System and method for delegating trust to a new authenticator

US 10,268,811 B2
Filed: 03/18/2014
Issued: 04/23/2019
Est. Priority Date: 03/22/2013
Status: Active Grant

First Claim

Patent Images

1. A method for enabling one or more new authenticators being implemented in hardware of a new client device, the method comprising:

the one or more new authenticators determining a number (N) of keys or key pairs contained in registration data associated with a trusted authenticator on a trusted client device, wherein the number N is equal to a number of keys or key pairs that have been registered with a relying party for the trusted authenticator and that also are on the trusted client device, wherein the relying party is remote from the trusted client device and the new client device, wherein the trusted client device and the new client device are mobile devices, and wherein the determination further comprises;

the one or more new authenticators communicating with the trusted authenticator to obtain the number of keys or key pairs in the registration data;

the one or more new authenticators generating N new keys or key pairs of the one or more new authenticators;

the one or more new authenticators providing the N new keys or one of each of the N new key pairs to the trusted authenticator, wherein the trusted authenticator signs each of the N new keys using a key, which corresponds to registration of the trusted authenticator with the relying party, and wherein the trusted authenticator inserts a timestamp into each signature during the signing; and

the one or more new authenticators receiving N signatures from the trusted authenticator, wherein the N signatures are based on the N new keys or the one of each of the N new key pairs; and

the one or more new authenticators performing one or more verification transactions with the relying party based on the N signatures and using the timestamps.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, apparatus, method, and machine readable medium are described for delegating trust to a new client device or a new authenticator on a trusted device. For example, one embodiment of a method comprises: implementing a series of trust delegation operations to transfer registration data associated with one or more trusted authenticators on a trusted client device to one or more new authenticators on a new client device or on the trusted client device.

Citations

20 Claims

1. A method for enabling one or more new authenticators being implemented in hardware of a new client device, the method comprising:
- the one or more new authenticators determining a number (N) of keys or key pairs contained in registration data associated with a trusted authenticator on a trusted client device, wherein the number N is equal to a number of keys or key pairs that have been registered with a relying party for the trusted authenticator and that also are on the trusted client device, wherein the relying party is remote from the trusted client device and the new client device, wherein the trusted client device and the new client device are mobile devices, and wherein the determination further comprises;
  
  the one or more new authenticators communicating with the trusted authenticator to obtain the number of keys or key pairs in the registration data;
  
  the one or more new authenticators generating N new keys or key pairs of the one or more new authenticators;
  
  the one or more new authenticators providing the N new keys or one of each of the N new key pairs to the trusted authenticator, wherein the trusted authenticator signs each of the N new keys using a key, which corresponds to registration of the trusted authenticator with the relying party, and wherein the trusted authenticator inserts a timestamp into each signature during the signing; and
  
  the one or more new authenticators receiving N signatures from the trusted authenticator, wherein the N signatures are based on the N new keys or the one of each of the N new key pairs; and
  
  the one or more new authenticators performing one or more verification transactions with the relying party based on the N signatures and using the timestamps.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method as in claim 1 further comprising:
    - the trusted authenticator transferring each of the signatures and registration data associated with the relying party to the one or more new authenticators.
  - 3. The method as in claim 2 further comprising:
    - the one or more new authenticators integrating the registration data and signatures within a local secure database.
  - 4. The method as in claim 3, wherein the performing the one or more verification transactions with the relying party comprises:
    - the one or more new authenticators establishing a connection with the relying party;
      
      the one or more new authenticators identifying the registration data, one of the N new keys, and the corresponding signature in the local secure database; and
      
      the one or more new authenticators performing one or more verification transactions with the relying party using the registration data, the one of the N new keys, and the corresponding signature.
  - 5. The method as in claim 4 wherein at least one of the verification transactions comprises reading the timestamps and determining whether the timestamp is sufficiently new to allow the one or more new authenticators to be enabled.
  - 6. The method as in claim 5 wherein the verification transactions include the one or more new authenticators transmitting a response to the relying party comprising an attestation over the one of the N new keys, the corresponding signature, and a new signature generated with the one of the N new keys.
  - 7. The method as in claim 6 wherein the attestation over the one of the N new keys comprises a signature generated over the one of the N new keys.
  - 8. The method as in claim 6 wherein the new signature is generated over a challenge sent by the relying party.
  - 9. The method as in claim 6 wherein the response further includes an identification code usable by the relying party to identify and locate a trusted key associated with the trusted client device.
  - 10. The method as in claim 9 further comprising:
    - verifying the signature at the relying party using the trusted key.
  - 11. The method as in claim 10 wherein the trusted key comprises a public key associated with the trusted client device or the trusted authenticator.

