Hardware token self enrollment process

US 20030005291A1
Filed: 06/14/2002
Published: 01/02/2003
Est. Priority Date: 12/20/2000
Status: Active Grant

First Claim

Patent Images

1. A method for initializing and distributing hardware tokens comprising the steps of:

initializing a hardware token processor with non-user specific certificates;

distributing the hardware token processors to potential users;

allowing a new user to register a hardware token processor together with their specific user identification information;

generating new certificates for the new user; and

storing said new certificates for said new user in the hardware token processor submitted for registration by said new user.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Intelligent hardware token processors (5) are capable of sending and receiving encrypted messages. Generic initialization with non-user-specific certificates comprising public and private keys allows a certificate authority (210) to securely communicate with the hardware token. New users enrolling with the certificate server (210) have their hardware tokens securely reprogrammed with user specific certificates.

75 Citations

View as Search Results

28 Claims

1. A method for initializing and distributing hardware tokens comprising the steps of:
- initializing a hardware token processor with non-user specific certificates;
  
  distributing the hardware token processors to potential users;
  
  allowing a new user to register a hardware token processor together with their specific user identification information;
  
  generating new certificates for the new user; and
  
  storing said new certificates for said new user in the hardware token processor submitted for registration by said new user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 2. The method of claim 1 wherein the hardware token processor comprises:
    - non-volatile random access memory;
      
      instruction unit that executes instruction sequences stored in memory;
      
      encasement that houses the non-volatile random access memory and instruction unit; and
      
      interface unit that penetrates said encasement and allows the instruction unit to communicate with external equipment.
  - 3. The method of claim 2 wherein the hardware token processor further comprises:
    - intrusion detection unit that detects the compromise of the encasement and erases the contents of the non-volatile memory in response thereto.
  - 4. The method of claim 2 wherein the hardware token processor further comprises:
    - math accelerator that is tailored to execute mathematical instructions.
  - 5. The method of claim 2 wherein the interface unit is a one-wire interface.
  - 6. The method of claim 1 further comprising the step of distributing a plurality of hardware token processor interface units to potential users.
  - 7. The method of claim 1 further comprising the step of Installing a hardware token reader on a plurality of user computers.
  - 8. The method of claim 1 wherein the step of initializing a hardware token processor with non-user specific certificates is accomplished using a bulk programmer.
  - 9. The method of claim 8 wherein the bulk programmer is controlled by a hardware token processor initialization workstation.
  - 10. The method of claim 8 wherein the hardware token processor initialization workstation creates initialization data for each hardware token processor initialized.
  - 11. The method of claim 8 wherein the hardware token processor initialization workstation obtains initialization data from an external source by means of computer readable media.
  - 12. The method of claim 11 wherein the computer readable media comprises a computer network or a trusted computer network.
  - 13. The method of claim 1 wherein the step of initializing a hardware token processor further comprises the steps of:
    - creating a unique identifier for the hardware token processor;
      
      generating a personal identification number for a potential user in a random manner;
      
      generating a personal identification number for an administrative user in a random manner;
      
      generating a user certificate and a user certification number key pair for the hardware token processor;
      
      generating a server certificate and a server certification number key pair for the hardware token processor;
      
      storing said unique identifier, said personal identification numbers for both a potential user and an administrative user, and said user and server key pairs in a recognition database;
      
      storing said unique identifier, said personal identification numbers for both a potential user and an administrative user in the hardware token processor;
      
      storing said user certificate in the hardware token processor; and
      
      storing said server certification number in the hardware token processor.
  - 14. The method of claim 13 further comprising the step of setting an initialization Boolean flag in the hardware token processor to indicate that the hardware token processor has been initialized.
  - 15. The method of claim 13 wherein the recognition database comprises a unique record for each hardware token processor initialized and wherein each of said records comprises the following fields:
    - hardware token processor identifier field that is used to store a unique identifier for each hardware token processor initialized;
      
      administrative personal identification number field that is used to store a randomly generated personal identification number for an administrative user;
      
      user personal identification number field that is used to store a randomly generated personal identification number for a user;
      
      hardware token processor initialization Boolean field that is set to true after the hardware token processor is initialized;
      
