Authentication method and system with a smartcard

US 5,347,580 A
Filed: 06/01/1993
Issued: 09/13/1994
Est. Priority Date: 04/23/1992
Status: Expired due to Fees

First Claim

Patent Images

1. A method for authenticating a user with a smartcard to a system including an authentication server and a plurality of distributed work stations connected to said server, said smartcard having a unique card identifier and including a running value device, input-output means, and encrypting means with a secret card key, said server having stored user names, user personal identifiers, at least one secret key, and card identifiers, said method comprising the following steps:

(1) indicating with a smartcard a card running value and computing with the smartcard a first encryption of the card running value under a the secret card key;

(2) receiving at a work station a user name, a card identifier, the card running value, and a user authenticator computed from a user'"'"'s personal identifier and the first encryption;

(3) transmitting from the work station to the server the user name, the card running value, the card identifier, and a second encryption of the card running value under the user authenticator;

(4) determining with the server a potential secret card key from the received card identifier and a potential personal identifier from the received user name;

(5) computing with the server a first potential encryption of the received card running value under the potential secret card key, and, combining the potential personal identifier and the computed first potential encryption to obtain a potential user authenticator;

(6) computing with the server a second potential encryption of the received card running value under the potential user authenticator, and comparing the second potential encryption to the received second encryption; and

(7) determining if the second potential encryption matches the received second encryption, and transmitting an accept signal from the server to the work station if a match is determined.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention relates to a novel smartcard-based authentication technique using a smartcard that encrypts the time displayed on the card with a secret, cryptographically strong key. The (public) work station receives as input certain values defining the user, the card and a particular value derived from the encrypted time and encrypts and/or transmits these values to the server. The server, in turn, computes from received values some potential values and compares these to other received values. If the server determines a match, an accept signal is transmitted to the work station.

Citations

21 Claims

1. A method for authenticating a user with a smartcard to a system including an authentication server and a plurality of distributed work stations connected to said server, said smartcard having a unique card identifier and including a running value device, input-output means, and encrypting means with a secret card key, said server having stored user names, user personal identifiers, at least one secret key, and card identifiers, said method comprising the following steps:
- (1) indicating with a smartcard a card running value and computing with the smartcard a first encryption of the card running value under a the secret card key;
  
  (2) receiving at a work station a user name, a card identifier, the card running value, and a user authenticator computed from a user'"'"'s personal identifier and the first encryption;
  
  (3) transmitting from the work station to the server the user name, the card running value, the card identifier, and a second encryption of the card running value under the user authenticator;
  
  (4) determining with the server a potential secret card key from the received card identifier and a potential personal identifier from the received user name;
  
  (5) computing with the server a first potential encryption of the received card running value under the potential secret card key, and, combining the potential personal identifier and the computed first potential encryption to obtain a potential user authenticator;
  
  (6) computing with the server a second potential encryption of the received card running value under the potential user authenticator, and comparing the second potential encryption to the received second encryption; and
  
  (7) determining if the second potential encryption matches the received second encryption, and transmitting an accept signal from the server to the work station if a match is determined.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method according to claim 1, further comprising deriving the secret card key of the smartcard from the card identifier by encrypting the card identifier with a server secret key, storing at the server user names, user personal identifiers, and said server secret key, and determining at the server the potential secret card key from the received card identifier and the server secret key.
  - 3. The method according to claim 1, wherein the smartcard data resulting from said indicating step (1) is electrically entered into the work station.
  - 4. The method according to claim 1, wherein the smartcard data resulting from said indicating step (1) is optically entered into the work station.
  - 5. The method according to claim 1, wherein the smartcard data resulting from said indicating step (1) is manually entered into the work station.
  - 6. The method according to claim 1, wherein the smartcard must be activated to indicate a running value.
  - 7. The method according to claim 1, further comprising validating with the server the received card running value, comparing the received card running value to the server'"'"'s internal running value, and, if the difference exceeds a predetermined size, discontinuing processing.
  - 8. The method according to claim 1, further comprising validating with the server the received card running value, comparing the received card running value to the server'"'"'s internal running value, and, if the difference exceeds a predetermined size, transmitting a message to the work station.
  - 9. The method according to claim 1, further comprising that if a match of the second potential encryption with the received second encryption is determined, computing with the server a third encryption of a function of the received running value under the received user authenticator, and transmitting the third encryption to the work station.
  - 10. The method according to claim 9, further comprising the step of displaying to the user the third encryption value transmitted by the server to the work station.
  - 11. The method according to claim 1, further comprising that if a match of the second potential encryption with the received second encryption is determined, computing with the server a third encryption of a function of the received running value under the secret card key, and transmitting the third encryption to the work station.
  - 12. The method according to claim 11, further comprising the step of displaying to the user the third encryption value transmitted by the server to the work station.

