Secure distributed authentication data

US 10,462,112 B1
Filed: 01/09/2019
Issued: 10/29/2019
Est. Priority Date: 01/09/2019
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for secure authentication for access to a restricted resource, the operations comprising:

receiving a request for access to the restricted resource by a client identity;

identifying asserted authentication data associated with the request;

generating, in response to the request, an encryption key, the encryption key being uniquely generated based on the asserted authentication data;

generating, in response to the request, a non-restorable digital representation of the asserted authentication data;

retrieving an encrypted digital representation of authentication data associated with the client identity, wherein;

the encrypted digital representation of authentication data is retrieved as a plurality of data portions stored in a plurality of data storage locations; and

retrieving the encrypted digital representation of authentication data comprises reconstructing the encrypted digital representation of authentication data from at least a portion of the plurality of data portions;

decrypting the retrieved encrypted digital representation of authentication data using the encryption key to produce a decrypted digital representation of authentication data;

comparing the decrypted digital representation of authentication data to the generated digital representation of the asserted authentication data; and

generating a token for use in an authentication process for the client identity upon determining, based on the comparing, a match between the stored digital representation of authentication data and the digital representation of the asserted authentication data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed embodiments relate to systems and methods for secure distributed authentication data. Techniques include identifying asserted authentication data associated with the request, generating an encryption key based on the asserted authentication data, generating a non-restorable digital representation of the asserted authentication data, retrieving an encrypted non-restorable digital representation of authentication data associated with the client identity, decrypting the retrieved encrypted non-restorable digital representation of authentication data using the encryption key, comparing the decrypted non-restorable digital representation of authentication data to the non-restorable digital representation of asserted authentication data; and providing a token for use in an authentication process for the client identity upon determining, based on a match between the stored non-restorable digital representation of authentication data and the non-restorable digital representation of version of the asserted authentication data.

Citations

18 Claims

1. A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for secure authentication for access to a restricted resource, the operations comprising:
- receiving a request for access to the restricted resource by a client identity;
  
  identifying asserted authentication data associated with the request;
  
  generating, in response to the request, an encryption key, the encryption key being uniquely generated based on the asserted authentication data;
  
  generating, in response to the request, a non-restorable digital representation of the asserted authentication data;
  
  retrieving an encrypted digital representation of authentication data associated with the client identity, wherein;
  
  the encrypted digital representation of authentication data is retrieved as a plurality of data portions stored in a plurality of data storage locations; and
  
  retrieving the encrypted digital representation of authentication data comprises reconstructing the encrypted digital representation of authentication data from at least a portion of the plurality of data portions;
  
  decrypting the retrieved encrypted digital representation of authentication data using the encryption key to produce a decrypted digital representation of authentication data;
  
  comparing the decrypted digital representation of authentication data to the generated digital representation of the asserted authentication data; and
  
  generating a token for use in an authentication process for the client identity upon determining, based on the comparing, a match between the stored digital representation of authentication data and the digital representation of the asserted authentication data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The non-transitory computer readable medium of claim 1, wherein generating the non-restorable digital representation of the asserted authentication data is performed using a hash function algorithm.
  - 3. The non-transitory computer readable medium of claim 1, wherein the request for access to the restricted resource includes the asserted authentication data.
  - 4. The non-transitory computer readable medium of claim 1, wherein the encryption key is a symmetric key.
  - 5. The non-transitory computer readable medium of claim 1, wherein the operations further comprise transmitting the token to at least one of:
    - the client identity or a third-party authentication service.
  - 6. The non-transitory computer readable medium of claim 1, wherein the asserted authentication data is signed with a private key associated with the client identity and the operations further comprise:
    - verifying the client identity based on the asserted authentication data using a public key associated with the client identity.
  - 7. The non-transitory computer readable medium of claim 1, wherein the asserted authentication data is encrypted with a public key associated with the authentication system and the operations further comprise:
    - decrypting the asserted authentication data using a private key associated with the authentication system.
  - 8. The non-transitory computer readable medium of claim 1, wherein the operations further comprise:
    - receiving an original authentication data associated with the client identity;
      
