Method and apparatus for user authentication

US 5,724,423 A
Filed: 09/18/1995
Issued: 03/03/1998
Est. Priority Date: 09/18/1995
Status: Expired due to Term

First Claim

Patent Images

1. In a system for providing user services electronically using a communications network, a method comprising the steps of:

(a) entering a user'"'"'s personal identification string of two or more characters;

(b) determining a character position of the user'"'"'s personal identification string;

(c) generating a code;

(d) combining the code with the user'"'"'s personal identification string at the determined character position to generate a user identification code; and

(e) transmitting the user identification code along with a user'"'"'s service request over the communications network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A user authentication service is disclosed which is both highly secure and user friendly. To access a particular service, a user simply enters a personal identification type number (PIN) using a portable terminal device which encodes the PIN. More specifically, a character position of the user'"'"'s PIN is determined, and a random code having a length selectable at each service transaction by the user is generated. The user'"'"'s PIN is encrypted using one of plural available, pseudo-randomly encrypting algorithms to provide an encrypted PIN. The encrypted PIN is then combined with the code at the determined position before being transmitted over a communications network. When received, the encoded PIN is decoded using an analogous procedure to determine if the user is authorized. A plurality of security levels are provided with each level having a plurality of encryption algorithms and with each increasing level providing encryption algorithms of increasing complexity and sophistication. A user may also change a current PIN from the portable device easily and securely without having to contact a service center.

Citations

54 Claims

1. In a system for providing user services electronically using a communications network, a method comprising the steps of:
- (a) entering a user'"'"'s personal identification string of two or more characters;
  
  (b) determining a character position of the user'"'"'s personal identification string;
  
  (c) generating a code;
  
  (d) combining the code with the user'"'"'s personal identification string at the determined character position to generate a user identification code; and
  
  (e) transmitting the user identification code along with a user'"'"'s service request over the communications network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method in claim 1, further comprising:
    - encoding the user'"'"'s personal identification string using one of the encoding algorithms to provide an encoded identification string, wherein step (d) combines the code with the encoded identification string.
  - 3. The method in claim 2, further comprising:
    - selecting a key corresponding to one of plural encoding algorithms, wherein the user'"'"'s personal identification string is encoded using the encoding algorithm corresponding to the selected variable key.
  - 4. The method in claim 2, wherein the encoding step includes encrypting the user'"'"'s personal identification string using one of a plurality of encrypting algorithms corresponding to a selected variable key to provide an encrypted identification string.
  - 5. The method in claim 1, wherein the character position is determined in step (b) using the entered user'"'"'s personal identification string.
  - 6. The method in claim 5, wherein the using step includes:
    - counting a number of characters in the entered user'"'"'s personal identification string to provide a count;
      
      summing the characters or values corresponding to the characters in the entered user'"'"'s personal identification string to provide a sum;
      
      selecting a prime number based on the entered user'"'"'s personal identification string;
      
      dividing the sum by the selected prime number resulting in a quotient and a remainder; and
      
      assigning the remainder as the character position if the remainder is less than the count, otherwise assigning a difference between the remainder and the count as the position character.
  - 7. The method in claim 6, wherein the selecting step includes:
    - comparing the count to a determined prime number;
      
      if the count exceeds the determined prime number, determining a succeeding prime number and repeating the comparing step;
      
      if the count is less than the determined prime number, using the determined prime number as the selected prime number.
  - 8. The method in claim 1, wherein the characters may include numbers or alphabetic characters and wherein the alphabetic characters are converted from an ASCII code to a corresponding decimal value before summing.
  - 9. The method in claim 1, wherein the user selects a length of the code and step (c) includes generating a pattern of characters randomly or pseudo-randomly.
  - 10. The method in claim 1, wherein step (c) includes generating a pattern of characters randomly or pseudo-randomly and the pattern includes a variable number of characters that may vary each time step (a) is performed.
  - 11. The method in claim 3, further comprising:
    - converting the code to a code number;
      
