Soft-Token Authentication System

US 20130097427A1
Filed: 10/12/2011
Published: 04/18/2013
Est. Priority Date: 10/12/2011
Status: Active Application

First Claim

Patent Images

1. A soft-token authentication system for controlling access by a user to a remote service, comprising:

a local device that interfaces with the user;

an interface for the local device to communicate with the remote service;

a PIN which is provided by the user to the local device;

storage used by the local device for storing soft-token data; and

a shared secret which is (a) known by the remote service, (b) saved by the local device after being encrypted using the user'"'"'s PIN, and (c) used to perform a challenge and response sequence, via the interface, between the local device and remote service.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for authenticating a user and his local device to a secured remote service with symmetrical keys, which utilizes a PIN from the user and a unique random value from the local device in such a way that prevents the remote service from ever learning the user'"'"'s PIN, or a hash of that PIN. The system also provides mutual authentication, verifying to the user and local device that the correct remote service is being used. At the same time, the system protects against PIN guessing attacks by requiring communication with the said remote service in order to verify if the correct PIN is known. Also, the system works in such a way as to change the random value stored on the user'"'"'s local device after each authentication session.

Citations

13 Claims

1. A soft-token authentication system for controlling access by a user to a remote service, comprising:
- a local device that interfaces with the user;
  
  an interface for the local device to communicate with the remote service;
  
  a PIN which is provided by the user to the local device;
  
  storage used by the local device for storing soft-token data; and
  
  a shared secret which is (a) known by the remote service, (b) saved by the local device after being encrypted using the user'"'"'s PIN, and (c) used to perform a challenge and response sequence, via the interface, between the local device and remote service.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The soft-token authentication system of claim 1, wherein encryption of the said shared secret is done using a cryptographic hash of the user'"'"'s PIN.
  - 3. The soft-token authentication system of claim 1, wherein the said challenge and response sequence provides mutual authentication.
  - 4. The soft-token authentication system of claim 1, wherein the said shared secret is replaced with a new random value as part of each authentication.
  - 5. The soft-token authentication system of claim 1, wherein the said shared secret is encrypted using a cryptographic hash of the user'"'"'s PIN in such a way that decryption with any PIN hash will produce a plausible secret value.
  - 6. The soft-token authentication system of claim 1, wherein the said user'"'"'s PIN, or any hash value derived therefrom, is never communicated to the remote service.
  - 7. The soft-token authentication system of claim 1, wherein the said local device is unable to verify that the user has entered his original PIN without communicating with the remote service.

8. A method for controlling access to a remote service by a user who has a local device, comprising the steps of:
- creating a soft-token on the local device by;
  
  generating a new shared secret, via an interface between the local device and remote service;
  
  storing the shared secret at the remote service;
  
  encrypting the shared secret using a PIN provided by the user during soft-token creation to produce a hidden secret;
  
  saving the hidden secret on storage that is accessible to the local device; and
  
  using the soft-token that was created by;
  
  decrypting the hidden secret using a PIN provided by the user during authentication to produce a plausible shared secret; and
  
  using the plausible shared secret to carry out a challenge and response sequence, via the interface between the local device and remote service.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, wherein the said shared secret is encrypted using a cryptographic hash of the user'"'"'s PIN.
  - 10. The method of claim 8, further comprising the step of completing the said challenge and response sequence in such a way that provides mutual authentication.
  - 11. The method of claim 8, further comprising the step of replacing the said shared secret with a new random value as part of the authentication.
  - 12. The method of claim 8, wherein the PIN provided by the user, or any hash value derived therefrom, is never communicated to the remote service.
  - 13. The method of claim 8, wherein the said local device is unable to verify if the user entered the correct PIN without communicating with the said remote service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CybrSecurity Corporation.
Original Assignee
Goldkey Security Corporation
Inventors
Billings, Roger E., Billings, John A.

Granted Patent

US 10,263,782 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/182
CPC Class Codes

H04L 9/3228   One-time or temporary data,...

H04L 9/3234   involving additional secure...

H04L 9/3273   for mutual authentication n...

Soft-Token Authentication System

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Soft-Token Authentication System

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links