REMOTE AUTHENTICATION AND TRANSACTION SIGNATURES

US 20110258452A1
Filed: 04/13/2011
Published: 10/20/2011
Est. Priority Date: 05/31/2007
Status: Active Grant

First Claim

Patent Images

1. A method for securing an application comprising the steps of:

registering data representing a private key for at least one user having a PKI device storing said private key;

said registering comprisingreceiving a representation of a Private Key Code generated by a reader device operating in conjunction with said PKI device where said generation of said Private Key Code by said reader device occurs by said reader device generating and sending a challenge to said PKI device, and instructing said PKI device to perform an asymmetric cryptographic operation on said challenge with said private key, and said reader device receiving from said PKI device a result of said asymmetric cryptographic operation, and deriving from said received result said Private Key Code;

deriving from said representation of said Private Key Code a Private Key Related Value,storing said Private Key Related Value linked to said user;

receiving from said at least one user at least one dynamic credential that has been generated by a reader device in conjunction with said PKI device and where said generation by said reader device of said dynamic credential comprises obtaining and sending said challenge to said PKI device, instructing said PKI device to perform an asymmetric cryptographic operation on said challenge with said private key, receiving from said PKI device a result of said asymmetric cryptographic operation, deriving from said received result a first Private Key Related Input Parameter, deriving said dynamic credential by cryptographically combining said derived first Private Key Related Input Parameter with at least one dynamic input variable;

verifying the received dynamic credentials comprising the steps of;

retrieving said stored Private Key Related Value linked to said user, andderiving from said retrieved Private Key Related Value a second Private Key Related Input Parameter,calculating a reference value by cryptographically combining said derived second Private Key Related Input Parameter with a value for at least one dynamic input variable, andcomparing said calculated reference value with said received dynamic credential; and

protecting access to said application in dependence on the outcome of said verifying.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides a method, apparatus, computer readable medium and signal which allows the usage of devices containing PKI private keys such as PKI-enabled smart cards or USB sticks to authenticate users and to sign transactions. The authenticity of the user and/or the message is verified. Furthermore the operation (authentication and/or signing) occurs without the need for an application to have some kind of a direct or indirect digital connection with the device containing the private key. In addition the operation occurs without the need for the PKI-enabled device containing the private key (e.g. a PKI smart card or USB stick) to either support symmetric cryptographic operations or to have been personalized with some secret or confidential data element that can be read by a suitable reader.

228 Citations

30 Claims

1. A method for securing an application comprising the steps of:
- registering data representing a private key for at least one user having a PKI device storing said private key;
  
  said registering comprisingreceiving a representation of a Private Key Code generated by a reader device operating in conjunction with said PKI device where said generation of said Private Key Code by said reader device occurs by said reader device generating and sending a challenge to said PKI device, and instructing said PKI device to perform an asymmetric cryptographic operation on said challenge with said private key, and said reader device receiving from said PKI device a result of said asymmetric cryptographic operation, and deriving from said received result said Private Key Code;
  
  deriving from said representation of said Private Key Code a Private Key Related Value,storing said Private Key Related Value linked to said user;
  
  receiving from said at least one user at least one dynamic credential that has been generated by a reader device in conjunction with said PKI device and where said generation by said reader device of said dynamic credential comprises obtaining and sending said challenge to said PKI device, instructing said PKI device to perform an asymmetric cryptographic operation on said challenge with said private key, receiving from said PKI device a result of said asymmetric cryptographic operation, deriving from said received result a first Private Key Related Input Parameter, deriving said dynamic credential by cryptographically combining said derived first Private Key Related Input Parameter with at least one dynamic input variable;
  
  verifying the received dynamic credentials comprising the steps of;
  
  retrieving said stored Private Key Related Value linked to said user, andderiving from said retrieved Private Key Related Value a second Private Key Related Input Parameter,calculating a reference value by cryptographically combining said derived second Private Key Related Input Parameter with a value for at least one dynamic input variable, andcomparing said calculated reference value with said received dynamic credential; and
  
  protecting access to said application in dependence on the outcome of said verifying.
- View Dependent Claims (2, 3, 4, 16)
- - 2. The method of claim 1 wherein aid representation of said Private Key Code comprises said Private Key Code encrypted with a symmetric Activation Key secret by said reader;
    - andderiving said Private Key Related Value from said representation of said Private Key Code comprises decrypting said encrypted Private Key Code.
  - 3. The method of claim 2 further comprising providing the user with an Activation Code and wherein said Activation Key secret is derived by said reader device from said Activation Code.
  - 4. The method of claim 3 further comprising providing the user with said reader device.
  - 16. The method of claim 1 further comprising the steps of:
    - receiving from a user a claimed identity;
      
      receiving a User Identity Code;
      
      determining using the received claimed identity a User Identity Reference Code; and
      
      comparing said User Identity Reference Code with said received User Identity Code.

