Hardware-Bonded Credential Manager Method and System

US 20090259838A1
Filed: 04/15/2008
Published: 10/15/2009
Est. Priority Date: 04/15/2008
Status: Active Grant

First Claim

Patent Images

1. A method of providing secure network communication between a user with a networked computerized device, and a secure network server;

in which said networked computerized device has a hardware identity, and said secure network server has a secret;

comprising;

transmitting said hardware identity to said secure network server;

generating a challenge-response object (pocket) based on said hardware identity and said secret, and encrypting said pocket, thus generating an encrypted pocket;

transmitting said encrypted pocket back to said networked computerized device;

transmitting pocket decryption information (authorization) back to said networked computerized device by an out of band channel;

and decrypting said pocket, thereby creating a challenge-response object that resides on both the secure networked server and the networked computerized device; and

in which said networked computerized device and said secure network server then communicate securely by using said pocket to help encrypt and decrypt messages.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An internet data exchange authentication method that can provide much of the user authentication assurance and capability of dedicated computer security cryptographic hardware, without requiring that the user actually have such hardware. This method allows users with computerized devices to communicate securely with secure servers by creating customized challenge-response authentication objects (pockets) where both the challenge and the response is based partially on the hardware identity of the user'"'"'s computerized device, and partially on a secret (such as a random number) known only by the secure server. The secure server receives the device'"'"'s hardware identity, generates the secret, creates the pocket, encrypts the pocket, and sends the encrypted pocket back to the user'"'"'s device. The secure server, or a third trusted credential server, then sends the decryption key for the encrypted pocket back to the user using a different, “out of band” communications modality, thus reducing the chances of interception.

127 Citations

50 Claims

1. A method of providing secure network communication between a user with a networked computerized device, and a secure network server;
- in which said networked computerized device has a hardware identity, and said secure network server has a secret;
  
  comprising;
  
  transmitting said hardware identity to said secure network server;
  
  generating a challenge-response object (pocket) based on said hardware identity and said secret, and encrypting said pocket, thus generating an encrypted pocket;
  
  transmitting said encrypted pocket back to said networked computerized device;
  
  transmitting pocket decryption information (authorization) back to said networked computerized device by an out of band channel;
  
  and decrypting said pocket, thereby creating a challenge-response object that resides on both the secure networked server and the networked computerized device; and
  
  in which said networked computerized device and said secure network server then communicate securely by using said pocket to help encrypt and decrypt messages.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, in which the secret is a random number stored or generated by the secure network server, and in which the pocket is generated by the secure network server.
  - 3. The method of claim 1, in which the out of band channel uses oral communication, cellular telephone networks, wireless pager networks, and wired telephone networks, or one or more internet ports that are different from the internet ports used to communicate between said networked computerized device and said secure network server, and in which said different ports may include email ports.
  - 4. The method of claim 1, in which said hardware identity is comprised of hardware component identification values that includes values selected from the group consisting of CPU ID values, internet Media Access Control (MAC) addresses, Ethernet Hardware (EHA) addresses, hardware type, and hardware capability.
  - 5. The method of claim 4, in said user possesses user information and in which said hardware identity also contains this user information, and said user information is selected from the group consisting of user names, passwords, one time passwords (OTP), codes, and user biometric information selected from the group consisting of fingerprint information, face recognition information, or voice recognition information.
  - 6. The method of claim 1, in which the encrypted pocket is decrypted using data obtained from both the out of band channel and the hardware identity.
  - 7. The method of claim 1, which said pocket passed encryption and decryption of messages uses an encryption means selected from the group consisting of single key, secret key, symmetric encryption, public key, SSL protocols, Kerberos protocols, PKI protocols, RSA, PGP (pretty good privacy), SET (secure electronic transactions), DES (data encryption standard), or customized encryption protocols.
  - 8. The method of claim 1, in which said pocket is used by a plug-in or add-on associated with an internet browser software residing on said networked computerized device.
  - 9. The method of claim 1, in which said pocket is used by a stand along program on said networked computerized device, or in which said pocket is used by a component of a software program other than an internet browser on said networked computerized device.
  - 10. The method of claim 1, in which the pocket helps to encrypt and decrypt messages by sending message data that contains a challenge part of the object (pocket) as one portion of the data, and in which other portions of the message data are encrypted in a manner that requires the response part of the object (pocket) for decryption.
  - 11. The method of claim 1, in which said network computerized device obtains said pocket by establishing contact with said secure network server and requesting secure communication initialization software from said server;
    - wherein upon receiving said secure communication initialization software, said network computerized device uses said secure communication initialization software to determine said hardware identity, or transmit said hardware identity to said server, or receive said pocket, or receive said pocket decryption information, or decrypt said pocket or use said pocket to communicate securely with said server.
  - 12. The method of claim 1, in which the networked computerized device is connected to the internet, the secure network server is an internet web server, the user is running a web browser on said computerized device, and the computerized device communicates with the server using the http or https protocols and internet port 80 or internet port 443.
  - 13. The method of claim 1 in which said secure network server has its authenticity guaranteed by a trusted networked credential server, further comprising:
    - using said secure networked server to request said credential server send pocket decryption information back to said networked computerized device;
      
