System and method for user authentication employing dynamic encryption variables

US 5,937,068 A
Filed: 10/02/1997
Issued: 08/10/1999
Est. Priority Date: 03/22/1996
Status: Expired due to Term

- Alert
- Pin

First Claim

Patent Images

1. A user authentication system for control of access of at least one user to a function, said system including at least one first unit personalized for said user and at least one second verification unit controlling access to said function,(a) said first unit comprising:

first generator means for producing at least two dynamic variables;

first calculation means for producing a first password in accordance with at least one first encryption algorithm using input parameters dependent on said dynamic variables; and

means for transmitting said first password to said second unit;

(b) said second unit comprising;

second generator means for, in response to an access request made by way of a specified one of said at least one first unit, producing at least two dynamic variables assigned to said specified one of said at least one first unit;

second calculation means for producing a second password in accordance with at least one second encryption algorithm using input parameters dependent on said dynamic variables produced in said second unit;

comparator means for comparing said first and second passwords; and

means, responsive to said comparator means determining that a predetermined relationship exists between said passwords, for delivering an authorization of access to said function;

wherein said first and second generator means provided respectively in said first and second units produce said at least two dynamic variables in concert, but independently.

View all claims

3 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

The system includes a first card-like unit adapted to communicate with a second unit giving only conditionally access to a function. Both units are capable of running software for generating a password by means of encryption of a plurality of dynamic variables produced separately but in concert (so as to have a predetermined relationship, such as identity, with one another) in the units. The encryption is carried out in each unit by a public algorithm using a dynamically varying encryption key. Each time an access request is issued by a card user, the key is modified as a function of the number of access requests previously formulated by the card user. Access to the function is granted when the passwords generated in the units have a predetermined relationship (such as identity) with each other. In a "virtual token" implementation, the first unit can be a smart card, which stores the dynamic key and the variable representing the number of formulated authentication requests and executes an encryption algorithm, a smart card reader and a computer such as a personal computer. Either the smart card reader or the personal computer can generate the time dependent variable. In a "software token" implementation, the functions of the first unit are performed by a personal computer, thus eliminating the need for a smart card or a smart card reader.

Citations

53 Claims

1. A user authentication system for control of access of at least one user to a function, said system including at least one first unit personalized for said user and at least one second verification unit controlling access to said function,(a) said first unit comprising:
- first generator means for producing at least two dynamic variables;
  
  first calculation means for producing a first password in accordance with at least one first encryption algorithm using input parameters dependent on said dynamic variables; and
  
  means for transmitting said first password to said second unit;
  
  (b) said second unit comprising;
  
  second generator means for, in response to an access request made by way of a specified one of said at least one first unit, producing at least two dynamic variables assigned to said specified one of said at least one first unit;
  
  second calculation means for producing a second password in accordance with at least one second encryption algorithm using input parameters dependent on said dynamic variables produced in said second unit;
  
  comparator means for comparing said first and second passwords; and
  
  means, responsive to said comparator means determining that a predetermined relationship exists between said passwords, for delivering an authorization of access to said function;
  
