Method and apparatus for access authentication entity

US 20040128508A1
Filed: 02/03/2003
Published: 07/01/2004
Est. Priority Date: 08/06/2001
Status: Abandoned Application

First Claim

Patent Images

1. A method of authenticating a requesting entity for access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, comprising the steps of:

(a) the requesting entity initially opening a security account with the access authentication component, the access authentication component establishing and maintaining at least one record including information pertaining to the account and being retrievable based on a unique identifier established for the requesting entity, and for each record, associating a public key of a respective public-private key pair of the requesting entity with the record;

(b) after initializing the account the requesting entity originating an electronic message and generating a digital signature using a private key of the requesting entity'"'"'s public-private key pair, and sending the digitally signed electronic message to the access authentication component with the unique identifier of the requesting entity;

(a) the access authentication component authenticating the electronic message using the public key associated with the record identified by the requesting entity'"'"'s unique identifier included with the electronic message; and

(b) upon the successful authentication of the electronic message, the access authentication component authenticating the requesting entity for access to the controlled resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for authenticating a requesting entity for access to a controlled resource using one or more authentication factors communicated electronically regarding a security account record in an access authentication component (11). Each record being retrievable based on a unique identifier associated with the requesting entity (30) and a public key of a respective public-private key pair of the requesting entity. The requesting entity originates a digitally signed electronic message including an access request and the unique identifier. The access authentication component (34) retrieves the public key by using the unique identifier to authenticate the electronic message. An access authentication signal can be used for granting access to the requesting entity. The message authentication can include authenticating a security profile of a device and one or more types of verification data of the requesting entity and combinations thereof (24). Business rule can be established to require a reconfirmation of the security profile or resubmission of the verification status or a new/different verification status for a new transaction during a session or following a perset session expiration period.

261 Citations

122 Claims

1. A method of authenticating a requesting entity for access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, comprising the steps of:
- (a) the requesting entity initially opening a security account with the access authentication component, the access authentication component establishing and maintaining at least one record including information pertaining to the account and being retrievable based on a unique identifier established for the requesting entity, and for each record, associating a public key of a respective public-private key pair of the requesting entity with the record;
  
  (b) after initializing the account the requesting entity originating an electronic message and generating a digital signature using a private key of the requesting entity'"'"'s public-private key pair, and sending the digitally signed electronic message to the access authentication component with the unique identifier of the requesting entity;
  
  (a) the access authentication component authenticating the electronic message using the public key associated with the record identified by the requesting entity'"'"'s unique identifier included with the electronic message; and
  
  (b) upon the successful authentication of the electronic message, the access authentication component authenticating the requesting entity for access to the controlled resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, including providing the requesting entity with a device and including the public-private key pair in the device.
  - 3. The method of claim 1, including the requesting entity establishing an account in the controlled resource.
  - 4. The method of claim 3, including an instruction regarding the controlled resource account in the electronic message.
  - 5. The method of claim 4, including executing the instruction regarding the controlled resource account contained in the electronic message.
  - 6. The method of claim 1, including granting access to the controlled resource in response to authenticating the requesting entity.
  - 7. The method of claim 1, including authenticating the electronic message after retrieving the public key from the database using the unique identifier.
  - 8. The method of claim 1, including storing the security account record in an account database.

9. A method of authenticating a requesting entity for access to a controlled resource by communicating electronically over a communications medium to an access authentication component controlling the controlled resource, comprising the steps of:
- (a) the requesting entity initially opening a security account with the access authentication component, the access authentication component establishing and maintaining at least one record including information pertaining to the account and being retrievable based on a unique identifier established for the requesting entity, and for each record, associating a public key of a respective public-private key pair of the requesting entity with the record;
  
  (b) after initializing the account, the requesting entity entering personal verification data and verifying the data to form at least one verification status;
  
  (c) the requesting entity then originating an electronic message including the verification status and generating a digital signature using the private key of the requesting entity'"'"'s public-private key pair, and sending the digitally signed electronic message to the access authentication component with the unique identifier of the requesting entity;
  
  (d) the access authentication component authenticating the electronic message and the verification status using the public key associated with the record identified by the requesting entity'"'"'s unique identifier included with the electronic message; and
  
  (e) upon the successful authentication of the electronic message and the verification status, the access authentication component authenticating the requesting entity for access to the controlled resource.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The method of claim 9, including providing the requesting entity with a device and including the public-private key pair in the device.
  - 11. The method of claim 9, including the requesting entity establishing an account in the controlled resource.
  - 12. The method of claim 11, including an instruction regarding the controlled resource account in the electronic message.
  - 13. The method of claim 12, including executing the instruction regarding the controlled resource account contained in the electronic message.
  - 14. The method of claim 9, including granting access to the controlled resource in response to authenticating the requesting entity.
  - 15. The method of claim 9, including authenticating the electronic message after retrieving the public key from the database using the unique identifier.
  - 16. The method of claim 9, including storing the security account record in an account database.
  - 17. The method of claim 9, including personalizing the device by storing data relating to the requesting entity.

18. A method of authenticating a requesting entity for continuing access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, the requesting entity initially entering personal verification data and verifying the data to form a verification status and having sent the verification status to the access authentication component, the access authentication component having evaluated the verification status and authenticated access to the controlled resource for the requesting entity, the access authentication component maintaining business rules and now requesting in accordance with one of the rules that the verification status be reconfirmed by the requesting entity, comprising the steps of:
- (a) the access authentication component sending a message requesting the current verification status from the requesting entity;
  
  (b) the requesting entity resending the current verification status to the access authentication component;
  
  (c) the access authentication component receiving the current verification status;
  
  (d) the access authentication component evaluating the current verification status with the status required by the business rule; and
  
  (e) upon the successful authentication of the verification status, the access authentication component authenticating the requesting entity for continuing access to the controlled resource.
- View Dependent Claims (19, 20, 22)
- - 19. The method of claim 18, including providing the requesting entity with a device and including the public-private key pair in the device.
  - 20. The method of claim 18, including the requesting entity establishing an account in the controlled resource.
  - 22. The method of claim 18, including storing the security account record in an account database.