      wherein if said secure networked server is approved by said credential server, said credential server transmits pocket decryption information (authorization) back to said user or said networked computerized device by the out of band channel, and said authorization is subsequently used to decrypt said pocket.

14. A method of providing secure network communication between a user with a networked computerized device, and a secure network server;
- in which the networked computerized device is connected to the internet, the secure network server is an internet web server, the user is running a web browser on said computerized device;
  
  in which said networked computerized device has a hardware identity, said secure network server has a secret, and said server has its authenticity guaranteed by a trusted networked credential server;
  
  comprising;
  
  transmitting said hardware identity to said secure network server;
  
  generating a challenge-response object (pocket) based on said hardware identity and said secret, and encrypting said pocket, thus generating an encrypted pocket;
  
  transmitting said encrypted pocket back to said networked computerized device;
  
  using said secure networked server to request said credential server send pocket decryption information back to said networked computerized device;
  
  wherein if said secure networked server is approved by said credential server, said credential server transmits pocket decryption information (authorization) back to said user or said networked computerized device by an out of band channeland decrypting said pocket, thereby creating a challenge-response object that resides on both the secure networked server and the networked computerized device; and
  
  in which said networked computerized device and said secure network server then communicate securely by using said pocket to help encrypt and decrypt messages.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 15. The method of claim 14, in which the secret is a random number with a length of 1024 bits or longer.
  - 16. The method of claim 14, in which the pocket is generated by the secure network server.
  - 17. The method of claim 14, in which said hardware identity is comprised of hardware component identification values that includes values selected from the group consisting of CPU ID values, internet Media Access Control (MAC) addresses, Ethernet Hardware (EHA) addresses, hardware type, and hardware capability.
  - 18. The method of claim 17, in said user possesses user information and in which said hardware identity also contains this user information, and in which said user information is selected from the group consisting of user names, passwords, one time passwords (OTP), codes, and user biometric information selected from the group consisting of fingerprint information, face recognition information, or voice recognition information.
  - 19. The method of claim 17, in which the encrypted pocket is decrypted using data obtained from both the out of band channel and the hardware identity.
  - 20. The method of claim 14, which said pocket passed encryption and decryption of messages uses an encryption means selected from the group consisting of single key, secret key, symmetric encryption, public key, SSL protocols, Kerberos protocols, PKI protocols, RSA, PGP (pretty good privacy), SET (secure electronic transactions), DES (data encryption standard), or customized encryption protocols.
  - 22. The method of claim 14, in which said pocket is used by a plug-in or add-on associated with an internet browser software residing on said networked computerized device.
  - 23. The method of claim 14, in which said pocket is used by a stand along program on said networked computerized device, or in which said pocket is used by a component of a software program other than an internet browser on said networked computerized device.