  wherein said first and second generator means provided respectively in said first and second units produce said at least two dynamic variables in concert, but independently.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 2. The system as claimed in claim 1, wherein said first and second generator means respectively include third and fourth calculation means for producing at least a first one of the dynamic variables according to a function involving a number of access requests made by said first unit prior to a current access request in progress.
  - 3. The system as claimed in claim 2, wherein said third and fourth calculation means respectively generate an intermediate dynamic variable by logical combination of said number of access requests made and a current value of said first dynamic variable.
  - 4. The system as claimed in claim 3, wherein said third and fourth calculation means respectively perform, by means of third and fourth algorithms, an encryption of said intermediate dynamic variable, the result of this encryption constituting a new value of said first dynamic variable.
  - 5. The system as claimed in claim 4, wherein said third and fourth calculation means respectively comprise means for encrypting said intermediate dynamic variable with said first dynamic variable used as a secret encryption key in respect of said third and fourth encryption algorithms.
  - 6. The system as claimed in claim 4, wherein said third and fourth calculation means respectively comprise means for encrypting said intermediate dynamic variable with an encryption key which differs from said first dynamic variable and is used in respect of said third and fourth encryption algorithms respectively.
  - 7. The system as claimed in claim 4, wherein said third calculation means and said fourth calculation means transfer the result of said encryption by said third and fourth encryption algorithms to said first and second calculation means respectively as an encryption key in respect of said first and second encryption algorithms.
  - 8. The system as claimed in claim 7, wherein said first and second generator means respectively generate a second one of said dynamic variables as a function of said number of access requests made and transfer said second dynamic variable to said first and second calculation means respectively, and wherein said first and second calculation means encrypt an input datum comprising said second dynamic variable, in accordance with said first and second encryption algorithms respectively.
  - 9. The system as claimed in claim 8, wherein said first and second generator means respectively generate a third one of said dynamic variables as a function of current time and transfer said third dynamic variable to said first and second calculation means respectively and wherein said first and second calculation means incorporate said third dynamic variable in said input datum.
  - 10. The system as claimed in claim 9, wherein said first and second calculation means respectively perform a concatenation of said second and third dynamic variables to produce said input datum.
  - 11. The system as claimed in claim 4, wherein said third and fourth encryption algorithms are identical to said first and second encryption algorithms.
  - 12. The system as claimed in claim 1, wherein said first and second generator means respectively transfer a first one of said dynamic variables to said first and second calculation means as an encryption key in respect of said first and second algorithms and produce an input datum comprising a second one of said dynamic variables consisting of a number of access requests made by said first unit prior to a current access request in progress, said input datum being transferred to said first and second calculation means respectively so as to be encrypted therein by said first dynamic variable.
  - 13. The system as claimed in claim 12, wherein said first and second generator means respectively comprise third and fourth calculation means for producing said encryption key as a function of said number of access requests made.
  - 14. The system as claimed in claim 13, wherein said third and fourth calculation means respectively comprise memory storage means and generate, from the current value of said encryption key, a new value of said encryption key and store said new value in said memory storage means as replacement for said current value.
  - 15. The system as claimed in claim 1, wherein said first unit comprises means for storing data intended to be transferred to said second unit so as to be used in accomplishing said function and said second unit comprises means for receiving said data, and wherein said first and second generator means comprise means for transferring said data respectively to said first and second calculation means so as to serve as a component of at least one of said dynamic variables to be encrypted.
  - 16. The system as claimed in claim 1, wherein the first unit is a portable device comprising a source of electrical energy.
  - 17. The system as claimed in claim 16 comprising communication means in said first and second units, said communication means comprising a DTMF telephone link for allowing communication of information between first and second said units.
  - 18. The system as claimed in claim 16 comprising communication means in said first and second units, said communication means comprising an infrared communication device for allowing communication of information between said units.
  - 19. The system as claimed in claim 1, wherein the first unit is a portable device comprising a card.
  - 20. The system as claimed in claim 1, wherein said first unit comprises:
    - a card reader; and
      
      a card adapted for being read by said card reader.
  - 21. The system as claimed in claim 20, wherein:
    - the card comprises a first portion of the first generator means, the first portion for producing a first one of the at least two dynamic variables; and
      
      the first unit further comprises a processor in communication with the card, the processor comprising a second portion of the first generator means, the second portion for producing a second one of the at least two dynamic variables.
  - 22. The system as claimed in claim 21, wherein the processor is disposed in the card reader.
  - 23. The system as claimed in the claim 21, wherein the processor is disposed in a computer connected to the card reader.
  - 24. The system as claimed in claim 21, wherein the second one of the at least two dynamic variables varies as a function of time.
  - 25. The system as claimed in claim 1, wherein the first unit is one of a personal computer, personal digital assistant and telephonic device and programmed to function as the first generator means and the first calculation means.
  - 26. The system as in claim 1 wherein said predetermined relationship between said passwords is equality.
  - 27. The system as in claim 9, wherein said first and second calculation means respectively process said second and third dynamic variables to produce said input datum.
  - 28. The system as in claim 1, wherein said first and second encryption algorithms are different from one another and have a predetermined relationship with one another such said first password and said second password have said predetermined relationship.

29. A user authentication system for control of access of at least one user to a function, said system including at least one first unit personalized for said user and at least one second verification unit controlling access to said function,(a) said first unit comprising:
- first generator means for producing at least two dynamic variables;
  
  first calculation means for producing a password in accordance with at least one first encryption algorithm using input parameters dependent on said dynamic variables; and
  
  means for transmitting said password to said second unit;
  
  (b) said second unit comprising;
  
  second generator means for, in response to an access request made by way of a specified one of said at least one first unit, producing at least two dynamic variables assigned to said specified one of said at least one first unit;
  
  second calculation means for decrypting said password in accordance with at least one decryption algorithm using as a decryption key an input parameter dependent on a first one of said dynamic variables produced in said second unit to derive one of said dynamic variables produced in said first unit;
  
  comparator means for comparing said dynamic variable derived by said second calculation means with a second one of said dynamic variables produced in said second unit; and
  
  means, responsive to said comparator means determining that a predetermined relationship exists between said dynamic variable derived by said second calculation means with said second one of said dynamic variables produced in said second unit, for delivering an authorization of access to said function;
  
  wherein said first and second generator means provided respectively in said first and second units produce said at least two dynamic variables in concert, but independently.