      dividing the code number by a prime number corresponding to a security level; and
      
      selecting as the key a remainder of the dividing step.
  - 12. The method in claim 3, wherein a user subscribes to a security level to be associated with a current request for service such that the subscribed security level is used in selecting the key.
  - 13. The method in claim 12, wherein the security level corresponds to a number of encoding algorithms, a greater number of encoding algorithms corresponding to a higher security level.
  - 14. The method in claim 13, wherein the security level further includes a level of sophistication of the encoding algorithms.
  - 15. The method in claim 3, further comprising:
    - restricting the selected key such that the selected key is not the same as a preceding selected key.
  - 16. The method in claim 1, further comprising:
    - permitting the user to enter a length of the code for a current service transaction to be generated in step (b).
  - 17. The method in claim 2, wherein the combining step (d) includes:
    - shifting the encoded user identification string by a number corresponding to the determined character position, andinserting the determined code in the encoded user identification string after shifting is completed.
  - 18. The method in claim 1, further comprising the step of establishing a transaction timer during which a user must complete a transaction including steps (a)-(e), the transaction being automatically terminated at expiration of the transaction timer.
  - 19. The method in claim 1, further comprising:
    - after step (e), performing a request to change the user'"'"'s personal identification string to a new user'"'"'s personal identification string including;
      
      entering the new user'"'"'s personal identification string and performing steps (c)-(e) to generate a new user identification code;
      
      reentering the new user'"'"'s personal identification string and performing steps (c)-(e) to generate a reentered user identification code, wherein if the new and reentered user identification codes match, the user'"'"'s personal identification string is changed to the new user personal identification string.

20. A user service requesting device for permitting a user to request user services electronically over a communications network, comprising:
- a keypad for entering a request for a particular user service and a user'"'"'s personal identification string;
  
  a memory for storing a user authentication program and plural encoding algorithms;
  
  data processing circuitry for performing the steps of;
  
  (a) determining a character position of the user'"'"'s personal identification string;
  
  (b) generating a code;
  
  (c) encoding the user'"'"'s personal identification string using one of the encoding algorithms to provide an encoded identification string; and
  
  (d) combining the code with the encoded identification string at the determined character position to generate a user identification code; and
  
  communications circuitry for providing the user identification code along with the user'"'"'s service request to the communications network.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28)
- - 21. The device in claim 20, wherein the data processing circuitry further selects a variable key corresponding to one of plural encoding algorithms, wherein the user'"'"'s personal identification string is encoded using the encoding algorithm corresponding to the selected variable key.
  - 22. The device in claim 20, wherein the character position is determined using the entered user'"'"'s personal identification string.
  - 23. The device in claim 20, wherein the data processing circuitry further performs the steps of:
    - counting a number of characters in the entered user'"'"'s personal identification string to provide a count;
      
      summing the characters or values corresponding to the characters in the entered user'"'"'s personal identification string to provide a sum;
      
      selecting a prime number based on the entered user'"'"'s personal identification string;
      
      dividing the sum by the selected prime number resulting in a quotient and a remainder; and
      
      assigning the remainder as the character position if the remainder is less than the count, otherwise assigning a difference between the remainder and the count as the position character.
  - 24. The device in claim 20, further comprising a number generator for generating a pattern of characters randomly or pseudo-randomly.
  - 25. The device in claim 20, wherein the data processing circuitry further performs the steps of:
    - converting the code to a number;
      
      dividing the code by a prime number corresponding to a security level; and
      
      selecting as the key a division remainder.
  - 26. The device in claim 21, further comprising:
    - restricting the selected key such that the selected key is not the same as a preceding selected key.
  - 27. The device in claim 20, wherein the data processing circuitry further performs the steps of:
    - shifting the encoded user identification string by a number corresponding to the determined character position, andinserting the determined code in the encoded user identification string after shifting is completed.
  - 28. The device in claim 20, wherein when the user desires to change the user'"'"'s personal identification string, the user enters a new user'"'"'s personal identification string and the data processing circuitry performs steps (b)-(d) to generate a new user identification code;
    - andthe user reenters the new user'"'"'s personal identification string and the data processing circuitry performs steps (b)-(d) to generate a reentered user identification code, wherein if the new and reentered user identification codes match, the user'"'"'s personal identification string is changed to the new user personal identification string.

