System and method for securing a credential via user and server verification

US 20070245148A1
Filed: 01/03/2007
Published: 10/18/2007
Est. Priority Date: 12/31/2005
Status: Active Grant

First Claim

Patent Images

1. A method for securing a credential during an attempt to access a service hosted on a server, comprising:

(a) receiving, in a secure processor, the credential from an authentication token;

(b) verifying the identity of an individual attempting to use the authentication token to access the service;

(c) cryptographically verifying the server hosting the service; and

(d) releasing the credential for transmission to the server if the identity of the individual is successfully verified and the server is successfully verified.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for securing a credential generated by or stored in an authentication token during an attempt to access a service, application, or resource are provided. A secure processor receives a credential from an authentication token and securely stores the credential. The secure processor then verifies the identity of the individual attempting to use the authentication token and cryptographically verifies the identity of the server being accessed. The credential is only released for transmission to the server if both the identity of the individual and the identity of the server are successfully verified. Alternatively, a secure connection is established between the secure processor and the server being accessed and a secure connection is established between the secure processor and a computing device. The establishment of the secure connections verifies the identity of the server. After the secure connections are established, the identity of the user is verified.

113 Citations

21 Claims

1. A method for securing a credential during an attempt to access a service hosted on a server, comprising:
- (a) receiving, in a secure processor, the credential from an authentication token;
  
  (b) verifying the identity of an individual attempting to use the authentication token to access the service;
  
  (c) cryptographically verifying the server hosting the service; and
  
  (d) releasing the credential for transmission to the server if the identity of the individual is successfully verified and the server is successfully verified.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein step (b) includes:
    - verifying authentication data entered by the individual.
  - 3. The method of claim 2, wherein the authentication data includes a password.
  - 4. The method of claim 2, wherein the authentication data includes a shared secret.
  - 5. The method of claim 2, wherein the authentication data includes a biometric template of the individual.
  - 6. The method of claim 1, wherein step (c) includes:
    - receiving a message including a digital certificate of the server, wherein the digital certificate includes a digital signature; and
      
      validating the received digital certificate by verifying the digital signature with a public key of the server.
  - 7. The method of claim 1, wherein step (c) includes:
    - (i) transmitting a random value as a challenge to the server;
      
      (ii) receiving a digital signature from the server, wherein the digital signature is a hash value encrypted using a private key of the server and the hash value includes a hash of a server identifier and the random value;
      
      (iii) decrypting the digital signature with a public key of the server to obtain the hash value;
      
      (iv) generating a hash value including a hash of the server identifier and the random value; and
      
      (v) comparing the decrypted hash value and the generated hash value.
  - 8. The method of claim 1, wherein step (c) includes:
    - (i) transmitting a client hello message to the server, wherein the client hello message includes a listing of cryptographic algorithms supported by the secure processor;
      
      (ii) receiving a server hello message in response to the client hello message, wherein server hello message includes a selection of a cryptographic algorithm from the listing of cryptographic algorithms in the client hello message;
      
      (iii) receiving a digital certificate from the server;
      
      (iv) validating the digital certificate of the server; and
      
      (v) transmitting a client key exchange message to the server, wherein the client exchange message sets a premaster secret to be used for communication between the server and the secure processor.
  - 9. The method of claim 8, wherein the client hello message, server hello message, and client key exchange message are transport layer security (TLS) protocol messages.
  - 10. The method of claim 8, wherein the client hello message, server hello message, and client key exchange message are secure sockets layer (SSL) protocol messages.
  - 11. The method of claim 1, further comprising:
    - after step (a), storing the credential in a memory within a security boundary established by the secure processor.
  - 12. The method of claim 1, further comprising:
    - after step (a), encrypting the credential using a cryptographic key of the secure processor; and
      
      storing the encrypted credential in an external memory.

13. A method for securing a credential during an attempt to access a service hosted on a server, comprising:
- (a) establishing a secure connection between a secure processor and the server;
  
  (b) establishing a secure connection between the secure processor and a computing device;
  
  (c) receiving, in the secure processor, a credential from an authentication token; and
  
  (d) verifying the identity of an individual attempting to use the authentication token to access the service.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The method of claim 13, wherein the secure connection between the secure processor and the server is established using a transport layer security (TLS) protocol.
  - 15. The method of claim 13, wherein the secure connection between the secure processor and the computing device is established using a transport layer security (TLS) protocol.
  - 16. The method of claim 13, wherein the secure connection between the secure processor and the server is established using a secure sockets layer (SSL) protocol.
  - 17. The method of claim 13, wherein the secure connection between the secure processor and the computing device is established using a secure sockets layer (SSL) protocol.
  - 18. The method of claim 13, wherein step (b) includes:
    - verifying authentication data entered by the individual.
  - 19. The method of claim 18, wherein the authentication data includes a password.
  - 20. The method of claim 18, wherein the authentication data includes a shared secret.
  - 21. The method of claim 18, wherein the authentication data includes a biometric template of the individual.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NXP B.V. (NXP Semiconductors NV)
Original Assignee
Broadcom Corporation (Broadcom, Inc.)
Inventors
Buer, Mark

Granted Patent

US 8,112,787 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/182
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/126   the source of the received ...

H04L 9/32   including means for verifyi...

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

H04L 9/3263   involving certificates, e.g...

H04L 9/3271   using challenge-response

System and method for securing a credential via user and server verification

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

113 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for securing a credential via user and server verification

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

113 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links