Authentication method and system with a smartcard
Abstract
This invention relates to a novel smartcard-based authentication technique using a smartcard that encrypts the time displayed on the card with a secret, cryptographically strong key. The (public) work station receives as input certain values defining the user, the card and a particular value derived from the encrypted time and encrypts and/or transmits these values to the server. The server, in turn, computes from received values some potential values and compares these to other received values. If the server determines a match, an accept signal is transmitted to the work station.
21 Claims
1. A method for authenticating a user with a smartcard to a system including an authentication server and a plurality of distributed work stations connected to said server, said smartcard having a unique card identifier and including a running value device, input-output means, and encrypting means with a secret card key, said server having stored user names, user personal identifiers, at least one secret key, and card identifiers, said method comprising the following steps:
(1) indicating with a smartcard a card running value and computing with the smartcard a first encryption of the card running value under the secret card key;
(2) receiving at a work station a user name, a card identifier, the card running value, and a user authenticator computed from a user's personal identifier and the first encryption;
(3) transmitting from the work station to the server the user name, the card running value, the card identifier, and a second encryption of the card running value under the user authenticator;
(4) determining with the server a potential secret card key from the received card identifier and a potential personal identifier from the received user name;
(5) computing with the server a first potential encryption of the received card running value under the potential secret card key, and, combining the potential personal identifier and the computed first potential encryption to obtain a potential user authenticator;
(6) computing with the server a second potential encryption of the received card running value under the potential user authenticator, and comparing the second potential encryption to the received second encryption; and
(7) determining if the second potential encryption matches the received second encryption, and transmitting an accept signal from the server to the work station if a match is determined.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12

13. A system for authenticating a user with a smartcard, said system including authentication server means and a plurality of distributed work stations connected to said server means, comprising:
said smartcard having a card identifier, a running value device for indicating a card running value, input-output means, and encrypting means with a secret card key for computing a first encryption of the indicated card running value under the secret card key,
each said work station having input means for receiving the user name, the card identifier, the card running value, and a user authenticator computed from the user's personal identifier and the first encryption, means for encrypting the card running value under the user authenticator, means connectable to said server for transmitting to the server the user name, the card running value, the card identifier, and a second encryption of the card running value under the user authenticator,
said server means having at least one memory storing user names, user personal identifiers, at least one secret key, and preferably, card identifiers, means for determining a potential secret card key from the received card identifier and a potential personal identifier from the received user name, means for computing a first potential encryption of the received card running value under the potential secret card key, means for obtaining a potential user authenticator from the potential personal identifier and the computed first potential encryption, means for computing a second potential encryption of the received card running value under the potential user authenticator, means for comparing the second potential encryption with the received second encryption, means for transmitting a signal to the work station, which is an accept signal if the second potential encryption matches the received second encryption, and which is a non-accept signal otherwise.
Dependent claims: 14

15. A method for authenticating a user with a smartcard to a system including an authentication server and at least one distributed work station connected to said server, said smartcard having a unique card identifier and including means for generating a running value, input-output means, and encrypting means with a secret card key, said server having stored user names, user personal identifiers, at least one secret key, and card identifiers, said method comprising the following steps:
(1) generating a card running value with the running value generating means and computing with the smartcard a first encryption of the card running value under a secret card key;
(2) receiving at a work station a user name, a card identifier, the card running value, and a user authenticator computed from a user's personal identifier and the first encryption;
(3) transmitting from the work station to the server the user name, the card running value, the card identifier, and a second encryption of the card running value under the user authenticator;
(4) determining a potential secret card key from the received card identifier and a potential personal identifier from the received user name;
(5) computing a first potential encryption of the received card running value under the potential secret card key, and, combining the potential personal identifier and the computed first potential encryption to obtain a potential user authenticator;
(6) computing a second potential encryption of the received card running value under the potential user authenticator, and comparing the second potential encryption to the received second encryption; and
(7) determining if the second potential encryption matches the received second encryption, and transmitting an accept signal from the server to the work station if a match is determined.
Dependent claims: 16, 17

18. A system for authenticating a user with a smartcard to an authentication server and a plurality of distributed work stations connected to said server, comprising:
(1) means for indicating with a smartcard a card running value and computing with the smartcard a first encryption of the card running value under a secret card key;
(2) means for receiving at a work station a user name, a card identifier, the card running value, and a user authenticator computed from a user's personal identifier and the first encryption;
(3) means for transmitting from the work station to the server a user name, the card running value, the card identifier, and a second encryption of the card running value under the user authenticator;
(4) means for determining with the server a potential secret card key from the received card identifier and a potential personal identifier from the received user name;
(5) means for computing with the server a first potential encryption of the received card running value under the potential secret card key, and, combining the potential personal identifier and the computed first potential encryption to obtain a potential user authenticator;
(6) means for computing with the server a second potential encryption of the received card running value under the potential user authenticator, and comparing the second potential encryption to the received second encryption; and
(7) means for determining if the second potential encryption matches the received second encryption, and transmitting an accept signal from the server to the work station if a match is determined.
Dependent claims: 19, 20, 21
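
The seven steps of claim 1, traced end to end in an added Python example that is not part of the patent text. HMAC-SHA256 stands in for the claimed encryption; the combining function, the derivation of the card key from the server's secret key, the card-side computation of the user authenticator and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

def enc(key: bytes, value: bytes) -> bytes:
    # Stand-in (assumption) for "encryption of value under key": HMAC-SHA256.
    return hmac.new(key, value, hashlib.sha256).digest()

def combine(pin: str, first_encryption: bytes) -> bytes:
    # Assumed combining function; the claims only say the two are combined.
    return hashlib.sha256(pin.encode() + b"|" + first_encryption).digest()

class Smartcard:
    def __init__(self, card_id: str, card_key: bytes):
        self.card_id, self._key = card_id, card_key

    def indicate(self, running_value: int, pin: str):
        # Step (1): running value and its first encryption under the card key.
        rv = running_value.to_bytes(8, "big")
        # Assumption: the card itself derives the user authenticator of step (2).
        return rv, combine(pin, enc(self._key, rv))

def workstation_request(user: str, card_id: str, rv: bytes, ua: bytes) -> dict:
    # Step (3): send the second encryption, never the authenticator or the PIN.
    return {"user": user, "card_id": card_id, "rv": rv, "second": enc(ua, rv)}

class Server:
    def __init__(self, master_key: bytes, pins: dict):
        self._master, self._pins = master_key, pins

    def card_key(self, card_id: str) -> bytes:
        # Assumed derivation of a card key from the server's secret key.
        return enc(self._master, card_id.encode())

    def verify(self, msg: dict) -> bool:
        pin = self._pins.get(msg["user"])                # step (4)
        if pin is None:
            return False
        kc = self.card_key(msg["card_id"])               # step (4)
        ua = combine(pin, enc(kc, msg["rv"]))            # step (5)
        expected = enc(ua, msg["rv"])                    # step (6)
        return hmac.compare_digest(expected, msg["second"])  # step (7)

def demo():
    # Constructed sample values; returns (valid, wrong PIN, wrong card id).
    server = Server(b"constructed-master-key", {"alice": "4921"})
    card = Smartcard("CARD-0001", server.card_key("CARD-0001"))
    good = workstation_request("alice", "CARD-0001", *card.indicate(1700000000, "4921"))
    bad = workstation_request("alice", "CARD-0001", *card.indicate(1700000000, "0000"))
    return server.verify(good), server.verify(bad), server.verify(dict(good, card_id="CARD-0002"))
```

In this sketch the work station handles only the user authenticator and the second encryption, so neither the personal identifier nor the card key crosses the link to the server.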
Specification