Server-assisted authentication

US 10,091,190 B2
Filed: 12/11/2015
Issued: 10/02/2018
Est. Priority Date: 12/11/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a user device, a request to access a website server, the request including a password of the user;

generating, in response to receiving the request to access the website server and by the user device, a first set of account data;

transmitting, by the user device, a subset of the first set of account data to a key server sub-system, wherein the subset of the first set of account data includes an authentication token request transcript, wherein the authentication token request transcript is a message and a dataset, and wherein the message and the dataset are derived, at least in part, from the password;

receiving, by the user device and from the key server sub-system, a first authentication token segment;

generating, by the user device, a second authentication token segment;

generating, by the user device, a full authentication token based, at least in part, on;

a first set of authentication key segments of a plurality of authentication key segments, the authentication token request transcript,the first authentication token segment; and

the second authentication token segment;

transmitting, by the user device, the full authentication token to the website server; and

granting, by the key server sub-system, access for the user device to the website server, wherein the transmitting the full authentication token further comprises transmitting a message to website server, wherein storing a subset of the first set of account data further includes storing a second set of authentication key segments, a device secret, an account identifier, and a public key, wherein a first set of account data includes a password that includes a low entropy value, wherein the low entropy password is a voiceprint, a fingerprint, and a retinal scan, wherein generating a second set of account data, responsive to a request from a user to access a website server, further comprises;

validating the authentication token using the public key and the message;

receiving a checker from the key server sub-system to verify proper receipt of the subset of the first set of transmitted account data, wherein the verification is verifying the full authentication token based, at least in part, on a comparison between a generated checker and the received checker;

storing the subset of the first set of account data; and

deleting a portion of the subset of the first set of account data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Authentication of a device through a constructed authentication token. Components of an authentication key are distributed across at least a device and a server, diminishing a likelihood that an individual account is compromised by an attack.

Citations

16 Claims

1. A method comprising:
- receiving, by a user device, a request to access a website server, the request including a password of the user;
  
  generating, in response to receiving the request to access the website server and by the user device, a first set of account data;
  
  transmitting, by the user device, a subset of the first set of account data to a key server sub-system, wherein the subset of the first set of account data includes an authentication token request transcript, wherein the authentication token request transcript is a message and a dataset, and wherein the message and the dataset are derived, at least in part, from the password;
  
  receiving, by the user device and from the key server sub-system, a first authentication token segment;
  
  generating, by the user device, a second authentication token segment;
  
  generating, by the user device, a full authentication token based, at least in part, on;
  
  a first set of authentication key segments of a plurality of authentication key segments, the authentication token request transcript,the first authentication token segment; and
  
  the second authentication token segment;
  
  transmitting, by the user device, the full authentication token to the website server; and
  
  granting, by the key server sub-system, access for the user device to the website server, wherein the transmitting the full authentication token further comprises transmitting a message to website server, wherein storing a subset of the first set of account data further includes storing a second set of authentication key segments, a device secret, an account identifier, and a public key, wherein a first set of account data includes a password that includes a low entropy value, wherein the low entropy password is a voiceprint, a fingerprint, and a retinal scan, wherein generating a second set of account data, responsive to a request from a user to access a website server, further comprises;
  
  validating the authentication token using the public key and the message;
  
  receiving a checker from the key server sub-system to verify proper receipt of the subset of the first set of transmitted account data, wherein the verification is verifying the full authentication token based, at least in part, on a comparison between a generated checker and the received checker;
  
  storing the subset of the first set of account data; and
  
  deleting a portion of the subset of the first set of account data.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - verifying the full authentication token based, at least in part, on a comparison of the first set of account data against a second set of account data;
      
      wherein;
      
      the first set of account data further includes a double-hashed password, and the double-hashed password is generated by hashing a hashed password, wherein the result is combined with a salt, wherein the hashing is performed using a hashing function, and wherein the salt is the authentication token request transcript.
  - 3. The method of claim 1, further comprising:
    - transmitting a subset of a second set of account data, wherein the subset of the second set of account data;
      
