Soft-Token Authentication System
Abstract
A system for authenticating a user and his local device to a secured remote service with symmetrical keys, which utilizes a PIN from the user and a unique random value from the local device in such a way that prevents the remote service from ever learning the user's PIN, or a hash of that PIN. The system also provides mutual authentication, verifying to the user and local device that the correct remote service is being used. At the same time, the system protects against PIN guessing attacks by requiring communication with the said remote service in order to verify if the correct PIN is known. Also, the system works in such a way as to change the random value stored on the user's local device after each authentication session.
13 Claims
1. A soft-token authentication system for controlling access by a user to a remote service, comprising:
- a local device that interfaces with the user;
- an interface for the local device to communicate with the remote service;
- a PIN which is provided by the user to the local device;
- storage used by the local device for storing soft-token data; and
- a shared secret which is (a) known by the remote service, (b) saved by the local device after being encrypted using the user's PIN, and (c) used to perform a challenge and response sequence, via the interface, between the local device and remote service.
8. A method for controlling access to a remote service by a user who has a local device, comprising the steps of:
- creating a soft-token on the local device by;
  - generating a new shared secret, via an interface between the local device and remote service;
  - storing the shared secret at the remote service;
  - encrypting the shared secret using a PIN provided by the user during soft-token creation to produce a hidden secret;
  - saving the hidden secret on storage that is accessible to the local device; and
- using the soft-token that was created by;
  - decrypting the hidden secret using a PIN provided by the user during authentication to produce a plausible shared secret; and
  - using the plausible shared secret to carry out a challenge and response sequence, via the interface between the local device and remote service.
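The steps of claim 8, as an added Python sketch that is not code from the patent: a wrong PIN still decrypts to a plausible secret, so only the remote service can tell whether a PIN guess was right. Assumptions of this sketch: a PBKDF2-derived XOR pad as the PIN encryption, HMAC-SHA256 as the response, a three-failure lockout, and all class and function names.

```python
import hashlib, hmac, secrets

def pin_pad(pin: str, salt: bytes, n: int) -> bytes:
    # Assumption: PBKDF2 output used as a one-time pad over the random secret.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000, dklen=n)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class RemoteService:
    def __init__(self, max_failures: int = 3):  # lockout policy is an assumption
        self.shared, self.failures, self.pending = {}, {}, {}
        self.max_failures = max_failures

    def enroll(self, user: str) -> bytes:
        # Generate and store the shared secret; sent to the device at creation.
        self.shared[user], self.failures[user] = secrets.token_bytes(32), 0
        return self.shared[user]

    def challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]

    def verify(self, user: str, response: bytes) -> bool:
        challenge = self.pending.pop(user, None)  # each challenge is single-use
        if challenge is None or user not in self.shared:
            return False
        if self.failures[user] >= self.max_failures:
            return False  # locked: further guesses get no answer
        expected = hmac.new(self.shared[user], challenge, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        self.failures[user] = 0 if ok else self.failures[user] + 1
        return ok

class LocalDevice:
    def create_soft_token(self, service: RemoteService, user: str, pin: str):
        self.salt = secrets.token_bytes(16)
        shared = service.enroll(user)
        # Hidden secret: no checksum or MAC, so it cannot confirm a PIN guess.
        self.hidden = xor(shared, pin_pad(pin, self.salt, len(shared)))

    def respond(self, pin: str, challenge: bytes) -> bytes:
        # Any PIN yields 32 random-looking bytes: a "plausible shared secret".
        plausible = xor(self.hidden, pin_pad(pin, self.salt, len(self.hidden)))
        return hmac.new(plausible, challenge, hashlib.sha256).digest()

def authenticate(device, service, user, pin) -> bool:
    return service.verify(user, device.respond(pin, service.challenge(user)))
```

Someone holding a copy of the device storage has nothing to test a PIN against offline; each guess costs one online attempt that the service can count and refuse.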
Specification