Transient Protection Key Derivation in a Computing Device
First Claim
1. A method of operating a computing device comprising using one or a combination of methods chosen from amongst a plurality of methods for authenticating a user of the device by means of:
a. providing the said user of the device with a unique CPK which can be used to guard or encrypt sensitive data and functionality; and
b. providing for each authentication method a means of returning a unique CIS each time it is employed by the said user; and
c. for each authentication method available to the device
   i) passing the said CIS through replicable mathematical mechanisms which generate a CISK unique to that CIS but from which the CIS cannot be derived; and
   ii) employing the said CISK to symmetrically encrypt the CPK; and
   iii) keeping the said encrypted version of the CPK in some type of persistent storage available to the device in such a way that it can be retrieved by providing the authentication method and the user;
and wherein, when a user of the device requests authentication by means of one or a combination of available authentication methods
d. for each authentication method required
   i) that method is invoked to obtain its CIS for the said user; and
   ii) the said CIS is passed through the mathematical mechanisms described above to generate a CISK; and
   iii) the encrypted CPK for the said method and the said user is retrieved from the persistent storage where it is kept; and
   iv) the actual CPK is decrypted from the encrypted CPK by means of the CISK; and
e. authentication is provided by releasing the identity of the user and their CPK provided that either
   i) the CPKs returned by each authentication method required are identical; or
   ii) in the case where only a single authentication method is required, that it can successfully be used to decrypt a specific item of data stored on the device.
Abstract
A computing device is arranged to use any possible permutation of methods available to it to authenticate a user, without needing to persistently store any unencrypted data that can be used in authentication, such data only ever being held in transient memory. A user of the device is provided with their own unique common protection key (CPK) which can be used to guard or encrypt sensitive data and functionality. Each authentication method is guaranteed to return a unique consistent identification sequence (CIS) each time it is employed by any specific user. When a user registers on the device, the CIS from each authentication method is used to generate a key which in turn is used to encrypt the CPK; this E(CPK) is then stored in a table indexed by user and authentication method. Neither the CPK nor any CIS are ever kept on the device except in transient memory. When authentication is sought, the CIS for each requested method is obtained and is used to regenerate the key that can be used to decrypt the E(CPK). All the CPKs thus decrypted must match for authentication to be granted.
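The registration and authentication flow described in the abstract, as an added worked example; this is not code from the patent or from any implementation of it. The patent fixes neither the replicable one-way mechanism nor the symmetric cipher, so the example assumes PBKDF2-HMAC-SHA256 for the CIS-to-CISK step and an HMAC-based encrypt-then-MAC wrapper, built from the standard library, as a stand-in for an AEAD such as AES-GCM. The wrapper's integrity tag plays the role of the "specific item of data" that claim 1(e)(ii) decrypts in the single-method case. The user name, method names and CIS values are constructed; the class and function names are this example's own.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed parameters: the patent fixes neither KDF nor cipher; these are
# one concrete choice for illustration, not values from the patent.
KDF_ITERATIONS = 100_000
KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def derive_cisk(cis: bytes, salt: bytes) -> bytes:
    """Steps c.i / d.ii: replicable one-way map from a CIS to a CISK.
    PBKDF2 with a per-entry salt; deliberately slow, because a low-entropy
    CIS (a PIN) is otherwise brute-forceable offline from the stored E(CPK)."""
    return hashlib.pbkdf2_hmac("sha256", cis, salt, KDF_ITERATIONS, dklen=KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD (AES-GCM).
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(cisk: bytes) -> Tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from the CISK.
    return (hmac.new(cisk, b"enc", hashlib.sha256).digest(),
            hmac.new(cisk, b"mac", hashlib.sha256).digest())


def wrap_cpk(cisk: bytes, cpk: bytes) -> bytes:
    """Step c.ii: E(CPK) = nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(cisk)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(cpk, _keystream(enc_key, nonce, len(cpk))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_cpk(cisk: bytes, blob: bytes) -> Optional[bytes]:
    """Step d.iv: recover the CPK, or None if the CISK is wrong (tag mismatch).
    The tag check is what makes claim 1(e)(ii) decidable for a single method."""
    enc_key, mac_key = _subkeys(cisk)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Device:
    """Persistent state is only the table (user, method) -> (salt, E(CPK)).
    Neither a CIS nor a CPK is ever written to it (step c.iii / abstract)."""

    def __init__(self) -> None:
        self.table: Dict[Tuple[str, str], Tuple[bytes, bytes]] = {}

    def enroll(self, user: str, cis_by_method: Dict[str, bytes]) -> bytes:
        cpk = os.urandom(KEY_LEN)               # step a: fresh CPK, held transiently
        for method, cis in cis_by_method.items():
            salt = os.urandom(16)
            self.table[(user, method)] = (salt, wrap_cpk(derive_cisk(cis, salt), cpk))
        return cpk                              # caller keeps it in RAM only

    def authenticate(self, user: str, cis_by_method: Dict[str, bytes]) -> Optional[bytes]:
        """Steps d and e: every requested method must yield the same CPK."""
        if not cis_by_method:
            return None
        cpks = []
        for method, cis in cis_by_method.items():
            entry = self.table.get((user, method))
            if entry is None:
                return None                     # method not enrolled for this user
            salt, blob = entry
            cpk = unwrap_cpk(derive_cisk(cis, salt), blob)
            if cpk is None:
                return None                     # wrong CIS for this method (e.ii)
            cpks.append(cpk)
        if any(not hmac.compare_digest(c, cpks[0]) for c in cpks[1:]):
            return None                         # step e.i: CPKs must be identical
        return cpks[0]


def demo() -> Tuple[bool, bool, bool]:
    # Constructed sample: two enrolled methods with constructed CIS values.
    dev = Device()
    cis = {"pin": b"4921", "fingerprint": b"template-hash-constructed"}
    cpk = dev.enroll("alice", cis)
    both_ok = dev.authenticate("alice", cis) == cpk
    single_ok = dev.authenticate("alice", {"pin": b"4921"}) == cpk
    wrong_pin = dev.authenticate("alice", {"pin": b"0000", "fingerprint": cis["fingerprint"]}) is None
    return both_ok, single_ok, wrong_pin


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner should take from this. First, because claim 1 allows "one" of the available methods to release the CPK, the confidentiality of the CPK is bounded by the weakest enrolled method: anyone who copies the persistent table can attack each E(CPK) entry offline, so a low-entropy CIS (a short PIN) must be protected by a slow or memory-hard derivation, a rate limiter in a secure element, or both. Second, the scheme relies on each method returning a consistent CIS; for biometrics that means a stable template-derived value rather than the raw sample, since any bit difference produces a different CISK and a decryption failure.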
Claims
17 claims in total: claim 1 is the independent claim set out above; claims 2 to 17 are dependent on it.