ONE TIME PASSWORD KEY RING FOR MOBILE COMPUTING DEVICE

US 20100262834A1
Filed: 04/14/2009
Published: 10/14/2010
Est. Priority Date: 04/14/2009
Status: Active Grant

First Claim

Patent Images

1. One or more computer-readable media comprising computer-executable instructions for provisioning independent generation of single-use combinations of characters to aid in remote verification, the computer-executable instructions directed to steps comprising:

receiving information regarding a server computing device associated with a remote entity with which the provisioning will be performed;

receiving provisioning information, comprising a signature, from the server computing device;

verifying the signature of the received provisioning information based on the received information regarding the server computing device;

creating a private key from a random value;

selecting parameters from the received provisioning information;

creating a public key from data comprising;

the private key and the selected parameters;

creating a shared secret from data comprising;

the private key, the selected parameters, and a public key of the server computing device associated with the selected parameters; and

creating, from data comprising the shared secret, a single-use combination of characters to aid in remote verification to the remote entity.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Single-use character combinations are a secure mechanism for user authentication. Such “one-time passwords” (OTPs) can be generated by a mobile device to which the user otherwise maintains easy access. A key exchange, such as in accordance with the Diffie-Hellman algorithm, can provide both the mobile device and a server with a shared secret from which the OTPs can be generated. The shared secret can be derived from parameters posted on the server and updated periodically, and the mobile device can obtain such parameters from the server before generating an OTP. Such parameters can also specify the type of OTP mechanism to be utilized. A second site can, independently, establish an OTP mechanism with the mobile device. For efficiency, the first server can provide an identity token which provides the mobile device'"'"'s public key in a trusted manner, enabling more efficient generation of the shared secret with the second server.

83 Citations

View as Search Results

20 Claims

1. One or more computer-readable media comprising computer-executable instructions for provisioning independent generation of single-use combinations of characters to aid in remote verification, the computer-executable instructions directed to steps comprising:
- receiving information regarding a server computing device associated with a remote entity with which the provisioning will be performed;
  
  receiving provisioning information, comprising a signature, from the server computing device;
  
  verifying the signature of the received provisioning information based on the received information regarding the server computing device;
  
  creating a private key from a random value;
  
  selecting parameters from the received provisioning information;
  
  creating a public key from data comprising;
  
  the private key and the selected parameters;
  
  creating a shared secret from data comprising;
  
  the private key, the selected parameters, and a public key of the server computing device associated with the selected parameters; and
  
  creating, from data comprising the shared secret, a single-use combination of characters to aid in remote verification to the remote entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-readable media of claim 1, comprising further computer-executable instructions for establishing a communicational connection with a personal computing device and providing the single-use combination of characters to one or more application programs executing on the personal computing device, the one or more application programs communicationally coupled to the remote entity, wherein the receiving the information regarding the server computing device was from the one or more application programs executing on the personal computing device.
  - 3. The computer-readable media of claim 1, comprising further computer-executable instructions for displaying the single-use combination of characters to a user.
  - 4. The computer-readable media of claim 1, comprising further computer-executable instructions for obtaining an identity token from another server computing device with which the independent generation of the single-use combinations of characters have already been provisioned and providing the identity token to the server computing device.
  - 5. The computer-readable media of claim 1, comprising further computer-executable instructions for:
    - receiving a registration code generated by the server computing device;
      
      providing client data comprising;
      
      the selected parameters and the public key to the server computing device; and
      
      providing a cryptographic verification of the client data to the server computing device, the cryptographic verification being based on a combination of the shared secret and the registration code.
  - 6. The computer-readable media of claim 1, comprising further computer-executable instructions for:
    - creating, from data comprising the shared secret, a first confirmation code;
      
      receiving a second confirmation code generated by the server computing device; and
      
      determining that the provisioning the independent generation of the single-use combinations of characters was successful if the first confirmation code is equivalent to the second confirmation code.
  - 7. The computer-readable media of claim 1, comprising further computer-executable instructions for:
    - receiving challenge data generated by the server computing device;
      
      creating response data from data comprising;
      
      the challenge data and the shared secret; and
      
      transmitting the response data to the server computing device to verify proper provisioning of the independent generation of the single-use combinations of characters.
  - 8. The computer-readable media of claim 1, comprising further computer-executable instructions for obtaining, from the remote entity, updated data comprising a public key, wherein the creating the shared secret comprises creating an updated shared secret from data comprising the public key of the updated data, and wherein further the creating the single-use combination of characters comprises creating the single-use combination of characters from data comprising the updated shared secret.
  - 9. The computer-readable media of claim 1, wherein the data from which the single-use combination of characters is created further comprises a challenge issued by the remote entity.

