Method and apparatus for secure distribution of authentication credentials to roaming users
Abstract
A roaming user needing his authentication credential (e.g., private key) to access a computer server to perform an electronic transaction may obtain the authentication credential in an on-demand fashion from a credential server accessible to the user over a computer network. In this way, the user is free to roam on the network without having to physically carry his authentication credential. Access to the credential may be protected by one or more challenge-response protocols involving simple shared secrets, shared secrets with one-to-one hashing, or biometric methods such as fingerprint recognition. If camouflaging is used to protect the authentication credential, decamouflaging may be performed either at the credential server or at the user's computer.
52 Claims

1. A computer-implemented method for obtaining, in a networked environment, an authentication credential usable to conduct an electronic transaction, comprising:
(a) accessing, over a network, a server to request therefrom a predetermined authentication credential, said authentication credential: (i) in existence at said server prior to said request therefor, (ii) uniquely identifying a requester thereof, and (iii) suitable for use in conducting an electronic transaction;
(b) receiving, from said server, a challenge soliciting a predetermined response associated with a holder of said authentication credential;
(c) transmitting an answer to said challenge; and
(d) in response to a determination by said server that said answer satisfies said challenge, receiving said authentication credential from said server;
said method being operable in a repeatable, on-demand manner by said requester from a plurality of requester locations.
(Dependent claims: 2, 3, 4, 5, 6, 7, 10, 11, 12, 13, 14, 15, 17, 18)

8. The method of claim 1 further comprising:
(e) using said authentication credential to conduct said electronic transaction; and
(f) deleting said credential from said requestor's computing device.
(Dependent claims: 9)

16. The method of claim 1 where said challenge and said response are members of a zero knowledge proof protocol.

19. An apparatus for obtaining, in a networked environment, an authentication credential usable to conduct an electronic transaction, comprising:
(a) a network interface configured to: (i) access, over a network, a server to request therefrom a predetermined authentication credential, said authentication credential: (A) in existence at said server prior to said request therefor, (B) uniquely identifying a requestor thereof, and (C) suitable for use in conducting an electronic transaction, and (ii) receive, from the server, a challenge soliciting a predetermined response associated with said requestor of said authentication credential;
(b) a user interface configured to receive, from said requestor, an answer to said challenge;
(c) said network interface configured to receive said authentication credential in response to a determination by said server that said answer satisfies said challenge; and
(d) a memory configured to store said authentication credential at said requestor's computing device;
said apparatus being usable by said requestor to obtain repeated, on-demand access from a plurality of requestor locations.
(Dependent claims: 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)

30. A computer-implemented method for providing, in a networked environment, an authentication credential usable to conduct an electronic transaction, comprising:
(a) receiving from a requester, over a network, a request for a predetermined authentication credential, said authentication credential: (i) in existence at said server prior to said request therefor, (ii) uniquely identifying a requester thereof, and (iii) suitable for use in conducting an electronic transaction;
(b) transmitting, to said requestor, a challenge soliciting a predetermined response associated with said requestor;
(c) receiving an answer to said challenge;
(d) determining that said answer satisfies said challenge; and
(e) transmitting said authentication credential for said requestor;
said method being operable to process repeated, on-demand authentication credential requests by said requestor at a plurality of requestor locations.
(Dependent claims: 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)

43. An apparatus for providing, in a networked environment, an authentication credential usable to conduct an electronic transaction, comprising:
(a) a network interface configured to: (i) receive from a requestor, over a network, a request for a predetermined authentication credential, said authentication credential: (A) in existence at said apparatus prior to said request therefor, (B) uniquely identifying a requestor thereof, and (C) suitable for use in conducting an electronic transaction; (ii) transmit a challenge soliciting a predetermined response associated with said requester; and (iii) receive, from said holder, an answer to said challenge;
(b) logic configured to determine whether said answer satisfies said challenge; and
(c) a memory configured to store said authentication credential to be released for said requestor;
said apparatus being operable to process repeated, on-demand authentication credential requests by said requestor at a plurality of requester locations.
(Dependent claims: 44, 45, 46, 47, 48, 49, 50, 51, 52)
Specification