      generating an original non-restorable digital representation of authentication data based on the original authentication data;
      
      generating an original encryption key based on the original authentication data;
      
      encrypting the original digital representation of authentication data using the original encryption key to generate the encrypted digital representation of authentication data; and
      
      storing the encrypted digital representation of authentication data.
  - 9. The non-transitory computer readable medium of claim 8, wherein storing the encrypted digital representation of authentication data includes separating the encrypted digital representation of authentication data into the plurality of data portions and storing the plurality of data portions across a plurality of storage resources.

10. A computer-implemented method for secure authentication for access to a restricted resource, the method comprising:
- receiving a request for access to the restricted resource by a client identity;
  
  identifying asserted authentication data associated with the request;
  
  generating, in response to the request, an encryption key, the encryption key being uniquely generated based on the asserted authentication data;
  
  generating, in response to the request, a non-restorable digital representation of the asserted authentication data;
  
  retrieving an encrypted digital representation of authentication data associated with the client identity, wherein;
  
  the encrypted digital representation of authentication data is retrieved as a plurality of data portions stored in a plurality of data storage locations; and
  
  retrieving the encrypted digital representation of authentication data comprises reconstructing the encrypted digital representation of authentication data from at least a portion of the plurality of data portions;
  
  decrypting the retrieved encrypted digital representation of authentication data using the encryption key to produce a decrypted digital representation of authentication data;
  
  comparing the decrypted digital representation of authentication data to the generated digital representation of the asserted authentication data; and
  
  generating a token for use in an authentication process for the client identity upon determining, based on the comparing, a match between the stored digital representation of authentication data and the digital representation of the asserted authentication data.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer-implemented method of claim 10, wherein generating the non-restorable digital representation of the asserted authentication data is performed using a hash function algorithm.
  - 12. The computer-implemented method of claim 10, wherein the request for access to the restricted resource includes the asserted authentication data.
  - 13. The computer-implemented method of claim 10, wherein the encryption key is a symmetric key.
  - 14. The computer-implemented method of claim 10, further comprising transmitting the token to at least one of:
    - the client identity or a third-party authentication service.
  - 15. The computer-implemented method of claim 10, wherein the asserted authentication data is signed with a private key associated with the client identity and the method further comprises:
    - verifying the client identity based on the asserted authentication data using a public key associated with the client identity.
  - 16. The computer-implemented method of claim 10, wherein the asserted authentication data is encrypted with a public key associated with the authentication system and the method further comprises:
    - decrypting the asserted authentication data using a private key associated with the authentication system.
  - 17. The computer-implemented method of claim 10, further comprising:
    - receiving an original authentication data associated with the client identity;
      
      generating an original non-restorable digital representation of authentication data based on the original authentication data;
      
      generating an original encryption key based on the original authentication data;
      
      encrypting the original digital representation of authentication data using the original encryption key to generate the encrypted digital representation of authentication data; and
      
      storing the encrypted digital representation of authentication data.
  - 18. The computer-implemented method of claim 17, wherein storing the encrypted digital representation of authentication data includes separating the encrypted digital representation of authentication data into the plurality of data portions and storing the plurality of data partitions across a plurality of storage resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CyberArk Software Ltd.
Original Assignee
CyberArk Software Ltd.
Inventors
Makmel, Gil, Gamliel, Or
Primary Examiner(s)
Sholeman, Abu S

Application Number

US16/243,730
Time in Patent Office

293 Days
Field of Search

713168
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/062   for key distribution, e.g. ...

H04L 63/08   for authentication of entit...

H04L 9/0861   Generation of secret inform...

H04L 9/3242   involving keyed hash functi...

H04L 9/3247   involving digital signatures

Secure distributed authentication data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Secure distributed authentication data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links