System, Design and Process for Secure Documents Credentials Management Using Out-of-Band Authentication

US 20160351080A1
Filed: 05/18/2016
Published: 12/01/2016
Est. Priority Date: 12/31/2012
Status: Active Grant

First Claim

Patent Images

1. A method for authentication for accessing a document in a system comprising a user, a first channel document application, a second channel portable communications device application, and an authentication server application having a provisioned user database and encrypted payload, wherein the method comprises:

providing a login portal for accessing a document by a user, said login portal being in communication with said first channel document application;

establishing contact between the first channel document application and the authentication server application wherein a new authentication session is started;

generating a session identification (“

ID”

) at the authentication server, wherein the session ID is communicated to the first channel document application through at least a first communications channel;

creating a multi-dimensional barcode at the first channel document application, wherein the barcode has dynamic encryption keys, portal information, session ID, and a unique key, and wherein the barcode is displayed at the login screen;

creating a message at the first channel document application, wherein the message has dynamic encryption keys, portal information, session ID, and a unique key;

holding the first channel document application in waiting pending the authentication server application notification of session validation;

starting authentication by user entering at least one credential on the second channel portable communications device application, wherein the second channel portable communications device validates at least one credential and displays at least one scan option;

using the second channel portable communications device application to scan the barcode displayed at the login screen and validate the first channel document application;

using the second channel portable communications device application to receive the message from the first channel document application and to validate the first channel document application;

finding on the second channel portable communications device application at least one encrypted user credential;

sending the encrypted credentials and session ID from the second channel portable communications device application to the authentication server application via an outbound out-of-band communications channel;

checking in provisioned user database of the authentication server application, wherein the session is validated;

sending the encrypted payload to the first channel document application;

sending validation result from authentication server application to the second channel portable communication device application where the result is displayed;

decrypting the encrypted payload at the first channel document application using the encryption keys;

extracting and decrypting the credentials at the first channel document application; and

using the decrypted credentials to access the document.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides an easy to use credential management mechanism for multi-factor out-of-band multi-channel authentication process to protect a large number of documents without the need to remember all the document passwords. When opened, the secure document application generates a multi-dimensional code. The user scans the multi-dimensional code and validates the secure document application and triggers an out-of-band outbound mechanism. The portable mobile device invoices the authentication server to get authenticated. The authentication server authenticates the user based on shared secret key and is automatically allowed access to the secure document. The process of the invention includes an authentication server, a secure document application to generate an authentication vehicle or an embodiment (i.e. multi-dimensional bar code) and handle incoming requests, secret keys and a portable communication device with a smartphone application.

Citations

20 Claims

1. A method for authentication for accessing a document in a system comprising a user, a first channel document application, a second channel portable communications device application, and an authentication server application having a provisioned user database and encrypted payload, wherein the method comprises:
- providing a login portal for accessing a document by a user, said login portal being in communication with said first channel document application;
  
  establishing contact between the first channel document application and the authentication server application wherein a new authentication session is started;
  
  generating a session identification (“
  
  ID”
  
  ) at the authentication server, wherein the session ID is communicated to the first channel document application through at least a first communications channel;
  
  creating a multi-dimensional barcode at the first channel document application, wherein the barcode has dynamic encryption keys, portal information, session ID, and a unique key, and wherein the barcode is displayed at the login screen;
  
  creating a message at the first channel document application, wherein the message has dynamic encryption keys, portal information, session ID, and a unique key;
  
  holding the first channel document application in waiting pending the authentication server application notification of session validation;
  
  starting authentication by user entering at least one credential on the second channel portable communications device application, wherein the second channel portable communications device validates at least one credential and displays at least one scan option;
  
  using the second channel portable communications device application to scan the barcode displayed at the login screen and validate the first channel document application;
  
  using the second channel portable communications device application to receive the message from the first channel document application and to validate the first channel document application;
  
  finding on the second channel portable communications device application at least one encrypted user credential;
  
  sending the encrypted credentials and session ID from the second channel portable communications device application to the authentication server application via an outbound out-of-band communications channel;
  
