STRONG AUTHENTICATION TOKEN WITH VISUAL OUTPUT OF PKI SIGNATURES

US 20130198519A1
Filed: 12/27/2012
Published: 08/01/2013
Est. Priority Date: 12/30/2011
Status: Active Grant

First Claim

Patent Images

1. A portable handheld authentication device comprising at least one data processing component and a display, the authentication device adapted to:

generate an input value;

submit the input value to an asymmetric cryptographic operation, said asymmetric cryptographic operation generating a result based on an asymmetric cryptographic algorithm parameterized by a first private key of a public-private key pair;

obtain the result of said asymmetric cryptographic operation;

generate an authentication message substantially comprising said result of said asymmetric cryptographic operation;

encode said authentication message into one or more images; and

display said one or more images on said display.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A handheld authentication device comprising a data processor and a display is adapted to: generate an input value; submit the input value to an asymmetric cryptographic operation; obtain the result of said asymmetric cryptographic operation; generate an authentication message substantially comprising the result of the asymmetric cryptographic operation; encode the authentication message into one or more images; and display these images on the display. A method for securing computer-based applications remotely accessed by a user comprises capturing images displayed on the display of an authentication device of the user whereby these images have been encoded with an authentication message generated by the authentication device and whereby the authentication message comprises the result of an asymmetric cryptographic operation on an input value; decoding the images to retrieve the authentication message; retrieving the result of the asymmetric cryptographic operation from the authentication message; verifying the authentication message.

122 Citations

40 Claims

1. A portable handheld authentication device comprising at least one data processing component and a display, the authentication device adapted to:
- generate an input value;
  
  submit the input value to an asymmetric cryptographic operation, said asymmetric cryptographic operation generating a result based on an asymmetric cryptographic algorithm parameterized by a first private key of a public-private key pair;
  
  obtain the result of said asymmetric cryptographic operation;
  
  generate an authentication message substantially comprising said result of said asymmetric cryptographic operation;
  
  encode said authentication message into one or more images; and
  
  display said one or more images on said display.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 2. The authentication device of claim 1 further comprising a communication interface to communicate with a separate security device wherein:
    - said separate security device stores said first private key of said public-private key pair;
      
      said separate security device is adapted to perform said asymmetric cryptographic operation;
      
      said authentication device obtains said result of said asymmetric cryptographic operation by requesting said separate security device to generate said result of said asymmetric cryptographic operation by performing said asymmetric cryptographic operation on said input value using said first private key stored in the separate security device andreceiving from said separate security device said result of said asymmetric cryptographic operation generated by said separate security device.
  - 3. The authentication device of claim 2 wherein the separate security device comprises a removable smart card.
  - 4. The authentication device of claim 2 further comprising a data input interface adapted to receive at least one variable data element that is external to the authentication device and wherein the input value is generated using said at least one external variable data element.
  - 5. The authentication device of claim 4 wherein said data input interface comprises a keyboard.
  - 6. The authentication device of claim 4 wherein said data input interface comprises an optical data input interface.
  - 7. The authentication device of claim 4 wherein said data input interface comprises an acoustical data input interface.
  - 8. The authentication device of claim 4 wherein said at least one external variable data element comprises a challenge.
  - 9. The authentication device of claim 4 wherein said at least one external variable data element comprises transaction data.
  - 10. The authentication device of claim 1 or 2 further adapted to generate said input value using at least one variable data element that is internal to the authentication device.
  - 11. The authentication device of claim 10 further comprising a real-time clock and wherein said at least one internal variable data element comprises a time value provided by said real-time clock.
  - 12. The authentication device of claim 11 further comprising a counter and wherein said at least one internal variable data element comprises a counter value provided by said counter.
  - 13. The authentication device of claim 2 further adapted to include data related to said input value in said authentication message.
  - 14. The authentication device of claim 13 wherein said data related to said input value comprises the input value.
  - 15. The authentication device of claim 1 further comprising a first secure data storage component wherein said first secure data storage component stores said first private key and wherein said authentication device is further adapted to perform said asymmetric cryptographic operation and to generate said result of said asymmetric cryptographic operation by performing said asymmetric cryptographic operation on said input value using said first private key stored in said first secure data storage component.
  - 16. The authentication device of claim 2 further comprising a second secure data storage component wherein said second secure data storage component stores a secret data element.
  - 17. The authentication device of claim 16 further adapted to generate data cryptographically related to said input value by cryptographically combining a first cryptographic key with data related to said input value and to include said generated data cryptographically related to said input value in said authentication message wherein said first cryptographic key is comprised in or derived from said secret data element.
  - 18. The authentication device of claim 17 wherein said first cryptographic key comprises a symmetric cryptographic key that is shared with a verifying entity and wherein said cryptographically combining is done using a symmetric cryptographic algorithm.
  - 19. The authentication device of claim 17 wherein said first cryptographic key comprises an asymmetric cryptographic key and wherein said cryptographically combining is done using an asymmetric cryptographic algorithm.
  - 20. The authentication device of claim 17 wherein said first cryptographic key comprises an encryption key and wherein said cryptographically combining comprises encrypting said data related to said input value using an encryption algorithm.
  - 21. The authentication device of claim 16 further adapted to generate data cryptographically related to said result of said asymmetric cryptographic operation by cryptographically combining a second cryptographic key with at least a part of said result of said asymmetric cryptographic operation and to include said generated data cryptographically related to said result of said asymmetric cryptographic operation in said authentication message and wherein said second cryptographic key is comprised in or derived from said secret data element.
  - 22. The authentication device of claim 21 wherein said second cryptographic key comprises a symmetric cryptographic key that is shared with a verifying entity and wherein said cryptographically combining is done using a symmetric cryptographic algorithm.
  - 23. The authentication device of claim 21 wherein said second cryptographic key comprises an asymmetric cryptographic key and wherein said cryptographically combining is done using an asymmetric cryptographic algorithm.
  - 24. The authentication device of claim 21 wherein said second cryptographic key comprises an encryption key and wherein said cryptographically combining comprises encrypting at least a part of said result of said asymmetric cryptographic operation using an encryption algorithm.
  - 25. The authentication device of claim 2 further adapted to include in said authentication message a reference to the public key corresponding to said first private key.
  - 26. The authentication device of claim 1 or 2 further adapted to include in said authentication message a data element to identify the authentication device.
  - 27. The authentication device of claim 2 further adapted to include in said authentication message a data element to identify the user.
  - 28. The authentication device of claim 2 further adapted to include in said authentication message a data element to identify said separate security device.