23. A method of initially authenticating a requesting entity for access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, comprising the steps of:
- (a) the requesting entity initially opening a security account with the access authentication component, the access authentication component establishing and maintaining at least one record including information pertaining to the account and being retrievable based on a unique identifier established for the requesting entity, and for each record, associating a public key of a respective public-private key pair of the requesting entity with the record;
  
  (b) after initializing the account, the requesting entity entering personal verification data and verifying the data to form a verification status;
  
  (c) the requesting entity then sending the verification status to the access authentication component with the unique identifier of the requesting entity;
  
  (d) the access authentication component authenticating the verification status using the requesting entity'"'"'s unique identifier; and
  
  (e) upon the successful authentication of the verification status, the access authentication component authenticating the requesting entity for access to the controlled resource.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The method of claim 23, including providing the requesting entity with a device and including the public-private key pair in the device.
  - 25. The method of claim 23, including the requesting entity establishing an account in the controlled resource.
  - 26. The method of claim 23, including authenticating the electronic message after retrieving the public key from the database using the unique identifier.
  - 27. The method of claim 23, including storing the security account record in an account database.

28. A method of authenticating a requesting entity for access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, comprising the steps of;
- b) providing the requesting entity with a device having a security profile associated therewith and including a public-private key pair in the device;
  
  b) the requesting entity initially opening a security account with the access authentication component, the access authentication component establishing and maintaining at least one record including information pertaining to the account and being retrievable based on a unique identifier established for the requesting entity, and for each record, associating the public key of the respective public-private key pair of the requesting entity with the record;
  
  b) after initializing the account, the requesting entity then originating and digitally signing an electronic message using the device private key of the requesting entity'"'"'s public-private key pair, and sending the electronic message to the access authentication component with the unique identifier of the requesting entity;
  
  b) the access authentication component authenticating the electronic message and the security profile using the public key associated with the record identified by the requesting entity'"'"'s unique identifier included with the electronic message; and
  
  b) upon the successful authentication of the electronic message and approval of the security profile for the controlled resource, the access authentication component authenticating the requesting entity for access to the controlled resource.
- View Dependent Claims (29, 30, 31, 32, 33, 34)
- - 29. The method of claim 28, including the requesting entity establishing an account in the controlled resource.
  - 30. The method of claim 29, including an instruction regarding the controlled resource account in the electronic message.
  - 31. The method of claim 30, including executing the instruction regarding the controlled resource account contained in the electronic message.
  - 32. The method of claim 28, including granting access to the controlled resource in response to authenticating the requesting entity.
  - 33. The method of claim 28, including authenticating the electronic message after retrieving the public key from the database using the unique identifier.
  - 34. The method of claim 28, including storing the security account record in an account database.

35. A method of authenticating a requesting entity for continuing access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, the requesting entity having a device with a security profile associated therewith and including a public-private key pair in the device, the access authentication component having evaluated the security profile status and authenticated access to the controlled resource for the requesting entity, the access authentication component maintaining business rules and now requesting in accordance with one of the rules that the security profile be reconfirmed by the requesting entity, comprising the steps of:
- (a) the access authentication component obtaining the security profile associated with the device;
  
  the access authentication component obtaining the security profile associated with the device;
  
  (b) the access authentication component evaluating the current security profile with the security profile required by the business rule; and
  
  (c) upon the successful evaluation of the security profile, the access authentication component authenticating the requesting entity for continuing access to the controlled resource.
- View Dependent Claims (36, 37, 38, 39)
- - 36. The method of claim 35, including the requesting entity establishing an account in the controlled resource.
  - 37. The method of claim 36, including establishing a session with the controlled resource account.
  - 38. The method of claim 37, including reconfirming the security profile to continue the session in the controlled resource account.
  - 39. The method of claim 35, including storing the security profile in a secure database.

40. A method of initially authenticating a requesting entity for access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, comprising the steps of:
- (a) the requesting entity initially opening a security account with the access authentication component, the access authentication component establishing business rules and maintaining at least one record including information pertaining to the account and being retrievable based on a unique identifier established for the requesting entity, and for each record, associating a public key of a respective public-private key pair of the requesting entity with the record;
  
  (b) providing the requesting entity with a device having a security profile associated therewith and including the public-private key pair in the device;
  
  (c) after initializing the account, the requesting entity presenting the device to the access authentication component to obtain access to the controlled resource;
  
  (d) the access authentication component obtaining the security profile of the device;
  
  (e) the access authentication component evaluating the security profile of the device to the security profile required by the business rule; and
  
  (f) upon the successful evaluation of the security profile of the device, the access authentication component authenticating the requesting entity for access to the controlled resource.
- View Dependent Claims (41, 42)
- - 41. The method of claim 40, including the requesting entity establishing an account in the controlled resource.
  - 42. The method of claim 40, including storing the security profile in a secure database.

