Token distribution, registration, and dynamic configuration of user entitlement for an application level security system and method

US 5,784,463 A
Filed: 12/04/1996
Issued: 07/21/1998
Est. Priority Date: 12/04/1996
Status: Expired due to Term

- Alert
- Pin

First Claim

Patent Images

1. A method of registration and key distribution, comprising the steps of:

a. providing an authentication token with a server public key of a server public key-private key cryptosystem;

b. generating at least a portion of an authentication key;

c. encrypting user identification information and said portion of the authentication key by using the server public key;

d. transmitting the encrypted portion of the user identification information and the authentication key over an open network;

e. decrypting the encrypted portion of the user identification information and the portion of the authentication key using the private key;

f. using the user identification information to register the user and forming an authentication key based on the decrypted portion of the authentication key.

View all claims

5 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

A shared secret key distribution system which enables secure on-line registration for services provided by an application server through an application level security system or firewall utilizes an authentication token containing a server public key. The server public key is used to encrypt a client-generated portion of the shared secret key, and the encrypted client-generated key is sent to the server where it is recovered using a private key held by the server and combined with a server generated portion of the shared secret key to form the shared secret key. The server generated portion of the shared secret key is then encrypted by the client-generated portion of the shared secret key and transmitted to the client for recovery and combination with the client-generated portion of the shared secret key, at which time both the client and server are in possession of the shared secret key, which can then be used for mutual authentication and development of session keys to secure subsequent communications. The session keys can be used to provide dynamic configuration of a client system to provide for different or changing user entitlements.

550 Citations

26 Claims

1. A method of registration and key distribution, comprising the steps of:
- a. providing an authentication token with a server public key of a server public key-private key cryptosystem;
  
  b. generating at least a portion of an authentication key;
  
  c. encrypting user identification information and said portion of the authentication key by using the server public key;
  
  d. transmitting the encrypted portion of the user identification information and the authentication key over an open network;
  
  e. decrypting the encrypted portion of the user identification information and the portion of the authentication key using the private key;
  
  f. using the user identification information to register the user and forming an authentication key based on the decrypted portion of the authentication key.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method as claimed in claim 1, further comprising the steps, following step f, of encrypting a user identification code which is based on the user identification information together with a second portion of the authentication key and transmitting the encrypted user identification code and second portion of the authentication key using the first portion SSK1 of the authentication key, transmitting the encrypted user identification code and second portion of the authentication key back over the open network, decrypting the encrypted user identification code and second portion of the authentication key, and forming a second authentication key corresponding to the first authentication key for use as a shared secret key.
  - 3. A method as claimed in claim 2, further comprising the steps of mutually authenticating parties to a communication and generating a session key using the shared secret key for use in encrypting subsequent communications during a session.
  - 4. A method as claimed in claim 3, wherein the steps of mutually authenticating the parties and generating a session key comprise the steps of transmitting a number from one party to the other, encrypting the number using the shared secret key and generating a second number for transmission over the open network together with the encrypted first number, decrypting the first number to perform a first authentication, generating a session key by combining the encrypted first number with the second number using a one-way function and encrypting the second number using the session key, transmitting the encrypted second number over the open network, generating a second session key in the same manner as the first session key, and decrypting second number to perform a second authentication.
  - 5. A method as claimed in claim 3, further comprising the steps of using the session key to encrypt user information, decrypting the session key encrypted user information and retrieving from a database user entitlements, encrypting configuration instructions based on the user entitlements using the session key, and transmitting the encrypted configuration instructions over the open network to dynamically configure the user'"'"'s system based on the user entitlements.
  - 6. A method as claimed in claim 1, wherein the step of providing the token with the server public key comprises the steps of generating a digitally signed certificate containing said server public key and transmitting it to the user at the initiation of registration.
  - 7. A method as claimed in claim 6, further comprising the steps of embedding a token issuer public key in the authentication token and digitally signing the certificate prior to transmission of the server public key to the user so that the user can verify the authenticity of the server public key.