29. A user authentication service for authenticating an identity of a user requesting a service over a communications network, comprising the steps of:
- (a) storing for each of a plurality of subscribers a subscriber identification number along with a corresponding personal identification character string;
  
  (b) receiving a request to authenticate an identity of a user requesting a service over a communications network and determining a subscriber identification number corresponding to the user;
  
  (c) prompting the user over the communications network to enter a personal identification character string and receiving an encoded character string;
  
  (d) determining a code length based on a difference between the retrieved string and the encoded string to provide a number of code characters;
  
  (e) determining a character position;
  
  (f) removing the number of code characters beginning at the determined character position leaving a reduced character string;
  
  (g) decoding the reduced character string using one of plural decoding algorithms to provide a user entered personal identification character string; and
  
  (h) comparing the user entered character string with the stored character string corresponding to the determined subscriber identification number.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45)
- - 30. The user authentication service according to claim 29, further comprising:
    - determining a number of occurrences where the user entered character string is not the same as the stored character string, andreporting the number of occurrences each time the user authentication service is requested.
  - 31. The user authentication service according to claim 30, wherein the number of occurrences is reported to the user before the prompting step as a number of potentially fraudulent and unsuccessful attempts to enter an authenticate personal identification character string.
  - 32. The user authentication service according to claim 29, further comprising:
    - determining a number of occurrences where the user entered character string is not the same as the retrieved character string;
      
      terminating the service request transaction when the number of occurrences exceeds a predetermined value.
  - 33. The user authentication service according to claim 32, wherein the terminating step includes resetting the code length and the character position to zero.
  - 34. The user authentication service according to claim 29, further comprising:
    - (1) when the character strings compared in step (h) are the same, detecting a user request to change the user'"'"'s current personal identification character string;
      
      (2) prompting the user to enter a second personal identification character string and receiving a second encoded character string;
      
      (3) removing the code length of characters beginning at the determined character position leaving a second reduced character string;
      
      (4) decoding the second reduced character string using a second one of plural decoding algorithms to provide a second user entered personal identification character string;
      
      (5) prompting the user to reenter the second personal identification character string and receiving a third encoded character string,(6) removing the code length of characters beginning at the determined character position leaving a third reduced character string;
      
      (7) decoding the third reduced character string using a third one of plural decoding algorithms to provide a third user entered personal identification character string;
      
      (8) registering the second personal identification character string as the user'"'"'s new personal identification character string if the second and third user entered personal identification character strings decoded in steps (4) and (7) are the same.
  - 35. The user authentication service in claim 34, further comprising:
    - starting a timer after step (1),terminating a current user transaction to change the user'"'"'s personal identification character string if the timer reaches a predetermined value.
  - 36. The user authentication service in claim 29, further comprising:
    - maintaining a database for plural subscribers including for each subscriber a subscriber identifier, a personal identification character string, and a security level, wherein the subscriber upon being authenticated may change the personal identification character string.
  - 37. The user authentication service in claim 36, wherein the user authentication service includes a plurality of security levels, each security level corresponding to a level of sophistication of the encoding/decoding algorithms used to decode the user entered personal identification character string with higher levels corresponding to increasing sophistication, the subscriber being permitted to selectively subscribe to any of the security levels.
  - 38. The user authentication service in claim 37, wherein each security level further includes a plurality of encoding/decoding algorithms divided into tiers, each tier includes a number of encoding/decoding algorithms with higher tiers having a larger number of encoding/decoding algorithms, the user being permitted to selectively subscribe to any of the tiers.
  - 39. The user authentication service in claim 38, wherein upon initiation of a user request, the user authentication service retrieves the corresponding user'"'"'s current security level and personal identification character string.
  - 40. The user authentication service in claim 29, further comprising:
    - selecting a key corresponding to one of plural encoding/decoding algorithms, wherein the user'"'"'s personal identification string is decoded using one of the encoding/decoding algorithm corresponding to the selected variable key.
  - 41. The user authentication service in claim 29, wherein the character position is determined using the user'"'"'s personal identification string.
  - 42. The user authentication service in claim 41, wherein the using step includes:
    - counting a number of characters in the user'"'"'s personal identification string to provide a count;
      