      includes, at least, a second set of authentication key segments of the plurality of authentication key segments, anddoes not include, at least, the first set of authentication key segments.
  - 4. The method of claim 3, wherein:
    - the subset of the first set of account data further includes a first account identifier, andthe subset of the second set of account data further includes a second account identifier.
  - 5. The method of claim 3, further comprising:
    - generating the second set of account data that includes a second password and a second message by performing a hash function on a hashed password, wherein the second message is based, in part, on a set of communications with the website server;
      
      wherein;
      
      the second set of account data further includes a hashed password.
  - 6. The method of claim 5, wherein generating the second set of account data includes:
    - generating the hashed password by hashing the second password, wherein the result is combined with a salt, wherein the hashing is performed using a hashing function;
      
      wherein;
      
      the salt is a pseudo-randomly generated value, andthe second password is received from a user.

7. A computer program product comprising:
- one or more non-transitory computer-readable storage media and program instructions stored on at least one of the one or more non-transitory computer-readable storage media, the program instructions executable by a processor, the program instructions comprising;
  
  program instructions to receive, by a user device, a request to access a website server, the request including a password of the user;
  
  program instructions to generate, in response to receiving the request to access the website server and by the user device, a first set of account data;
  
  program instructions to transmit, by the user device, a subset of the first set of account data to a key server sub-system, wherein the subset of the first set of account data includes an authentication token request transcript, wherein the authentication token request transcript is a message and a dataset, and wherein the message and the dataset are derived, at least in part, from the password;
  
  program instructions to receive, by the user device and from the key server sub-system, a first authentication token segment;
  
  program instructions to generate, by the user device, a second authentication token segment;
  
  program instructions to, by the user device, a full authentication token based, at least in part, on;
  
  a first set of authentication key segments of a plurality of authentication key segments,the authentication token request transcript,the first authentication token segment; and
  
  the second authentication token segment;
  
  program instructions to, by the user device, the full authentication token to the website server; and
  
  program instructions to grant, by the key server sub-system, access for the user device to the website server, wherein transmitting the full authentication token further comprises transmitting a message to website server, wherein storing a subset of the first set of account data further includes storing a second set of authentication key segments, a device secret, an account identifier, and a public key, wherein a first set of account data includes a password that includes a low entropy value, wherein the low entropy password is a voiceprint, a fingerprint, and a retinal scan, wherein generating a second set of account data, responsive to a request from a user to access a website server, further comprises;
  
  program instructions to validate the authentication token using the public key and the message;
  
  program instructions to receive a checker from the key server sub-system to verify proper receipt of the subset of the first set of transmitted account data, wherein the verification is verifying the full authentication token based, at least in part, on a comparison between a generated checker and the received checker;
  
  program instructions to store the subset of the first set of account data;
  
  program instructions to delete a portion of the subset of the first set of account data.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer program product of claim 7, further comprising:
    - program instructions to receive a checker from the key server sub-system to verify proper receipt of the subset of the first set of transmitted account data, wherein the verification is verifying the full authentication token based, at least in part, on a comparison between a generated checker and the received checker;
      
      program instructions to generate a first set of account data responsive to a request from a user to access the website server;
      
      wherein;
      
      the first set of account data further includes a double-hashed password, andthe double-hashed password is generated by hashing a hashed password, wherein the result is combined with a salt, wherein the hashing is performed using a hashing function, and wherein the salt is the authentication token request transcript.
  - 9. The computer program product of claim 7, further comprising:
    - program instructions to transmit a subset of a second set of account data, wherein the subset of the second set of account data;
      
      includes, at least, a second set of authentication key segments of the plurality of authentication key segments, anddoes not include, at least, the first set of authentication key segments.
  - 10. The computer program product of claim 9, wherein:
    - the subset of the first set of account data further includes a first account identifier, andthe subset of the second set of account data further includes a second account identifier.
  - 11. The computer program product of claim 9, further comprising:
    - program instructions to generate a second set of account data that includes a second password and a second message by performing a hash function on a hashed password, wherein the second message is based, in part, on a set of communications with the website server;
12. The computer program product of claim 11, further comprising:
- program instructions to generate the hashed password by hashing the second password, wherein the result is combined with a salt, wherein the hashing is performed using a hashing function;
  
  wherein;
  
  the salt is a pseudo-randomly generated value, andthe second password is received from a user.