43. A method of authenticating a requesting entity for access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, comprising the steps of:
- (a) providing the requesting entity with a device and including a public-private key pair in the device;
  
  (b) the requesting entity initially opening a security account with the access authentication component, the access authentication component establishing and maintaining at least one record including information pertaining to the account and being retrievable based on a unique identifier established for the requesting entity, and for each record, associating the public key of the respective public-private key pair of the requesting entity with the record;
  
  (c) associating a security profile with the device;
  
  (d) after initializing the account, the requesting entity entering personal verification data into the device, the device verifying the data to form a verification status;
  
  (e) the requesting entity then originating and digitally signing an electronic message including the verification status using the device private key of the requesting entity'"'"'s public-private key pair, and sending the electronic message to the access authentication component with the unique identifier of the requesting entity;
  
  (f) the access authentication component authenticating the electronic message, including the verification status and the security profile using the public key associated with the record identified by the requesting entity'"'"'s unique identifier included with the electronic message; and
  
  (g) upon the successful authentication of the electronic message, the verification status and the security profile, the access authentication component authenticating the requesting entity for access to the controlled resource.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50, 51)
- - 44. The method of claim 43, including the requesting entity establishing an account in the controlled resource.
  - 45. The method of claim 44, including an instruction regarding the controlled resource account in the electronic message.
  - 46. The method of claim 45, including executing the instruction regarding the controlled resource account contained in the electronic message.
  - 47. The method of claim 43, including granting access to the controlled resource in response to authenticating the requesting entity.
  - 48. The method of claim 43, including authenticating the electronic message after retrieving the public key from the database using the unique identifier.
  - 49. The method of claim 43, including storing the security account record in an account database.
  - 50. The method of claim 43, including personalizing the device by storing data relating to the requesting entity.
  - 51. The method of claim 43, including storing the security profile in a secure database.

52. A method of authenticating a requesting entity for access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, comprising the steps of:
- (a) the requesting entity initially opening a security account with the access authentication component, the access authentication component establishing and maintaining at least one record in an account database, each record including information pertaining to the account and being retrievable based on a unique identifier established for the requesting entity, and for each record, associating a public key of a respective public-private key pair of the requesting entity with the record;
  
  (b) providing the requesting entity with a device and including the public-private key pair in the device;
  
  (c) the requesting entity establishing an account in the controlled resource;
  
  (d) after initializing the accounts the requesting entity originating an electronic message including an instruction regarding the controlled resource account and generating a digital signature using a private key of the requesting entity'"'"'s public-private key pair in the device, and sending the digitally signed electronic message from the device to the access authentication component with the unique identifier of the requesting entity;
  
  (e) the access authentication component authenticating the electronic message using the public key associated with the record identified by the requesting entity'"'"'s unique identifier included with the electronic message, after retrieving the public key from the database using the unique identifier;
  
  (f) upon the successful authentication of the electronic message, the access authentication component authenticating the requesting entity for access to the controlled resource;
  
  (g) granting access to the controlled resource in response to authenticating the requesting entity; and
  
  (h) executing the instruction regarding the controlled resource account contained in the electronic message.

53. A method of authenticating a requesting entity for access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, comprising the steps of:
- (a) the requesting entity initially opening a security account with the access authentication component, the access authentication component establishing and maintaining at least one record in an account database, each record including information pertaining to the account and being retrievable based on a unique identifier established for the requesting entity, and for each record, associating a public key of a respective public-private key pair of the requesting entity with the record;
  
  (b) providing the requesting entity with a device and including the public-private key pair in the device;
  
  (c) personalizing the device by storing data relating to the requesting entity;
  
  (d) the requesting entity establishing an account in the controlled resource;
  
  (e) after initializing the accounts, the requesting entity entering personal verification data and verifying the data to form at least one verification status;
  
  (f) the requesting entity then originating an electronic message including an instruction regarding the controlled resource account and the verification status and generating a digital signature using the private key of the requesting entity'"'"'s public-private key pair in the device, and sending the digitally signed electronic message from the device to the access authentication component with the unique identifier of the requesting entity;
  
  (g) the access authentication component authenticating the electronic message and the verification status using the public key associated with the record identified by the requesting entity'"'"'s unique identifier included with the electronic message, after retrieving the public key from the database using the unique identifier;
  
  upon the successful authentication of the electronic message and the verification status, the access authentication component authenticating the requesting entity for access to the controlled resource;
  
  (h) granting access to the controlled resource in response to authenticating the requesting entity; and
  
  (i) executing the instruction regarding the controlled resource account contained in the electronic message.

54. A method of authenticating a requesting entity for continuing access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, providing the requesting entity with a device and including the public-private key pair in the device, personalizing the device by storing data relating to the requesting entity, the requesting entity having an account in the controlled resource the requesting entity initially entering personal verification data in the device and the device verifying the data to form a verification status and the device having sent the verification status to the access authentication component, the access authentication component having evaluated the verification status and authenticated access to the controlled resource for the requesting entity, the access authentication component maintaining business rules and now requesting in accordance with one of the rules that the verification status be reconfirmed by the requesting entity, comprising the steps of:
- (a) the access authentication component sending a message requesting the current verification status from the requesting entity;
  
  (b) the requesting entity digitally signing and resending the current verification status in a message to the access authentication component;
  
  (c) the access authentication component receiving and authenticating the message to obtain the current verification status;
  
  (d) the access authentication component evaluating the current verification status with the status required by the business rule; and
  
  (e) upon the successful authentication of the verification status, the access authentication component authenticating the requesting entity for continuing access to the controlled resource account.

55. A method of initially authenticating a requesting entity for access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, comprising the steps of:
- (a) the requesting entity initially opening a security account with the access authentication component, the access authentication component establishing and maintaining at least one record in an account database, each record including information pertaining to the account and being retrievable based on a unique identifier established for the requesting entity, and for each record, associating a public key of a respective public-private key pair of the requesting entity with the record;
  
  (b) providing the requesting entity with a device and including the public-private key pair in the device;
  
  (c) personalizing the device by storing data relating to the requesting entity;
  
  (d) the requesting entity establishing an account in the controlled resource;
  
  (e) after initializing the account, the requesting entity entering personal verification data and verifying the data to form a verification status;
  
  (f) the requesting entity then sending the verification status to the access authentication component with the unique identifier of the requesting entity;
  
  (g) the access authentication component authenticating the verification status using the requesting entity'"'"'s unique identifier; and
  
  (h) upon the successful authentication of the verification status, the access authentication component authenticating the requesting entity for access to the controlled resource account.

