SECURE AUTHENTICATION IN A MULTI-PARTY SYSTEM

US 20150237031A1
Filed: 02/24/2015
Published: 08/20/2015
Est. Priority Date: 04/01/2012
Status: Active Grant

First Claim

Patent Images

1. A method of operating an authentication server to notify a network entity of a transaction via a network, comprising:

receiving, from a first network entity via the network, an identifier of a second network entity, a transaction identifier, transaction approval and authentication requirements, and a message regarding the transaction, wherein the message is encrypted with a credential of the second network entity;

transmitting, to the second network entity via the network, the received transaction identifier, transaction approval and any authentication requirements, and encrypted message;

receiving, from the second network entity via the network after transmitting the transaction identifier, transaction approval and authentication requirements, and encrypted message, at least one of a transaction approval and authentication information;

determining, based on any received authentication information, that the second network entity is authentic; and

transmitting to the first network entity a notification of any determination and any received transaction approval.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication server transmits a random number to and receives a other information from a service provider. Later, the first random number is received from a requester and a provider identifier, the received other information and provider authentication policy requirements are transmitted to the requester. A user identifier and validation information are received from the requester. The received validation information is determined to correspond to the provider authentication policy requirements, and compared with stored user validation information associated with the received user identifier to authenticate the requester. A message, including both the random number and other information, signed with a credential of the requesting user is received and transmitted to the first provider.

57 Citations

View as Search Results

21 Claims

1. A method of operating an authentication server to notify a network entity of a transaction via a network, comprising:
- receiving, from a first network entity via the network, an identifier of a second network entity, a transaction identifier, transaction approval and authentication requirements, and a message regarding the transaction, wherein the message is encrypted with a credential of the second network entity;
  
  transmitting, to the second network entity via the network, the received transaction identifier, transaction approval and any authentication requirements, and encrypted message;
  
  receiving, from the second network entity via the network after transmitting the transaction identifier, transaction approval and authentication requirements, and encrypted message, at least one of a transaction approval and authentication information;
  
  determining, based on any received authentication information, that the second network entity is authentic; and
  
  transmitting to the first network entity a notification of any determination and any received transaction approval.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the second network entity identifier is a unique user account identifier that the first network entity associates with a user account of the second network entity.
  - 3. The method of claim 1, wherein the message is also signed with a private key of a private/public key pair of the first network entity, and a public key of the first network entity private/public key pair is known to the second network entity.
  - 4. The method of claim 1, wherein the second network entity credential is a public key of a private/public key pair of the second network entity that is known to the first network entity.
  - 5. The method of claim 1, further comprising:
    - after receipt of the second network entity identifier, the transaction identifier, the transaction approval and authentication requirements, and the encrypted message, receiving a query message from the first network entity via the network, wherein the notification of any determination and any received transaction approval are transmitted to the first network entity in response to the received query message.
  - 6. The method of claim 1, further comprising:
    - prior to transmitting the received transaction identifier, transaction approval and any authentication requirements, and encrypted message, receiving a query message from the second network entity via the network, wherein the received transaction identifier, transaction approval and any authentication requirements, and encrypted message are transmitted in response to the received query message.
  - 7. The method of claim 1, further comprising, after transmitting the transaction identifier, transaction approval and authentication requirements, and encrypted signed message, and prior to receiving the at least one of transaction approval and authentication information:
    - receiving, from the second network entity via the network, a portion of secret data of the second network entity;
      
      applying the received portion of secret data to obtain a portion of a symmetric decryption key for decrypting credentials of the second network entity which are required to obtain the at least one of transaction approval and authentication information; and
      
      transmitting, to the second network entity via the network, the obtained portion of the symmetric decryption key.

8. A network server for notifying a network entity of a transaction via a network, comprising:
- a data store configured to store authentication information for authenticating network entities;
  
  a processing unit configured to (1) receive, from a first network entity via the network, an identifier of the second network entity, a transaction identifier, transaction approval and authentication requirements, and a message regarding the transaction, wherein the message is encrypted with a credential of the second network entity, and (2) direct transmission, to the second network entity via the network, of the received transaction identifier, transaction approval and any authentication requirements, and encrypted message, (3) receive, from the second network entity via the network after transmitting the transaction identifier, transaction approval and authentication requirements, and encrypted message, at least one of a transaction approval and authentication information, (4) determine, based on any received authentication information and the stored authentication information, that the second network entity is authentic, and (5) direct transmission, to the first network entity, of a notification of any determination and any received transaction approval.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The network server of claim 8, wherein the second network entity identifier is a unique user account identifier that the first network entity associates with a user account of the second network entity.
  - 10. The network server of claim 8, wherein the message is also signed with a private key of a private/public key pair of the first network entity, and a public key of the first network entity private/public key pair is known to the second network entity.
  - 11. The network server of claim 8, wherein the second network entity credential is a public key of a private/public key pair of the second network entity that is known to the first network entity.
  - 12. The network server of claim 8, wherein:
    - the processing unit is further configured to receive a query message from the first network entity via the network, after receipt of the second network entity identifier, the transaction identifier, the transaction approval and authentication requirements, and the encrypted message; and
      
