Soft-token authentication system
Abstract
A system for authenticating a user and his local device to a secured remote service with symmetrical keys, which utilizes a PIN from the user and a unique random value from the local device in such a way that prevents the remote service from ever learning the user's PIN, or a hash of that PIN. The system also provides mutual authentication, verifying to the user and local device that the correct remote service is being used. At the same time, the system protects against PIN guessing attacks by requiring communication with the said remote service in order to verify if the correct PIN is known. Also, the system works in such a way as to change the random value stored on the user's local device after each authentication session.
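The scheme described in the abstract, as an added example that is not taken from the patent: a 32-byte shared secret is hidden under a hash of the PIN so that any PIN yields a plausible value, and only a challenge-response round with the service can tell a right PIN from a wrong one. The XOR cipher, the HMAC-SHA-256 exchange, the way the new secret is derived from the two nonces, and the names Service, Device, hide, reveal and tag are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

def pin_hash(pin: str) -> bytes:
    return hashlib.sha256(pin.encode()).digest()

def hide(secret: bytes, pin: str) -> bytes:
    # XOR with the PIN hash (assumed cipher): no padding or checksum, so every
    # PIN "decrypts" to 32 random-looking bytes and nothing can be checked offline.
    return bytes(s ^ k for s, k in zip(secret, pin_hash(pin)))

reveal = hide  # XOR is its own inverse

def tag(secret: bytes, label: bytes, *nonces: bytes) -> bytes:
    return hmac.new(secret, label + b"".join(nonces), hashlib.sha256).digest()

class Service:  # holds the shared secret only; never sees the PIN or its hash
    def __init__(self, secret: bytes):
        self.secret, self.failures = secret, 0

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def verify(self, c_nonce: bytes, response: bytes):
        expected = tag(self.secret, b"device", self.nonce, c_nonce)
        if not hmac.compare_digest(response, expected):
            self.failures += 1  # every PIN guess is visible here and can be throttled
            return None
        proof = tag(self.secret, b"service", self.nonce, c_nonce)
        self.secret = tag(self.secret, b"rotate", self.nonce, c_nonce)  # new secret
        return proof

class Device:
    def __init__(self, secret: bytes, pin: str):
        self.blob = hide(secret, pin)  # only the hidden form is stored

    def login(self, service: Service, pin: str) -> bool:
        candidate = reveal(self.blob, pin)
        s_nonce, c_nonce = service.challenge(), secrets.token_bytes(16)
        proof = service.verify(c_nonce, tag(candidate, b"device", s_nonce, c_nonce))
        expected = tag(candidate, b"service", s_nonce, c_nonce)
        if proof is None or not hmac.compare_digest(proof, expected):
            return False  # wrong PIN, or the peer is not the real service
        self.blob = hide(tag(candidate, b"rotate", s_nonce, c_nonce), pin)
        return True
```

A wrong PIN leaves both sides' state unchanged and increments the service's failure counter, which is where a lockout policy would attach.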
19 Claims
1. A system establishing credentials for a mutual authentication between a user device and a remote service, the system comprising:
a user device that is configured to communicate with a remote service via a communication link between the user device and the remote service, the user device comprising;
a memory that stores;
a shared secret which is a random number that is known by both the user device and the remote service, wherein the shared secret is stored on a soft-token as a hidden secret such that the shared secret is encrypted by a cryptographic hash of a Personal Identification Number (“PIN”) of the user such that decryption with any PIN hash will produce a plausible secret value; and
instructions for a challenge response sequence between the user device and the remote service to verify the shared secret, wherein, as part of the challenge response sequence between the user device and the remote service to verify the shared secret, the user device and the remote service negotiate a new value for the shared secret.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A method for authenticating a user device to a remote service, the method comprising:
by the user device;
generating a random number to be used as a shared secret by a user of the user device and the remote service;
securely communicating the shared secret to the remote service to store the shared secret on the remote service such that the shared secret can be identified as associated with the user device;
encrypting the shared secret on the user device using a cryptographic hash of a Personal Identification Number (“PIN”) of the user;
storing the encrypted shared secret into memory in the user device; and
performing an authentication process comprising receiving a PIN entered by the user and using the entered PIN to produce a plausible secret value which cannot be verified without attempting to authenticate with the remote service, wherein, the authentication process verifies the shared secret, and as part of the authentication process between the user device and the remote service to verify the shared secret, the user device and the remote service negotiate a new value for the shared secret.
Dependent claims: 10, 11, 12, 13
14. A system establishing credentials for a mutual authentication between a user device and a remote service, the system comprising:
the remote service;
the user device including a memory and at least one processor, wherein the user device is configured to communicate with the remote service via a communication link between the user device and the remote service;
a shared secret which is a random number that is known by both the user device and the remote service, the value of the shared secret changes after each authentication session, wherein the shared secret is encrypted by a cryptographic hash of a Personal Identification Number (“PIN”) of a user such that decryption with any PIN hash will produce a plausible secret value; and
memory containing instructions for a mutual authentication sequence between the user device and the remote service to provide mutual authentication.
Dependent claims: 15, 16, 17, 18, 19
Specification