Soft-token authentication system

US 10,263,782 B2
Filed: 10/12/2011
Issued: 04/16/2019
Est. Priority Date: 10/12/2011
Status: Active Grant

First Claim

Patent Images

1. A system establishing credentials for a mutual authentication between a user device and a remote service, the system comprising:

a user device that is configured to communicate with a remote service via a communication link between the user device and the remote service, the user device comprising;

a memory that stores;

a shared secret which is a random number that is known by both the user device and the remote service, wherein the shared secret is stored on a soft-token as a hidden secret such that the shared secret is encrypted by a cryptographic hash of a Personal Identification Number (“

PIN”

) of the user such that decryption with any PIN hash will produce a plausible secret value; and

instructions for a challenge response sequence between the user device and the remote service to verify the shared secret,wherein, as part of the challenge response sequence between the user device and the remote service to verify the shared secret, the user device and the remote service negotiate a new value for the shared secret.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for authenticating a user and his local device to a secured remote service with symmetrical keys, which utilizes a PIN from the user and a unique random value from the local device in such a way that prevents the remote service from ever learning the user'"'"'s PIN, or a hash of that PIN. The system also provides mutual authentication, verifying to the user and local device that the correct remote service is being used. At the same time, the system protects against PIN guessing attacks by requiring communication with the said remote service in order to verify if the correct PIN is known. Also, the system works in such a way as to change the random value stored on the user'"'"'s local device after each authentication session.

Citations

19 Claims

1. A system establishing credentials for a mutual authentication between a user device and a remote service, the system comprising:
- a user device that is configured to communicate with a remote service via a communication link between the user device and the remote service, the user device comprising;
  
  a memory that stores;
  
  a shared secret which is a random number that is known by both the user device and the remote service, wherein the shared secret is stored on a soft-token as a hidden secret such that the shared secret is encrypted by a cryptographic hash of a Personal Identification Number (“
  
  PIN”
  
  ) of the user such that decryption with any PIN hash will produce a plausible secret value; and
  
  instructions for a challenge response sequence between the user device and the remote service to verify the shared secret,wherein, as part of the challenge response sequence between the user device and the remote service to verify the shared secret, the user device and the remote service negotiate a new value for the shared secret.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the new value for the shared secret is a random value each time that the soft-token is used for authentication.
  - 3. The system of claim 1, further comprising:
    - the remote service, wherein the remote service comprises a memory that also stores instructions for the challenge response sequence; and
      
      wherein the user'"'"'s PIN or a hash thereof, never exists on the remote service.
  - 4. The system of claim 1, wherein the instructions for the challenge and response sequence comprise instructions to verify to the user device that the user device is connected to a correct remote service.
  - 5. The system of claim 1, wherein the instructions for the challenge and response sequence comprise instructions to authenticate the user device to the remote service and also verify to the remote service that a correct PIN has been entered by a user.
  - 6. The system of claim 1, wherein the instructions for the challenge and response sequence comprise instructions to ensure that the user'"'"'s PIN, or any hash value derived therefrom, is never communicated to the remote service.
  - 7. The system of claim 1, wherein the instructions for the challenge response sequence comprise instructions to, by the user device:
    - receive, from the remote service, an authentication challenge based on the shared secret;
      
      in response to receiving the authentication challenge, generate a response using the shared secret as a symmetrical key, create an other authentication challenge, and send the response and the other authentication challenge to the remote service;
      
      receive, from the remote service, a response to the other authentication challenge; and
      
      in response to receiving the response to the other authentication challenge, determine if the remote service has the shared secret by verifying the response to the other authentication challenge.
  - 8. The system of claim 7, wherein the remote service comprises a memory that stores instructions for the challenge response sequence, andwherein the instructions of the remote service for the challenge response sequence further comprise instructions to, by the remote service:
    - determine if the user device has the shared secret by verifying the response generated by the user device;
      
      generate the response to the other authentication challenge; and
      
      transmit the response to the other authentication challenge to the user device.