  - 24. The method of claim 14, in which the pocket helps to encrypt and decrypt messages by sending message data that contains a challenge part of the object (pocket) as one portion of the data, and in which other portions of the message data are encrypted in a manner that requires the response part of the object (pocket) for decryption.
  - 25. The method of claim 14, in which said network computerized device obtains said pocket by establishing contact with said secure network server and requesting secure communication initialization software from said server;
    - wherein upon receiving said secure communication initialization software, said network computerized device uses said secure communication initialization software to determine said hardware identity, or transmit said hardware identity to said server, or receive said pocket, or receive said pocket decryption information, or decrypt said pocket or use said pocket to communicate securely with said server.
  - 26. The method of claim 14, in which the computerized device communicates with the server using the http or https protocols and internet port 80 or internet port 443.
  - 27. The method of claim 14, in which the authorization is sent directly from said credential server to said user or said computerized device by an out of band channel that utilizes oral communication, cellular telephone networks, wireless pager networks, and wired telephone networks.
  - 28. The method of claim 14 in which authorization is sent directly from said credential server to said user or said computerized device by an out of band channel that uses one or more internet ports that are different from the internet ports used to communicate between said networked computerized device and said secure network server, and in which said different ports may include email ports.
  - 29. The method of claim 14, in which the networked computerized device periodically checks with the credential server after authorization to verify that the secure network server is still authorized.
  - 30. The method of claim 14, in which the secure network server and the credential server are the same server.
  - 31. The method of claim 14, in which the secure network server and the credential server are different servers, and have different network addresses.

32. A method of providing secure internet communication between a user with an internet connected networked computerized device, and a secure internet server;
- in which said secure internet server is a web server, and said user is running a web browser on said computerized device;
  
  in which said user possesses user information, said computerized device has a hardware identity, the secure internet server has a secret, and said secure internet server has its authenticity guaranteed by a trusted internet credential server, comprising;
  
  establishing contact with said secure internet server, requesting secure communication initialization software, and receiving said secure communication initialization software;
  
  using said secure communication initialization software to transmit said hardware identity and user information to said secure network server;
  
  generating a challenge-response object (pocket) based on said hardware identity, said user information, and said secret, and encrypting said pocket, thus generating an encrypted pocket;
  
  transmitting said encrypted pocket back to said networked computerized device;
  
  using said secure networked server to request said credential server to send pocket decryption information back to said networked computerized device;
  
  wherein if said secure networked server is approved by said credential server, said credential server transmits pocket decryption information (authorization) back to said user or said networked computerized device by an out of band channel;
  
  and decrypting said pocket using said authorization, hardware identity, and user information, thereby creating a challenge-response object (pocket) that resides on both the secure networked server and the networked computerized device; and
  