13. A method comprising:
- receiving, by a key server sub-system, a request to initialize a user account that includes a password of the user;
  
  receiving, by the key server sub-system, a request to generate a first authentication token segment for access to the requested user account;
  
  receiving, by the key server sub-system, a first set of account data generated by a user device and in response to a request to access a website server, wherein the first set of account data includes an authentication token request transcript, wherein the authentication token request transcript is a message and a dataset, and wherein the message and the dataset are derived, at least in part, from the password;
  
  generating, by the key server sub-system and the user device, the first authentication token segment, wherein the first authentication token segment is based, at least in part, on;
  
  a first set of authentication key segments of a plurality of authentication key segments, andthe authentication token request transcript;
  
  the first authentication token segment; and
  
  generating, by the key server sub-system and the user device, a second authentication token segment;
  
  granting, by the key server sub-system, access for the user device to the requested user account;
  
  transmitting, by the key server sub-system, the first authentication token segment to the user device subsystem;
  
  receiving, by the key server sub-system, a second set of account data, wherein the second set of account data includes the first set of authentication key segments; and
  
  verifying the first set of account data based, at least in part, on a comparison of a first double-hashed password to a second double-hashed password;
  
  wherein;
  
  the first set of account data further includes the first double-hashed password,the second double-hashed password is generated by hashing a hashed password, wherein the result is combined with a salt, wherein the hashing is performed using a hashing function, and wherein the salt is the authentication token request transcript, andthe second set of account data further includes the second double-hashed password.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13, further comprising:
    - verifying the first set of account data based, at least in part, on a comparison of a first hashed password to a second hashed password;
      
      wherein;
      
      the second set of account data further includes the first hashed password, andthe first set of account data further includes the second hashed password.
  - 15. The method of claim 13, further comprising:
    - verifying the first set of account data based, at least in part, on a comparison of a first account identifier to a second account identifier;
      
      wherein;
      
      the second set of account data further includes the first account identifier, andthe first set of account data further includes the second account identifier.
  - 16. The method of claim 13, wherein transmitting the full authentication token further comprises transmitting a message to website server, wherein storing a subset of the first set of account data further includes storing a second set of authentication key segment, a device secret, an account identifier, and a public key, wherein a first set of account data includes a password that includes a low entropy value, wherein the low entropy password is a voiceprint, a fingerprint, and a retinal scan, wherein generating a second set of account data, responsive to a request from a user to access a website server, further comprises:
    - validating the authentication token using the public key and the message;
      
      receiving a checker from the key server sub-system to verify proper receipt of the subset of the first set of transmitted account data, wherein the verification is verifying the full authentication token based, at least in part, on a comparison between a generated checker and the received checker;
      
      returning the checker to user device sub-system in response to decrypting the checker utilizing a private encryption key, wherein the checker acts as an explicit account creation acknowledgement;
      
      deleting the checker;
      
      storing the subset of the first set of account data to a data storage; and
      
      deleting a portion of the subset of the first set of account data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Camenisch, Jan L., Lehmann, Anja, Neven, Gregory, Preiss, Franz-Stefan, Samelin, Kai W.
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
Baum, Ronald

Application Number

US14/966,061
Publication Number

US 20170171185A1
Time in Patent Office

1,026 Days
Field of Search

726 6
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/335   for accessing specific reso...

G06F 21/44   Program or device authentic...

G06F 21/604   Tools and structures for ma...

H04L 63/083   using passwords cryptograph...

H04L 9/3213   using tickets or tokens, e....

H04W 12/069   using certificates or pre-s...

Server-assisted authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Server-assisted authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links