Double authentication system for electronically signed documents

US 10,158,490 B2
Filed: 08/17/2015
Issued: 12/18/2018
Est. Priority Date: 08/17/2015
Status: Active Grant

First Claim

Patent Images

1. A double authentication system (“

DAS”

) for electronically signing a first data from a user, wherein the user has a smart card having a personal identification number (“

PIN”

), the DAS comprising;

a client module, wherein the client module is software located within a computer and the client module is in signal communication with the smart card;

a server having a high assurance signing service (“

HASS”

) module, whereinthe computer is remote from the server,the HASS module is remote from and in signal communication with the client module, andthe HASS module is software that is capable of executing a plurality of instructions,whereby the server is capable of receiving the first data from the user via the client module, and, in response, query the user for a confirmation that the first data is to be electronically signed; and

a hardware security module (“

HSM”

), whereinthe HSM is remote from the computer,the HSM is in signal communication with the HASS module, has a private key, is configured toreceive a HSM package from the HASS module,in response, produce a HSM encrypted hash value with the private key of the HSM, andtransmit the HSM encrypted hash value to the HASS module,wherein the HASS module is further configured toproduce the HSM package from at least the first data,produce a HSM signed package that includes the HSM package combined with the HSM encrypted hash value, andtransmit the HSM signed package to the client module,wherein the client module is configured toquery the user for the PIN of the smart card,in response, transmit the HSM signed package to the smart card for production of a smart card (“

SC”

) encrypted hash value,receive the SC encrypted hash value, andtransmit the SC encrypted hash value to the HASS module, andwherein the HASS module is configured toreceive the SC encrypted hash value and,in response, produce a high assurance signed package (“

HAS package”

) that is passed to the user by way of the client module.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a double authentication system (“DAS”) for electronically signing a first data from a user having a smart card, where the smart card has a personal identification number (“PIN”). As an example, the DAS may include a client module, high assurance signing service (“HASS”) module, and hardware security module (“HSM”).

Citations

18 Claims

1. A double authentication system (“
- DAS”
  
  ) for electronically signing a first data from a user, wherein the user has a smart card having a personal identification number (“
  
  PIN”
  
  ), the DAS comprising;
  
  a client module, wherein the client module is software located within a computer and the client module is in signal communication with the smart card;
  
  a server having a high assurance signing service (“
  
  HASS”
  
  ) module, whereinthe computer is remote from the server,the HASS module is remote from and in signal communication with the client module, andthe HASS module is software that is capable of executing a plurality of instructions,whereby the server is capable of receiving the first data from the user via the client module, and, in response, query the user for a confirmation that the first data is to be electronically signed; and
  
  a hardware security module (“
  
  HSM”
  
  ), whereinthe HSM is remote from the computer,the HSM is in signal communication with the HASS module, has a private key, is configured toreceive a HSM package from the HASS module,in response, produce a HSM encrypted hash value with the private key of the HSM, andtransmit the HSM encrypted hash value to the HASS module,wherein the HASS module is further configured toproduce the HSM package from at least the first data,produce a HSM signed package that includes the HSM package combined with the HSM encrypted hash value, andtransmit the HSM signed package to the client module,wherein the client module is configured toquery the user for the PIN of the smart card,in response, transmit the HSM signed package to the smart card for production of a smart card (“
  
  SC”
  
  ) encrypted hash value,receive the SC encrypted hash value, andtransmit the SC encrypted hash value to the HASS module, andwherein the HASS module is configured toreceive the SC encrypted hash value and,in response, produce a high assurance signed package (“
  
  HAS package”
  
  ) that is passed to the user by way of the client module.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The DAS of claim 1, wherein the HSM package includesa time-stamp,an identity of the user, anda public key of the HSM.
  - 3. The DAS of claim 1, wherein the HASS module is configured to utilize a public key of the HSM to generate the HSM signed package.
  - 4. The DAS of claim 1, wherein the first data originates at the client module.
  - 5. The DAS of claim 4, wherein the HSM is also located within the server.
  - 6. The DAS of claim 1, wherein the HAS package includes the HSM signed package and the SC encrypted hash value.
  - 7. The DAS of claim 1, wherein the PIN is biometric data associated with the user.