      summing the characters or values corresponding to the characters in the user'"'"'s personal identification string to provide a sum;
      
      selecting a prime number based on the user'"'"'s personal identification string;
      
      dividing the sum by the selected prime number resulting in a quotient and a remainder; and
      
      assigning the remainder as the character position if the remainder is less than the count, otherwise assigning a difference between the remainder and the count as the position character.
  - 43. The user authentication service in claim 42, wherein the selecting step includes:
    - comparing the count to a determined prime number;
      
      if the count exceeds the determined prime number, determining a succeeding prime number and repeating the comparing step;
      
      if the count is less than the determined prime number, using the determined prime number as the selected prime number.
  - 44. The user authentication service in claim 29, wherein the number of code characters may vary each time step (c) is performed.
  - 45. The user authentication service in claim 29, wherein the decoding step (g) further includes:
    - converting the removed code characters into a code number;
      
      dividing the code number by a prime number corresponding to a security level; and
      
      selecting the one decoding algorithm using a remainder of the dividing step.

46. A user authentication service providing a user with a plurality of different security levels in conducting electronic service requests including for each security level one or more memories storing a plurality of encryption algorithms wherein the user selects a security level and a number of encryption algorithms from the plurality of encryption algorithms corresponding to the selected level.
- View Dependent Claims (47, 48)
- - 47. The user authentication service according to claim 46, wherein the greater the number of encryption algorithms selected, the greater the security.
  - 48. The user authentication service according to claim 46, wherein different ones of the plurality of security levels include encryption algorithms of different sophistication such that selection of a security level having a greater degree of sophistication provides greater security.

49. A method of encrypting a personal identification string, comprising:
- (a) entering a personal identification string, and(b) inserting a random code in between characters in the personal identification string at a predetermined position that varies each time the personal identification string is entered.
- View Dependent Claims (50, 52, 53, 54)
- - 50. The method in claim 49, further comprising:
    - encrypting the personal identification string and inserting the random code between characters in the personal identification string in accordance with one of a plurality of encryption techniques.
  - 52. The method in claim 49, wherein the position if generated using the entered identification string.
  - 53. The method in claim 49, wherein the user selects for each entry of the personal identification string a length of the code.
  - 54. The method in claim 49, wherein the code and character position where the code is inserted vary each time the personal identification string is entered.

51. A method of encrypting a personal identification string, comprising:
- (a) entering a personal identification string, and(b) inserting a random code in between characters in the personal identification string,wherein a length of the code may vary each time the personal identification string is entered.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Khello, Robert Peter
Primary Examiner(s)
Cain, David C.

Application Number

US08/529,405
Time in Patent Office

897 Days
Field of Search

380/23, 380/25, 380/49, 380/46
US Class Current

713/184
CPC Class Codes

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/4012   Verifying personal identifi...

G06Q 20/40975   using encryption therefor

G07C 9/33   by means of a password

G07F 7/10   together with a coded signa...

G07F 7/1008   Active credit-cards provide...

G07F 7/1066   PIN data being compared to ...

Method and apparatus for user authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

54 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for user authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

54 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links