5. A reader device for generating dynamic credentials comprising:
- a communication interface to communicate with a PKI device that stores at least one private key and that is capable of performing asymmetric cryptographic operations with said private key, said communication interface adapted to exchange data and commands with said PKI device;
  
  processing components adapted to;
  
  generate a challenge,send said challenge to said PKI device,instruct said PKI device to perform an asymmetric cryptographic operation on said challenge,receive from said PKI device a result of said asymmetric cryptographic operation;
  
  derive a Private Key Code from said received result;
  
  derive a Private Key Related Input Parameter from said received result; and
  
  generate dynamic credentials by cryptographically combining said Private Key Related Input Parameter with at least one dynamic variable using a symmetric cryptographic algorithm;
  
  said reader device further comprising output components adapted to output data related to said Private Key Code and said generated dynamic credentials.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 6. The reader device of claim 5 wherein said processing components are further adapted to encrypt said Private Key Code with an Activation Key secret using a symmetric encryption algorithm.
  - 7. The reader of claim 6 further comprising input components adapted to receive an Activation Code;
    - andwherein said processing means are further adapted to derive said Activation Key secret from said Activation Code.
  - 8. The reader device of claim 5 further comprising a memory for storing one or more symmetric secret keys;
    - andwherein said processing means are further adapted to generate dynamic credentials by cryptographically combining said Private Key Related Input Parameter and at least one dynamic variable with at least one of said one or more symmetric secret keys using a symmetric cryptographic algorithm.
  - 9. The reader device of claim 8 wherein at least one of said one or more symmetric secret keys is shared among a plurality of reader devices.
  - 10. The reader device of claim 8 wherein at least one of said one or more symmetric secret keys is specific for each one of a plurality of reader devices.
  - 11. The reader device of claim 5 wherein said PKI device comprises a smart card and wherein said communication means comprises a smart card interface.
  - 12. The reader device of claim 5 wherein said asymmetric cryptographic operation by said PKI device with said private key comprises digitally signing said challenge with said private key and wherein said received result of said asymmetric cryptographic operation comprises a digital signature.
  - 13. The reader device of claim 5 further adapted to:
    - read from said PKI device an identity related data element that is related to the identity of the legitimate holder of the PKI device; and
      
      derive from said identity related data element a User Identity Code.
  - 14. The reader device of claim 13 wherein said output components are further adapted to output said User Identity Code.
  - 15. The reader device of claim 13 wherein said processing components are further adapted to generate dynamic credentials by cryptographically combining said Private Key Related Input Parameter and said User Identity Code with at least one dynamic variable using a symmetric cryptographic algorithm

17. A method for verifying dynamic credentials comprising:
- receiving a dynamic credential for verification accompanied by an identification parameter;
  
  obtaining, based on said identification parameter, a reference private key related input parameter,combining said reference private key related input parameter with at least one reference dynamic variable to produce a reference dynamic credential; and
  
  comparing said reference dynamic credential with said received dynamic credential.
- View Dependent Claims (18, 19, 20, 21)
- - 18. A method as recited in claim 17 wherein said identification parameter includes data dependent on a user or a reader device used by the user.
  - 19. A method as recited in claim 18 wherein the reference dynamic credential comprises a combination of said reference private key related input parameter, at least one reference dynamic variable and a value corresponding to a secret value stored in a reader device used to create said dynamic credential.
  - 20. A method as recited in claim 18 wherein the secret value is common to plural different reader devices.
  - 21. A method as recited in claim 18 wherein the secret value is unique to the reader device which created the dynamic credential.

22. A system for verifying a dynamic credential received with an identification parameter comprising:
- means for receiving a dynamic credential for verification accompanied by an identification parameter;
  
  means for obtaining, based on said identification parameter, a reference private key related input parameter,means for combining said reference private key related input parameter with at least one reference dynamic variable to produce a reference dynamic credential; and
  
  means for comparing said reference dynamic credential with said received dynamic credential.
- View Dependent Claims (23, 24, 25)
- - 23. A system as recited in claim 22 wherein said means for obtaining includes a data base which is addressed by data related to said identification parameter to produce data relating to said reference private key related input parameter.
  - 24. The system as recited in claim 23 wherein said identification parameter includes data dependent on a user or a reader device used by the user.
  - 25. The system of claim 23 wherein the means for combining combines said reference private key related input parameter, at least one reference dynamic variable and a value corresponding to a secret value stored in a reader device used to create said dynamic credential.

26. A computer readable medium storing a sequence of instructions which, when executed performs a method for verifying dynamic credentials comprising:
- receiving a dynamic credential for verification accompanied by an identification parameter;
  
  obtaining, based on said identification parameter, a reference private key related input parameter,combining said reference private key related input parameter with at least one reference dynamic variable to produce a reference dynamic credential; and
  
  comparing said reference dynamic credential with said received dynamic credential.
- View Dependent Claims (27, 28, 29, 30)
- - 27. A computer readable medium as recited in claim 26 wherein said identification parameter includes data dependent on a user or a reader device used by the user.
  - 28. A computer readable medium as recited in claim 27 wherein the reference dynamic credential comprises a combination of said reference private key related input parameter, at least one reference dynamic variable and a value corresponding to a secret value stored in a reader device used to create said dynamic credential.
  - 29. A computer readable medium as recited in claim 28 wherein the secret value is common to plural different reader devices.
  - 30. A computer readable medium as recited in claim 28 wherein the secret value is unique to the reader device which created the dynamic credential.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Onespan North America Incorporated (OneSpan, Inc.)
Original Assignee
Vasco Data Security Incorporated (OneSpan, Inc.)
Inventors
Mennes, Frederik, Hoornaert, Frank, Coulier, Frank

Granted Patent

US 8,667,285 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

G06F 21/31   User authentication

G06F 21/34   involving the use of extern...

G06Q 20/3823   combining multiple encrypti...

G06Q 20/388   using mutual authentication...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 9/006   involving public key infras...

H04L 9/3228   One-time or temporary data,...

H04L 9/3242   involving keyed hash functi...

H04L 9/3263   involving certificates, e.g...

H04L 9/3271   using challenge-response

REMOTE AUTHENTICATION AND TRANSACTION SIGNATURES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

228 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

REMOTE AUTHENTICATION AND TRANSACTION SIGNATURES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

228 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links