56. A method of authenticating a requesting entity for access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, comprising the steps of:
- (a) providing the requesting entity with a device having a security profile associated therewith, storing the security profile in a secure database and including a public-private key pair in the device;
  
  (b) the requesting entity initially opening a security account with the access authentication component, the access authentication component establishing and maintaining at least one record in an account database, each record including information pertaining to the account and being retrievable based on a unique identifier established for the requesting entity, and for each record, associating the public key of the respective public-private key pair of the requesting entity with the record;
  
  (c) the requesting entity establishing an account in the controlled resource;
  
  (d) after initializing the account, the requesting entity then originating and digitally signing an electronic message including an instruction regarding the controlled resource account using the device private key of the requesting entity'"'"'s public-private key pair, and sending the electronic message from the device to the access authentication component with the unique identifier of the requesting entity;
  
  (e) the access authentication component obtaining the security profile and authenticating the electronic message and the security profile using the public key associated with the record identified by the requesting entity'"'"'s unique identifier included with the electronic message, after retrieving the public key from the account database using the unique identifier; and
  
  (f) upon the successful authentication of the electronic message and approval of the security profile for the controlled resource, the access authentication component authenticating the requesting entity for access to the controlled resource;
  
  (g) granting access to the controlled resource in response to authenticating the requesting entity; and
  
  (f) executing the instruction regarding the controlled resource account contained in the electronic message.

57. A method of authenticating a requesting entity for continuing access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, the requesting entity having a device with a security profile associated therewith and including a public-private key pair in the device, storing the security profile in a secure database, the access authentication component having evaluated the security profile and authenticated access to a session in an account in the controlled resource for the requesting entity, the access authentication component maintaining business rules and now requesting in accordance with one of the rules that the security profile be reconfirmed by the requesting entity to continue the session with the account, comprising the steps of:
- (a) the access authentication component obtaining the security profile associated with the device;
  
  (b) the access authentication component evaluating the current security profile with the security profile required by the business rule to continue the session with the account; and
  
  (c) upon the successful evaluation of the security profile, the access authentication component authenticating the requesting entity for continuing access to the controlled resource account.

58. A method of initially authenticating a requesting entity for access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, comprising the steps of:
- (a) the requesting entity initially opening a security account with the access authentication component, the access authentication component establishing business rules and maintaining at least one record in an account database, each record including information pertaining to the account and being retrievable based on a unique identifier established for the requesting entity, and for each record, associating a public key of a respective public-private key pair of the requesting entity with the record;
  
  (b) providing the requesting entity with a device having a security profile associated therewith, storing the security profile in a secure database and including the public-private key pair in the device;
  
  (c) after initializing the account, the requesting entity presenting the device to the access authentication component to obtain access to the controlled resource;
  
  (d) the access authentication component obtaining the security profile of the device;
  
  (e) the access authentication component evaluating the security profile of the device to the security profile required by the business rule; and
  
  (f) upon the successful evaluation of the security profile of the device, the access authentication component authenticating the requesting entity for access to the controlled resource.

59. A method of authenticating a requesting entity for access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, comprising the steps of:
- (a) providing the requesting entity with a device and including a public-private key pair in the device;
  
  (b) the requesting entity initially opening a security account with the access authentication component, the access authentication component establishing and maintaining at least one record in an account database, each record including information pertaining to the account and being retrievable based on a unique identifier established for the requesting entity, and for each record, associating the public key of the respective public-private key pair of the requesting entity with the record;
  
  (c) associating a security profile with the device;
  
  (d) the requesting entity establishing an account in the controlled resource;
  
  (e) after initializing the accounts, the requesting entity entering personal verification data into the device, the device verifying the data to form a verification status;
  
  (f) the requesting entity then originating and digitally signing an electronic message including an instruction regarding the controlled resource account and the verification status using the device private key of the requesting entity'"'"'s public-private key pair in the device, and sending the electronic message from the device to the access authentication component with the unique identifier of the requesting entity;
  
  (g) the access authentication component obtaining the security profile of the device and authenticating the electronic message, including the verification status and the security profile using the public key associated with the record identified by the requesting entity'"'"'s unique identifier included with the electronic message, after retrieving the public key from the database using the unique identifier;
  
  (h) upon the successful authentication of the electronic message, the verification status and the security profile, the access authentication component authenticating the requesting entity for access to the controlled resource;
  
  (i) granting access to the controlled resource in response to authenticating the requesting entity; and
  
  (j) executing the instruction regarding the controlled resource account contained in the electronic message.

60. A data structure for an electronic communication from a requesting entity to an access authentication component, comprising:
- (a) an account identifier identifying an account maintained by the access authentication component;
  
  (b) an access request message for accessing the account; and
  
  (c) a digital signature signed with the private key of the requesting entity;
  
  whereby the access authentication component, in response to receipt of the electronic communication, utilizes the account identifier to retrieve a prestored public key corresponding to the private key of the requesting entity and utilizes the retrieved public key to authenticate the requesting entity.

61. A data structure for an electronic communication from a requesting entity to an access authentication component, comprising:
- (a) an account identifier identifying an account maintained by the access authentication component;
  
  (b) an access request message for accessing the account, including a verification status indicator; and
  
  (c) a digital signature signed with the private key of the requesting entity whereby the access authentication component, in response to receipt of the electronic communication, utilizes the account identifier to retrieve a prestored public key corresponding to the private key of the requesting entity and utilizes the retrieved public key to authenticate the verification status and authenticate the requesting entity.