      wherein the notification of any determination and any received transaction approval are directed to be transmitted to the first network entity in response to the received query message.
  - 13. The network server of claim 8, wherein:
    - the processing unit is further configured to receive a query message from the second network entity via the network, prior to transmitting the received transaction identifier, transaction approval and any authentication requirements, and encrypted message; and
      
      the received transaction identifier, transaction approval and any authentication requirements, and encrypted message are directed to be transmitted in response to the received query message.
  - 14. The network server of claim 8, wherein after directing transmission of the transaction identifier, transaction approval and authentication requirements, and encrypted signed message, and prior to receiving the at least one of transaction approval and authentication information, the processing unit is further configured to:
    - receive, from the second network entity via the network, a portion of secret data of the second network entity;
      
      apply the received portion of secret data to obtain a portion of a symmetric decryption key for decrypting credentials of the second network entity which are required to obtain the at least one of transaction approval and authentication information; and
      
      direct transmission, to the second network entity via the network, of the obtained portion of the symmetric decryption key.

15. An article of manufacture for authenticating a network user to another network entity, comprising:
- non-transitory storage medium; and
  
  logic stored on the storage medium, wherein the stored logic is configured to be readable by a processor and thereby cause the processor to operate so as to;
  
  to notify a network entity of a transaction via a network, comprising;
  
  receive, from a first network entity via the network, an identifier of a second network entity, a transaction identifier, transaction approval and authentication requirements, and a message regarding the transaction, wherein the message is encrypted with a credential of the second network entity;
  
  transmit, to the second network entity via the network, the received transaction identifier, transaction approval and any authentication requirements, and encrypted message;
  
  receive, from the second network entity via the network after transmitting the transaction identifier, transaction approval and authentication requirements, and encrypted message, at least one of a transaction approval and authentication information;
  
  determine, based on any received authentication information, that the second network entity is authentic; and
  
  transmit to the first network entity a notification of any determination and any received transaction approval.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The article of manufacture of claim 15, wherein the second network entity identifier is a unique user account identifier that the first network entity associates with a user account of the second network entity.
  - 17. The article of manufacture of claim 15, wherein, the message is also signed with a private key of a private/public key pair of the first network entity, wherein a public key of the first network entity private/public key pair is known to the second network entity.
  - 18. The article of manufacture of claim 15, wherein the second network entity credential is a public key of a private/public key pair of the second network entity that is known to the first network entity.
  - 19. The article of manufacture of claim 15, wherein:
    - the stored logic is further configured to cause the processor to operate so as to receive a query message from the first network entity via the network, after receipt of the second network entity identifier, the transaction identifier, the transaction approval and authentication requirements, and the encrypted message; and
      
      the notification of any determination and any received transaction approval are transmitted to the first network entity in response to the received query message.
  - 20. The article of manufacture of claim 15, wherein:
    - the stored logic is further configured to cause the processor to operate so as to receive a query message from the second network entity via the network, prior to transmitting the received transaction identifier, transaction approval and any authentication requirements, and encrypted message; and
      
      the received transaction identifier, transaction approval and any authentication requirements, and encrypted message are transmitted in response to the received query message.
  - 21. The article of manufacture of claim 15, wherein, after transmitting the transaction identifier, transaction approval and authentication requirements, and encrypted signed message, and prior to receiving the at least one of transaction approval and authentication information, the stored logic is further configured to cause the processor to operate so as to:
    - receive, from the second network entity via the network, a portion of secret data of the second network entity;
      
      apply the received portion of secret data to obtain a portion of a symmetric decryption key for decrypting credentials of the second network entity which are required to obtain the at least one of transaction approval and authentication information; and
      
      transmit, to the second network entity via the network, the obtained portion of the symmetric decryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Payfone Incorporated
Original Assignee
Authentify, Inc. (Early Warning Services, LLC)
Inventors
NEUMAN, Michael, NEUMAN, Diana

Granted Patent

US 9,641,505 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

G06F 21/35   communicating wirelessly

G06Q 20/322   Aspects of commerce using m...

G06Q 20/401   Transaction verification

H04L 2463/082   applying multi-factor authe...

H04L 63/045   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/0876   based on the identity of th...

H04L 63/0884   by delegation of authentica...

H04L 63/0892   by using authentication-aut...

H04L 63/18   using different networks or...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04L 67/02   based on web technology, e....

H04L 9/30   Public key, i.e. encryption...

H04L 9/321   involving a third party or ...

H04L 9/3234   involving additional secure...

H04L 9/3247 : involving digital signatures

H04W 12/06 : Authentication

H04W 12/77 : Graphical identity

View All

SECURE AUTHENTICATION IN A MULTI-PARTY SYSTEM

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

57 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE AUTHENTICATION IN A MULTI-PARTY SYSTEM

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links