PROXIMITY AUTHENTICATION

US 20090177892A1
Filed: 01/09/2008
Published: 07/09/2009
Est. Priority Date: 01/09/2008
Status: Abandoned Application

First Claim

Patent Images

1. A method of verifying presence of a token at a computer, the method comprising:

creating a communication link between the token and the computer;

activating a process on the computer that creates a session key with the token;

publishing an availability of the process;

accepting a token authentication request from an other process;

providing a token authentication response to the other process;

validating the token authentication response;

continuing a session with the other process following a valid token authentication response; and

ending the session following a failed token authentication response.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security token is coupled to a computer and is available for use by both local and remote processes for on-demand response to a challenge. To minimize the security risk of an unattended session, the challenge may be issued to verify the presence of the token. When the token has a user interface, it may be used in conjunction with the computer to require that a user also participate in transferring displayed data between the token and computer. This helps to ensure that not only the token, but the user are both present at the computer during operation. For the most sensitive operations, such a confirmation may be required with each data submission.

72 Citations

View as Search Results

20 Claims

1. A method of verifying presence of a token at a computer, the method comprising:
- creating a communication link between the token and the computer;
  
  activating a process on the computer that creates a session key with the token;
  
  publishing an availability of the process;
  
  accepting a token authentication request from an other process;
  
  providing a token authentication response to the other process;
  
  validating the token authentication response;
  
  continuing a session with the other process following a valid token authentication response; and
  
  ending the session following a failed token authentication response.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the failed token authentication response is one of a missing token authentication response, an untimely token authentication response, and a failed token authentication response.
  - 3. The method of claim 1, wherein providing the token authentication response comprises cryptographically authenticating a challenge in the token authentication request.
  - 4. The method of claim 1, wherein providing the token authentication response comprises entry of data corresponding to a displayed human presence check and a cryptographic authentication of the data.
  - 5. The method of claim 1, wherein providing the token authentication response comprises entry of data from the token authentication request directly into the token.
  - 6. The method of claim 1, wherein providing the token authentication response comprises activation of an input at the token that causes the token to authenticate a challenge in the token authentication request.
  - 7. The method of claim 1, further comprising:
    - creating a second communication link using a short range wireless connection between a fob and the token;
      
      authenticating the fob at the token; and
      
      immediately ending the session when the fob cannot be accessed via the second communication link.
  - 8. The method of claim 1, wherein the other process is a login process that logs off a user responsive to a failed token authentication response.
  - 9. The method of claim 1, wherein the other process is a remote process with access to the computer and the session is a remote session on a network.
  - 10. The method of claim 9, wherein the remote process terminates the session following an invalid token authentication response.

11. A system for verifying presence of a token at a computer comprising:
- the token including a cryptographic unit, a secure memory, and a communication link for maintaining a communication session with the computer; and
  
  the computer, including;
  
  a port for maintaining the communication session with the computer;
  
  a processor for executing programmable instructions; and
  
  a memory for storing processor-executable programmable instructions comprising;
  
  an interface module that presents an application program interface (API) for communicating with the token; and
  
  a program module that initially authenticates the token and thereafter periodically presents a challenge to the token via the API and interrupts an associated session when the token fails to provide a valid response to the challenge.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The system of claim 11, wherein the computer further comprises a network connection and the program module supports communication with a remote process.
  - 13. The system of claim 11, further comprising a fob with a wireless link and a cryptographic engine, wherein the fob establishes a second communication session with the token using a wireless connection on the token that is distinct from the communication link.
  - 14. The system of claim 11, wherein the computer further comprises a display and the program module presents information on the display as part of presenting the challenge.
  - 15. The system of claim 14, wherein the program module accesses a cryptographic function to verify a cryptographically altered form of the challenge plus the information received from the token.
  - 16. The system of claim 14, wherein the token further comprises an input that accepts a form of the information for use in providing a response to the challenge.

17. A computer-readable medium having computer-executable instructions for causing a processor in a computer to implement a method comprising:
- establishing a session with a security token;
  
  cryptographically authenticating the security token;
  
  presenting an application program interface (API) that allows communication with the security token using the session;
  
  passing a presence challenge from a process to the security token via the API;
  
  returning a response to the presence challenge to the process via the API;
  
  validating the response to the presence challenge at the process; and
  
  deactivating the process when the validating fails.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-readable medium of claim 17, further comprising:
    - presenting a portion of the presence challenge on a display of the computer; and
      
      inputting the portion of the presence challenge;
      
      wherein returning the response to the presence challenge comprises;
      
      combining the presence challenge from the process with the portion of the presence challenge input to form the response to the presence challenge.
  - 19. The computer-readable medium of claim 17, further comprising:
    - communicating with a network separate from any communication medium used by the session with the security token;
      
      passing a remote presence challenge received via the network to the security token via the API;
      
      returning a remote response to the remote presence challenge via the API.
  - 20. The computer-readable medium of claim 17, wherein the process is a user login process and wherein deactivating the process comprises logging out a user associated with the security token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Carpenter, Todd L., Bassett, Charles D., Carpenter, Bradley L., Abzarian, David, Steeves, David, Hartrell, Gregory

Application Number

US11/971,906
Publication Number

US 20090177892A1
Time in Patent Office

Days
Field of Search
US Class Current

713/185
CPC Class Codes

G06F 21/34 involving the use of extern...

PROXIMITY AUTHENTICATION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

72 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

PROXIMITY AUTHENTICATION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

72 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links