Hardware-Bonded Credential Manager Method and System
First Claim
1. A method of providing secure network communication between a user with a networked computerized device, and a secure network server;
in which said networked computerized device has a hardware identity, and said secure network server has a secret;
comprising;
transmitting said hardware identity to said secure network server;
generating a challenge-response object (pocket) based on said hardware identity and said secret, and encrypting said pocket, thus generating an encrypted pocket;
transmitting said encrypted pocket back to said networked computerized device;
transmitting pocket decryption information (authorization) back to said networked computerized device by an out of band channel;
and decrypting said pocket, thereby creating a challenge-response object that resides on both the secure networked server and the networked computerized device; and
in which said networked computerized device and said secure network server then communicate securely by using said pocket to help encrypt and decrypt messages.
Abstract
An internet data exchange authentication method that can provide much of the user authentication assurance and capability of dedicated computer security cryptographic hardware, without requiring that the user actually have such hardware. This method allows users with computerized devices to communicate securely with secure servers by creating customized challenge-response authentication objects (pockets) where both the challenge and the response are based partially on the hardware identity of the user's computerized device, and partially on a secret (such as a random number) known only by the secure server. The secure server receives the device's hardware identity, generates the secret, creates the pocket, encrypts the pocket, and sends the encrypted pocket back to the user's device. The secure server, or a third trusted credential server, then sends the decryption key for the encrypted pocket back to the user using a different, “out of band” communications modality, thus reducing the chances of interception.
50 Claims
1. A method of providing secure network communication between a user with a networked computerized device, and a secure network server;
in which said networked computerized device has a hardware identity, and said secure network server has a secret;
comprising;
transmitting said hardware identity to said secure network server;
generating a challenge-response object (pocket) based on said hardware identity and said secret, and encrypting said pocket, thus generating an encrypted pocket;
transmitting said encrypted pocket back to said networked computerized device;
transmitting pocket decryption information (authorization) back to said networked computerized device by an out of band channel;
and decrypting said pocket, thereby creating a challenge-response object that resides on both the secure networked server and the networked computerized device; and
in which said networked computerized device and said secure network server then communicate securely by using said pocket to help encrypt and decrypt messages.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
14. A method of providing secure network communication between a user with a networked computerized device, and a secure network server;
in which the networked computerized device is connected to the internet, the secure network server is an internet web server, the user is running a web browser on said computerized device; in which said networked computerized device has a hardware identity, said secure network server has a secret, and said server has its authenticity guaranteed by a trusted networked credential server;
comprising;
transmitting said hardware identity to said secure network server;
generating a challenge-response object (pocket) based on said hardware identity and said secret, and encrypting said pocket, thus generating an encrypted pocket;
transmitting said encrypted pocket back to said networked computerized device;
using said secure networked server to request said credential server send pocket decryption information back to said networked computerized device;
wherein if said secure networked server is approved by said credential server, said credential server transmits pocket decryption information (authorization) back to said user or said networked computerized device by an out of band channel and decrypting said pocket, thereby creating a challenge-response object that resides on both the secure networked server and the networked computerized device; and
in which said networked computerized device and said secure network server then communicate securely by using said pocket to help encrypt and decrypt messages.
Dependent claims: 15, 16, 17, 18, 19, 20, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31
32. A method of providing secure internet communication between a user with an internet connected networked computerized device, and a secure internet server;
in which said secure internet server is a web server, and said user is running a web browser on said computerized device; in which said user possesses user information, said computerized device has a hardware identity, the secure internet server has a secret, and said secure internet server has its authenticity guaranteed by a trusted internet credential server,
comprising;
establishing contact with said secure internet server, requesting secure communication initialization software, and receiving said secure communication initialization software;
using said secure communication initialization software to transmit said hardware identity and user information to said secure network server;
generating a challenge-response object (pocket) based on said hardware identity, said user information, and said secret, and encrypting said pocket, thus generating an encrypted pocket;
transmitting said encrypted pocket back to said networked computerized device;
using said secure networked server to request said credential server to send pocket decryption information back to said networked computerized device;
wherein if said secure networked server is approved by said credential server, said credential server transmits pocket decryption information (authorization) back to said user or said networked computerized device by an out of band channel;
and decrypting said pocket using said authorization, hardware identity, and user information, thereby creating a challenge-response object (pocket) that resides on both the secure networked server and the networked computerized device; and
in which said networked computerized device and said secure network server then communicate securely by using said pocket to help encrypt and decrypt messages.
Dependent claims: 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48
49. A method of providing secure network communication between a user with a networked computerized device, and a secure network server;
in which said user possesses user information, said networked computerized device has a hardware identity, and said secure network server has its authenticity guaranteed by a trusted networked credential server,
comprising;
using said secure networked server to request said credential server to authorize and customize secure network server specific communications (pocket) software;
wherein if said secure networked server is approved by said credential server, said credential server sends notice of authorization of said pocket software directly to said user or said networked computerized device;
and said user or networked computerized device then sends said user information and said hardware identity to said secure server and/or said credential server;
said secure server and/or said credential server uses said user information and said hardware identity to customize said pocket software for said user information, hardware identity, and secure network server, and sends said customized pocket software back to said computerized device;
in which the customized pocket software, when activated, allows secure communication between said computerized device and said secure network server only if the same user information is provided, and said computerized device has the same hardware identity.
50. A method of providing secure internet communication between a user with an internet connected computerized device, and a secure internet server;
in which said internet connected computerized device communicates with said secure internet server using the http or https protocols and internet port 80 or internet port 443, said secure internet server is a web server, and said user is running a web browser on said computerized device; in which said user possesses user information, said computerized device has a hardware identity, and said secure internet server has its authenticity guaranteed by a trusted internet credential server,
comprising;
using said secure internet server to request said credential server to authorize and customize secure network server specific communications (pocket) software;
wherein if said secure internet server is approved by said credential server, said credential server sends notice of authorization of said pocket software directly to said user or said internet connected computerized device;
and said user or internet connected computerized device then sends said user information and said hardware identity to said secure server and/or said credential server;
said secure server and/or said credential server uses said user information and said hardware identity to customize said pocket software for said user information, hardware identity, and secure internet server, and sends said customized pocket software back to said computerized device;
in which the customized pocket software, when activated, allows secure communication between said computerized device and said secure internet server only if the same user information is provided, and said computerized device has the same hardware identity.
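The enrolment exchange of claims 1, 14 and 32, followed by the binding test that claims 49 and 50 require (communication works only with the same user information on the same hardware), as an added Go example. It is written for this page and is not code from the patent, its assignee or any product. The claims fix no algorithms, so the following are assumptions: the pocket is an HMAC-SHA256 output over the server secret, the hardware identity and the user information; the key that encrypts the pocket mixes the out-of-band authorization with that same hardware identity and user information, following claim 32's "decrypting said pocket using said authorization, hardware identity, and user information"; messages are protected with AES-256-GCM; the hardware identity and user information are constructed strings; and the out-of-band channel and the credential server of claims 14 and 32 are not modelled, so Enrol simply returns the authorization alongside the encrypted pocket and the caller is trusted to deliver the two values separately.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// kdf is HMAC-SHA256 over a label and length-prefixed inputs. It stands in for the
// unspecified derivation of the claims; its 32-byte output doubles as an AES-256 key.
func kdf(key []byte, label string, parts ...[]byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(label))
	for _, p := range parts {
		mac.Write([]byte{byte(len(p) >> 8), byte(len(p))})
		mac.Write(p)
	}
	return mac.Sum(nil)
}

// random returns n bytes from the OS CSPRNG.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-256-GCM; every key here is a 32-byte kdf output, so failure is a bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	return gcm
}

// seal encrypts and authenticates plaintext; the fresh nonce is prepended.
func seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := random(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails on a wrong key or an altered message.
func open(key, blob []byte) ([]byte, error) {
	gcm := aead(key)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Server holds the secret of the claims and the pocket issued to each hardware identity.
type Server struct {
	secret  []byte
	pockets map[string][]byte
}

// Enrol is the server side of claims 1 and 32: derive the pocket from the secret, the
// hardware identity and the user information, then encrypt it under a wrapping key that
// mixes a fresh authorization with that same identity and user information (claim 32).
// encPocket is returned in band; authorization is for the out-of-band channel.
func (s *Server) Enrol(hardwareID, userInfo []byte) (encPocket, authorization []byte) {
	pocket := kdf(s.secret, "pocket", hardwareID, userInfo)
	s.pockets[string(hardwareID)] = pocket
	authorization = random(32)
	return seal(kdf(authorization, "wrap", hardwareID, userInfo), pocket), authorization
}

// activate runs on the device, which never sees the server secret: it rebuilds the
// wrapping key from its own hardware identity and the user's information, so the
// captured encPocket/authorization pair is useless on other hardware or for another user.
func activate(hardwareID, encPocket, authorization, userInfo []byte) ([]byte, error) {
	pocket, err := open(kdf(authorization, "wrap", hardwareID, userInfo), encPocket)
	if err != nil || len(pocket) != 32 {
		return nil, errors.New("pocket decryption failed")
	}
	return pocket, nil
}

func main() {
	srv := &Server{secret: random(32), pockets: map[string][]byte{}}
	hwID, user := []byte("hw:device-A:serial-0001"), []byte("alice@example.com") // constructed sample values
	encPocket, auth := srv.Enrol(hwID, user) // encPocket travels in band, auth out of band
	pocket, err := activate(hwID, encPocket, auth, user)
	fmt.Println("activate on enrolled device, err =", err)
	// Both sides now hold the pocket and use it to encrypt and decrypt messages.
	msg, err := open(srv.pockets[string(hwID)], seal(pocket, []byte("transfer 10.00 to account 42")))
	fmt.Printf("server reads %q, err = %v\n", msg, err)
	_, err = activate([]byte("hw:device-B:serial-9999"), encPocket, auth, user) // replay on other hardware
	fmt.Println("activate on other hardware, err =", err)
}
```

Run it with `go run .`; the last line shows the point of the design: an attacker who intercepts both the encrypted pocket and the out-of-band authorization still cannot activate the pocket on different hardware, because the wrapping key is recomputed from the device's own hardware identity. Mixing the identity into the wrapping key (rather than sending it only at enrolment) is what makes this hold; the binding is then exactly as hard to defeat as the hardware identity is to clone, so a self-reported serial number gives far weaker assurance than an identity anchored in a hardware key.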
Specification