Server mediated security token access

US 20050138421A1
Filed: 12/23/2003
Published: 06/23/2005
Est. Priority Date: 12/23/2003
Status: Abandoned Application

First Claim

Patent Images

1. A server mediated security token access method comprising the steps of:

a. exchanging one or more critical security parameters between a security token enabled client, a security token operatively coupled to said security token enabled client and an authentication server, wherein said security token is generally unavailable to a user due to implementation of a security policy or a processing limitation, b. performing a plurality of authentication transactions between at least said security token and said authentication server using said one or more critical security parameters, and c. allowing said user access to one or more security token resources following successful completion of said plurality of authentication transactions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system and computer program product for accessing one or more security token resources using an authentication server as an intermediary before access is permitted to the security token resources. The server intermediary performs an initial authentication based on a user supplied critical security parameter. To ensure confidentiality of transported critical security parameters, a secure messaging session is established which provides end-to-end security between the authentication server and the security token. A second critical security parameter is then sent to the security token. The security token authenticates the second critical security parameter and allows access token resources. Alternate secure communications mechanisms and an invalid entry counter reset capability are also described.

Citations

31 Claims

1. A server mediated security token access method comprising the steps of:
- a. exchanging one or more critical security parameters between a security token enabled client, a security token operatively coupled to said security token enabled client and an authentication server, wherein said security token is generally unavailable to a user due to implementation of a security policy or a processing limitation, b. performing a plurality of authentication transactions between at least said security token and said authentication server using said one or more critical security parameters, and c. allowing said user access to one or more security token resources following successful completion of said plurality of authentication transactions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1 wherein step 1.a further includes the steps of;
    - a. generating by either said security token or said security token enabled client, an access request which incorporates a unique identifier associated with said security token, b. sending said access request to said authentication server, and c. obtaining a critical security parameter associated with said unique identifier, wherein said critical security parameter is a member of said one or more critical security parameters.
  - 3. The method according to claim 1 wherein said one or more critical security parameters is selected from the group consisting of a passphrase, a cryptographic key, biometric data, a password, a security state associated with said security policy and a result of a cryptographic operation.
  - 4. The method according to claim 1 further including the step of establishing a secure messaging session between said authentication server and at least said security token.
  - 5. The method according to claim 1 further including the step of resetting an invalid entry counter associated with said security token following successful completion of said plurality of authentication transactions.
  - 6. The method according to claim 4 wherein said secure messaging session incorporates a set of session keys generated by said authentication server and shared with said security token.
  - 7. The method according to claim 4 wherein said secure messaging session incorporates an APDU communications pipe.
  - 8. The method according to claim 4 wherein said secure messaging session includes SSL, IPsec or TLS.
  - 9. The method according to claim 3 wherein said biometric data is sent from said security token enabled client to said authentication server, processed by said authentication server and returned to said security token as a member of said one or more critical security parameters.
  - 10. The method according to claim 3 wherein said biometric data is sent from said security token enabled client to said authentication server, processed by said authentication server, matched against a reference biometric template and a cryptographic result returned to said security token as a member of said one or more critical security parameters.

11. A server mediated security token access system comprising:
- a security token enabled client in processing communications with an authentication server and an operatively coupled security token, wherein said security token enabled client includes means for;
  
  receiving a first critical security parameter from a user, exchanging a plurality of critical security parameters between said security token and said authentication server, wherein said first critical security parameter is a member of said plurality of critical security parameters, generating an access request which incorporates a unique identifier associated with said security token, sending an access request and at least one member of said plurality of critical security parameters to said authentication server, and said authentication server including means for;
  
  authenticating said user via at least said at least one member, obtaining a second critical security parameter having an association with said security token, wherein said second critical security parameter is also a member of said plurality of critical security parameters, and sending said second critical security parameter to said security token;
  
  said security token including means for;
  
  authenticating said second critical security parameter, and allowing access to one or more security token resources following successful authentication of said second critical security parameter.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system according to claim 11 wherein said authentication server further includes means for generating and sharing a set of session keys with said security token.
  - 13. The system according to claim 11 wherein said processing communications includes SSL, IPsec or TLS.
  - 14. The system according to claim 12 wherein said authentication server and said security token further includes means for establishing a secure messaging session between said authentication server and said security token using said set of session keys.
  - 15. The system according to claim 12 wherein said security token further includes means for generating and assigning session identifiers to said set of session keys.
  - 16. The system according to claim 11 wherein said plurality of critical security parameters is selected from the group consisting of a passphrase, a cryptographic key, biometric data, a password, a security state associated with a security policy and a result of a cryptographic operation.
  - 17. The system according to claim 11 wherein said authentication server further includes means for;
    - processing a biometric sample sent from said security token enabled client as said first critical security parameter, generating a sample biometric template, matching said sample biometric template against a reference biometric template and returning a cryptographic result to said security token as said second critical security parameter, or sending said sample biometric template to said security token as said second critical security parameter.
  - 18. The system according to claim 11 wherein said authentication server further includes means for resetting an invalid entry counter associated with said security token following authentication of said second critical security parameter.
  - 19. The system according to claim 11 wherein said security token is generally unavailable to said user due to implementation of a security policy or a processing limitation.
  - 20. The system according to claim 16 wherein said security policy is associated with at least said security token, said security token enabled computer system or said authentication server.

