SECURE LOGIN USING A MULTIFACTOR SPLIT ASYMMETRIC CRYPTO-KEY WITH PERSISTENT KEY SECURITY

US 20070258594A1
Filed: 05/05/2006
Published: 11/08/2007
Est. Priority Date: 05/05/2006
Status: Active Grant

First Claim

Patent Images

1. A system for authenticating a user multiple times during a single network session, comprising:

a storage device configured to concurrently store (i) a second key portion of one of a private key and a public key of an asymmetric crypto-key associated with the user, wherein the stored second key portion and a first key portion form a first split of the one key of the asymmetric crypto-key, and (ii) another second key portion of the one key of the asymmetric crypto-key, wherein the stored other second key portion and another first key portion form a second split, different than the first split, of the one key of the asymmetric crypto-key; and

a processor configured with logic to (i) receive, via a communications network, a first message encrypted with the first key portion of the one key of the asymmetric crypto-key, (ii) decrypt the received encrypted first message with the stored second key portion of the one key of the asymmetric crypto-key to authenticate the user for access to first information available on the communications network during the network session, (iii) subsequently receive, via the communications network, a second message encrypted with the other first key portion of the one key of the asymmetric crypto-key, and (iv) decrypt the received encrypted second message with the stored other second key portion of the one key of the asymmetric crypto-key to authenticate the user for access to second information available on the communications network during the network session.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first network station encrypts a first message with a first key portion from a first split of a private or public key of a user'"'"'s asymmetric crypto-key and transmits it during a network session. The second network station decrypts the transmitted encrypted first message with a second key portion from the first split of the one key of the asymmetric crypto-key to initially authenticate the user for access, during the session, to store information. The first network station also encrypts a second message with another first key portion from a second split of that one key, and subsequently transmits it during the same network session. The second network station decrypts the subsequently transmitted encrypted second message with another second key portion from the second split of that same one key to subsequently authenticate the user for access, during the same session, to other stored_information.

236 Citations

23 Claims

1. A system for authenticating a user multiple times during a single network session, comprising:
- a storage device configured to concurrently store (i) a second key portion of one of a private key and a public key of an asymmetric crypto-key associated with the user, wherein the stored second key portion and a first key portion form a first split of the one key of the asymmetric crypto-key, and (ii) another second key portion of the one key of the asymmetric crypto-key, wherein the stored other second key portion and another first key portion form a second split, different than the first split, of the one key of the asymmetric crypto-key; and
  
  a processor configured with logic to (i) receive, via a communications network, a first message encrypted with the first key portion of the one key of the asymmetric crypto-key, (ii) decrypt the received encrypted first message with the stored second key portion of the one key of the asymmetric crypto-key to authenticate the user for access to first information available on the communications network during the network session, (iii) subsequently receive, via the communications network, a second message encrypted with the other first key portion of the one key of the asymmetric crypto-key, and (iv) decrypt the received encrypted second message with the stored other second key portion of the one key of the asymmetric crypto-key to authenticate the user for access to second information available on the communications network during the network session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system according to claim 1, wherein:
    - the processor is further configured to (i) later receive, via the communications network, a third message encrypted with the other first key portion of the one key of the asymmetric crypto-key, and (iii) decrypt the received encrypted third message with the stored other second key portion of the one key of the asymmetric crypto-key to authenticate the user for access to third information available on the communications network during the network session.
  - 3. The system according to claim 1, wherein:
    - the first information is accessible at a first network site associated with a first network entity; and
      
      the second information is accessible at a second network site associated with a second network entity.
  - 4. The system according to claim 1, wherein:
    - the first key portion and the second key portion have the relationship D_U1*D_U2=D_Umodφ
      
      (N_U), where D_Urepresents the one key of the asymmetric crypto-key, D_U1represents the first key portion, and D_U2represents the second key portion; and
      
      the other first key portion and the other second key portion have the relationship D_U1′
      
      *D_U2′
      
      =D_Umodφ
      
      (N_U), where D_Urepresents the one key of the asymmetric crypto-key, D_U1′
      
      represents the other first key portion, and D_U2′
      
      represents the other second key portion.
  - 5. The system according to claim 4, wherein the one key represented by the D_Uis the private key of the asymmetric crypto-key.
  - 6. The system according to claim 1, wherein:
    - the first key portion corresponds to a first factor, a second factor, and a first value of a constant; and
      
      the other first key portion corresponds to the first factor, the second factor, and a second value of the constant that is different than the first value of the constant.
  - 7. The system according to claim 6, wherein:
    - the first factor corresponds to a password of the user;
      
      the second factor corresponds to another private key or another public key of another asymmetric crypto-key; and
      
      the constant is a salt or an iteration count.
  - 8. The system according to claim 6, wherein:
    - the received encrypted first message includes one of the first factor and the second factor; and
      
      the received encrypted second message also includes the one factor.

9. A method for authenticating a user multiple times during a single network session, comprising:
- receiving, via a communications network, a first message encrypted with a first key portion of one of a private key and a public key of an asymmetric crypto-key associated with a user;
  
  decrypting the received encrypted first message with a second key portion of the one key of the asymmetric crypto-key to authenticate the user for access to first information available on the communications network during the network session, wherein the first key portion and the second key portion form a first split of the one key of the asymmetric crypto-key;
  
  subsequently receiving, via the communications network, a second message encrypted with another first key portion of the one key of the asymmetric crypto-key; and
  
  decrypting the received encrypted second message with another second key portion of the one key of the asymmetric crypto-key to authenticate the user for access to second information available on the communications network during the network session, wherein the other first key portion and the other second key portion form a second split, different than the first split, of the one key of the asymmetric crypto-key.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method according to claim 9, further comprising:
    - later receiving, via the communications network, a third message encrypted with the other first key portion of the one key of the asymmetric crypto-key; and
      
      decrypting the received encrypted third message with the other second key portion of the one key of the asymmetric crypto-key to authenticate the user for access to third information available on the communications network during the network session.
  - 11. The method according to claim 9, wherein:
    - the first information is accessible at a first network site associated with a first network entity; and
      
      the second information is accessible at a second network site associated with a second network entity.
  - 12. The method according to claim 9, wherein:
    - the first key portion and the second key portion have the relationship D_U1*D_U2=D_Umodφ
      
