Protection and Verification of User Authentication Credentials against Server Compromise

US 20180316666A1
Filed: 06/26/2018
Published: 11/01/2018
Est. Priority Date: 06/01/2016
Status: Active Application

First Claim

Patent Images

1. A computer-implemented method for authenticating a user, the computer-implemented method comprising:

receiving, by a computer, a data decryption key corresponding to an authentication account of the user of a client device and authentication credential data obtained from the user of the client device during authentication;

decrypting, by the computer, encrypted authentication credential data corresponding to the user using the received data decryption key;

comparing, by the computer, the decrypted authentication credential data with the received authentication credential data to authenticate the user of the client device; and

deleting, by the computer, the received data decryption key, the received authentication credential data, and any unencrypted credential data corresponding to the authentication account of the user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Authenticating a user is provided. A decryption key corresponding to an authentication account of the user of a client device and authentication credential data obtained from the user of the client device is received during authentication. Encrypted authentication credential data corresponding to the user is decrypted using the received decryption key corresponding to the authentication account of the user. The decrypted authentication credential data is compared with the received authentication credential data to authenticate the user of the client device.

138 Citations

22 Claims

1. A computer-implemented method for authenticating a user, the computer-implemented method comprising:
- receiving, by a computer, a data decryption key corresponding to an authentication account of the user of a client device and authentication credential data obtained from the user of the client device during authentication;
  
  decrypting, by the computer, encrypted authentication credential data corresponding to the user using the received data decryption key;
  
  comparing, by the computer, the decrypted authentication credential data with the received authentication credential data to authenticate the user of the client device; and
  
  deleting, by the computer, the received data decryption key, the received authentication credential data, and any unencrypted credential data corresponding to the authentication account of the user.
- View Dependent Claims (2, 3, 4, 6, 7, 8, 9, 10, 11, 21, 22)
- - 2. The computer-implemented method of claim 1, wherein the data decryption key and the authentication credential data are received from the client device, and further comprising:
    - determining, by the computer, whether the decrypted authentication credential data received by the client device matches the received authentication credential data.
  - 3. The computer-implemented method of claim 2 further comprising:
    - responsive to the computer determining that the decrypted authentication credential data does match the received authentication credential data, verifying, by the computer, the user as authentic; and
      
      allowing, by the computer, the authentication of the verified user.
  - 4. The computer-implemented method of claim 2 further comprising:
    - responsive to the computer determining that the decrypted authentication credential data does not match the received authentication credential data, rejecting, by the computer, the user as non-authentic; and
      
      denying, by the computer, the authentication of the rejected user.
  - 6. The computer-implemented method of claim 1 further comprising:
    - processing, by the computer, the received authentication credential data to generate and store an encrypted biometric template in response to the received authentication credential data being a biometric sample obtained from the user by the client device.
  - 7. The computer-implemented method of claim 1 further comprising:
    - storing, by the computer, the encrypted authentication credential data as a credential blob in the authentication account corresponding to of the user.
  - 8. The computer-implemented method of claim 7, wherein the credential blob includes an expiry date, and wherein the expiry date is a time when information contained in the credential blob expires such that the credential blob includes both encrypted and unencrypted data.
  - 9. The computer-implemented method of claim 1 further comprising:
    - receiving, by the computer, a request from the client device to delete the authentication account of the user; and
      
      deleting, by the computer, the authentication account from a storage device of the computer.
  - 10. The computer-implemented method of claim 1 further comprising:
    - receiving, by the computer, an encrypted decryption key from a first client device to transfer the encrypted encryption key to a second client device;
      
      receiving, by the computer, a request from the second client device for the encrypted decryption key corresponding to the first client device; and
      
      sending, by the computer, the encrypted decryption key corresponding to the first client device to the second client device, wherein the second client device decrypts the encrypted decryption key corresponding to the first client device using a private key corresponding to a public key of the second client device used to encrypt the encrypted decryption key on the first client device.
  - 11. The computer-implemented method of claim 1, wherein the authentication credential data obtained from the user during the authentication comprises a password and a biometric sample of the user.
  - 21. The computer-implemented method of claim 1, further comprising:
    - receiving, by the client device, a request to generate the authentication account of the user;
      
