METHOD USING A SINGLE AUTHENTICATION DEVICE TO AUTHENTICATE A USER TO A SERVICE PROVIDER AMONG A PLURALITY OF SERVICE PROVIDERS AND DEVICE FOR PERFORMING SUCH A METHOD

US 20140181520A1
Filed: 12/18/2013
Published: 06/26/2014
Est. Priority Date: 12/21/2012
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a user to a service provider, among a plurality of service providers each having a user account for said user, said method using a single authentication device identified by a device identifier and comprising the steps of:

transmitting, from the authentication device to the service provider, an authentication request comprising at least said device identifier;

preparing, by the service provider, provider authentication data on the basis of pairing data shared by both said authentication device and said service provider;

sending said provider authentication data from the service provider to the authentication device;

authenticating at the authentication device said provider authentication data;

in response to a positive authentication of the provider authentication data, preparing device authentication data based on any of said pairing data by the authentication device, and sending said device authentication data to the service provider;

verifying the authenticity of the device authentication data by the service provider and in response to a positive authentication of the device authentication data, validating the authentication of said user;

whereinsaid authentication device comprises a provider record for each of said service providers with whom the user is registered by having a user account, each provider record comprises a pairing key and first data, said pairing key and said first data being shared with the service provider to which said provider record refers;

said provider authentication data comprises a first cryptogram obtained by encrypting said first data with said pairing key; and

authenticating said provider authentication data is performed at the authentication device by the steps ofdecrypting said first cryptogram by means of the pairing key stored in one of said provider records;

comparing the decrypted first cryptogram with first data resulting from pairing data stored in said provider record;

if the comparison does not indicate a match, then repeating the previous decryption and comparison steps by using the pairing key of another provider record until each of said provider records stored in the authentication device has been processed.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authenticating a user to a provider, among a plurality of providers. The method uses an authentication device comprising, for each of provider, a record comprising a pairing key and first data, both as shared data. Provider authentication data comprises a first cryptogram obtained by encrypting said first data with said pairing key. Authenticating provider authentication data is performed at the authentication device by the steps of decrypting said first cryptogram by means of the pairing key stored in one of said records, then comparing the result of this decryption with first data resulting from pairing data stored in said record, if the comparison does not indicate a match, then processing again the previous decryption and comparison steps by using the pairing key of another record until each of said records stored in the authentication device has been processed.

39 Citations

View as Search Results

14 Claims

1. A method for authenticating a user to a service provider, among a plurality of service providers each having a user account for said user, said method using a single authentication device identified by a device identifier and comprising the steps of:
- transmitting, from the authentication device to the service provider, an authentication request comprising at least said device identifier;
  
  preparing, by the service provider, provider authentication data on the basis of pairing data shared by both said authentication device and said service provider;
  
  sending said provider authentication data from the service provider to the authentication device;
  
  authenticating at the authentication device said provider authentication data;
  
  in response to a positive authentication of the provider authentication data, preparing device authentication data based on any of said pairing data by the authentication device, and sending said device authentication data to the service provider;
  
  verifying the authenticity of the device authentication data by the service provider and in response to a positive authentication of the device authentication data, validating the authentication of said user;
  
  whereinsaid authentication device comprises a provider record for each of said service providers with whom the user is registered by having a user account, each provider record comprises a pairing key and first data, said pairing key and said first data being shared with the service provider to which said provider record refers;
  
  said provider authentication data comprises a first cryptogram obtained by encrypting said first data with said pairing key; and
  
  authenticating said provider authentication data is performed at the authentication device by the steps ofdecrypting said first cryptogram by means of the pairing key stored in one of said provider records;
  
  comparing the decrypted first cryptogram with first data resulting from pairing data stored in said provider record;
  
