Token distribution, registration, and dynamic configuration of user entitlement for an application level security system and method
Abstract
A shared secret key distribution system which enables secure on-line registration for services provided by an application server through an application level security system or firewall utilizes an authentication token containing a server public key. The server public key is used to encrypt a client-generated portion of the shared secret key, and the encrypted client-generated key is sent to the server where it is recovered using a private key held by the server and combined with a server generated portion of the shared secret key to form the shared secret key. The server generated portion of the shared secret key is then encrypted by the client-generated portion of the shared secret key and transmitted to the client for recovery and combination with the client-generated portion of the shared secret key, at which time both the client and server are in possession of the shared secret key, which can then be used for mutual authentication and development of session keys to secure subsequent communications. The session keys can be used to provide dynamic configuration of a client system to provide for different or changing user entitlements.
550 Citations
26 Claims
1. A method of registration and key distribution, comprising the steps of:
a. providing an authentication token with a server public key of a server public key-private key cryptosystem;
b. generating at least a portion of an authentication key;
c. encrypting user identification information and said portion of the authentication key by using the server public key;
d. transmitting the encrypted portion of the user identification information and the authentication key over an open network;
e. decrypting the encrypted portion of the user identification information and the portion of the authentication key using the private key;
f. using the user identification information to register the user and forming an authentication key based on the decrypted portion of the authentication key.
Dependent claims: 2, 3, 4, 5, 6, 7

8. A method of distributing a shared secret key for use in a token authentication system, comprising the steps of:
a. distributing to a user an authentication token and a server public key;
b. causing a client computer to retrieve the server public key, generate a first portion of the shared secret key and store the first portion of the shared secret key;
c. causing the client computer to encrypt the first portion of the shared secret key together with user identification information and transmit the encrypted first portion of the shared secret key and user identification information to a server;
d. causing the server to recover the first portion of the shared secret key and user identification information;
e. causing the server to generate a second portion of the shared secret key;
f. causing the server to generate a user identification code based on the user identification information;
g. causing the server to form the shared secret key by combining the first and second portions of the shared secret key;
h. causing the server to encrypt the user identification code and the second portion of the shared secret key using the first portion of the shared secret key as an encryption key, and transmitting the encrypted user identification code and second portion of the shared secret key to the client computer;
i. causing the client computer to recover the identification code and the second portion of the shared secret key using the stored first portion of the shared secret key;
j. causing the client computer to form the shared secret key by combining the first and second portions of the shared secret key.
Dependent claims: 9, 10, 11, 12, 13

14. A system for registration and key distribution, comprising:
a. means for distributing an authentication token to a user;
b. means for distributing a server public key of a server public key-private key cryptosystem to the user;
c. means for generating at least a portion of an authentication key;
d. means for encrypting user identification information and said portion of the authentication key by using the server public key;
e. means for transmitting the encrypted portion of the user identification information and the authentication key over an open network;
f. means for decrypting the encrypted portion of the user identification information and the portion of the authentication key using the private key;
g. means for using the user identification information to register the user and forming an authentication key based on the decrypted portion of the authentication key.
Dependent claims: 15, 16, 17, 18, 19, 20

21. A system of distributing a shared secret key for use in a token authentication system, comprising:
a. means for distributing to a user an authentication token;
b. means for distributing to the user a server public key;
c. means for causing a client computer to retrieve the server public key, generate a first portion of the shared secret key and store the first portion of the shared secret key;
d. means for causing the client computer to encrypt the first portion of the shared secret key together with user identification information and transmit the encrypted first portion of the shared secret key and user identification information to a server;
e. means for causing the server to recover the first portion of the shared secret key and user identification information;
f. means for causing the server to generate a second portion of the shared secret key;
g. means for causing the server to generate a user identification code based on the user identification information;
h. means for causing the server to form the shared secret key by combining the first and second portions of the shared secret key;
i. means for causing the server to encrypt the user identification code and the second portion of the shared secret key using the first portion of the shared secret key as an encryption key, and transmitting the encrypted user identification code and second portion of the shared secret key to the client computer;
j. means for causing the client computer to recover the identification code and the second portion of the shared secret key using the stored first portion of the shared secret key;
k. means for causing the client computer to form the shared secret key by combining the first and second portions of the shared secret key.
Dependent claims: 22, 23, 24, 25, 26
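The registration and key-distribution exchange described in the abstract and in claims 8 and 21, with both the client and the server side, as an added example that is not part of the patent. It assumes a toy textbook-RSA key pair standing in for the server public-key cryptosystem (the patent names none; the demo modulus is far too small for real use), a SHA-256 keystream with an HMAC tag for the symmetric steps, and SHA-256 over the concatenated portions as the "combination" of the two key portions; all names and values are constructed for the demo.

```python
import hashlib, hmac, json, secrets

def _stream(key, data):
    # Keystream XOR from SHA-256(key || counter); integrity comes from the HMAC tag.
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def sym_encrypt(key, msg):
    ct = _stream(key, msg)
    return {"ct": ct, "tag": hmac.new(key, ct, "sha256").digest()}

def sym_decrypt(key, box):
    if not hmac.compare_digest(box["tag"], hmac.new(key, box["ct"], "sha256").digest()):
        raise ValueError("tag mismatch: wrong key or tampered message")
    return _stream(key, box["ct"])

SERVER_PUB = (3233, 17)     # (n, e) from p=61, q=53: carried on the authentication token (assumption)
SERVER_PRIV = (3233, 2753)  # (n, d): held only by the server (toy size, demo only)

def pk_seal(pub, msg):      # KEM-style: RSA-wrap a random r, derive the message key from it
    r = secrets.randbelow(pub[0] - 2) + 2
    return {"kem": pow(r, pub[1], pub[0]), **sym_encrypt(hashlib.sha256(r.to_bytes(2, "big")).digest(), msg)}

def pk_open(priv, box):
    r = pow(box["kem"], priv[1], priv[0])
    return sym_decrypt(hashlib.sha256(r.to_bytes(2, "big")).digest(), box)

def combine(kc, ks):        # assumed "combination" of the two key portions
    return hashlib.sha256(kc + ks).digest()

def client_register(user_id, token_pub):
    kc = secrets.token_bytes(16)               # client-generated portion (claim 8, step b)
    return kc, pk_seal(token_pub, json.dumps({"uid": user_id, "kc": kc.hex()}).encode())

def server_register(priv, sealed, registry):
    req = json.loads(pk_open(priv, sealed))    # recover uid + client portion (step d)
    kc, ks = bytes.fromhex(req["kc"]), secrets.token_bytes(16)   # server portion (step e)
    code = hashlib.sha256(req["uid"].encode()).hexdigest()[:16]  # user id code (step f)
    registry[code] = combine(kc, ks)           # server forms the shared key (step g)
    # Reply is encrypted under kc, so only the client that generated kc can open it (step h)
    return sym_encrypt(kc, json.dumps({"code": code, "ks": ks.hex()}).encode())

def client_finish(kc, reply):
    rep = json.loads(sym_decrypt(kc, reply))   # steps i and j
    return rep["code"], combine(kc, bytes.fromhex(rep["ks"]))

def run_exchange(user_id="alice@example.com"):
    registry = {}                              # server-side table of user code -> shared key
    kc, sealed = client_register(user_id, SERVER_PUB)
    code, client_key = client_finish(kc, server_register(SERVER_PRIV, sealed, registry))
    return registry[code] == client_key, code
```

After `run_exchange` both parties hold the same shared secret without it ever crossing the network in the clear, and a reply encrypted under a portion the client did not generate fails the tag check instead of yielding a key.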
Specification