      (N_U), where D_Urepresents the one key of the asymmetric crypto-key, D_U1represents the first key portion, and D_U2represents the second key portion; and
      
      the other first key portion and the other second key portion have the relationship D_U1′
      
      *D_U2′
      
      =D_Umodφ
      
      (N_U), where D_Urepresents the one key of the asymmetric crypto-key, D_U1′
      
      represents the other first key portion, and D_U2′
      
      represents the other second key portion.
  - 13. The method according to claim 12, wherein the one key represented by the D_Uis the private key of the asymmetric crypto-key.
  - 14. The method according to claim 9, wherein:
    - the first key portion corresponds to a first factor, a second factor, and a first value of a constant; and
      
      the other first key portion corresponds to the first factor, the second factor, and a second value of the constant that is different than the first value of the constant.
  - 15. The method according to claim 14, wherein:
    - the first factor corresponds to a password of the user;
      
      the second factor corresponds to another private key or another public key of another asymmetric crypto-key; and
      
      the constant is one of a salt and an iteration count.
  - 16. The method according to claim 14, wherein:
    - the received encrypted first message includes one of the first factor and the second factor; and
      
      the received encrypted second message includes the one factor.

17. A networked system for authenticating a user multiple times during a single network session, comprising:
- a first network station configured with logic to (i) encrypt a first message with a first key portion of one of a private key and a public key of an asymmetric crypto-key associated with a user, and initially transmit the encrypted first message over a communications network during a network session, and (ii) encrypt a second message with another first key portion of the one key of the asymmetric crypto-key, and subsequently transmit the encrypted second message over the communications network during the network session; and
  
  a second network station configured with logic to (i) receive the initially transmitted encrypted first message and decrypt the received encrypted first message with a second key portion of the one key of the asymmetric crypto-key to initially authenticate the user, wherein the first key portion and the second key portion form a first split of the one key of the asymmetric crypto-key, and (ii) receive the subsequently transmitted encrypted second message and decrypt the received encrypted second message with another second key portion of the one key of the asymmetric crypto-key to subsequently authenticate the user, wherein the other first key portion and the other second key portion form a second split, different than the first split, of the one key of the asymmetric crypto-key;
  
  wherein the first network station is further configured to (i) access, during the network session and based on the initial authentication of the user by the second network station, first information stored on the communications network, and (ii) access, during the network session and based on the subsequent authentication of the user by the second network station, second information stored on the communications network.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The networked system according to claim 17, wherein:
    - the first network station is further configured to encrypt a third message with the other first key portion of the one key of the asymmetric crypto-key, and later transmit the encrypted third message over the communications network during the network session;
      
      the second network station is further configured to receive the later transmitted encrypted third message and decrypt the received encrypted second message with the other second key portion of the one key of the asymmetric crypto-key to later authenticate the user; and
      
      the first network station is further configured to access, during the network session and based on the later authentication of the user by the second network station, third information stored on the communications network.
  - 19. The networked system according to claim 17, wherein:
    - the first information is accessed at a first network site associated with a first network entity; and
      
      the second information is accessed at a second network site associated with a second network entity.
  - 20. The networked system according to claim 17, wherein:
    - the first key portion and the second key portion have the relationship D_U1*D_U2=D_Umodφ
      
      (N_U), where D_Urepresents the one key of the asymmetric crypto-key, D_U1represents the first key portion, and D_U2represents the second key portion; and
      
      the other first key portion and the other second key portion have the relationship D_U1′
      
      *D_U2′
      
      =D_Umodφ
      
      (N_U), where D_Urepresents the one key of the asymmetric crypto-key, D_U1′
      
      represents the other first key portion, and D_U2′
      
      represents the other second key portion.
  - 21. The networked system according to claim 17, wherein:
    - the first network station is further configured to generate the first key portion of the one key of the asymmetric crypto-key;
      
      the first message is encrypted with the generated first key portion;
      
      the first network station is also further configured to destroy the generated first key portion after encrypting the first message, and to generate the other first key portion of the one key of the asymmetric crypto-key after destruction of the generated first key portion; and
      
      the second message is encrypted with the generated other first key portion.
  - 22. The networked system according to claim 21, wherein:
    - the first network station is further configured to receive a user input representing a password of the user;
      
      the first key portion is generated based on a first factor corresponding to the password represented by the received user input, a second factor, and a first value of a constant; and
      
      the other first key portion is generated based on the first factor, the second factor, and a second value of the constant, which is different than the first value of the constant.
  - 23. The networked system according to claim 22, wherein both the first message and the second message include the second factor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
TriCipher, Inc. (Broadcom, Inc.)
Inventors
Ganesan, Ravi, Bellare, Mihir, Sandhu, Ravinderpal, deSa, Colin, Schoppert, Brett

Granted Patent

US 7,571,471 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/277
CPC Class Codes

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0863   involving passwords or one-...

H04L 9/3218   using proof of knowledge, e...

SECURE LOGIN USING A MULTIFACTOR SPLIT ASYMMETRIC CRYPTO-KEY WITH PERSISTENT KEY SECURITY

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

236 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE LOGIN USING A MULTIFACTOR SPLIT ASYMMETRIC CRYPTO-KEY WITH PERSISTENT KEY SECURITY

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

236 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links