62. A method for controlling access by a requesting entity to one or more controlled resources via an electronic communication, the electronic communication including at least a digital signature, comprising the steps of:
- (a) in response to a first electronic communication from the requesting entity including a request to access a first controlled resource, authenticating the first electronic communication by validating the digital signature with a public key to determine if the requesting entity is an authenticated entity;
  
  (b) in response to authenticating the first electronic communication, determining a first access permission to the controlled resource with respect to the authenticated entity;
  
  (c) permitting access to the first controlled resource in accordance with the first access permission;
  
  (d) in response to a second electronic communication from the requesting entity including a request to access a second controlled resource, authenticating the second electronic communication by validating the digital signature with a public key to determine if the requesting entity is an authenticated entity;
  
  (e) in response to authenticating the second electronic communication, determining a second access permission to the second controlled resource with respect to the authenticated entity; and
  
  (f) permitting access to the second controlled resource in accordance with the second access permission.

63. A system of authenticating a requesting entity for access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, comprising:
- (a) a requesting entity security account opened with the access authentication component, the access authentication component establishing and maintaining at least one record including information pertaining to the account and being retrievable based on a unique identifier established for the requesting entity, and for each record a public key of a respective public-private key pair of the requesting entity associated with the record;
  
  (b) after initializing the account the requesting entity originating an electronic message and generating a digital signature using a private key of the requesting entity'"'"'s public-private key pair, and a component for sending the digitally signed electronic message to the access authentication component with the unique identifier of the requesting entity;
  
  (c) the access authentication component authenticating the electronic message using the public key associated with the record identified by the requesting entity'"'"'s unique identifier included with the electronic message; and
  
  (d) upon the successful authentication of the electronic message, the access authentication component authenticating the requesting entity for access to the controlled resource.
- View Dependent Claims (64, 65, 66, 67, 68, 69, 70)
- - 64. The system of claim 63, including the requesting entity having a device with the public-private key pair in the device.
  - 65. The system of claim 63, including an account established in the controlled resource for the requesting entity.
  - 66. The system of claim 65, including an instruction regarding the controlled resource account in the electronic message.
  - 67. The system of claim 66, including a component for executing the instruction regarding the controlled resource account contained in the electronic message.
  - 68. The system of claim 63, including a component for granting access to the controlled resource in response to authenticating the requesting entity.
  - 69. The system of claim 63, including a component for authenticating the electronic message after retrieving the public key from the database using the unique identifier.
  - 70. The system of claim 63, including the security account record stored in an account database.

71. A system for authenticating a requesting entity for access to a controlled resource by communicating electronically over a communications medium to an access authentication component controlling the controlled resource, comprising:
- a) a requesting entity security account opened with the access authentication component, the access authentication component establishing and maintaining at least one record including information pertaining to the account and being retrievable based on a unique identifier established for the requesting entity, and for each record a public key of a respective public-private key pair of the requesting entity associated with the record;
  
  b) after initializing the account, the requesting entity entering personal verification data and a component for verifying the data to form at least one verification status;
  
  (c) the requesting entity then originating an electronic message including the verification status and generating a digital signature using the private key of the requesting entity'"'"'s public-private key pair, and a component for sending the digitally signed electronic message to the access authentication component with the unique identifier of the requesting entity;
  
  (d) the access authentication component authenticating the electronic message and the verification status using the public key associated with the record identified by the requesting entity'"'"'s unique identifier included with the electronic message; and
  
  (e) upon the successful authentication of the electronic message and the verification status, the access authentication component authenticating the requesting entity for access to the controlled resource.
- View Dependent Claims (72, 73, 74, 75, 76, 77, 78, 79)
- - 72. The system of claim 71, including the requesting entity having a device with the public-private key pair in the device.
  - 73. The system of claim 71, including a requesting entity account established in the controlled resource.
  - 74. The system of claim 73, including an instruction regarding the controlled resource account in the electronic message.
  - 75. The system of claim 74, including a component for executing the instruction regarding the controlled resource account contained in the electronic message.
  - 76. The system of claim 73, including a component for granting access to the controlled resource in response to authenticating the requesting entity.
  - 77. The system of claim 73, including a component for authenticating the electronic message after retrieving the public key from the database using the unique identifier.
  - 78. The system of claim 73, including the security account record stored in an account database.
  - 79. The system of claim 73, including personalizing data relating to the requesting entity stored in the device.

80. A system for authenticating a requesting entity for continuing access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, the requesting entity initially entering personal verification data and verifying the data to form a verification status and having sent the verification status to the access authentication component, the access authentication component having evaluated the verification status and authenticated access to the controlled resource for the requesting entity, the access authentication component maintaining business rules and now requesting in accordance with one of the rules that the verification status be reconfirmed by the requesting entity, comprising:
- (a) the access authentication component sending a message requesting the current verification status from the requesting entity;
  
  (b) the requesting entity resending the current verification status to the access authentication component;
  
  (c) the access authentication component receiving the current verification status;
  
  (d) the access authentication component evaluatinging the current verification status with the status required by the business rule; and
  
  (e) upon the successful authentication of the verification status, the access authentication component authenticating the requesting entity for continuing access to the controlled resource.
- View Dependent Claims (21, 81, 82, 83, 84)
- - 21. The method of claim 81, including authenticating the electronic message after retrieving the public key from the database using the unique identifier.
  - 81. The system of claim 80, including the requesting entity having a device with the public-private key pair in the device.
  - 82. The system of claim 80, including a requesting entity account established in the controlled resource.
  - 83. The system of claim 80, including a component for authenticating the electronic message after retrieving the public key from the database using the unique identifier.
  - 84. The system of claim 80, including the security account record stored in an account database.

