Secure remote user authentication leveraging public key cryptography and key splitting
First Claim
1. An electronic user authentication method comprising the steps of:
receiving a login request at an information system, wherein the login request is received over a network from a registered remote user device;
based on the login request, identifying a public key associated with a user;
generating a random challenge;
encrypting the challenge using the public key to form an encrypted challenge;
providing the encrypted challenge to the remote user device;
accessing a fragment of a private key, wherein the private key is associated with the identified public key as an asymmetric cryptographic key pair;
partially decrypting the encrypted challenge using the fragment of the private key to form a first result;
providing the first result to the remote user device;
receiving a reply message from the remote user device, the reply message including a token authenticator value that demonstrates that the challenge was successfully decrypted; and
responsive to a determination that the challenge was successfully decrypted, permitting the requested login to the information system.
Abstract
An ID service on an app server interacts with a corresponding identity app installed on a user device such as a smart phone. At setup, the ID service receives the user's public key and only a segment of the corresponding private key. A special challenge message is created and partially decrypted using the private key segment on the server side, and then decryption is completed on the client app using the remaining segment(s) of the private key to recover the challenge. A token authenticator based on the result of the decryption is sent back to the identity service, for it to verify validity of the result and, if it is valid, enable secure login without requiring a password.
26 Claims
9. A method comprising:
in a client device—
acquiring an asymmetric key consisting of a public key and a private key;
associating the public key and the private key with a user of the client device;
splitting the private key into plural private key fragments, so that a sum of the plural private key fragments equals the private key, wherein the private key is split into three fragments, a first one of the three fragments is secured on the client device, a second one of the three fragments is stored outside of the client device; and a third one of the three fragments is provided to the identity service; and
registering the user with an identity service;
wherein registering the user includes providing the public key, and the plural private key fragment(s) excluding the at least one of the private key fragments secured on the client device, to the identity service for use in securely authenticating the user.
21. A network-based information system, comprising:
an application server;
a user identity service operable on the application server to manage user access to the information system;
a datastore accessible to the identity service, the datastore storing, for at least one user, a public key and a fragment of a private key associated with the public key; and
a client application executable on a client machine, the client application configured for communication with the user identity service over a network;
wherein the identity service is configured to—
receive a login request from the client application;
responsive to the login request, generate a random challenge;
encrypt the challenge using the public key to form an encrypted challenge;
partially decrypt the encrypted challenge to form a partial result;
transmit the encrypted challenge and the partial result to the client application;
receive a reply from the client application;
check the reply to determine whether the challenge was correctly decrypted; and
conditioned on a determination that the challenge was correctly decrypted, permitting the requested login of the user to the information system.
23. A non-transitory computer readable medium storing instructions executable by a processor to cause the processor to:
receive a login request at a database system, wherein the login request is received over a network from a registered remote user device;
based on the login attempt, identify a public key associated with a user;
generate a random challenge;
encrypt the challenge using the public key to form an encrypted challenge;
transmit the encrypted challenge to the remote user device;
access a fragment of a private key associated with the identified public key;
partially decrypt the encrypted challenge using the fragment to form a first result;
transmit the first result to the remote user device;
receive a reply message from the remote user device;
based on the reply message, determine whether the encrypted challenge was successfully decrypted; and
responsive to a determination that the challenge was successfully decrypted, permit the requested login to the database system without requiring a password.
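The login flow recited in claims 1, 21 and 23, combined with the three-fragment split of claim 9, as an added example that is not part of the patent text or any implementation by its authors. It assumes textbook RSA without padding on toy-sized constructed primes, fragments that sum to the private exponent modulo φ(n), and SHA-256 of the recovered challenge as the token authenticator; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed toy key from two Mersenne primes (far too small for real use).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N, PHI = P * Q, (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # full private exponent; needed only at setup time


def split_private_key(d, phi):
    """Return three fragments whose sum equals d modulo phi (assumption)."""
    d1, d2 = secrets.randbelow(phi), secrets.randbelow(phi)
    return d1, d2, (d - d1 - d2) % phi


def authenticator(challenge):
    """Assumed token authenticator: SHA-256 over the challenge value."""
    return hashlib.sha256(challenge.to_bytes(32, "big")).digest()


def server_start_login(server_fragment):
    """Server: make a challenge, encrypt it, partially decrypt it."""
    challenge = secrets.randbits(128) | 1           # nonzero and below N
    encrypted = pow(challenge, E, N)                # c = m^e mod n
    first_result = pow(encrypted, server_fragment, N)  # c^d3 mod n
    return challenge, encrypted, first_result


def client_complete(encrypted, first_result, client_fragments):
    """Client: multiply in c^d1 and c^d2 so the exponents add up to d."""
    recovered = first_result
    for fragment in client_fragments:
        recovered = recovered * pow(encrypted, fragment, N) % N
    return authenticator(recovered)


def server_verify(challenge, reply):
    """Server: constant-time check that the reply proves full decryption."""
    return hmac.compare_digest(authenticator(challenge), reply)


def login(server_fragment, client_fragments):
    """Run one complete exchange; True means the login is permitted."""
    challenge, encrypted, first_result = server_start_login(server_fragment)
    reply = client_complete(encrypted, first_result, client_fragments)
    return server_verify(challenge, reply)
```

The server's `first_result` alone does not equal the challenge, so a party holding only the server-side fragment cannot produce a valid reply; the client needs both of its fragments for the exponents to sum to the private key.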
Specification