10. One or more computer-readable media comprising computer-executable instructions for provisioning independent generation of single-use combinations of characters to aid in remote verification, the computer-executable instructions directed to steps comprising:
- creating a private key from a random value;
  
  creating provisioning information comprising parameters and public keys corresponding to the parameters;
  
  providing the provisioning information to one or more clients through network communications;
  
  receiving client data comprising;
  
  selected parameters, selected from the parameters of the provisioning information and a public key of a client generating the received client data;
  
  creating a shared secret from data comprising;
  
  the private key, the selected parameters, and the public key of the client;
  
  receiving a first single-use combination of characters generated by the client as a remote verification;
  
  creating a second single-use combination of characters from data comprising the shared secret; and
  
  verifying the client if the first single-use combination of characters is equivalent to the second single-use combination of characters.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The computer-readable media of claim 10, comprising further computer-executable instructions for receiving an identity token, comprising the public key of the client, the identity token having been issued by a site with which the client has already provisioned the independent generation of the single-use combinations of characters.
  - 12. The computer-readable media of claim 10, comprising further computer-executable instructions for creating a registration code and verifying a cryptographic verification of the client data with reference to the registration code and the shared secret, wherein the computer-executable instructions for receiving the client data further comprise computer-executable instructions for receiving the cryptographic verification of the client data.
  - 13. The computer-readable media of claim 10, comprising further computer-executable instructions for:
    - creating, from data comprising the shared secret, a first confirmation code;
      
      receiving an indication of whether the first confirmation code was equivalent to an independently generated second confirmation code; and
      
      determining that the provisioning the independent generation of the single-use combinations of characters was successful if the indication indicated that the first confirmation code is equivalent to the second confirmation code.
  - 14. The computer-readable media of claim 10, comprising further computer-executable instructions for generating challenge data, wherein the data from which the second single-use combination of characters is created further comprises the challenge data.
  - 15. The computer-readable media of claim 10, comprising further computer-executable instructions for creating updated data comprising at least one updated public key and providing the updated data to one or more clients through network communications, wherein the creating the shared secret comprises creating an updated shared secret from data comprising one public key from the at least one updated public key of the updated data, and wherein further the creating the second single-use combination of characters comprises creating the second single-use combination of characters from data comprising the updated shared secret.

16. A system for providing protected information to at least one user, the system comprising:
- a server computing device associated with a site providing at least some of the protected information, the server computing device comprising a first shared secret from which single-use combinations of characters are created and updated data for creating the single-use combinations of characters, wherein the first shared secret is based on the updated data; and
  
  a mobile computing device utilized by the at least one user to generate a single-use combination of characters to verify the at least one user to the site, the mobile computing device comprising a second shared secret, equivalent to the first shared secret, from which the single-use combination of characters is created and a network connection for obtaining the updated data from the server computing device prior to creating the single-use combination of characters.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, wherein the mobile computing device further comprises computer-executable instructions for performing steps comprising:
    - receiving information regarding the server computing device;
      
      receiving provisioning information, comprising a signature, from the server computing device;
      
      verifying the signature of the received provisioning information based on the received information regarding the server computing device;
      
      creating a mobile computing device private key from a random value;
      
      selecting parameters from the received provisioning information;
      
      creating a mobile computing device public key from data comprising;
      
      the mobile computing device private key and the selected parameters;
      
      creating the second shared secret from data comprising;
      
      the mobile computing device private key, the selected parameters, and a public key of the server computing device associated with the selected parameters; and
      
      creating, from data comprising the shared secret, the single-use combination of characters; and
      
      wherein further the server computing device further comprises computer-executable instructions for performing steps comprising;
      
      creating a server computing device private key from another random value;
      
      creating the provisioning information and the signature;
      
      providing the provisioning information and the signature to the mobile computing device;
      
      receiving mobile device data comprising;
      
      the selected parameters and the mobile computing device public key;
      
      creating the first shared secret from data comprising;
      
      the server computing device private key, the selected parameters, and the mobile computing device public key;
      
      receiving the single-use combination of characters;
      
      creating a second single-use combination of characters from data comprising the first shared secret; and
      
      verifying the at least one user if the single-use combination of characters is equivalent to the second single-use combination of characters.
  - 18. The system of claim 16, wherein the first shared secret is created by the server computing device using a public key of the mobile computing device provided to the server computing device via an identity token;
    - the system further comprising a second server computing device associated with a second site providing more of the protected information, wherein the mobile computing device has already provisioned a single-use combination of characters generation mechanism with the second site, the second server computing device comprising the identity token.
  - 19. The system of claim 16, further comprising a personal computing device utilized by the at least one user to access the protected information through the site, the personal computing device comprising a communicational connection with the mobile computing device and one or more application programs for accessing the protected information through the site, the one or more application programs comprising computer-executable instructions for obtaining the single-use combination of characters from the mobile device through the communicational connection.
  - 20. The system of claim 16, further comprising a personal computing device associated with the site, the personal computing device comprising a communicational connection with the mobile device and a provisioning application program comprising computer-executable instructions for providing, to the mobile device through the communicational connection, provisioning information comprising at least one public key of the server computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Freeman, Trevor William, Shah, Atul Kumar, Biccum, K John, Benaloh, Josh

Granted Patent

US 8,230,231 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/184
CPC Class Codes

G06F 21/31   User authentication

G06F 21/33   using certificates

H04L 2209/80   Wireless network architectu...

H04L 63/0838   using one-time-passwords

H04L 9/0891   Revocation or update of sec...

H04L 9/3228   One-time or temporary data,...

H04L 9/3247   involving digital signatures

H04L 9/3271   using challenge-response

ONE TIME PASSWORD KEY RING FOR MOBILE COMPUTING DEVICE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

83 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ONE TIME PASSWORD KEY RING FOR MOBILE COMPUTING DEVICE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

83 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links