Challenge-response access control using context-based proof

US 10,297,094 B2
Filed: 12/29/2017
Issued: 05/21/2019
Est. Priority Date: 04/06/2016
Status: Active Grant

First Claim

Patent Images

1. A method for authorizing access to an asset, in which an access-controlling entity controls access to the asset and a requesting entity wishes access to the asset, said method comprising:

transmitting to the requesting entity a challenge data set;

receiving from the requesting entity a response purportedly corresponding to a representation of the challenge data set in a non-repudiatable form, obtained from an event validation system;

querying the event validation system to determine whether the response does correspond to a correct representation of the challenge data set in the non-repudiatable form; and

authorizing the requesting entity for access only if the response is the same as the correct representation;

in which the event validation system is a keyless, hash tree-based signing infrastructure, further comprising;

inputting the representation of the challenge data set as an input record to the keyless, hash tree-based signing infrastructure and computing a data signature including recomputation parameters to a logically uppermost value in the hash tree, said recomputation parameters encoding information from other data sets than the representation of the challenge data set,whereby determining whether the response does correspond to the correct representation comprises using the recomputation parameters and the purported representation of the challenge data set to recompute upward through the hash-tree based infrastructure, such that the response does correspond to the correct representation if the same uppermost value is attained as when it was computed with the challenge data set submitted by the requesting entity.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access by a requesting entity to an asset is authorized by an access-controlling entity, which transmits to the requesting entity a challenge data set and then receives from the requesting entity a response purportedly corresponding to a representation of the challenge data set in a non-repudiatable form, obtained from an event validation system. The access-controlling entity queries the event validation system to determine whether the response does correspond to a correct representation of the challenge data set in the non-repudiatable form, and authorizes the requesting entity for access only if the response is correct representation. Non-repudiation can be established through entry into a blockchain, or using a hash-tree-based digital signature infrastructure.

14 Citations

View as Search Results

22 Claims

1. A method for authorizing access to an asset, in which an access-controlling entity controls access to the asset and a requesting entity wishes access to the asset, said method comprising:
- transmitting to the requesting entity a challenge data set;
  
  receiving from the requesting entity a response purportedly corresponding to a representation of the challenge data set in a non-repudiatable form, obtained from an event validation system;
  
  querying the event validation system to determine whether the response does correspond to a correct representation of the challenge data set in the non-repudiatable form; and
  
  authorizing the requesting entity for access only if the response is the same as the correct representation;
  
  in which the event validation system is a keyless, hash tree-based signing infrastructure, further comprising;
  
  inputting the representation of the challenge data set as an input record to the keyless, hash tree-based signing infrastructure and computing a data signature including recomputation parameters to a logically uppermost value in the hash tree, said recomputation parameters encoding information from other data sets than the representation of the challenge data set,whereby determining whether the response does correspond to the correct representation comprises using the recomputation parameters and the purported representation of the challenge data set to recompute upward through the hash-tree based infrastructure, such that the response does correspond to the correct representation if the same uppermost value is attained as when it was computed with the challenge data set submitted by the requesting entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising reversing the method steps performed by the requesting entity and the access-controlling entity, whereby the requesting entity authorizes the access-controlling entity.
  - 3. The method of claim 1, in which the challenge data set includes at least one value generated external to the requesting entity.
  - 4. The method of claim 1, in which the requesting entity is a body of processor-executable code.
  - 5. The method of claim 4, in which the requesting entity is a browser, the asset is a network-accessed asset, and the access-controlling entity is a server through which the browser requests access.
  - 6. The method of claim 5, in which the asset is a web page.
  - 7. The method of claim 5, in which the asset is a data base.
  - 8. The method of claim 1, in which the access-controlling entity is a user device, the asset is within the device, and the requesting entity is a software entity running on a remote device.

9. A system for authorizing access to an asset, in which an access-controlling entity controls access to the asset and a requesting entity wishes access to the asset, comprising computer-executable code embodied in a non-volatile storage medium, which, when executed by a processor, causes the access-controlling entity:
- to transmit to the requesting entity a challenge data set;
  
  to receive from the requesting entity a response purportedly corresponding to a representation of the challenge data set in a non-repudiatable form, obtained from an event validation system;
  
  to query the event validation system to determine whether the response does correspond to a correct representation of the challenge data set in the non-repudiatable form; and
  
  to authorize the requesting entity for access only if the response is the same as the correct representation;
  
  in which the event validation system is a keyless, hash tree-based signing infrastructure configured;
  
  to input the representation of the challenge data set as an input record to the keyless, hash tree-based signing infrastructure and to compute a data signature including recomputation parameters to a logically uppermost value in the hash tree, said recomputation parameters encoding information from other data sets than the representation of the challenge data set,whereby determining whether the response does correspond to the correct representation comprises using the recomputation parameters and the purported representation of the challenge data set to recompute upward through the hash-tree based infrastructure, such that the response does correspond to the correct representation if the same uppermost value is attained as when it was computed with the challenge data set submitted by the requesting entity.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 10. The system of claim 9, in which the access-controlling entity is configured to respond to a second challenge data set issued by the requesting entity by obtaining from the event validation system a representation of the second challenge data set in the non-repudiatable form, whereby the requesting entity authorizes the access-controlling entity.
  - 11. The system of claim 9, in which the challenge data set includes at least one value generated external to the requesting entity.
  - 12. The system of claim 9, in which the requesting entity is a body of processor-executable code.
  - 13. The system of claim 12, in which the requesting entity is a browser, the asset is a network-accessed asset, and the access-controlling entity is a server through which the browser requests access.
  - 14. The system of claim 13, in which the asset is a web page.
  - 15. The system of claim 13, in which the asset is a data base.
  - 16. The system of claim 9, in which the access-controlling entity is a user device, the asset is within the device, and the requesting entity is a software entity running on a remote device.
  - 17. The system of claim 9, in which the requesting entity is a device associated with an item in a production or supply chain.
  - 18. The system of claim 9, in which the requesting entity is a mobile device.
  - 19. The system of claim 18, in which the mobile device is a smart phone, tablet computer or portable computer.
  - 20. The system of claim 18, in which the mobile device is a vehicle and the asset is entry into a physical region.
  - 21. The system of claim 9, in which the requesting entity is a body of executable code.
  - 22. The system of claim 21, in which the asset is digital information stored in at least one server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Guardtime SA
Original Assignee
Guardtime IP Holdings Limited
Inventors
Day, Garrett, Pearce, Jeffrey, Hamilton, Jr., David E, Zawicki, Kevin, Guseman, Roger
Primary Examiner(s)
Nguyen, Nam V

Application Number

US15/857,635
Publication Number

US 20180144564A1
Time in Patent Office

508 Days
Field of Search

340 521, 713173, 713156, 713171, 713175, 705 59
US Class Current
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/6209   to a single file or object,...

G06F 2221/2103   Challenge-response

G07C 2009/00388   code verification carried o...

G07C 9/00309   operated with bidirectional...

G07C 9/27   with central registration

G07C 9/28   the pass enabling tracking ...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/107   wherein the security polici...

H04L 63/123   received data contents, e.g...

H04L 9/0836   using tree structure or hie...

H04L 9/3239   involving non-keyed hash fu...

H04L 9/3247   involving digital signatures

H04L 9/50   using hash chains, e.g. blo...

H04W 12/08   Access security

H04W 12/63   Location-dependent; Proximi...

Challenge-response access control using context-based proof

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Challenge-response access control using context-based proof

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links