13. A system for authenticating a user with a smartcard, said system including authentication server means and a plurality of distributed work stations connected to said server means, comprising:
- said smartcard havinga card identifier,a running value device for indicating a card running value,input-output means, andencrypting means with a secret card key for computing a first encryption of the indicated card running value under the secret card key,each said work station havinginput means for receiving the user name the card identifier, the card running value, and a user authenticator computed from the user'"'"'s personal identifier and the first encryption,means for encrypting the card running value under the user authenticator,means connectable to said server for transmitting to the server the user name, the card running value, the card identifier, and a second encryption of the card running value under the user authenticator,said server means havingat least one memory storing user names, user personal identifiers, at least one secret key, and preferably, card identifiers,means for determining a potential secret card key from the received card identifier and a potential personal identifier from the received user name,means for computing a first potential encryption of the received card running value under the potential secret card key,means for obtaining a potential user authenticator from the potential personal identifier and the computed first potential encryption,means for computing a second potential encryption of the received card running value under the potential user authenticator,means for comparing the second potential encryption with the received second encryption,means for transmitting a signal to the work station, which is an accept signal if the second potential encryption matches the received second encryption, and which is a non-accept signal otherwise.
- View Dependent Claims (14)
- - 14. The system of claim 13, wherein the running value device in the smartcard is a continuously running clock.

15. A method for authenticating a user with a smartcard to a system including an authentication server and at least one distributed work station connected to said server, said smartcard having a unique card identifier and including means for generating a running value, input-output means, and encrypting means with a secret card key, said server having stored user names, user personal identifiers, at least one secret key, and card identifiers, said method comprising the following steps:
- (1) generating a card running value with the running value generating means and computing with the smartcard a first encryption of the card running value under a secret card key;
  
  (2) receiving at a work station a user name, a card identifier, the card running value, and a user authenticator computed from a user'"'"'s personal identifier and the first encryption;
  
  (3) transmitting from the work station to the server the user name, the card running value, the card identifier, and a second encryption of the card running value under the user authenticator;
  
  (4) determining a potential secret card key from the received card identifier and a potential personal identifier from the received user name;
  
  (5) computing a first potential encryption of the received card running value under the potential secret card key, and, combining the potential personal identifier and the computed first potential encryption to obtain a potential user authenticator;
  
  (6) computing a second potential encryption of the received card running value under the potential user authenticator, and comparing the second potential encryption to the received second encryption; and
  
  (7) determining if the second potential encryption matches the received second encryption, and transmitting an accept signal from the server to the work station if a match is determined.
- View Dependent Claims (16, 17)
- - 16. The method according to claim 15, wherein steps 4, 5, and 6 are performed at the server.
  - 17. The method according to claim 15, wherein steps 4, 5, and 6 are performed at a station within a computerized system.

18. A system for authenticating a user with a smartcard to an authentication server and a plurality of distributed work stations connected to said server, comprising:
- (1) means for indicating with a smartcard a card running value and computing with the smartcard a first encryption of the card running value under a secret card key;
  
  (2) means for receiving at a work station a user name, a card identifier, the card running value, and a user authenticator computed from a user'"'"'s personal identifier and the first encryption;
  
  (3) means for transmitting from the work station to the server a user name, the card running value, the card identifier, and a second encryption of the card running value under the user authenticator;
  
  (4) means for determining with the server a potential secret card key from the received card identifier and a potential personal identifier from the received user name;
  
  (5) means for computing with the server a first potential encryption of the received card running value under the potential secret card key, and, combining the potential personal identifier and the computed first potential encryption to obtain a potential user authenticator;
  
  (6) means for computing with the server a second potential encryption of the received card running value under the potential user authenticator, and comparing the second potential encryption to the received second encryption; and
  
  (7) means for determining if the second potential encryption matches the received second encryption, and transmitting an accept signal from the server to the work station if a match is determined.
- View Dependent Claims (19, 20, 21)
- - 19. The system according to claim 18, wherein the smartcard comprises:
    - means for associating a unique card identifier with the smartcard,means for generating a running value,input-output means, andencryption means connectable to said running value generating means.
  - 20. The smartcard of claim 19, further comprising:
    - (1) means for activating input to the smartcard, and(2) means for displaying output of the smartcard.
  - 21. The smartcard of claim 19, further comprising data transfer means for communicating the card data to an external device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Tsudik, Gene, Molva, Refik
Primary Examiner(s)
Gregory, Bernarr E.

Application Number

US08/034,023
Time in Patent Office

469 Days
Field of Search

380/9, 380/21, 380/23, 380/24, 380/25, 380/30, 380/43, 380/49, 380/50, 380/29, 235/379, 235/380, 340/825.31, 340/825.34
US Class Current

713/159
CPC Class Codes

G06F 21/305   by remotely controlling dev...

G06F 21/335   for accessing specific reso...

G06F 21/34   involving the use of extern...

G06F 2221/2151   Time stamp

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/3415   Cards acting autonomously a...

G06Q 20/40975   using encryption therefor

G07F 7/1008   Active credit-cards provide...

H04L 63/0853   using an additional device,...

H04L 9/0844   with user authentication or...

H04L 9/0877   using additional device, e....

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

H04L 9/3273   for mutual authentication n...

Authentication method and system with a smartcard

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication method and system with a smartcard

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links