8. A method of distributing a shared secret key for use in a token authentication system, comprising the steps of:
- a. distributing to a user an authentication token and a server public key;
  
  b. causing a client computer to retrieve the server public key, generate a first portion of the shared secret key and store the first portion of the shared secret key;
  
  c. causing the client computer to encrypt the first portion of the shared secret key together with user identification information and transmit the encrypted first portion of the shared secret key and user identification information to a server;
  
  d. causing the server to recover the first portion of the shared secret key and user identification information;
  
  e. causing the server to generate a second portion of the shared secret key;
  
  f. causing the server to generate a user identification code based on the user identification information;
  
  g. causing the server to form the shared secret key by combining the first and second portions of the shared secret key;
  
  h. causing the server to encrypt the user identification code and the second portion of the shared secret key using the first portion of the shared secret key as an encryption key, and transmitting the encrypted user identification code and second portion of the shared secret key to the client computer;
  
  i. causing the client computer to recover identification code and the second portion of the shared secret key using the stored first portion of the shared secret key;
  
  j. causing the client computer to form the shared secret key by combining the first and second portions of the shared secret key.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. A method as claimed in claim 8, further comprising the steps of mutually authenticating parties to a communication and generating a session key using the shared secret key for use in encrypting subsequent communications during a session.
  - 10. A method as claimed in claim 9, wherein the steps of mutually authenticating the parties and generating a session key comprise the steps of transmitting a first number from the server to the client computer, causing the client computer to encrypt the first number using the shared secret key and generate a second number for transmission over the open network to the server together with the encrypted first number, causing the server to decrypt the first number to authenticate the client computer and generate a session key by combining the encrypted first number with the second number using a one-way function, causing the server to encrypt the second number using the session key and transmit the encrypted second number over the open network, causing the client computer to generate a second session key in the same manner as the first session key, and causing the client computer to decrypt the second number to thereby authenticate the server.
  - 11. A method as claimed in claim 9, further comprising the steps of causing the client computer to use the session key to encrypt user information, causing the server to decrypt the session key encrypted user information and retrieve from a database user entitlements, causing the server to encrypt configuration instructions based on the user entitlements using the session key and transmit the encrypted configuration instructions over the open network to the client computer so as to dynamically configure the client computer based on the user entitlements.
  - 12. A method as claimed in claim 8, wherein the step of distributing the server public key comprises the steps of generating a digitally signed certificate containing said server public key and transmitting it to the user at the initiation of registration.
  - 13. A method as claimed in claim 12, further comprising the steps of embedding a token issuer public key in the authentication token and digitally signing the certificate prior to transmission of the server public key to the user so that the user can verify the authenticity of the server public key.

14. A system for registration and key distribution, comprising:
- a. means for distributing an authentication token to a user;
  
  b. means for distributing a server public key of a server public key-private key cryptosystem to the user;
  
  c. means for generating at least a portion of an authentication key;
  
  d. means for encrypting user identification information and said portion of the authentication key by using the server public key;
  
  e. means for transmitting the encrypted portion of the user identification information and the authentication key over an open network;
  
  f. means for decrypting the encrypted portion of the user identification information and the portion of the authentication key using the private key;
  
  g. means for using the user identification information to register the user and forming an authentication key based on the decrypted portion of the authentication key.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. A system as claimed in claim 14, further comprising means for encrypting a user identification code which is based on the user identification information together with a second portion of the authentication key and transmitting the encrypted user identification code and second portion of the authentication key using the first portion SSK1 of the authentication key, means for transmitting the encrypted user identification code and second portion of the authentication key back over the open network, means for decrypting the encrypted user identification code and second portion of the authentication key, and means for forming a second authentication key corresponding to the first authentication key for use as a shared secret key.
  - 16. A system as claimed in claim 15, further comprising means for mutually authenticating parties to a communication and generating a session key using the shared secret key for use in encrypting subsequent communications during a session.
  - 17. A system as claimed in claim 16, wherein the steps of mutually authenticating the parties and generating a session key comprise the steps of transmitting a number from one party to the other, means for encrypting the number using the shared secret key and generating a second number for transmission over the open network together with the encrypted first number, means for decrypting the first number to perform a first authentication, means for generating a session key by combining the encrypted first number with the second number using a one-way function and encrypting the second number using the session key, means for transmitting the encrypted second number over the open network, means for generating a second session key in the same manner as the first session key, and means for decrypting second number to perform a second authentication.
  - 18. A system as claimed in claim 16, further comprising means for using the session key to encrypt user information, means for decrypting the session key encrypted user information and retrieving from a database user entitlements, means for encrypting configuration instructions based on the user entitlements using the session key, and means for transmitting the encrypted configuration instructions over the open network to dynamically configure the user'"'"'s system based on the user entitlements.
  - 19. A system as claimed in claim 14, wherein the means for distributing the server public key to the user comprises means for generating a digitally signed certificate containing said server public key and transmitting it to the user at the initiation of registration.
  - 20. A system as claimed in claim 19, further comprising the means for embedding a token issuer public key in the authentication token and digitally signing the certificate prior to transmission of the server public key to the user so that the user can verify the authenticity of the server public key.