30. A user authentication system for control of access of at least one user to a function, said system including at least one first unit personalized for said user and at least one second verification unit controlling access to said function,(a) said first unit comprising:
- first generator means for producing at least one dynamic variable;
  
  first calculation means for producing a first password in accordance with at least one first encryption algorithm using input parameters dependent on said at least one dynamic variable; and
  
  means for transmitting said first password to said second unit;
  
  (b) said second unit comprising;
  
  second generator means for, in response to an access request made by way of a specified one of said at least one first unit, producing at least one dynamic variable assigned to said specified one of said at least one first unit;
  
  second calculation means for producing a second password in accordance with at least one second encryption algorithm using input parameters dependent on said at least one dynamic variable produced in said second unit;
  
  comparator means for comparing said first and second passwords; and
  
  means, responsive to said comparator means determining that a predetermined relationship exists between said passwords, for delivering an authorization of access to said function;
  
  wherein said first and second generator means provided respectively in said first and second units produce said at least one dynamic variable for the first unit and said at least one dynamic variable for the second unit in concert, but independently;
  
  said first unit further comprising;
  
  a card containing the first calculation means;
  
  a processor disposed outside the card; and
  
  a card reader for providing communication between the card and the processor, wherein;
  
  said means for producing said at least one dynamic variable for the first unit is contained in the processor and said at least one dynamic variable for said first unit is communicated by said card reader alone to said first calculation means in said card.
- View Dependent Claims (31, 32, 33)
- - 31. The system as claimed in claim 30, wherein said at least one dynamic variable for each of the first unit and the second unit varies as a function of time.
  - 32. The system as claimed in claim 30, wherein the processor is disposed in the card reader.
  - 33. The system as claimed in claim 30, wherein the first unit further comprises a computer in which the processor is disposed.

34. A user authentication method for control of access of at least one user to a function, said method comprising:
- (a) producing at least two dynamic variables;
  
  (b) producing a first password in accordance with at least one first encryption algorithm using input parameters dependent on said dynamic variables;
  
  (c) in response to an access request made by a specified one of said at least one user, producing at least two dynamic variables assigned to said specified one of said at least one user;
  
  (d) producing a second password in accordance with at least one second encryption algorithm using input parameters dependent on said dynamic variables produced in step (c);
  
  (e) comparing said first and second passwords; and
  
  (f) if a predetermined relationship exists between said passwords, delivering an authorization of access to said function;
  
  wherein said at least two dynamic variables are produced in steps (a) and (c) in concert, but independently.
- View Dependent Claims (35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50)
- - 35. The method as claimed in claim 34, wherein each of steps (a) and (c) comprises producing at least a first one of the dynamic variables according to a function involving a number of access requests made by said at least one user prior to a current access request in progress.
  - 36. The method as claimed in claim 35, wherein each of steps(a) and (c) comprises generating an intermediate dynamic variable by logical combination of said number of access requests made and a current value of said first dynamic variable.
  - 37. The method as claimed in claim 36, wherein each of steps (a) and (c) comprises performing, by means of third and fourth algorithms, an encryption of said intermediate dynamic variable, the result of this encryption constituting a new value of said first dynamic variable.
  - 38. The method as claimed in claim 37, wherein each of steps (a) and (c) comprises encrypting said intermediate dynamic variable with said first dynamic variable used as a secret encryption key in respect of said third and fourth encryption algorithms.
  - 39. The method as claimed in claim 37, wherein each of steps (a) and (c) comprises encrypting said intermediate dynamic variable with an encryption key which differs from said first dynamic variable and is used in respect of said third and fourth encryption algorithms respectively.
  - 40. The method as claimed in claim 37, wherein the result of said encryption are used as an encryption key in respect of said first and second encryption algorithms.
  - 41. The method as claimed in claim 40, wherein a second one of said dynamic variables is generated in steps (a) and (c) as a function of said number of access requests made, and wherein said an input datum comprising said second dynamic variable is encrypted in accordance with said first and second encryption algorithms respectively.
  - 42. The method as claimed in claim 41, wherein a third one of said dynamic variables is generated as a function of current time and wherein said third dynamic variable is incorporated in said input datum.
  - 43. The method as claimed in claim 42, wherein a concatenation of said second and third dynamic variables is performed to produce said input datum.
  - 44. The method as claimed in claim 37, wherein said third and fourth encryption algorithms are identical to said first and second encryption algorithms.
  - 45. The method as claimed in claim 34, wherein a first one of said dynamic variables is used as an encryption key in respect of said first and second algorithms, an input datum is produced comprising a second one of said dynamic variables consisting of a number of access requests made by said first unit prior to a current access request in progress, said input datum being encrypted by said first dynamic variable.
  - 46. The method as claimed in claim 45, wherein said encryption key is a function of said number of access requests made.
  - 47. The method as claimed in claim 46, wherein, from the current value of said encryption key is generated.
  - 48. The method as claimed in claim 34, wherein the predetermined relationship between the passwords is equality.
  - 49. The method as in claim 42, wherein said second and third dynamic variables are processed to produce said input datum.
  - 50. The method as in claim 34, wherein said first and second encryption algorithms are different from one another and have a predetermined relationship with one another such said first password and said second password have said predetermined relationship.

