Derivative seeds

US 20070174614A1
Filed: 02/17/2006
Published: 07/26/2007
Est. Priority Date: 02/18/2005
Status: Active Grant

First Claim

Patent Images

1. A method for generating authentication seeds for a plurality of client-side entities, said method comprising:

based on a single master seed, generating a plurality of derivative seeds, each one for a corresponding different one of a plurality of client-side entities, wherein generating each one of the plurality of derivative seeds involves mathematically combining the master seed and a unique identifier identifying the corresponding client-side entity.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of generating authentication seeds for a plurality of users, the method involving: based on a single master seed, generating a plurality of derivative seeds, each one for a corresponding different one of a plurality of users; and distributing the plurality of derivative seeds to a verifier for use in individually authenticating each of the plurality of users to that verifier, wherein generating each one of the plurality of derivative seeds involves mathematically combining the master seed and a unique identifier identifying the corresponding user.

427 Citations

47 Claims

1. A method for generating authentication seeds for a plurality of client-side entities, said method comprising:
- based on a single master seed, generating a plurality of derivative seeds, each one for a corresponding different one of a plurality of client-side entities, wherein generating each one of the plurality of derivative seeds involves mathematically combining the master seed and a unique identifier identifying the corresponding client-side entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the plurality of client-side entities is a plurality of users.
  - 3. The method of claim 1, further comprising distributing the plurality of derivative seeds to a verifier for use in individually authenticating each of the plurality of client-side entities to that verifier.
  - 4. The method of claim 1, further comprising:
    - generating the master seed; and
      
      receiving the corresponding unique identifier for each of the plurality of client-side entities.
  - 5. The method of claim 1, further comprising:
    - receiving the master seed from a master seed generator; and
      
      receiving the corresponding unique identifier for each of the plurality of client-side entities.
  - 6. The method of claim 4, wherein receiving involves receiving from the verifier the unique identifier for each of the plurality of client-side entities.
  - 7. The method of claim 1, wherein said method is implemented on a token device and wherein generating each of the plurality of derivative seeds takes place when the client-side entity for whom that derivative seed is being generated seeks to authenticate to a verifier.
  - 8. The method of claim 1, further comprising receiving a unique identifier identifying a server to which one of the plurality of client-side entities seeks access, wherein generating the derivative seed for that client-side entity involves mathematically combining the master seed, the unique identifier identifying that client-side entity, and the unique identifier identifying the server.
  - 9. The method of claim 1, wherein mathematically combining involves using a key derivation function.
  - 10. The method of claim 9, wherein the key derivation function includes an iterative function.
  - 11. The method of claim 9, wherein the key derivation function takes as inputs a value derived from the master seed and one of the unique identifiers identifying a selected one of the plurality of client-side entities.
  - 12. The method of claim 11, wherein the value derived from the master seed is the master seed.
  - 13. The method of claim 11, wherein the value derived from the master seed is generated by mathematically combining the master seed with at least one other identifier.

14. A method of using a single master seed to authenticate any selectable one of a plurality of client-side entities to a verifier, wherein each of the plurality of client-side entities is identified by a different unique identifier, said method comprising:
- mathematically combining the master seed with the unique identifier for said any selectable client-side entity to generate a derivative seed for said any selectable client-side entity; and
  
  using the derivative seed that was generated for said any selectable client-side entity to authenticate said any selectable client-side entity to the verifier.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The method of claim 14, wherein the plurality of client-side entities is a plurality of users.
  - 16. The method of claim 15, wherein using the derivative seed for said any selectable user involves sending to the verifier a value that is computed from the derivative seed for said any selectable user.
  - 17. The method of claim 14, wherein mathematically combining the master seed with the unique identifier for said any selectable client-side entity involves using a function which utilizes a secret shared by the verifier and the client-side entity.
  - 18. The method of claim 17, wherein using the derivative seed that was generated for said any selectable client-side entity to authenticate said any selectable client-side entity to the verifier involves using an authentication algorithm selected from the group consisting of a time-based authentication algorithm, a challenge-response authentication algorithm, a counter-based authentication algorithm, and an event synchronous authentication algorithm.
  - 19. The method of claim 14, wherein mathematically combining the master seed with the unique identifier for said any selectable client-side entity involves using a function selected from the group of functions consisting of a hash function, a block cipher function, a stream cipher function, and a message authentication code function.
  - 20. The method of claim 14, wherein mathematically combining involves using a key derivation function.
  - 21. The method of claim 19, wherein the key derivation function includes an iterative function.
  - 22. The method of claim 19, wherein the key derivation function takes as inputs a value derived from the master seed and one of the unique identifiers identifying the plurality of client-side entities.
  - 23. The method of claim 21, wherein the value derived from the master seed is the master seed.