      generating, by the client device, a data encryption key and the data decryption key for the authentication account of the user;
      
      obtaining, by the client device, authentication credential data from the user; and
      
      sending, by the client device, the data encryption key and the authentication credential data to the computer.
  - 22. The computer-implemented method of claim 21, further comprising:
    - receiving, by the computer, the data encryption key and the authentication credential data;
      
      encrypting, by the computer, the authentication credential data using the received data encryption key; and
      
      storing, by the computer, the encrypted authentication credential data in the authentication account of the user.

5. (canceled)

12. A computer system for authenticating a user, the computer system comprising:
- a bus system;
  
  a storage device connected to the bus system, wherein the storage device stores program instructions; and
  
  a processor connected to the bus system, wherein the processor executes the program instructions to;
  
  receive a data decryption key corresponding to an authentication account of the user of a client device and authentication credential data obtained from the user of the client device during authentication;
  
  decrypt encrypted authentication credential data corresponding to the user using the received data decryption key;
  
  compare the decrypted authentication credential data with the received authentication credential data to authenticate the user of the client device; and
  
  delete, by the computer, the received data decryption key, the received authentication credential data, and any unencrypted credential data corresponding to the authentication account of the user.
- View Dependent Claims (13, 14, 15)
- - 13. The computer system of claim 12, wherein the data decryption key and the authentication credential data are received from the client device, and wherein the processor further executes the program instructions to:
    - determine whether the decrypted authentication credential data received by the client device matches the received authentication credential data.
  - 14. The computer system of claim 13, wherein the processor further executes the program instructions to:
    - verify the user as authentic in response to determining that the decrypted authentication credential data does match the received authentication credential data; and
      
      allow the authentication of the verified user.
  - 15. The computer system of claim 13, wherein the processor further executes the program instructions to:
    - reject the user as non-authentic in response to determining that the decrypted authentication credential data does not match the received authentication credential data; and
      
      deny the authentication of the rejected user.

16. A computer program product for authenticating a user, the computer program product comprising a non-transitory computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computer to cause the computer to perform a method comprising:
- receiving, by the computer, a data decryption key corresponding to an authentication account of the user of a client device and authentication credential data obtained from the user of the client device during authentication;
  
  decrypting, by the computer, encrypted authentication credential data corresponding to the user using the received data decryption key;
  
  comparing, by the computer, the decrypted authentication credential data with the received authentication credential data to authenticate the user of the client device; and
  
  deleting, by the computer, the received data decryption key, the received authentication credential data, and any unencrypted credential data corresponding to the authentication account of the user.
- View Dependent Claims (17, 18, 19)
- - 17. The computer program product of claim 16, wherein the data decryption key and the authentication credential data are received from the client device, and further comprising:
    - determining, by the computer, whether the decrypted authentication credential data received by the client device matches the received authentication credential data.
  - 18. The computer program product of claim 17 further comprising:
    - responsive to the computer determining that the decrypted authentication credential data does match the received authentication credential data, verifying, by the computer, the user as authentic; and
      
      allowing, by the computer, the authentication of the verified user.
  - 19. The computer program product of claim 17 further comprising:
    - responsive to the computer determining that the decrypted authentication credential data does not match the received authentication credential data, rejecting, by the computer, the user as non-authentic; and
      
      denying, by the computer, the authentication of the rejected user.

20. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Koved, Lawrence, Molloy, Ian M., Taban, Gelareh

Granted Patent

US 10,277,591 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 13/4282   on a serial bus, e.g. I2C b...

H04L 2463/062   applying encryption of the ...

H04L 63/045   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

Protection and Verification of User Authentication Credentials against Server Compromise

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

138 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Protection and Verification of User Authentication Credentials against Server Compromise

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

138 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links