29. A method for securing computer-based applications being remotely accessed by at least one user comprising the steps of:
- capturing one or more images displayed on the display of an authentication device of said at least one user whereby said one or more images have been encoded with an authentication message generated by said authentication device and whereby said authentication message comprises the result of an asymmetric cryptographic operation on an input value based on an asymmetric cryptographic algorithm parameterized by a first private key of a public-private key pair;
  
  decoding said one or more images to retrieve said authentication message;
  
  retrieving said result of said asymmetric cryptographic operation from said authentication message;
  
  verifying said authentication message;
  
  wherein verifying said authentication message comprises verifying said retrieved result of said asymmetric cryptographic operation using an asymmetric cryptographic algorithm parameterized with a public key corresponding to said first private key.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 30. The method of claim 29 wherein said result of said asymmetric cryptographic operation comprises a digital signature over said input value generated with a digital signature generation algorithm based on asymmetric cryptography and parameterized with said first private key and wherein verifying said retrieved result of said asymmetric cryptographic operation comprises verifying said digital signature using a digital signature verification algorithm based on asymmetric cryptography and parameterized with said public key.
  - 31. The method of claim 29 further comprising obtaining the value of said public key by using data comprised in said authentication message.
  - 32. The method of claim 31 wherein said authentication message further comprises a data element identifying said at least one user and wherein said user identifying data element is used to obtain the value of said public key.
  - 33. The method of claim 31 wherein said authentication message further comprises a data element identifying the device that performed said asymmetric cryptographic operation and wherein said device identifying data element is used to obtain the value of said public key.
  - 34. The method of claim 29 wherein said authentication message further comprises data related to said input value and wherein verifying said authentication message further comprises verifying said data related to said input value.
  - 35. The method of claim 29 wherein said authentication message further comprises data elements that are cryptographically related to said input value and wherein verifying said authentication message comprises cryptographically verifying said data elements that are cryptographically related to said input value.
  - 36. The method of claim 35 wherein said authentication message further comprises a data element identifying said authentication device;
    - wherein the method further comprises the step of obtaining the value of a first cryptographic key using said authentication device identifying data element; and
      
      wherein cryptographically verifying said data elements that are cryptographically related to said input value comprises using a cryptographic algorithm parameterized with said first cryptographic key.
  - 37. The method of claim 29 wherein said authentication message further comprises data elements that are cryptographically related to said result of said asymmetric cryptographic operation and wherein verifying said authentication message comprises cryptographically verifying said data elements that are cryptographically related to said result of said asymmetric cryptographic operation.
  - 38. The method of claim 37 wherein said authentication message further comprises a data element identifying said authentication device;
    - wherein the method further comprises the step of obtaining the value of a second cryptographic key using said authentication device identifying data element; and
      
      wherein cryptographically verifying said data elements that are cryptographically related to said result of said asymmetric cryptographic operation comprises using a cryptographic algorithm parameterized with said second cryptographic key.
  - 39. The method of claim 29 wherein said result of said asymmetric cryptographic operation comprised in said authentication message comprises at least one encrypted part and wherein retrieving said result of said asymmetric cryptographic operation from said authentication message comprises decrypting said at least one encrypted part.
  - 40. The method of claim 39 wherein said authentication message further comprises a data element identifying said authentication device;
    - wherein the method further comprises the step of obtaining the value of a third cryptographic key using said authentication device identifying data element; and
      
      wherein said decrypting of said at least one encrypted part comprises using a decryption algorithm parameterized with said third cryptographic key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Onespan North America Incorporated (OneSpan, Inc.)
Original Assignee
Vasco Data Security Incorporated (OneSpan, Inc.)
Inventors
MARIEN, DIRK

Granted Patent

US 8,966,268 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/172
CPC Class Codes

G06F 21/34   involving the use of extern...

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0838   using one-time-passwords

H04L 63/0853   using an additional device,...

H04L 63/126   the source of the received ...

H04L 63/18   using different networks or...

H04L 9/006   involving public key infras...

H04L 9/32   including means for verifyi...

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

STRONG AUTHENTICATION TOKEN WITH VISUAL OUTPUT OF PKI SIGNATURES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

122 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

STRONG AUTHENTICATION TOKEN WITH VISUAL OUTPUT OF PKI SIGNATURES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

122 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links