User authentication based on multiple asymmetric cryptography key pairs

US 10,356,088 B1
Filed: 06/19/2017
Issued: 07/16/2019
Est. Priority Date: 01/25/2017
Status: Active Grant

First Claim

Patent Images

1. A user authentication method for an information system comprising the steps of:

receiving a login attempt at a server from a remote user device;

based on the login attempt, accessing a first public key and a second public key, both associated with a user, wherein the first and second public keys are each associated with a corresponding private key of an asymmetric cryptographic key pair;

generating first and second new random challenge messages;

encrypting the first challenge message using the first public key;

encrypting the second challenge message using the second public key;

sending the first and second encrypted challenge messages to the remote user device;

receiving a reply message from the remote user device;

verifying the reply message, including determining whether both of the first and second challenge messages were successfully decrypted; and

based on verifying the reply message, permitting login to the server without requiring a password.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An ID service provisioned on a server interacts with a corresponding ID app installed on a user device such as a smart phone for secure user authentication (login). A user acquires two asymmetric encryption keys pairs. One of the private keys is secured on SIM on the user device, and the other one stored in the ID app on the user device. At login attempt, the ID service generates two random challenge messages, and encrypts each of them with one of the public keys. Decryption of one challenge is conducted by the SIM and decryption of the other is done by the ID app. A token based on the two decrypted challenge results is returned to the ID service. Alternatively, a single challenge can be double-wrapped with the two keys. The verifies the results and enables secure login without requiring a password.

Citations

13 Claims

1. A user authentication method for an information system comprising the steps of:
- receiving a login attempt at a server from a remote user device;
  
  based on the login attempt, accessing a first public key and a second public key, both associated with a user, wherein the first and second public keys are each associated with a corresponding private key of an asymmetric cryptographic key pair;
  
  generating first and second new random challenge messages;
  
  encrypting the first challenge message using the first public key;
  
  encrypting the second challenge message using the second public key;
  
  sending the first and second encrypted challenge messages to the remote user device;
  
  receiving a reply message from the remote user device;
  
  verifying the reply message, including determining whether both of the first and second challenge messages were successfully decrypted; and
  
  based on verifying the reply message, permitting login to the server without requiring a password.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 and further comprising:
    - at the server, accessing a fragment of the private key associated with the first public key;
      
      at the server, partially decrypting the first encrypted challenge message using the fragment to form a partial result; and
      
      sending the partial result to the remote user device for use in completely decrypting the first encrypted challenge message.
  - 3. The method of claim 2 wherein:
    - one of the asymmetric cryptographic key pairs is generated using ElGamal technology; and
      
      the other one of the asymmetric cryptographic key pairs is generated using RSA technology.
  - 4. The method of claim 3 wherein the asymmetric cryptographic key pair is generated using ElGamal technology.
  - 5. The method of claim 2 wherein the reply message includes a token authenticator based on the first and second challenge messages.
  - 6. The method of claim 2 and further comprising:
    - at the server, storing a timestamp associated with at least one of the first and second challenge messages;
      
      after receiving the reply message, comparing a current time to the timestamp; and
      
      based on the comparison, denying the requested login in a case that an elapsed time measured from the timestamp to receiving the reply message exceeds a predetermined time to live.
  - 7. The method of claim 2 wherein the reply message includes a token authenticator, and verifying the reply message includes validating the token authenticator.
  - 8. The method of claim 2 wherein the reply message includes a token authenticator value based on a predetermined cryptographic [one-way] hash function of the first and second decryption results.

9. A user authentication method for an information system comprising the steps of:
- receiving a login attempt at a server from a remote user device;
  
  based on the login attempt, accessing a first public key and a second public key, both associated with a user, wherein the first and second public keys are each associated with a corresponding private key of an asymmetric cryptographic key pair;
  
  generating a first new random challenge message;
  
  encrypting the first challenge message using the first public key;
  
  wrapping the encrypted first challenge message using the second public key;
  
  sending the double wrapped encrypted challenge message to the remote user device;
  
  receiving a reply message from the remote user device;
  
  verifying the reply message, including determining whether the double wrapped challenge message was successfully decrypted; and
  
  based on verifying the reply message, permitting login to the server without requiring a password.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9 and further comprising:
    - at the server, accessing a fragment of the private key associated with first public key;
      
      at the server, partially decrypting the first encrypted challenge message using the fragment to form a partial result; and
      
      sending the partial result to the remote user device for use in decrypting the challenge message.
  - 11. The method of claim 9 wherein:
    - one of the asymmetric cryptographic key pairs is generated using ElGamal technology; and
      
      the other one of the asymmetric cryptographic key pairs is generated using RSA technology.
  - 12. The method of claim 11 wherein the asymmetric cryptographic key pair is generated using ElGamal technology.
  - 13. The method of claim 9 wherein the reply message includes a token authenticator based on decrypting the challenge message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Peddada, Prasad, Elgamal, Taher
Primary Examiner(s)
Patel, Haresh N

Application Number

US15/627,031
Time in Patent Office

757 Days
Field of Search

713171
US Class Current
CPC Class Codes

G06F 21/31   User authentication

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0815   providing single-sign-on or...

H04L 63/0853   using an additional device,...

H04L 63/0876   based on the identity of th...

H04L 9/14   using a plurality of keys o...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3271   using challenge-response

H04L 9/3297   involving time stamps, e.g....

H04W 12/06   Authentication

User authentication based on multiple asymmetric cryptography key pairs

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

User authentication based on multiple asymmetric cryptography key pairs

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links