8. A method of electronically signing a first data from a user with a double authentication system (“
- DAS”
  
  ), wherein the user has a smart card having a personal identification number (“
  
  PIN”
  
  ), the method comprising;
  
  receiving the first data from the user at a high assurance signing service (“
  
  HASS”
  
  ) module of the DAS, wherein the HASS module is located at a server and the first data originates at a client module located within a computer remote from the HASS module;
  
  querying the user for a confirmation that the first data is to be electronically signed;
  
  generating a hardware security module (“
  
  HSM”
  
  ) package for transmission to a HSM;
  
  generating a HSM encrypted hash value from the HSM package with a private key of the HSM;
  
  generating a HSM signed package, wherein the HSM signed package includes the HSM package and the HSM encrypted hash value;
  
  querying the user for the PIN of the smart card;
  
  receiving a smart card (“
  
  SC”
  
  ) encrypted hash value corresponding to the HSM signed package;
  
  producing a high assurance signed package (“
  
  HAS package”
  
  ) from the HSM signed package and SC encrypted hash value; and
  
  passing the HAS package to the user by way of the client module,wherein querying the user for a confirmation that the first data is to be electronically signed includes generating a first query for the user at the client module,wherein querying the user for the PIN of the smart card includes generating a second query for the user for the PIN at the client module, andwherein generating a HSM encrypted hash value from the HSM package with a private key of the HSM includes generating the HSM encrypted hash value at the HSM and passing the HSM encrypted hash value to the HASS module.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The method of claim 8, further including passing the HSM signed package to the smart card, wherein the smart card produces the SC encrypted hash value corresponding to the HSM signed package.
  - 10. The method of claim 8, wherein the HSM is located at the server.
  - 11. The method of claim 8, further including passing the HSM signed package to the client module.
  - 12. The method of claim 8, further including passing the HSM signed package to the smart card, wherein the smart card produces the SC encrypted hash value corresponding to the HSM signed package.
  - 13. The method of claim 8, wherein generating the HSM signed package includes generating the HSM signed package with a public key of the user combined with the HSM encrypted hash value and the HSM package.
  - 14. The method of claim 8, wherein the HSM signed package includes:
    - a time-stamp,an identity of the user, anda public key of the HSM.
  - 15. The method of claim 8, wherein the HAS package includes the HSM signed package and SC encrypted hash value.
  - 16. The method of claim 8, wherein at the smart card further includes verifying a PIN for accessing the smart card.

17. A non-transitory computer readable medium containing machine readable instructions, that when executed perform a method of electronically signing a first data from a user with a double authentication system (“
- DAS”
  
  ), wherein the user has a smart card having a personal identification number (“
  
  PIN”
  
  ), comprising the steps of;
  
  receiving the first data from the user at a high assurance signing service (“
  
  HASS”
  
  ) module of the DAS, wherein the HASS module is located at a server and the first data originates at a client module within a computer that is remote from the server;
  
  querying the user for a confirmation that the first data is to be electronically signed;
  
  generating a hardware security module (“
  
  HSM”
  
  ) package for transmission to a HSM;
  
  generating a HSM encrypted hash value from the HSM package with a private key of the HSM;
  
  generating a HSM signed package, wherein the HSM signed package includes the HSM package and the HSM encrypted hash value;
  
  querying the user for the PIN of the smart card;
  
  passing the HSM signed package to the smart card, wherein the smart card produces a smart card (“
  
  SC”
  
  ) encrypted hash value corresponding to the HSM signed package;
  
  receiving the smart card SC encrypted hash value; and
  
  producing a high assurance signed package (“
  
  HAS package”
  
  ) from the HSM signed package and SC encrypted hash value, wherein the HAS package includes the HSM signed package and SC encrypted hash value,wherein querying the user for a confirmation that the first data is to be electronically signed includes generating a first query for the user at the client module,wherein querying the user for the PIN of the smart card includes generating a second query for the user for the PIN at the client module, andwherein generating a HSM encrypted hash value from the HSM package with a private key of the HSM includes generating the HSM encrypted hash value at the HSM and passing the HSM encrypted hash value to the HASS module.
- View Dependent Claims (18)
- - 18. The non-transitory computer readable medium of claim 17, further including passing the HSM signed package to the smart card, wherein the smart card produces the SC encrypted hash value corresponding to the HSM signed package.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Boeing Co.
Original Assignee
The Boeing Co.
Inventors
Schleiff, Martin
Primary Examiner(s)
Okeke, Izunna
Assistant Examiner(s)
Huang, Cheng-Feng

Application Number

US14/827,685
Publication Number

US 20170054561A1
Time in Patent Office

1,219 Days
Field of Search
US Class Current
CPC Class Codes

G06Q 20/409   Device specific authenticat...

H04L 63/0853   using an additional device,...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3226   using a predetermined code,...

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3234   involving additional secure...

H04L 9/3242   involving keyed hash functi...

Double authentication system for electronically signed documents

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Double authentication system for electronically signed documents

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links