Transient Protection Key Derivation in a Computing Device

US 20090327722A1
Filed: 06/07/2007
Published: 12/31/2009
Est. Priority Date: 06/08/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method of operating a computing device comprising using one or a combination of methods chosen from amongst a plurality of methods for authenticating a user of the device by means of:

a. providing the said user of the device with a unique CPK which can be used to guard or encrypt sensitive data and functionality; and

b. providing for each authentication method a means of returning a unique CIS each time it is employed by the said user; and

c. for each authentication method available to the devicei) passing the said CIS through replicable mathematical mechanisms which generate a CISK unique to that CIS but from which the CIS cannot be derived; and

ii) employing the said CISK to symmetrically encrypt the CPK; and

iii) keeping the said encrypted version of the CPK in some type of persistent storage available to the device in such a way that is can be retrieved by providing the authentication method and the user;

and wherein, when a user of the device requests authentication by means of one or a combination of available authentication methodsd. for each authentication method requiredi) that method is invoked to obtain its CIS for the said user; and

ii) the said CIS is passed through the mathematical mechanisms described above to generate a CISK; and

iii) the encrypted CPK for the said method and the said user is retrieved from the persistent storage where it is kept; and

iv) the actual CPK is decrypted from the encrypted CPK means of the CISK; and

e. authentication is provided by releasing the identify of the user and their CPK provided that eitheri) the CPKs returned by each authentication method required are identical;

orii) in the case where only a single authentication method is required, that it can successfully be used to decrypt a specific item of data stored on the device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing device is arranged to use any possible permutation of methods available to it to authenticate a user, without needing to persistently store any unencrypted data that can be used in authentication, such data only ever being held in transient memory. A user of the device is provided with their own unique common protection key (CPK) which can be used to guard or encrypt sensitive data and functionality. Each authentication method is guaranteed to return a unique consistent identification sequence (CIS) each time it is employed by any specific user. When a user registers on the device, the CIS from each authentication method is used to generate a key which in turn is used to encrypt the CPK; this E(CPK) is then stored in a table indexed by user and authentication method. Neither the CPK nor any CIS are ever kept on the device except in transient memory. When authentication is sought, the CIS for each requested method is obtained and is used to regenerate the key that can be used to decrypt the E(CPK). All the CPKs thus decrypted must match for authentication to be granted.

7 Citations

View as Search Results

17 Claims

1. A method of operating a computing device comprising using one or a combination of methods chosen from amongst a plurality of methods for authenticating a user of the device by means of:
- a. providing the said user of the device with a unique CPK which can be used to guard or encrypt sensitive data and functionality; and
  
  b. providing for each authentication method a means of returning a unique CIS each time it is employed by the said user; and
  
  c. for each authentication method available to the devicei) passing the said CIS through replicable mathematical mechanisms which generate a CISK unique to that CIS but from which the CIS cannot be derived; and
  
  ii) employing the said CISK to symmetrically encrypt the CPK; and
  
  iii) keeping the said encrypted version of the CPK in some type of persistent storage available to the device in such a way that is can be retrieved by providing the authentication method and the user;
  
  and wherein, when a user of the device requests authentication by means of one or a combination of available authentication methodsd. for each authentication method requiredi) that method is invoked to obtain its CIS for the said user; and
  
  ii) the said CIS is passed through the mathematical mechanisms described above to generate a CISK; and
  
  iii) the encrypted CPK for the said method and the said user is retrieved from the persistent storage where it is kept; and
  
  iv) the actual CPK is decrypted from the encrypted CPK means of the CISK; and
  
  e. authentication is provided by releasing the identify of the user and their CPK provided that eitheri) the CPKs returned by each authentication method required are identical;
  
  orii) in the case where only a single authentication method is required, that it can successfully be used to decrypt a specific item of data stored on the device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. A method according to claim 1 wherein authentication is requested by a client and is provided by an authentication server component.
  - 3. A method according to claim 1 wherein CPK and CIS and CISK data is only held transiently in the memory of the device and is never stored persistently.
  - 4. A method according to claim 1 wherein the CPK is rendered unique by deriving it from a random number generator.
  - 5. A method according to claim 1 wherein the device supports authentication for multiple users each of which has their own unique CPK.
  - 6. A method according to claim 1 wherein combinations of authentication methods can be dynamically chosen by the user or operating or application software of the device.
  - 7. A method according to claim 1 wherein the choice of authentication methods is varied depending on the location of the device.
  - 8. A method according to claim 1 wherein the choice of authentication methods is automatically varied depending on the location of the device.
  - 9. A method according to claim 1 wherein authentication is requested pursuant to a financial transaction and wherein the choice of authentication methods is automatically varied depending on the size of the transaction.
  - 10. A method according to claim 1 wherein the encrypted version of the CPK is kept in persistent storage in tabular form where the rows and columns represent the corresponding authentication method and user.
  - 11. A method according to claim 1 wherein either authentication methods or users or both can be dynamically added or removed.
  - 12. A method according to claim 1 wherein the mathematical mechanisms used to generate the CISK can be replaced.
  - 13. A method according to claim 1 wherein authentication methods are trained for each user to enable them to return a CIS.
  - 14. A method according to claim 1 wherein a one-way hash is generated each time a CISK is generated, and wherein each persistently stored CISK, stored as a tuple together with the said hash, and wherein authentication is dependent on the hashes of the CISKs generated by each authentication method and user matching a hashes stored for that authentication method and user.
  - 15. A method according to claim 1 by which the CPK is further mathematically modified by means of the unique identifier relating to a specific client.
  - 16. A computing device arranged to operate in accordance with a method as claimed in claim 1.
  - 17. An operating system for causing a computing device to operate in accordance with a method as claimed in claim 1.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Corporation
Original Assignee
Symbian Software Limited (Accenture PLC)
Inventors
Harker, Andrew

Application Number

US12/303,282
Publication Number

US 20090327722A1
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

G06F 21/31 User authentication

Transient Protection Key Derivation in a Computing Device

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

7 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Transient Protection Key Derivation in a Computing Device

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

7 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links