51. A user authentication method for control of access of at least one user to a function, said method comprising:
- (a) producing at least two dynamic variables;
  
  (b) producing a password in accordance with at least one first encryption algorithm using input parameters dependent on said dynamic variables;
  
  (c) in response to an access request made by a specified one of said at least one user, producing at least two dynamic variables assigned to said specified one of said at least one user;
  
  (d) decrypting said password in accordance with at least one decryption algorithm using as a decryption key an input parameter dependent on a first one of said dynamic variables produced in step (c) to derive one of said dynamic variables produced in step (a);
  
  (e) comparing said dynamic variable derived in step (d) means with a second one of said dynamic variables produced in step (c); and
  
  (f) if a predetermined relationship exists between said dynamic variable derived in step (a) with said second one of said dynamic variables produced in step (c), delivering an authorization of access to said function;
  
  wherein said at least two dynamic variables are produced in steps (a) and (c) in concert, but independently.

52. A user authentication method for control of access of at least one user to a function, said method comprising:
- (a) producing at least one dynamic variable;
  
  (b) producing a first password in accordance with at least one first encryption algorithm using input parameters dependent on said at least one dynamic variable;
  
  (c) in response to an access request made by a specified one of said at least one user, producing at least one dynamic variable assigned to said specified one of said at least one user;
  
  (d) producing a second password in accordance with at least one second encryption algorithm using input parameters dependent on said at least one dynamic variable produced in step (c);
  
  (e) comparing said first and second passwords; and
  
  (f) if a predetermined relationship exists between said passwords, delivering an authorization of access to said function;
  
  wherein said at least one dynamic variable in step (a) and said at least one dynamic variable in step (c) and generated in concert, but independently;
  
  steps (a) and (b) being performed in a unit comprising;
  
  a card;
  
  a processor disposed outside the card; and
  
  a card reader for providing communication between the card and the processor, wherein the processor performs step (a) and communicates the at least one dynamic variable to the card, which performs step (b).
- View Dependent Claims (53)
- - 53. The method as claimed in claim 52, wherein said at least one dynamic variable in each of steps (a) and (c) varies as a function of time.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Assa Abloy AB
Original Assignee
ActivCard Co.
Inventors
Audebert, Yves
Primary Examiner(s)
Buczinski, Stephen C.

Application Number

US08/942,904
Time in Patent Office

677 Days
Field of Search

380/23, 380/25, 380/49, 235/382
US Class Current

713/185
CPC Class Codes

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/351   Virtual cards

G06Q 20/3674   involving authentication

G06Q 20/4093   Monitoring of device authen...

G06Q 20/4097   using mutual authentication...

G06Q 20/40975   using encryption therefor

G07C 9/21   having a variable access code

G07C 9/215   the system having a variabl...

G07F 7/1008   Active credit-cards provide...

System and method for user authentication employing dynamic encryption variables

First Claim

3 Assignments

Litigations

0 Petitions

Accused Products

Abstract

Citations

53 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for user authentication employing dynamic encryption variables

First Claim

3 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

53 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links