24. A method of generating authentication seeds for one or more client-side entities to enable them to individually authenticate to one or more server-side entities, said method comprising from a single master seed, generating a plurality of derivative seeds, wherein generating each one of the plurality of derivative seeds involves mathematically combining the master seed with a corresponding different plurality of unique identifiers, each unique identifier of the corresponding different plurality of unique identifiers identifying a different entity.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31)
- - 25. The method of claim 24, further comprising distributing the plurality of derivative seeds to said one or more server-side entities to enable a user to authenticate to those one or more server-side entities by using an appropriate one of the plurality of derivative seeds.
  - 26. The method of claim 24, wherein the one or more users is a plurality of users, and wherein at least one of the unique identifiers of each corresponding different plurality of identifiers identifies a corresponding different user among the plurality of users.
  - 27. The method of claim 24, wherein the one or more server-side entities is a plurality of server-side entities, wherein at least one of the unique identifiers of each corresponding different plurality of identifiers identifies a corresponding different server-side entity user among the plurality of server-side entities.
  - 28. The method of claim 24, wherein mathematically combining involves using a key derivation function.
  - 29. The method of claim 27, wherein the key derivation function includes an iterative function.
  - 30. The method of claim 27, wherein the key derivation function takes as inputs a value derived from the master seed and one of the unique identifiers identifying the plurality of client-side entities.
  - 31. The method of claim 30, wherein the value derived from the master seed is the master seed.

32. A method implemented in a token for authenticating a plurality of different first entities to a second entity, said method comprising:
- storing a master seed in the token;
  
  when any one of said plurality of first entities seeks to authenticate to the second entity, (1) mathematically combining the master seed with a unique identifier supplied for that first entity to generate a derivative seed for that first entity; and
  
  (2) using the derivative seed for that first entity to authenticate to the second entity.
- View Dependent Claims (33, 34, 35, 36, 37)
- - 33. The method of claim 32, wherein the token is implemented in a hardware device.
  - 34. The method of claim 32, wherein the token is implemented in software.
  - 35. The method of claim 32, wherein using the derivative seed for that first entity to authenticate to the second entity involves using an authentication algorithm which utilizes a secret shared by the second entity and that first entity.
  - 36. The method of claim 32, wherein using the derivative seed for that first entity to authenticate to the second entity involves using an authentication algorithm selected from the group consisting of a time-based authentication algorithm, a challenge-response authentication algorithm, a counter-based authentication algorithm, and an event synchronous authentication algorithm.
  - 37. The method of claim 32, further comprising:
    - (3) after authenticating that first entity to the second entity, erasing the derivative seed for that first entity.

38. A method for use in a network in which a user having a user device that stores a master seed authenticates through a client-side device to another entity on the network, the method comprising:
- in a server connected to the network, receiving from the client-side device a unique identifier identifying the client-side device;
  
  in the server, mathematically combining a secret with the unique identifier for the client device to generate a derivative seed, wherein the secret is derived from the master seed; and
  
  sending the derivative seed from the server to the client-side device.
- View Dependent Claims (39, 40, 41, 42, 43)
- - 39. The method of claim 38, wherein the client-side device is an intermediary server.
  - 40. The method of claim 38, further comprising, at the client-side device:
    - receiving the derivative seed; and
      
      after receiving the derivative seed, disconnecting the client-side device from the network.
  - 41. The method of claim 38, further comprising, in the user device:
    - receiving the unique identifier for the client-side device;
      
      mathematically combining at least the unique identifier with the master seed to generate the derivative seed; and
      
      using the derivative seed to authenticate the user device to the client-side device while the client-side device is disconnected from the network.
  - 42. The method of claim 38, wherein the secret is the master seed.
  - 43. The method of claim 38, wherein the secret is a derived seed that is generated by mathematically combining the master seed with one or more other identifiers.

44. A method implemented by a client-side device on a network in which a user authenticates through the client-side device to another entity on the network, the method comprising:
- sending to the other entity of the network a unique identifier identifying the client-side device;
  
  receiving from the other entity a derivative seed, wherein the derivative seed was generated by mathematically combining a secret with the unique identifier for the client-side device, wherein the secret is based on the master seed;
  
  disconnecting from the network;
  
  to authenticate a user, sending the unique identifier for the client-side device to a user device;
  
  after sending the unique identifier for the client-side device to the user device, receiving information from the user device indicating that user device possesses the derivative seed.
- View Dependent Claims (45, 46)
- - 45. The method of claim 44, wherein prior to the step of receiving information from the user device indicating that user device possesses the derivative seed, the user device generating an authentication code in response to the derivative seed, and wherein the information from the user device is the authentication code.
  - 46. The method of claim 44, wherein the secret is mathematically computed from the master seed.

47. A method of authenticating a plurality of users at a server site, said method comprising:
- storing a plurality of derived seeds that are all computed from a single master seed, wherein each one of the plurality of derived seeds is for a corresponding different one of the plurality of entities, wherein each derived seed of the plurality of seeds is generated by mathematically combining the master seed with a unique identifier for the corresponding entity;
  
  for any selected one of the plurality of users, receiving authentication information from that user that is mathematically generated from the derived seed for that user; and
  
  for that selected user, authenticating that user based on the authentication information received from that user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
RSA Security Incorporated (Symphony Technology Group LLC)
Inventors
Duane, William, Hamel, Jeffrey

Granted Patent

US 8,370,638 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

G06F 21/31   User authentication

G06F 21/34   involving the use of extern...

G07C 9/21   having a variable access code

H04L 9/0833   involving conference or gro...

H04L 9/0866   involving user or device id...

H04L 9/0869   involving random numbers or...

H04L 9/0877   using additional device, e....

H04L 9/3213   using tickets or tokens, e....

Derivative seeds

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

427 Citations

47 Claims

Specification

Use Cases

Quick Links

Others

Derivative seeds

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

427 Citations

47 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others