  if the comparison does not indicate a match, then repeating the previous decryption and comparison steps by using the pairing key of another provider record until each of said provider records stored in the authentication device has been processed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein said provider authentication data is a one-time provider authentication data and/or said device authentication data is a one-time device authentication data.
  - 3. The method of claim 2, wherein said provider authentication data further comprises a challenge identifiable by the authentication device.
  - 4. The method of claim 1, wherein said first data results either from a provider identifier or from a root value, said provider identifier or said root value being stored as pairing data both at the authentication device and at the service provider.
  - 5. The method of claim 1, wherein said first cryptogram is a provider digital signature of the service provider.
  - 6. The method of claim 1, wherein:
    - the service provider comprises a provider key which is the result of a one-way function of a root parameterized by the provider identifier, said root key being stored in the authentication device;
      
      said pairing key is calculated by the service provider as being the result of a one-way function of the provider key parameterized by the device identifier; and
      
      said pairing key is calculated by the authentication device as being the result of a one-way function of the root key parameterized by the provider identifier and by the device identifier.
  - 7. The method of claim 6, wherein:
    - said authentication device and said service provider both comprise;
      
      a shared value, the provider identifier and the device identifier as pairing data; and
      
      said pairing key is determined by raising said shared value to the power of the product of the provider identifier and the device identifier.
  - 8. The method of claim 7, wherein:
    - said shared value is a root key;
      
      said authentication device comprises a device key which is the result of the root key raised to the power of device identifier;
      
      said service provider comprises a provider key which is the result of said root key raised to the power of provider identifier;
      
      said pairing key is determined at the authentication device by raising the device key to the power of the provider identifier; and
      
      said pairing key is determined at the service provider by raising the provider key to the power of the device identifier.
  - 9. The method of claim 1, wherein said authentication request further comprises a second challenge generated by the authentication device and identifiable by the service provider.
  - 10. The method of claim 1, further comprising providing a user access to said authentication device by entering a PIN code in said authentication device;
    - andif the entered PIN code is recognized as beimz correct by said authentication device, authorizing the performance of the other steps of the method.

11. An Authentication device for authenticating a user to a service provider among a plurality of service providers, comprising:
- a non-volatile secured memory for storing secret and/or shared data;
  
  a unique device identifier stored in the memory;
  
  a use interface for user data input;
  
  a display; and
  
  a crypto-processor for performing cryptographic and logical operations and for managing functions and all components of the authentication device;
  
  wherein the memory is organized for storing, in an orderly manner, data relating to a plurality of service providers and the crypto-processor is able 5 to retrieve data relating to each of said service providers for processing them in a distinct manner.
- View Dependent Claims (12, 13, 14)
- - 12. The Authentication device of claim 11, wherein said data relating to a plurality of service providers are each stored in a provider record within the memory.
  - 13. The Authentication device of claim 11, wherein said crypto-processor is configured to retrieve data relating to each of said providers by sequentially comparing a provider identifier of a message received from the service provider with each identifier comprised in pairing data stored in said provider records.
  - 14. The Authentication device of claim 13, further comprising a communication interface for data exchange with the service providers, either directly or via a terminal.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nagravision SA (Kudelski SA)
Original Assignee
Nagravision SA (Kudelski SA)
Inventors
WENDLING, Bertrand, WENGER, Joel

Granted Patent

US 9,338,163 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/169
CPC Class Codes

G06Q 20/3572   Multiple accounts on card

H04L 63/08   for authentication of entit...

H04L 63/0853   using an additional device,...

H04L 63/0869   for achieving mutual authen...

METHOD USING A SINGLE AUTHENTICATION DEVICE TO AUTHENTICATE A USER TO A SERVICE PROVIDER AMONG A PLURALITY OF SERVICE PROVIDERS AND DEVICE FOR PERFORMING SUCH A METHOD

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

39 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD USING A SINGLE AUTHENTICATION DEVICE TO AUTHENTICATE A USER TO A SERVICE PROVIDER AMONG A PLURALITY OF SERVICE PROVIDERS AND DEVICE FOR PERFORMING SUCH A METHOD

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links