85. A system for initially authenticating a requesting entity for access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, comprising:
- (a) a requesting entity security account opened with the access authentication component, the access authentication component establishing and maintaining at least one record including information pertaining to the account and being retrievable based on a unique identifier established for the requesting entity, and for each record a public key of a respective public-private key pair of the requesting entity associated with the record;
  
  (b) after initializing the account, the requesting entity entering personal verification data and verifying the data to form a verification status;
  
  (c) the requesting entity then sending the verification status to the access authentication component with the unique identifier of the requesting entity;
  
  (d) the access authentication component authenticating the verification status using the requesting entity'"'"'s unique identifier; and
  
  (e) upon the successful authentication of the verification status, the access authentication component authenticating the requesting entity for access to the controlled resource.
- View Dependent Claims (86, 87, 88, 89)
- - 86. The system of claim 85, including the requesting entity having a device with the public-private key pair in the device.
  - 87. The system of claim 85, including a requesting entity account established in the controlled resource.
  - 88. The system of claim 85, including a component for authenticating the electronic message after retrieving the public key from the database using the unique identifier.
  - 89. The system of claim 85, including the security account record stored in an account database.

90. A system for authenticating a requesting entity for access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, comprising:
- (a) the requesting entity having a device with a security profile associated therewith and a public-private key pair in the device;
  
  (b) a requesting entity security account opened with the access authentication component, the access authentication component establishing and maintaining at least one record including information pertaining to the account and being retrievable based on a unique identifier established for the requesting entity, and for each record the public key of the respective public-private key pair of the requesting entity associated with the record;
  
  (c) after initializing the account, the requesting entity then originating and digitally signing an electronic message using the device private key of the requesting entity'"'"'s public-private key pair, and a component for sending the electronic message to the access authentication component with the unique identifier of the requesting entity;
  
  (d) the access authentication component authenticating the electronic message and the security profile using the public key associated with the record identified by the requesting entity'"'"'s unique identifier included with the electronic message; and
  
  (e) upon the successful authentication of the electronic message and approval of the security profile for the controlled resource, the access authentication component authenticating the requesting entity for access to the controlled resource.
- View Dependent Claims (91, 92, 93, 94, 95, 96)
- - 91. The system of claim 90, including a requesting entity account established in the controlled resource.
  - 92. The system of claim 91, including an instruction regarding the controlled resource account in the electronic message.
  - 93. The system of claim 92, including a component for executing the instruction regarding the controlled resource account contained in the electronic message.
  - 94. The system of claim 90, including a component for granting access to the controlled resource in response to authenticating the requesting entity.
  - 95. The system of claim 90, including a component for authenticating the electronic message after retrieving the public key from the database using the unique identifier.
  - 96. The system of claim 90, including the security account record stored in an account database.

97. A system for authenticating a requesting entity for continuing access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, the requesting entity having a device with a security profile associated therewith and including a public-private key pair in the device, the access authentication component having evaluated the security profile status and authenticated access to the controlled resource for the requesting entity, the access authentication component maintaining business rules and now requesting in accordance with one of the rules that the security profile be reconfirmed by the requesting entity, comprising:
- (a) the access authentication component obtaining the security profile associated with the device;
  
  (b) the access authentication component evaluating the current security profile with the security profile required by the business rule; and
  
  (c) upon the successful authentication of the security profile, the access authentication component authenticating the requesting entity for continuing access to the controlled resource.
- View Dependent Claims (98, 99, 100, 101)
- - 98. The system of claim 97, including a requesting entity account established in the controlled resource.
  - 99. The system of claim 98, including a component for establishing a session with the controlled resource account.
  - 100. The system of claim 99, including a component for reconfirming the security profile to continue the session in the controlled resource account.
  - 101. The system of claim 97, including the security profile stored in a secure database.

102. A system for initially authenticating a requesting entity for access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, comprising:
- (a) a requesting entity security account opened with the access authentication component, the access authentication component establishing business rules and maintaining at least one record including information pertaining to the account and being retrievable based on a unique identifier established for the requesting entity, and for each record a public key of a respective public-private key pair of the requesting entity associated with the record;
  
  (b) the requesting entity having a device with a security profile associated therewith and the public-private key pair in the device;
  
  (c) after initializing the account, the requesting entity presenting the device to the access authentication component to obtain access to the controlled resource;
  
  (d) the access authentication component obtaining the security profile of the device;
  
  (e) the access authentication component evaluating the security profile of the device to the security profile required by the business rule; and
  
  (f) upon the successful evaluation of the security profile of the device, the access authentication component authenticating the requesting entity for access to the controlled resource.
- View Dependent Claims (103, 104)
- - 103. The system of claim 102, including a requesting entity account established in the controlled resource.
  - 104. The system of claim 102, including the security profile stored in a secure database.

105. A system for authenticating a requesting entity for access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, comprising:
- (a) the requesting entity having a device with a public-private key pair in the device;
  
  (b) a requesting entity security account opened with the access authentication component, the access authentication component establishing and maintaining at least one record including information pertaining to the account and being retrievable based on a unique identifier established for the requesting entity, and for each record the public key of the respective public-private key pair of the requesting entity associated with the record;
  
  (c) a security profile associated with the device;
  
  (d) after initializing the account, the requesting entity entering personal verification data into the device, the device verifying the data to form a verification status;
  
  (e) the requesting entity then originating and digitally signing an electronic message including the verification status using the device private key of the requesting entity'"'"'s public-private key pair, and a component for sending the electronic message to the access authentication component with the unique identifier of the requesting entity;
  
  (f) the access authentication component authenticating the electronic message, including the verification status and the security profile using the public key associated with the record identified by the requesting entity'"'"'s unique identifier included with the electronic message; and
  
  (g) upon the successful authentication of the electronic message, the verification status and the security profile, the access authentication component authenticating the requesting entity for access to the controlled resource.
- View Dependent Claims (106, 107, 108, 109, 110, 111, 112, 113)
- - 106. The system of claim 105, including a requesting entity account established in the controlled resource.
  - 107. The system of claim 106, including an instruction regarding the controlled resource account in the electronic message.
  - 108. The system of claim 107, including a component for executing the instruction regarding the controlled resource account contained in the electronic message.
  - 109. The system of claim 105, including a component for granting access to the controlled is resource in response to authenticating the requesting entity.
  - 110. The system of claim 105, including a component for authenticating the electronic message after retrieving the public key from the database using the unique identifier.
  - 111. The system of claim 105, including the security account record stored in an account database.
  - 112. The system of claim 105, including personalizing data relating to the requesting entity stored in the device.
  - 113. The system of claim 105, including the security profile stored in a secure database.

