Challenge-Response Access Control Using Context-Based Proof

US 20180144564A1
Filed: 12/29/2017
Published: 05/24/2018
Est. Priority Date: 04/06/2016
Status: Active Grant

First Claim

Patent Images

1. A method for authorizing access to an asset, in which an access-controlling entity controls access to the asset and a requesting entity wishes access to the asset, said method comprising:

transmitting to the requesting entity a challenge data set;

receiving from the requesting entity a response purportedly corresponding to a representation of the challenge data set in a non-repudiatable form, obtained from an event validation system;

querying the event validation system to determine whether the response does correspond to a correct representation of the challenge data set in the non-repudiatable form; and

authorizing the requesting entity for access only if the response is correct representation.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access by a requesting entity to an asset is authorized by an access-controlling entity, which transmits to the requesting entity a challenge data set and then receives from the requesting entity a response purportedly corresponding to a representation of the challenge data set in a non-repudiatable form, obtained from an event validation system. The access-controlling entity queries the event validation system to determine whether the response does correspond to a correct representation of the challenge data set in the non-repudiatable form, and authorizes the requesting entity for access only if the response is correct representation. Non-repudiation can be established through entry into a blockchain, or using a hash-tree-based digital signature infrastructure.

13 Citations

30 Claims

1. A method for authorizing access to an asset, in which an access-controlling entity controls access to the asset and a requesting entity wishes access to the asset, said method comprising:
- transmitting to the requesting entity a challenge data set;
  
  receiving from the requesting entity a response purportedly corresponding to a representation of the challenge data set in a non-repudiatable form, obtained from an event validation system;
  
  querying the event validation system to determine whether the response does correspond to a correct representation of the challenge data set in the non-repudiatable form; and
  
  authorizing the requesting entity for access only if the response is correct representation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, in which the event validation system is a widely witnessed blockchain and the non-repudiatable form is an entry of the representation of the approved state into the blockchain.
  - 3. The method of claim 1, comprising generating the representation of the approved state as a digital signature.
  - 4. The method of claim 3, in which the event validation system is a keyless, hash tree-based signing infrastructure, further comprising:
    - inputting the representation of the challenge data set as an input record to the keyless, hash tree-based signing infrastructure and computing the data signature including recomputation parameters to a logically uppermost value in the hash tree, said recomputation parameters encoding information from other data sets than the representation of the challenge data set,whereby determining whether the response does correspond to the correct representation comprises using the recomputation parameters and the purported representation of the challenge data set to recompute upward through the hash-tree based infrastructure, such that the response does correspond to the correct representation if the same uppermost value is attained as when it was computed with the challenge data set submitted by the requesting entity.
  - 5. The method of claim 1, further comprising reversing the method steps performed by the requesting entity and the access-controlling entity, whereby the requesting entity authorizes the access-controlling entity.
  - 6. The method of claim 1, in which the challenge data includes at least one value generated external to the requesting entity.
  - 7. The method of claim 1, in which the requesting entity is a body of processor-executable code.
  - 8. The method of claim 7, in which the requesting entity is a browser, the asset is a network-accessed asset, and the access-controlling entity is a server through which the browser requests access.
  - 9. The method of claim 8, in which the asset is a web page.
  - 10. The method of claim 8, in which the asset is a data base.
  - 11. The method of claim 1, in which the access-controlling entity is a user device, the asset is within the device, and the requesting entity is a software entity running on a remote device.

12. A system for authorizing access to an asset, in which an access-controlling entity controls access to the asset and a requesting entity wishes access to the asset, comprising computer-executable code embodied in a non-volatile storage medium, which, when executed by a processor, causes the access-controlling entity:
- to transmit to the requesting entity a challenge data set;
  
  to receive from the requesting entity a response purportedly corresponding to a representation of the challenge data set in a non-repudiatable form, obtained from an event validation system;
  
  to query the event validation system to determine whether the response does correspond to a correct representation of the challenge data set in the non-repudiatable form; and
  
  to authorize the requesting entity for access only if the response is correct representation.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 13. The system of claim 12, in which the event validation system is a widely witnessed blockchain and the non-repudiatable form is an entry of the representation of the approved state into the blockchain.
  - 14. The system of claim 12, in which the representation of the approved state is a digital signature.
  - 15. The system of claim 14, in which the event validation system is a keyless, hash tree-based signing infrastructure configured:
    - to input the representation of the challenge data set as an input record to the keyless, hash tree-based signing infrastructure and to compute the data signature including recomputation parameters to a logically uppermost value in the hash tree, said recomputation parameters encoding information from other data sets than the representation of the challenge data set,whereby determining whether the response does correspond to the correct representation comprises using the recomputation parameters and the purported representation of the challenge data set to recompute upward through the hash-tree based infrastructure, such that the response does correspond to the correct representation if the same uppermost value is attained as when it was computed with the challenge data set submitted by the requesting entity.
  - 16. The system of claim 12, in which the access-controlling entity is configured to respond to a second challenge data set issued by the requesting entity by obtaining from the event validation system a representation of the second challenge data set in the non-repudiatable form, whereby the requesting entity authorizes the access-controlling entity.
  - 17. The system of claim 12, in which the challenge data includes at least one value generated external to the requesting entity.
  - 18. The system of claim 12, in which the requesting entity is a body of processor-executable code.
  - 19. The system of claim 18, in which the requesting entity is a browser, the asset is a network-accessed asset, and the access-controlling entity is a server through which the browser requests access.
  - 20. The system of claim 19, in which the asset is a web page.
  - 21. The system of claim 19, in which the asset is a data base.
  - 22. The system of claim 12, in which the access-controlling entity is a user device, the asset is within the device, and the requesting entity is a software entity running on a remote device.
  - 23. The system of claim 12, in which the requesting entity is a device associated with an item in a production or supply chain.
  - 24. The system of claim 12, in which the requesting entity is a mobile device.
  - 25. The system of claim 24, in which the mobile device is a smart phone, tablet computer or portable computer.
  - 26. The system of claim 24, in which the mobile device is a vehicle and the asset is entry into a physical region.
  - 27. The system of claim 12, in which the requesting entity is a body of executable code.
  - 28. The system of claim 27, in which the asset is digital information stored in at least one server.
  - 29. The system of claim 12, in which the approved state includes at least one value generated external to the requesting entity.
  - 30. The system of claim 12, further comprising means for generating an invariant representation of at least one biometric value of a user of the requesting entity;
    - in which the approved state includes the invariant representation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Guardtime SA
Original Assignee
Guardtime IP Holdings Limited
Inventors
DAY, Garrett, PEARCE, Jeffrey, HAMILTON, JR., David E, ZAWICKI, Kevin, GUSEMAN, Roger

Granted Patent

US 10,297,094 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/6209   to a single file or object,...

G06F 2221/2103   Challenge-response

G07C 2009/00388   code verification carried o...

G07C 9/00309   operated with bidirectional...

G07C 9/27   with central registration

G07C 9/28   the pass enabling tracking ...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/107   wherein the security polici...

H04L 63/123   received data contents, e.g...

H04L 9/0836   using tree structure or hie...

H04L 9/3239   involving non-keyed hash fu...

H04L 9/3247   involving digital signatures

H04L 9/50   using hash chains, e.g. blo...

H04W 12/08   Access security

H04W 12/63   Location-dependent; Proximi...

Challenge-Response Access Control Using Context-Based Proof

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Challenge-Response Access Control Using Context-Based Proof

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links