  in which said networked computerized device and said secure network server then communicate securely by using said pocket to help encrypt and decrypt messages.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48)
- - 33. The method of claim 32, in which the secret is a random number.
  - 34. The method of claim 32, in which the pocket is generated by the secure network server.
  - 35. The method of claim 32, in which said hardware identity is comprised of hardware component identification values that includes values selected from the group consisting of CPU ID values, internet Media Access Control (MAC) addresses, Ethernet Hardware (EHA) addresses, hardware type, and hardware capability.
  - 36. The method of claim 32, in which said user information is selected from the group consisting of user names, passwords, one time passwords (OTP), codes, and user biometric information selected from the group consisting of fingerprint information, face recognition information, or voice recognition information.
  - 37. The method of claim 32, in which the encrypted pocket is decrypted using data obtained both from the out of band channel and the hardware identity.
  - 38. The method of claim 32, which said pocket passed encryption and decryption of messages uses an encryption means selected from the group consisting of single key, secret key, symmetric encryption, public key, SSL protocols, Kerberos protocols, PKI protocols, RSA, PGP (pretty good privacy), SET (secure electronic transactions), DES (data encryption standard), or customized encryption protocols.
  - 39. The method of claim 32, in which said pocket is used by a plug-in or add-on associated with an internet browser software residing on said networked computerized device.
  - 40. The method of claim 32, in which said pocket is used by a stand along program on said networked computerized device, or in which said pocket is used by a component of a software program other than an internet browser on said networked computerized device.
  - 41. The method of claim 32, in which the pocket helps to encrypt and decrypt messages by sending message data that contains a challenge part of the object (pocket) as one portion of the data, and in which other portions of the message data are encrypted in a manner that requires the response part of the object (pocket) for decryption.
  - 42. The method of claim 32, in which the computerized device communicates with the server using the http or https protocols and internet port 80 or internet port 443.
  - 43. The method of claim 32, in which the authorization is sent directly from said credential server to said user or said computerized device by an out of band channel that utilizes oral communication, cellular telephone networks, wireless pager networks, and wired telephone networks.
  - 44. The method of claim 32 in which authorization is sent directly from said credential server to said user or said computerized device by an out of band channel that uses one or more internet ports that are different from the internet ports used to communicate between said networked computerized device and said secure network server, and in which said different ports may include email ports.
  - 45. The method of claim 32, in which the networked computerized device periodically checks with the credential server after authorization to verify that the secure network server is still authorized.
  - 46. The method of claim 32, in which the secure network server and the credential server are the same server.
  - 47. The method of claim 32, in which the secure network server and the credential server are different servers, and have different network addresses.
  - 48. The method of claim 32, in which the user information is verified by an additional trusted authentication server (ASAS) different from said secure internet server and said credential server.

49. A method of providing secure network communication between a user with a networked computerized device, and a secure network server;
- in which said user possesses user information, said networked computerized device has a hardware identity, and said secure network server has its authenticity guaranteed by a trusted networked credential server, comprising;
  
  using said secure networked server to request said credential server to authorize and customize secure network server specific communications (pocket) software;
  
  wherein if said secure networked server is approved by said credential server, said credential server sends notice of authorization of said pocket software directly to said user or said networked computerized device; and
  
  said user or networked computerized device then sends said user information and said hardware identity to said secure server and/or said credential server;
  
  said secure server and/or said credential server uses said user information and said hardware identity to customize said pocket software for said user information, hardware identity, and secure network server, and sends said customized pocket software back to said computerized device;
  
  in which the customized pocket software, when activated, allows secure communication between said computerized device and said secure network server only if the same user information is provided, and said computerized device has the same hardware identity.

50. A method of providing secure internet communication between a user with an internet connected computerized device, and a secure internet server;
- in which said internet connected computerized device communicates with said secure internet server using the http or https protocols and internet port 80 or internet port 443, said secure internet server is a web server, and said user is running a web browser on said computerized device;
  
  in which said user possesses user information, said computerized device has a hardware identity, and said secure internet server has its authenticity guaranteed by a trusted internet credential server, comprising;
  
  using said secure internet server to request said credential server to authorize and customize secure network server specific communications (pocket) software;
  
  wherein if said secure internet server is approved by said credential server, said credential server sends notice of authorization of said pocket software directly to said user or said internet connected computerized device; and
  
  said user or internet connected computerized device then sends said user information and said hardware identity to said secure server and/or said credential server;
  
  said secure server and/or said credential server uses said user information and said hardware identity to customize said pocket software for said user information, hardware identity, and secure internet server, and sends said customized pocket software back to said computerized device;
  
  in which the customized pocket software, when activated, allows secure communication between said computerized device and said secure internet server only if the same user information is provided, and said computerized device has the same hardware identity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Authenex Incorporated
Original Assignee
Authenex Incorporated
Inventors
Lin, Paul

Granted Patent

US 8,037,295 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/150
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 9/3215   using a plurality of channe...

H04L 9/3226   using a predetermined code,...

H04L 9/3271   using challenge-response

Hardware-Bonded Credential Manager Method and System

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

127 Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

Hardware-Bonded Credential Manager Method and System

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

127 Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links