of claim 1, wherein the behaviometric-server and the FIDO-server are distinct servers, wherein the behaviometric server is not disposed within a protected area of the relying party, and wherein the behaviometric server is disposed on a cloud based on the Internet.
  - 15. The method of claim 1, wherein said collecting behavioral input data at step a(ii) comprises collecting at least one electronic input observation derived from interaction of the user with said at least one user input component, said at least one electronic input observation being selected from the group consisting of a keystroke pattern, a keystroke style, keystroke dwell time, keystroke flight time, user touch values, user pressure values, and use of one or more particular applications.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
BehavioSec Inc.
Original Assignee
BehavioSec Inc.
Inventors
Costigan, Neil, Deutschmann, Ingo, Libell, Tony, Skarpman Munter, Johanna, Nordstrom, Peder
Primary Examiner(s)
Parsons, Theodore C

Application Number

US15/073,743
Time in Patent Office

907 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/32   using biometric data, e.g. ...

G06F 21/34   involving the use of extern...

H04L 2463/082   applying multi-factor authe...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/0861   using biometrical features,...

H04L 63/0876   based on the identity of th...

H04L 63/123   received data contents, e.g...

H04L 63/126   the source of the received ...

H04L 63/1408   by monitoring network traff...

H04L 63/166   at the transport layer

H04L 67/01   Protocols

H04L 67/306   User profiles

H04L 67/535   Tracking the activity of th...

H04L 9/006   involving public key infras...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/3231 : Biological data, e.g. finge...

H04L 9/3242 : involving keyed hash functi...

H04L 9/3247 : involving digital signatures

H04L 9/3271 : using challenge-response

H04W 12/68 : Gesture-dependent or behavi...

View All

Secure authentication of a user of a device during a session with a connected server

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

228 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Secure authentication of a user of a device during a session with a connected server

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

228 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links