21. A server mediated security token access system comprising:
- a security token enabled client in processing communications with an authentication server and an operatively coupled security token including;
  
  a user input means;
  
  a first processor;
  
  a first memory operatively coupled to said first processor;
  
  a client application operatively stored in at least a portion of said first memory having logical instructions executable by said first processor to;
  
  receive a first critical security parameter from said user input means, exchange a plurality of critical security parameters between said security token and said authentication server, wherein said first critical security parameter is a member of said plurality of critical security parameters, generate an access request which incorporates a unique identifier associated with said security token, and send said access request to said authentication server;
  
  said authentication server including;
  
  a second processor;
  
  a second memory operatively coupled to said second processor;
  
  a server application operatively stored in at least a portion of said second memory having logical instructions executable by said second processor to;
  
  authenticate a user via said first critical security parameter, obtain a second critical security parameter associated with said security token via said unique identifier, wherein said second critical security parameter is also a member of said plurality of critical security parameters, and send said second critical security parameter to said security token; and
  
  said security token including;
  
  a third processor;
  
  a third memory operatively coupled to said third processor;
  
  a security executive application operatively stored in at least a portion of said third memory having logical instructions executable by said third processor to;
  
  authenticate said second critical security parameter, and allow access to one or more security token resources following successful authentication of said second critical security parameter;
  
  wherein said security token is generally unavailable to said user due to implementation of a security policy or a processing limitation.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 30, 31)
- - 22. The system according to claim 21 wherein said authentication server further includes a pipe server application operatively installed in another portion of said second memory having logical instructions executable by said second processor to;
    - generate APDU commands, encapsulate said APDU commands in one or more communications packets, and extract APDU responses encapsulated in said one or communications packets.
  - 23. The system according to claim 22 wherein said security token enabled client further includes a pipe client application operatively installed in another portion of said first memory having logical instructions executable by said first processor to;
    - encapsulate said APDU responses in one or more communications packets, and extract said APDU commands encapsulated in said one or communications packets.
  - 24. The system according to claims 21 wherein said plurality of critical security parameters is selected from the group consisting of a passphrase, a cryptographic key, biometric data, a password, a security state associated with a security policy and a result of a cryptographic operation.
  - 25. The system according to claim 21 wherein said client application further includes logical instructions executable by said first processor to receive a biometric sample from said user and send said biometric sample to said authentication server as said first critical security parameter.
  - 26. The system according to claim 21 wherein said server application authentication further includes logical instructions executable by said second processor to;
    - process a biometric sample sent from said security token enabled client as said first critical security parameter, generate a sample biometric template, match said sample biometric template against a reference biometric template and return a cryptographic result to said security token as said second critical security parameter, or send said sample biometric template to said security token as said second critical security parameter.
  - 27. The system according to claim 21 wherein said processing communications includes SSL, IPsec or TLS.
  - 28. The system according to claim 21 wherein said processing communications includes a set of session keys generated by said authentication server and shared with said security token.
  - 30. The computer program product according to claim 28 wherein said tangible form includes magnetic media, optical media or logical media.
  - 31. The computer program product according to claim 28 wherein said executable instructions are stored in a code format selected from the group consisting of compiled, interpreted, compilable and interpretable.

29. A computer program product embodied in a tangible form readable by a plurality of processors in processing communications, wherein said computer program product includes executable instructions stored thereon for causing one or more of said plurality of processors to;
- a. exchange a plurality of critical security parameters between a first processor, a second processor and a third processor, b. authenticate a first member of said plurality of critical security parameters received by said second processor, c. send a second member of said plurality of critical security parameters to said third processor following authentication of said first member of said plurality of critical security parameters by said second processor, d. authenticate said second member of said plurality of critical security parameters by said third processor, and e. allow access to a memory coupled to said third processor following successful authentication of said second member of said plurality of critical security parameters.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ActivCard, Inc. (Assa Abloy AB)
Original Assignee
ActivCard, Inc. (Assa Abloy AB)
Inventors
Le Saint, Eric F., Fedronic, Dominique Louis Joseph

Application Number

US10/743,323
Publication Number

US 20050138421A1
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/335   for accessing specific reso...

G06F 21/34   involving the use of extern...

G06F 2221/2101   Auditing as a secondary aspect

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/3576   Multiple memory zones on card

G06Q 20/40975   using encryption therefor

G07F 7/1008   Active credit-cards provide...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/0861   using biometrical features,...

Server mediated security token access

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Server mediated security token access

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links