  checking in provisioned user database of the authentication server application, wherein the session is validated;
  
  sending the encrypted payload to the first channel document application;
  
  sending validation result from authentication server application to the second channel portable communication device application where the result is displayed;
  
  decrypting the encrypted payload at the first channel document application using the encryption keys;
  
  extracting and decrypting the credentials at the first channel document application; and
  
  using the decrypted credentials to access the document.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method according to claim 1 wherein the step of creating a multidimensional barcode includes the first channel document application creating a QR code from the encrypted payload.
  - 3. A method according to claim 1 wherein the step of creating a message at the first channel document application, includes the first channel document application creating a message from the encrypted payload.
  - 4. A method according to claim 1 wherein the step of finding on the second channel portable communications device application at least one encrypted user credential with the encryption key and/or user permissions from the barcode.
  - 5. A method according to claim 1 wherein the step of sending the encrypted credentials and session ID to the authentication server application via an outbound out-of-band communications channel is performed by the first channel document application.
  - 6. A method according to claim 1 wherein the step of sending the encrypted credentials and session ID to the authentication server application via an outbound out-of-band communications channel is performed by the login portal.
  - 7. A method according to claim 1 wherein the first channel document application creates a public/private key.
  - 8. , A method according to claim 1, wherein said document is a file selected from a group consisting of:
    - an electronic file, email, instant message, picture, encrypted file, video, video message, audio file, audio message, and at least one packet comprising a string of bits with a header.
  - 9. A method according to claim 1 wherein the step of using the second channel portable communications device application to receive the message from the first channel document application includes at least one mode of communication selected from a group comprising:
    - NFC, Bluetooth, RFID, and Computer Generated Sound.

10. A method for authentication in a system comprising a user, a secure document application or plugin, a second channel portable communications device application, and an authentication server having a provisioned user database and an encrypted payload, wherein the method comprises:
- detecting user intent to access an online document;
  
  establishing contact between the secure document application or plugin and the authentication server wherein a new authentication session is started;
  
  generating a session ID at the authentication server, wherein the session ID is communicated to the secure document application or plugin through at least a first communications channel;
  
  creating a multi-dimensional barcode at the secure document application or plugin, wherein the barcode has dynamic encryption keys, document identifier, the session ID, and a unique key, and wherein the barcode is displayed in the browser;
  
  holding the secure document application or plugin in waiting pending authentication server notification of session validation;
  
  starting authentication by user entering credential on the second channel portable communications device application, wherein the second channel portable communications device application validates the credential and displays scan option;
  
  using the second channel portable communications device application to scan the barcode displayed at login screen and validate the secure document application or plugin;
  
  finding on the second channel portable communications device application at least one encrypted user credential with the encryption key from the barcode;
  
  sending the encrypted credentials and the session ID from the second channel portable communications device application to the authentication server via an outbound out-of-band communications channel;
  
  checking in provisioned user database of the authentication server, wherein the session is validated;
  
  sending the encrypted payload to waiting at the secure document application or plugin;
  
  sending validation result from the authentication server to the second channel portable communications device application where the result is displayed;
  
  decrypting the payload at the secure document application or plugin using the encryption keys;
  
  extracting and decrypting the credentials at the secure document application or plugin;
  
  using the decrypted credentials to access the document.

11. A system of user authentication for accessing a document in a communications network, the system comprising:
- a first channel document application having programming for communication with a login portal and screen for access by a user;
  
  an authentication server application having programming for establishing contact between the first channel document application wherein a new authentication session is started;
  
  programming for generating a session identification (“
  
  ID”
  