9. A method for authenticating a user device to a remote service, the method comprising:
- by the user device;
  
  generating a random number to be used as a shared secret by a user of the user device and the remote service;
  
  securely communicating the shared secret to the remote service to store the shared secret on the remote service such that the shared secret can be identified as associated with the user device;
  
  encrypting the shared secret on the user device using a cryptographic hash of a Personal Identification Number (“
  
  PIN”
  
  ) of the user;
  
  storing the encrypted shared secret into memory in the user device; and
  
  performing an authentication process comprising receiving a PIN entered by the user and using the entered PIN to produce a plausible secret value which cannot be verified without attempting to authenticate with the remote service,wherein, the authentication process verifies the shared secret, and as part of the authentication process between the user device and the remote service to verify the shared secret, the user device and the remote service negotiate a new value for the shared secret.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9, wherein the PIN of the user or a hash of the PIN of the user never exists on the remote service.
  - 11. The method of claim 9, wherein the authentication process verifies the user device to the remote service and verifies the remote service to the user device.
  - 12. The method of claim 9, wherein performing the authentication process further comprises, by the user device:
    - receiving, from the remote service, an authentication challenge based on the shared secret;
      
      in response to receiving the authentication challenge, generating a response using the shared secret as a symmetrical key, creating an other authentication challenge, and sending the response and the other authentication challenge to the remote service;
      
      receiving, from the remote service, a response to the other authentication challenge; and
      
      in response to receiving the response to the other authentication challenge, determining if the remote service has the shared secret by verifying the response to the other authentication challenge.
  - 13. The method of claim 12, wherein performing the authentication process further comprises, by the remote service:
    - determining if the user device has the shared secret by verifying the response generated by the user device;
      
      generating the response to the other authentication challenge; and
      
      transmitting the response to the other authentication challenge to the user device.

14. A system establishing credentials for a mutual authentication between a user device and a remote service, the system comprising:
- the remote service;
  
  the user device including a memory and at least one processor, wherein the user device is configured to communicate with the remote service via a communication link between the user device and the remote service;
  
  a shared secret which is a random number that is known by both the user device and the remote service, the value of the shared secret changes after each authentication session, wherein the shared secret is encrypted by a cryptographic hash of a Personal Identification Number (“
  
  PIN”
  
  ) of a user such that decryption with any PIN hash will produce a plausible secret value; and
  
  memory containing instructions for a mutual authentication sequence between the user device and the remote service to provide mutual authentication.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The system of claim 14, further comprising instructions for transmitting secure data via the communication link secured by encrypting the data with the shared secret.
  - 16. The system of claim 14, wherein the PIN of the user or a hash thereof never exists on the remote service.
  - 17. The system of claim 14, wherein the instructions for the mutual authentication sequence comprise instructions to verify to the user device that the user device is connected to a correct remote service.
  - 18. The system of claim 14, wherein the instructions for the mutual authentication sequence comprise instructions to authenticate the user device to the remote service and also verify to the remote service that a correct PIN has been entered by the user.
  - 19. The system of claim 14, wherein the PIN of the user, or any hash value derived therefrom, is never communicated to the remote service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CybrSecurity Corporation.
Original Assignee
Goldkey Corporation
Inventors
Billings, Roger E, Billings, John A
Primary Examiner(s)
Shepperd, Eric W

Application Number

US13/272,033
Publication Number

US 20130097427A1
Time in Patent Office

2,743 Days
Field of Search

713168-169, 713171, 713182, 713189, 713193, 705 64, 705 71- 72, 726 2- 3, 726 5, 726 7, 726 10, 726 16- 17, 726 19- 20, 726 26- 28, 380255, 380259, 380262, 380263, 380273, 380277, 380283, 380 44, 709203, 709227-228, 709237
US Class Current
CPC Class Codes

H04L 9/3228   One-time or temporary data,...

H04L 9/3234   involving additional secure...

H04L 9/3273   for mutual authentication n...

Soft-token authentication system

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Soft-token authentication system

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links