USER AUTHENTICATION OVER NETWORKS
First Claim
1. A method for authenticating user authentication data, associated with a user ID, at an authentication system comprising an authentication server connected to a network and a secure cryptoprocessor operatively coupled to the authentication server, the method comprising:
- providing, in data storage operatively coupled to the authentication server, a first token for said user ID, the first token being produced by the secure cryptoprocessor by encoding the user authentication data associated with the user ID via an encoding process dependent on a secret key of the secure cryptoprocessor;
at the authentication server, receiving an authentication request for the user ID from a remote computer via the network, the authentication request comprising a ciphertext encrypting user authentication data under a public key of a first public-private key pair the private key of which is secret to the secure cryptoprocessor, and supplying the ciphertext to the secure cryptoprocessor;
at the secure cryptoprocessor, decrypting the ciphertext using said private key to obtain plaintext user authentication data;
at the authentication server, retrieving said first token for the user ID from said data storage;
in the authentication system, checking for equality of said plaintext user authentication data and the user authentication data encoded in the first token via a cryptographic processing operation in which the authentication data is not exposed outside the secure cryptoprocessor; and
at the authentication server, in response to said equality, sending an authentication confirmation message to the remote computer via the network.
1 Assignment
0 Petitions
Accused Products
Abstract
Methods are provided for authenticating user authentication data, associated with a user ID, at an authentication system. The authentication system comprises an authentication server connected to a network, and a secure cryptoprocessor operatively coupled to the authentication server. A first token for the user ID is provided in data storage operatively coupled to the authentication server. The first token is produced by the secure cryptoprocessor by encoding the user authentication data associated with the user ID via an encoding process dependent on a secret key of the secure cryptoprocessor. The authentication server receives an authentication request for the user ID from a remote computer via the network. The authentication request comprises a ciphertext encrypting user authentication data under a public key of a first public-private key pair, the private key of which is secret to the secure cryptoprocessor. The authentication server supplies the ciphertext to the secure cryptoprocessor which decrypts the ciphertext using this private key to obtain plaintext user authentication data. The authentication server retrieves the first token for the user ID from the data storage. The authentication system checks for equality of the plaintext user authentication data and the user authentication data encoded in the first token via a cryptographic processing operation in which the authentication data is not exposed outside the secure cryptoprocessor. In response to such equality, the authentication server sends an authentication confirmation message to the remote computer via the network.
42 Citations
20 Claims
-
1. A method for authenticating user authentication data, associated with a user ID, at an authentication system comprising an authentication server connected to a network and a secure cryptoprocessor operatively coupled to the authentication server, the method comprising:
-
providing, in data storage operatively coupled to the authentication server, a first token for said user ID, the first token being produced by the secure cryptoprocessor by encoding the user authentication data associated with the user ID via an encoding process dependent on a secret key of the secure cryptoprocessor; at the authentication server, receiving an authentication request for the user ID from a remote computer via the network, the authentication request comprising a ciphertext encrypting user authentication data under a public key of a first public-private key pair the private key of which is secret to the secure cryptoprocessor, and supplying the ciphertext to the secure cryptoprocessor; at the secure cryptoprocessor, decrypting the ciphertext using said private key to obtain plaintext user authentication data; at the authentication server, retrieving said first token for the user ID from said data storage; in the authentication system, checking for equality of said plaintext user authentication data and the user authentication data encoded in the first token via a cryptographic processing operation in which the authentication data is not exposed outside the secure cryptoprocessor; and at the authentication server, in response to said equality, sending an authentication confirmation message to the remote computer via the network. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
-
-
13. A system for authenticating user authentication data associated with a user ID, the system comprising an authentication server connectable to a network, a secure cryptoprocessor operatively coupled to the authentication server, and data storage, operatively coupled to the authentication server, for storing for said user ID a first token produced by the secure cryptoprocessor by encoding the user authentication data associated with the user ID via an encoding process dependent on a secret key of the secure cryptoprocessor, wherein:
-
the authentication server is adapted, in response to receipt of an authentication request for the user ID from a remote computer via the network, the authentication request comprising a ciphertext encrypting user authentication data under a public key of a first public-private key pair the private key of which is secret to the secure cryptoprocessor, to supply the ciphertext to the secure cryptoprocessor and to retrieve said first token for the user ID from the data storage; the secure cryptoprocessor is adapted to decrypt the ciphertext using said private key to obtain plaintext user authentication data; the system is adapted to check for equality of said plaintext user authentication data and the user authentication data encoded in the first token via a cryptographic processing operation in which the authentication data is not exposed outside the secure cryptoprocessor; and the authentication server is adapted, in response to said equality, to send an authentication confirmation message to the remote computer via the network. - View Dependent Claims (14, 15, 16)
-
-
17. A computer program product for authenticating user authentication data, associated with a user ID, in an authentication system comprising an authentication server connectable to a network, a secure cryptoprocessor operatively coupled to the authentication server, and data storage, operatively coupled to the authentication server, for storing for said user ID a first token produced by the secure cryptoprocessor by encoding the user authentication data associated with the user ID via an encoding process dependent on a secret key of the secure cryptoprocessor, said computer program product comprising a computer readable storage medium having embodied therein:
-
first program instructions executable by the authentication server after receipt by the server of an authentication request for the user ID from a remote computer via the network, the authentication request comprising a ciphertext encrypting user authentication data under a public key of a first public-private key pair the private key of which is secret to the secure cryptoprocessor, to cause the server to supply the ciphertext to the secure cryptoprocessor and to retrieve said first token for the user ID from the data storage; second program instructions executable by the secure cryptoprocessor to cause the cryptoprocessor to decrypt the ciphertext using said private key to obtain plaintext user authentication data; third program instructions executable by at least one of the server and cryptoprocessor of said system to cause the system to check for equality of said plaintext user authentication data and the user authentication data encoded in the first token via a cryptographic processing operation in which the authentication data is not exposed outside the secure cryptoprocessor; and fourth program instructions executable by the authentication server, in response to said equality, to cause the server to send an authentication confirmation message to said remote computer via the network. - View Dependent Claims (18, 19, 20)
-
Specification