114. A system for authenticating a requesting entity for access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, comprising:
- (a) a requesting entity security account opened with the access authentication component, the access authentication component establishing and maintaining at least one record in an account database, each record including information pertaining to the account and being retrievable based on a unique identifier established for the requesting entity, and for each record a public key of a respective public-private key pair of the requesting entity associated with the record;
  
  (b) the requesting entity having a device with the public-private key pair in the device;
  
  (c) a requesting entity account established in the controlled resource;
  
  (d) after initializing the accounts the requesting entity originating an electronic message including an instruction regarding the controlled resource account and generating a digital signature using a private key of the requesting entity'"'"'s public-private key pair in the device, and a component for sending the digitally signed electronic message from the device to the access authentication component with the unique identifier of the requesting entity;
  
  (e) the access authentication component authenticating the electronic message using the public key associated with the record identified by the requesting entity'"'"'s unique identifier included with the electronic message, after retrieving the public key from the database using the unique identifier;
  
  (f) upon the successful authentication of the electronic message, the access authentication component authenticating the requesting entity for access to the controlled resource;
  
  (g) a component for granting access to the controlled resource in response to authenticating the requesting entity; and
  
  (h) a component for executing the instruction regarding the controlled resource account contained in the electronic message.

115. A system for authenticating a requesting entity for access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, comprising:
- (a) a requesting entity a security account opened with the access authentication component, the access authentication component establishing and maintaining at least one record in an account database, each record including information pertaining to the account and being retrievable based on a unique identifier established for the requesting entity, and for each record a public key of a respective public-private key pair of the requesting entity associated with the record;
  
  (b) the requesting entity having a device with the public-private key pair in the device;
  
  (c) personalizing data relating to the requesting entity stored in the device;
  
  (d) a requesting entity account opened in the controlled resource;
  
  (e) after initializing the accounts, the requesting entity entering personal verification data and verifying the data to form at least one verification status;
  
  (f) the requesting entity then originating an electronic message including an instruction regarding the controlled resource account and the verification status and generating a digital signature using the private key of the requesting entity'"'"'s public-private key pair in the device, and a component for sending the digitally signed electronic message from the device to the access authentication component with the unique identifier of the requesting entity;
  
  (g) the access authentication component authenticating the electronic message and the verification status using the public key associated with the record identified by the requesting entity'"'"'s unique identifier included with the electronic message, after retrieving the public key from the database using the unique identifier;
  
  upon the successful authentication of the electronic message and the verification status, the access authentication component authenticating the requesting entity for access to the controlled resource;
  
  (h) a component for granting access to the controlled resource in response to authenticating the requesting entity; and
  
  (i) a component for executing the instruction regarding the controlled resource account contained in the electronic message.

116. A system for authenticating a requesting entity for continuing access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, providing the requesting entity with a device and including the public-private key pair in the device, personalizing the device by storing data relating to the requesting entity, the requesting entity having an account in the controlled resource the requesting entity initially entering personal verification data in the device and the device verifying the data to form a verification status and the device having sent the verification status to the access authentication component, the access authentication component having evaluateded the verification status and authenticated access to the controlled resource for the requesting entity, the access authentication component maintaining business rules and now requesting in accordance with one of the rules that the verification status be reconfirmed by the requesting entity, comprising:
- (a) the access authentication component sending a message requesting the current verification status from the requesting entity;
  
  (b) the requesting entity digitally signing and resending the current verification status in a message to the access authentication component;
  
  (c) the access authentication component receiving and authenticating the message to obtain the current verification status;
  
  (d) the access authentication component evaluating the current verification status with the status required by the business rule; and
  
  (e) upon the successful evaluation of the verification status, the access authentication component authenticating the requesting entity for continuing access to the controlled resource account.

117. A system for initially authenticating a requesting entity for access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, comprising:
- (a) a requesting entity a security account opened with the access authentication component, the access authentication component establishing and maintaining at least one record in an account database, each record including information pertaining to the account and being retrievable based on a unique identifier established for the requesting entity, and for each record a public key of a respective public-private key pair of the requesting entity associated with the record;
  
  (b) the requesting entity having a device with the public-private key pair in the device;
  
  (c) personalizing data relating to the requesting entity stored in the device;
  
  (d) a requesting entity account established in the controlled resource;
  
  (e) after initializing the account, the requesting entity entering personal verification data and verifying the data to form a verification status;
  
  (f) the requesting entity then sending the verification status to the access authentication component with the unique identifier of the requesting entity;
  
  (g) the access authentication component authenticating the verification status using the requesting entity'"'"'s unique identifier; and
  
  (h) upon the successful authentication of the verification status, the access authentication component authenticating the requesting entity for access to the controlled resource account.