  ), and programming for communicating a session ID to the first channel document application through at least a first communications channel;
  
  wherein the first channel document application includes programming for creating a multi-dimensional barcode for display at the login screen, wherein the barcode has dynamic encryption keys, document identifier, session ID, and a unique key; and
  
  programming for holding the first channel document application in waiting pending notification of session validation by the authentication server application;
  
  wherein the first channel document application includes programming for authentication by receiving user credentials from a second channel portable communications device application,a second channel portable communications device application having programming for authentication, including programming for receiving user credentials and displaying at least one scan option;
  
  programming for scanning the barcode displayed at the login screen;
  
  programming for validating the first channel document application;
  
  programming for finding at least one encrypted user credentials with the encryption key from the barcode; and
  
  programming for sending the encrypted credentials and session ID to the authentication server via an outbound out-of-band communications channel;
  
  wherein the authentication server application further includes programming for checking a provisioned user database and validating the session ID;
  
  programming for sending the encrypted payload to a waiting first channel document application;
  
  programming for sending validation result to the second channel portable communications device application where the result can be displayed;
  
  wherein the first channel document application includes programming for decrypting the encrypted payload at the secure document application using the encryption keys;
  
  programming for extracting and decrypting the credentials; and
  
  programming for using the decrypted credentials to access a document.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 20)
- - 12. A system according to claim 11 wherein the first channel document application further includes programming for the creation of a multi-dimensional barcode from a QR Code in the encrypted payload.
  - 13. A system according to claim 11 wherein the first channel document application further includes programming to create a message from the encrypted payload.
  - 14. A system according to claim 11 wherein the second channel portable communications device application further includes programming for finding at least one encrypted user credential with the encryption key and/or user permission from the barcode.
  - 15. A system according to claim 11 wherein the authentication server application farther includes programming for the receiving the encrypted credentials and session ID via an outbound out-of-hand communications channel from the first channel document application.
  - 16. A system according to claim 11 wherein the first channel document application further includes programming for the creation of a public/private key.
  - 17. A system according to claim 11 wherein the document is a file selected from a group consisting of:
    - an electronic file, email, instant message, picture, encrypted file, video, video message, audio file, audio message, and at least one packet comprising a string of bits with a header.
  - 18. A system according to claim 11 wherein the second channel portable communications device application further includes programming for receiving messages from the first channel document application from at least one mode of communication selected from a group consisting of:
    - NFC, Bluetooth, RFID, and Computer Generated Sound.
  - 20. The adapter as defined in claim 18 wherein the adapter includes programming to access decrypted files selected from a group consisting of:
    - a portable document format (PDF), an email, a picture, an instant message (IM), an originally encrypted file, a video or video message, an audio file or audio message, and a data packet.

19. A system of user authentication for accessing a document in a communications network, the system comprising:
- A secure document application having an interface, adapter, and programming for detecting user intent to access an online account and establishing communication between the secure document application and the authentication server to start a new authentication session;
  
  wherein the secure document application includes programming that creates a multi-dimensional barcode containing dynamic encryption keys, document identifier, session ID, and a unique key and said barcode is displayed in an interface;
  
  wherein the secure document application holds the document in place pending authentication from the authentication server and after the session is validated; and
  
  wherein the secure document application includes programming to decrypt the payload from the authentication server and extract the credentials using the decrypted credentials to access the document.A second channel portable communications device application having programming for the process of validating the credentials entered by the user and displaying a scan option for the barcode to validate the session; and
  
  programming for finding at least one encrypted user credential with the encryption key from the barcode and sending the credentials with the session ID to the authentication server; and
  
  An authentication server having programming for establishing a connection with the secure document application wherein the authentication server includes programming that generates a session ID and receives encrypted credentials from the second channel portable communications device application via an outbound out-of-band communications channel;
  
  programming to check in Its provisioned user database for the credentials; and
  
  programming for validation of the session and the sending of the encrypted payload to the secure document application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GCOM IP LLC
Original Assignee
Andrew Ferreira, Piyush Bhatnagar
Inventors
Bhatnagar, Piyush, Ferreira, Andrew

Granted Patent

US 9,741,265 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G09C 5/00   Ciphering apparatus or meth...

H04L 2209/80   Wireless

H04L 63/0853   using an additional device,...

H04L 63/18   using different networks or...

H04L 9/3215   using a plurality of channe...

H04L 9/3228   One-time or temporary data,...

H04W 12/77   Graphical identity

System, Design and Process for Secure Documents Credentials Management Using Out-of-Band Authentication

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System, Design and Process for Secure Documents Credentials Management Using Out-of-Band Authentication

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links