21. A system of distributing a shared secret key for use in a token authentication system, comprising:
- a. means for distributing to a user an authentication token;
  
  b. means for distributing to the user a server public key;
  
  c. means for causing a client computer to retrieve the server public key, generate a first portion of the shared secret key and store the first portion of the shared secret key;
  
  d. means for causing the client computer to encrypt the first portion of the shared secret key together with user identification information and transmit the encrypted first portion of the shared secret key and user identification information to a server;
  
  e. means for causing the server to recover the first portion of the shared secret key and user identification information;
  
  f. means for causing the server to generate a second portion of the shared secret key;
  
  g. means for causing the server to generate a user identification code based on the user identification information;
  
  h. means for causing the server to form the shared secret key by combining the first and second portions of the shared secret key;
  
  i. means for causing the server to encrypt the user identification code and the second portion of the shared secret key using the first portion of the shared secret key as an encryption key, and transmitting the encrypted user identification code and second portion of the shared secret key to the client computer;
  
  j. means for causing the client computer to recover identification code and the second portion of the shared secret key using the stored first portion of the shared secret key;
  
  k. means for causing the client computer to form the shared secret key by combining the first and second portions of the shared secret key.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. A system as claimed in claim 21, further comprising means for mutually authenticating parties to a communication and generating a session key using the shared secret key for use in encrypting subsequent communications during a session.
  - 23. A system as claimed in claim 22, wherein the means for mutually authenticating the parties and generating a session key comprise means for transmitting a first number from the server to the client computer, causing the client computer to encrypt the first number using the shared secret key and generate a second number for transmission over the open network to the server together with the encrypted first number, causing the server to decrypt the first number to authenticate the client computer and generate a session key by combining the encrypted first number with the second number using a one-way function, causing the server to encrypt the second number using the session key and transmit the encrypted second number over the open network, causing the client computer to generate a second session key in the same manner as the first session key, and causing the client computer to decrypt the second number to thereby authenticate the server.
  - 24. A system as claimed in claim 22, further comprising means for causing the client computer to use the session key to encrypt user information, causing the server to decrypt the session key encrypted user information and retrieve from a database user entitlements, causing the server to encrypt configuration instructions based on the user entitlements using the session key and transmit the encrypted configuration instructions over the open network to the client computer so as to dynamically configure the client computer based on the user entitlements.
  - 25. A system as claimed in claim 21, wherein the means for distributing the server public key to the user comprises means for generating a digitally signed certificate containing said server public key and transmitting it to the user at the initiation of registration.
  - 26. A system as claimed in claim 25, further comprising the means for embedding a token issuer public key in the authentication token and digitally signing the certificate prior to transmission of the server public key to the user so that the user can verify the authenticity of the server public key.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
SSL Services LLC
Original Assignee
V-ONE Corp. (AEP Networks Ltd.)
Inventors
Chen, James F., Wang, Jieh-Shan
Primary Examiner(s)
Gregory, Bernarr E.

Application Number

US08/760,414
Time in Patent Office

594 Days
Field of Search

380/4, 380/9, 380/21, 380/23, 380/24, 380/25, 380/30, 380/44, 380/45, 380/46, 380/47, 380/49, 380/50, 380/59
US Class Current

713/171
CPC Class Codes

G06F 21/33   using certificates

G06F 21/445   by mutual authentication, e...

G06F 2211/008   Public Key, Asymmetric Key,...

H04L 63/0428   wherein the data content is...

H04L 63/0442   wherein the sending and rec...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/0869   for achieving mutual authen...

H04L 9/083   involving central third par...

H04L 9/0844   with user authentication or...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3263   involving certificates, e.g...

H04L 9/40   Network security protocols

Token distribution, registration, and dynamic configuration of user entitlement for an application level security system and method

First Claim

5 Assignments

Litigations

0 Petitions

Accused Products

Abstract

550 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Token distribution, registration, and dynamic configuration of user entitlement for an application level security system and method

First Claim

5 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

550 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links