12. A system comprising:
- a trusted authenticator implemented in hardware of a first device;
  
  one or more new authenticators that is implemented in hardware of a second device; and
  
  a relying party remote from the first and second devices;
  
  wherein the one or more new authenticators to be enabled, wherein the enabling operations comprises;
  
  the one or more new authenticators determining a number (N) of keys or key pairs contained in registration data associated with the trusted authenticator on a trusted client device, wherein the number N is equal to a number of keys or key pairs that have been registered with the relying party for the trusted authenticator and that also are on the trusted client device, wherein the trusted client device and the new client device are mobile devices, and wherein the determination further comprises;
  
  the one or more new authenticators communicating with the trusted authenticator to obtain the number of keys or key pairs in the registration data;
  
  the one or more new authenticators generating N new keys or key pairs of the one or more new authenticators;
  
  the one or more new authenticators providing the N new keys or one of each of the N new key pairs to the trusted authenticator, wherein the trusted authenticator signs each of the N new keys using a key, which corresponds to registration of the trusted authenticator with the relying party, and wherein the trusted authenticator inserts a timestamp into each signature during from the signing;
  
  the one or more new authenticators receiving N signatures from the trusted authenticator, wherein the N signatures are based on the N new keys or the one of each of the new N key pairs; and
  
  the one or more new authenticators performing one or more verification transactions with the relying party based on the N signatures and using the timestamps.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The system as in claim 12 wherein the enabling further comprises:
    - the one or more new authenticators integrating the registration data and signatures within a local secure database.
  - 14. The system as in claim 13 wherein the performing the one or more verification transactions with the relying party comprises:
    - the one or more new authenticators establishing a connection with the relying party;
      
      the one or more new authenticators identifying the registration data, one of the N new keys, and the corresponding signature in the local secure database; and
      
      the one or more new authenticators performing one or more verification transactions with the relying party using the registration data, the one of the N new keys, and the corresponding signature.
  - 15. The system as in claim 14 wherein the verification transactions include transmitting a response to the relying party comprising an attestation over the one of the N new keys, the corresponding signature, and a new signature generated with the one of the N new keys.
  - 16. The system as in claim 15 wherein the attestation over the one of the N new keys comprises a signature generated over the one of the N new keys.
  - 17. The system as in claim 15 wherein the new signature is generated over a challenge sent by the relying party.
  - 18. The system as in claim 15 wherein the response further includes an identification code usable by the relying party to identify and locate a trusted key associated with the trusted client device.
  - 19. The system as in claim 18 further comprising:
    - verification logic to verify the signature at the relying party using the trusted key.
  - 20. The system as in claim 19 wherein the trusted key comprises a public key associated with the trusted client device or the trusted authenticator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nok Nok Labs Incorporated
Original Assignee
Nok Nok Labs Incorporated
Inventors
Baghdasaryan, Davit
Primary Examiner(s)
Popham, Jeffrey D.

Application Number

US14/218,692
Publication Number

US 20140289509A1
Time in Patent Office

1,862 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2115   Third party

G06Q 20/204   comprising interface for re...

G06Q 20/3224   Transactions dependent on l...

G06Q 20/3274   using a pictured code, e.g....

G06Q 20/3278   RFID or NFC payments by mea...

G06Q 20/4012   Verifying personal identifi...

G06Q 20/40145   Biometric identity checks

G06Q 20/42   Confirmation, e.g. check or...

G06Q 20/425   using two different network...

G07F 19/20   Automatic teller machines [...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 2463/102   applying security measure f...

H04L 63/0492   by using a location-limited...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

H04L 63/20   for managing network securi...

H04L 9/0819   Key transport or distributi...

H04L 9/0822 : using key encryption key

H04L 9/0841 : involving Diffie-Hellman or...

H04L 9/3231 : Biological data, e.g. finge...

H04L 9/3247 : involving digital signatures

H04L 9/3297 : involving time stamps, e.g....

H04W 12/06 : Authentication

H04W 12/065 : Continuous authentication

View All

System and method for delegating trust to a new authenticator

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for delegating trust to a new authenticator

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links