CRYPTOGRAPHIC DEVICE THAT BINDS AN ADDITIONAL AUTHENTICATION FACTOR TO MULTIPLE IDENTITIES

US 20120084565A1
Filed: 09/30/2010
Published: 04/05/2012
Est. Priority Date: 09/30/2010
Status: Active Grant

First Claim

Patent Images

1. In a computing environment, a method of binding a security artifact to a user'"'"'s account at a service provider, the method comprising:

determining a user'"'"'s identity;

generating a pseudonym for a security artifact, wherein the pseudonym is an identifier of the security artifact to the service provider that is unique to the service provider in that the pseudonym is not used to identify the security artifact to other service providers and in that it uniquely identifies the particular security artifact to the service provider even when the user has available a plurality of different security artifacts to authenticate to the same service provider to access a user account for the user; and

providing the pseudonym for the security artifact to the service provider, wherein the pseudonym for the security artifact is bound with a user account at the service provider for the user associated with the security artifact.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Binding a security artifact to a service provider. A method includes generating a pseudonym for a security artifact. The pseudonym is an identifier of the security artifact to the service provider that is unique to the service provider in that the pseudonym is not used to identify the security artifact to other service providers. Further, the pseudonym uniquely identifies the particular security artifact to the service provider even when a user has available a number of different security artifacts to authenticate to the same service provider to access a user account for the user. The method further includes providing the pseudonym for the security artifact to the service provider. The pseudonym for the security artifact is bound with a user account at the service provider for a user associated with the security artifact.

43 Citations

View as Search Results

20 Claims

1. In a computing environment, a method of binding a security artifact to a user'"'"'s account at a service provider, the method comprising:
- determining a user'"'"'s identity;
  
  generating a pseudonym for a security artifact, wherein the pseudonym is an identifier of the security artifact to the service provider that is unique to the service provider in that the pseudonym is not used to identify the security artifact to other service providers and in that it uniquely identifies the particular security artifact to the service provider even when the user has available a plurality of different security artifacts to authenticate to the same service provider to access a user account for the user; and
  
  providing the pseudonym for the security artifact to the service provider, wherein the pseudonym for the security artifact is bound with a user account at the service provider for the user associated with the security artifact.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein generating a pseudonym for a security artifact comprises using a service provider identifier, the service provider identifier uniquely identifying a service provider, and a security artifact secret, the security artifact secret uniquely identifying the security artifact.
  - 3. The method of claim 1, wherein generating a pseudonym for a security artifact comprises the security artifact generating the pseudonym and wherein providing the pseudonym for the security artifact to the service provider comprises the security artifact providing the pseudonym to the service provider as part of a binding protocol exchange.
  - 4. The method of claim 1, wherein generating a pseudonym for a security artifact comprises randomly generating the pseudonym whereafter the pseudonym is associated with both the security artifact and the service provider.
  - 5. The method of claim 1, wherein the pseudonym for the security artifact comprises a public key of an asymmetric key set.
  - 6. The method of claim 1, wherein the acts of claim 1 are repeated with the same security artifact, but with a different service provider, resulting in generating a different pseudonym that is used by the same security artifact with the different service provider.
  - 7. The method of claim 1, wherein the acts of claim 1 are repeated with a different security artifact, but with the same service provider, resulting in generating a different pseudonym that is used by the different security artifact with the same service provider, such that a user account is associated with a plurality of different security artifacts, any one or more of which may be used to access the user account.
  - 8. The method of claim 1, wherein the security artifact comprises a portable hardware device including at least one of a USB dongle, smart chip on a card or a SIM card in mobile phone.
  - 9. The method of claim 1, wherein the security artifact includes functionality for accepting second factor authentication including at least one of provisions for biometric validation or pin entry.
  - 10. The method of claim 1, wherein the security artifact comprises a software module implemented on a computer system by storing computer readable instructions in one or more physical computer readable media and executing the computer readable instructions using one or more processors.
  - 11. The method of claim 1 further comprising, using the security artifact to authenticate directly to the service provider upon access.
  - 12. The method of claim 1 further comprising, using the security artifact to protect one or more ephemeral or long-lived security tokens that have been issued for one or multiple uses.

13. In a computing environment, a method of using a security artifact bound to a user account at a service provider, the method comprising:
- receiving a security artifact challenge from a service provider;
  
  accessing a unique identifier for the service provider;
  
  using the unique identifier from the service provider and a unique secret for a security artifact, generating an asymmetric private key;
  
  accessing a nonce;
  
  signing the nonce with the asymmetric private key;
  
  sending the signature on the nonce to the service provider, whereafter the service provider validates the signature on the nonce to authenticate the security artifact; and
  
  accessing the service provider as a result of the service provider authenticating the security artifact
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The method of claim 13, wherein sending the signature on the nonce to the service provider comprises sending the signature on the nonce to an application which forwards the signature to the service provider.
  - 15. The method of claim 13, wherein the security artifact challenge is received as a result of an application sending an access request.
  - 16. The method of claim 13, wherein the acts of claim 13 are repeated with the same security artifact, but with a different service provider, such that the same security artifact is used with different service providers.
  - 17. The method of claim 13, wherein the acts of claim 13 are repeated with a different security artifact, but with the same service provider, such that a user account at the service provider is associated with a plurality of different security artifacts, any one or more of which may be used to access the user account.
  - 18. The method of claim 13, wherein the security artifact comprises a portable hardware device including at least one of a USB dongle, smart chip on a card or a SIM card in mobile phone.
  - 19. The method of claim 13, wherein the security artifact comprises a software module implemented on a computer system by storing computer readable instructions in one or more physical computer readable media and executing the computer readable instructions using one or more processors.

20. In a computing environment, a method of validating a user using a security artifact at a service provider, the method comprisingreceiving a request from a security artifact for a site key;
- in response to the request from the security artifact for a site key, returning a service provider unique identifier to the security artifact;
  
  receiving from the security artifact a pseudonym from the security artifact, wherein the pseudonym is generated using the service provider unique identifier and a security artifact secret unique to the security artifact, wherein the pseudonym comprises a public key of an asymmetric key pair;
  
  registering the pseudonym with a user account at a service provider;
  
  receiving a request for access of to the user account from an application;
  
  sending a message to the application indicating that authentication is required to service the request;
  
  receiving a request from the application for authentication;
  
  in response to receiving a request from the application for authentication, sending a security artifact challenge to the application, wherein the device challenge comprises the service provider unique identifier and a nonce;
  
  receiving a security artifact response comprising the signature on a nonce generated using a private key generated using the service provider unique identifier and the security artifact secret unique to the security artifact; and
  
  validating the security artifact response using the pseudonym.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Paquin, Christian, Malaviarachchi, Rushmi U., Wittenberg, Craig Henry

Granted Patent

US 8,819,437 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/172
CPC Class Codes

H04L 2209/42   Anonymization, e.g. involvi...

H04L 9/32   including means for verifyi...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

H04L 9/3271   using challenge-response

CRYPTOGRAPHIC DEVICE THAT BINDS AN ADDITIONAL AUTHENTICATION FACTOR TO MULTIPLE IDENTITIES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

43 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

CRYPTOGRAPHIC DEVICE THAT BINDS AN ADDITIONAL AUTHENTICATION FACTOR TO MULTIPLE IDENTITIES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links