      user certificate field that is used to store a private decryption key used by the hardware token processor to decrypt messages received from a certificate authority;
      
      user certification number field that is used to store a public key used by a certificate authority to encrypt messages that are to be sent to the hardware token processor;
      
      server certificate field that is used to store a private decryption key used by the certificate authority to decrypt messages received from the hardware token processor; and
      
      server certification number field that is used to store a public key used by a hardware token processor to encrypt messages that are to be sent to the certificate authority.
  - 16. The method of claim 15 wherein the recognition database further comprises the following fields:
    - registered field that is set to a null value upon initialization of the hardware token processor and is subsequently set to a date indicative of the date on which the hardware token processor is registered by a user, and user data field that is used to store information about a user once the user has enrolled for authentication service with the certificate authority.
  - 18. The method of claim 17 wherein the user enrollment process comprises the following steps:
    - accepting user identification data from a user;
      
      sending a request to a certificate authority in order to register wherein the request comprises said user identification data and non-user specific certificates; and
      
      registering the user in a recognition database.
  - 19. The method of claim 18 wherein the non-user certificates comprise:
    - user certificate that is a private decryption key used by the hardware token processor to decrypt messages received from the certificate authority;
      
      user certification number that is a public key used by the certificate authority to encrypt messages that are to be sent to the hardware token processor;
      
      server certificate that is a private decryption key used by the certificate authority to decrypt messages received from the hardware token processor; and
      
      server certification number that is a public key used by a hardware token processor to encrypt messages that are to be sent to the certificate authority.
  - 20. The method of claim 18 further comprising the step of setting a Boolean flag in the hardware token processor to indicate that the hardware token processor has been assigned to a user.
  - 21. The method of claim 18 further comprising the step of recording the date that the user registered the hardware token processor.
  - 22. The method of claim 18 wherein the step of accepting user identification data from a user is accomplished by a graphical user interface.
  - 23. The method of claim 18 wherein the step of accepting user identification data from a user is accomplished by a graphical user interface embodied as a web page.
  - 24. The method of claim 18 wherein the step of sending a request to a certificate authority is accomplished by a Java applet attached to a web page.
  - 25. The method of claim 18 wherein the step of registering the user in a recognition database comprises the steps of:
    - receiving a hardware token processor identifier from the hardware token processor;
      
      generating new user-specific certificates and storing those certificates with the hardware token processor identifier;
      
      encrypting the new certificates using the non-user-specific certificate that the hardware token processor was initialized with; and
      
      sending the encrypted new certificate to the hardware token processor.
  - 26. The method of claim 25 wherein the new user-specific certificates comprise:
    - user certificate that is a private decryption key used by the hardware token processor to decrypt messages received from the certificate authority;
      
      user certification number that is a public key used by the certificate authority to encrypt messages that are to be sent to the hardware token processor;
      
      server certificate that is a private decryption key used by the certificate authonty to decrypt messages received from the hardware token processor; and
      
      server certification number that is a public key used by a hardware token processor to encrypt messages that are to be sent to the certificate authority.
  - 27. The method of claim 25 further comprising the steps of:
    - decrypting the new certificate in the hardware token processor; and
      
      replacing the non-user-specific certificates with which the hardware token processor was initialized with the user-specific certificates.
  - 28. The method of claim 25 further comprising the step of storing the user identification data together with the hardware token processor identifier.

17. A method for enrolling for user authentication service with a certificate authority comprising the steps of:
- obtaining a hardware token processor that is initialized with non-user specific certificate;
  
  obtaining a hardware token processor interface unit;
  
  installing said hardware interface unit onto a user'"'"'s computer;
  
  coupling the hardware token processor to said hardware token processor interface unit; and
  
  engaging in a hardware token processor user enrollment process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
AOL LLC (Apollo Global Management, Inc.)
Inventors
Burn, William

Granted Patent

US 7,302,703 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/159
CPC Class Codes

G06F 21/34 involving the use of extern...

Hardware token self enrollment process

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

75 Citations

28 Claims

Specification

Use Cases

Quick Links

Others

Hardware token self enrollment process

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

75 Citations

28 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others