118. A system for authenticating a requesting entity for access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, comprising:
- (a) the requesting entity having a device with a security profile associated therewith, the security profile stored in a secure database and a public-private key pair in the device;
  
  (b) a requesting entity security account opened with the access authentication component, the access authentication component establishing and maintaining at least one record in an account database, each record including information pertaining to the account and being retrievable based on a unique identifier established for the requesting entity, and for each record the public key of the respective public-private key pair of the requesting entity associated with the record;
  
  (c) a requesting entity account established in the controlled resource;
  
  (d) after initializing the account, the requesting entity then originating and digitally signing an electronic message including an instruction regarding the controlled resource account using the device private key of the requesting entity'"'"'s public-private key pair, and a component for sending the electronic message from the device to the access authentication component with the unique identifier of the requesting entity;
  
  (e) the access authentication component obtaining the security profile and authenticating the electronic message and the security profile using the public key associated with the record identified by the requesting entity'"'"'s unique identifier included with the electronic message, after retrieving the public key from the account database using the unique identifier;
  
  (f) upon the successful authentication of the electronic message and approval of the security profile for the controlled resource, the access authentication component authenticating the requesting entity for access to the controlled resource;
  
  (g) a component for granting access to the controlled resource in response to authenticating the requesting entity; and
  
  (h) a component for executing the instruction regarding the controlled resource account contained in the electronic message.

119. A system for authenticating a requesting entity for continuing access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, the requesting entity having a device with a security profile associated therewith and including a public-private key pair in the device, storing the security profile in a secure database, the access authentication component having evaluated the security profile and authenticated access to a session in an account in the controlled resource for the requesting entity, the access authentication component maintaining business rules and now requesting in accordance with one of the rules that the security profile be reconfirmed by the requesting entity to continue the session with the account, comprising:
- (a) the access authentication component obtaining the security profile associated with the device;
  
  (b) the access authentication component evaluating the current security profile with the security profile required by the business rule to continue the session with the account; and
  
  (c) upon the successful evaluation of the security profile, the access authentication component authenticating the requesting entity for continuing access to the controlled resource account.

120. A system for initially authenticating a requesting entity for access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, comprising:
- (a) a requesting entity security account opened with the access authentication component, the access authentication component establishing business rules and maintaining at least one record in an account database, each record including information pertaining to the account and being retrievable based on a unique identifier established for the requesting entity, and for each record a public key of a respective public-private key pair of the requesting entity associated with the record;
  
  (b) the requesting entity having a device with a security profile associated therewith, the security profile stored in a secure database and the public-private key pair in the device;
  
  (c) after initializing the account, the requesting entity presenting the device to the access authentication component to obtain access to the controlled resource;
  
  (d) the access authentication component obtaining the security profile of the device;
  
  (e) the access authentication component evaluating the security profile of the device to the security profile required by the business rule; and
  
  (f) upon the successful evaluation of the security profile of the device, the access authentication component authenticating the requesting entity for access to the controlled resource.

121. A system for authenticating a requesting entity for access to a controlled resource by communicating electronically over a communications medium to an access authentication component for the controlled resource, comprising:
- (a) the requesting entity having a device with a public-private key pair in the device;
  
  (b) a requesting entity security account opened with the access authentication component, the access authentication component establishing and maintaining at least one record in an account database, each record including information pertaining to the account and being retrievable based on a unique identifier established for the requesting entity, and for each record the public key of the respective public-private key pair of the requesting entity associated with the record;
  
  (c) a security profile associated with the device;
  
  (d) a requesting entity account established in the controlled resource;
  
  (e) after initializing the accounts, the requesting entity entering personal verification data into the device, the device verifying the data to form a verification status;
  
  (f) the requesting entity then originating and digitally signing an electronic message including an instruction regarding the controlled resource account and the verification status using the device private key of the requesting entity'"'"'s public-private key pair in the device, and a component for sending the electronic message from the device to the access authentication component with the unique identifier of the requesting entity;
  
  (g) the access authentication component obtaining the security profile of the device and authenticating the electronic message, including the verification status and the security profile using the public key associated with the record identified by the requesting entity'"'"'s unique identifier included with the electronic message, after retrieving the public key from the database using the unique identifier;
  
  (h) upon the successful authentication of the electronic message, the verification status and the security profile, the access authentication component authenticating the requesting entity for access to the controlled resource;
  
  (i) a component for granting access to the controlled resource in response to authenticating the requesting entity; and
  
  (j) a component for executing the instruction regarding the controlled resource account contained in the electronic message.

122. A system for controlling access by a requesting entity to one or more controlled resources via an electronic communication, the electronic communication including at least a digital signature, comprising:
- (a) in response to a first electronic communication from the requesting entity including a request to access a first controlled resource, a component for authenticating the first electronic communication by validating the digital signature with a public key to determine if the requesting entity is an authenticated entity;
  
  (b) in response to authenticating the first electronic communication, a component for determining a first access permission to the controlled resource with respect to the authenticated entity;
  
  (c) a component for permitting access to the first controlled resource in accordance with the first access permission;
  
  (d) in response to a second electronic communication from the requesting entity including a request to access a second controlled resource, a component for authenticating the second electronic communication by validating the digital signature with a public key to determine if the requesting entity is an authenticated entity;
  
  (e) in response to authenticating the second electronic communication, a component for determining a second access permission to the second controlled resource with respect to the authenticated entity; and
  
  (f) a component for permitting access to the second controlled resource in accordance with the second access permission.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
First Data Corporation (Fiserv Incorporated)
Original Assignee
First Data Corporation (Fiserv Incorporated)
Inventors
Wheeler, Lynn Henry, Wheeler, Anne M

Application Number

US10/343,618
Publication Number

US 20040128508A1
Time in Patent Office

Days
Field of Search
US Class Current

713/170
CPC Class Codes

G06F 21/33   using certificates

H04L 63/0442   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 63/0861   using biometrical features,...

H04L 63/102   Entity profiles

Method and apparatus for access authentication entity

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

261 Citations

122 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for access authentication entity

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

261 Citations

122 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links