System and method for user authentication employing dynamic encryption variables
Abstract
The system includes a first card-like unit adapted to communicate with a second unit that gives only conditional access to a function. Both units are capable of running software for generating a password by means of encryption of a plurality of dynamic variables produced separately but in concert (so as to have a predetermined relationship, such as identity, with one another) in the units. The encryption is carried out in each unit by a public algorithm using a dynamically varying encryption key. Each time an access request is issued by a card user, the key is modified as a function of the number of access requests previously formulated by the card user. Access to the function is granted when the passwords generated in the units have a predetermined relationship (such as identity) with each other. In a "virtual token" implementation, the first unit can consist of a smart card (which stores the dynamic key and the variable representing the number of formulated authentication requests, and executes the encryption algorithm), a smart card reader, and a computer such as a personal computer. Either the smart card reader or the personal computer can generate the time-dependent variable. In a "software token" implementation, the functions of the first unit are performed by a personal computer, thus eliminating the need for a smart card or a smart card reader.
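The following is an added illustration of the scheme the abstract describes, written for this page; it is not code from the patent or from any product practising it. The two dynamic variables are a request counter, held by the card, and a time slot, supplied by the host or reader as in the "virtual token" arrangement, so the card itself never needs a clock. The patent leaves the public encryption algorithm unspecified; here HMAC-SHA256 is assumed both for deriving the counter-dependent dynamic key and for producing the password, and the slot length, truncation length and tolerance windows (TIME_STEP, PASSWORD_BYTES, COUNTER_WINDOW, TIME_WINDOW) are assumed values. The verifier regenerates both variables independently, searches a bounded window of counters and time slots so that unverified requests and clock drift do not lock the user out, compares in constant time, and advances its stored counter past the accepted value so the same password cannot be replayed.

```python
import hashlib
import hmac
import secrets

TIME_STEP = 30        # seconds per time slot (assumed value)
PASSWORD_BYTES = 8    # truncated password length in bytes (assumed value)
COUNTER_WINDOW = 5    # counter look-ahead the verifier tolerates (assumed value)
TIME_WINDOW = 1       # time slots of clock drift tolerated on either side (assumed value)


def time_variable(now: float) -> int:
    """Time-dependent dynamic variable: the current time slot, produced by the host or reader."""
    return int(now) // TIME_STEP


def dynamic_key(base_key: bytes, counter: int) -> bytes:
    """Dynamic encryption key, modified as a function of the number of prior access requests.
    Assumption: HMAC-SHA256 stands in for the patent's unspecified public algorithm."""
    return hmac.new(base_key, counter.to_bytes(8, "big"), hashlib.sha256).digest()


def compute_password(base_key: bytes, counter: int, tslot: int) -> bytes:
    """Password over both dynamic variables under the dynamic key, truncated for transmission."""
    key = dynamic_key(base_key, counter)
    msg = tslot.to_bytes(8, "big") + counter.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:PASSWORD_BYTES]


class Card:
    """First unit: holds the secret and the request counter; the time slot comes from outside."""

    def __init__(self, base_key: bytes) -> None:
        self._base_key = base_key
        self.counter = 0

    def request(self, tslot: int) -> bytes:
        password = compute_password(self._base_key, self.counter, tslot)
        self.counter += 1  # every request changes the key used for the next one
        return password


class Verifier:
    """Second unit: regenerates the dynamic variables in concert with, but independently of, the card."""

    def __init__(self) -> None:
        self._records: dict[str, list] = {}  # card_id -> [base_key, next expected counter]

    def enroll(self, card_id: str, base_key: bytes) -> None:
        self._records[card_id] = [base_key, 0]

    def verify(self, card_id: str, password: bytes, now: float) -> bool:
        record = self._records.get(card_id)
        if record is None:
            return False
        base_key, expected = record
        tslot = time_variable(now)
        for counter in range(expected, expected + COUNTER_WINDOW + 1):
            for slot in range(tslot - TIME_WINDOW, tslot + TIME_WINDOW + 1):
                candidate = compute_password(base_key, counter, slot)
                if hmac.compare_digest(candidate, password):
                    record[1] = counter + 1  # consume the counter: a replayed password now fails
                    return True
        return False


def demo() -> tuple[bool, bool, bool]:
    """Constructed walk-through: a fresh request, its replay, and a resync after drift."""
    key = secrets.token_bytes(32)  # constructed shared secret personalised to this card
    card, verifier = Card(key), Verifier()
    verifier.enroll("card-1", key)
    now = 1_700_000_000.0
    pw = card.request(time_variable(now))
    first = verifier.verify("card-1", pw, now)       # accepted
    replay = verifier.verify("card-1", pw, now)      # rejected: counter already consumed
    card.request(time_variable(now))                 # two requests never sent to the verifier
    card.request(time_variable(now))
    pw_late = card.request(time_variable(now + 10))
    resync = verifier.verify("card-1", pw_late, now + 40)  # counter and slot windows absorb the drift
    return first, replay, resync


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the counter is never transmitted, so the verifier's only knowledge of it is its own record plus the look-ahead window, which bounds how many unverified requests a user may make before a manual resynchronisation is needed; and because the window search is performed on the verifier, a larger window buys convenience at the cost of more candidate passwords an attacker's guess could match, so the truncation length and the windows have to be chosen together.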
Claims (53)
1. A user authentication system for control of access of at least one user to a function, said system including at least one first unit personalized for said user and at least one second verification unit controlling access to said function,
(a) said first unit comprising:
first generator means for producing at least two dynamic variables;
first calculation means for producing a first password in accordance with at least one first encryption algorithm using input parameters dependent on said dynamic variables; and
means for transmitting said first password to said second unit;
(b) said second unit comprising:
second generator means for, in response to an access request made by way of a specified one of said at least one first unit, producing at least two dynamic variables assigned to said specified one of said at least one first unit;
second calculation means for producing a second password in accordance with at least one second encryption algorithm using input parameters dependent on said dynamic variables produced in said second unit;
comparator means for comparing said first and second passwords; and
means, responsive to said comparator means determining that a predetermined relationship exists between said passwords, for delivering an authorization of access to said function;
wherein said first and second generator means provided respectively in said first and second units produce said at least two dynamic variables in concert, but independently.
Dependent claims: 2 to 28.
29. A user authentication system for control of access of at least one user to a function, said system including at least one first unit personalized for said user and at least one second verification unit controlling access to said function,
(a) said first unit comprising:
first generator means for producing at least two dynamic variables;
first calculation means for producing a password in accordance with at least one first encryption algorithm using input parameters dependent on said dynamic variables; and
means for transmitting said password to said second unit;
(b) said second unit comprising:
second generator means for, in response to an access request made by way of a specified one of said at least one first unit, producing at least two dynamic variables assigned to said specified one of said at least one first unit;
second calculation means for decrypting said password in accordance with at least one decryption algorithm using as a decryption key an input parameter dependent on a first one of said dynamic variables produced in said second unit to derive one of said dynamic variables produced in said first unit;
comparator means for comparing said dynamic variable derived by said second calculation means with a second one of said dynamic variables produced in said second unit; and
means, responsive to said comparator means determining that a predetermined relationship exists between said dynamic variable derived by said second calculation means and said second one of said dynamic variables produced in said second unit, for delivering an authorization of access to said function;
wherein said first and second generator means provided respectively in said first and second units produce said at least two dynamic variables in concert, but independently.
30. A user authentication system for control of access of at least one user to a function, said system including at least one first unit personalized for said user and at least one second verification unit controlling access to said function,
(a) said first unit comprising:
first generator means for producing at least one dynamic variable;
first calculation means for producing a first password in accordance with at least one first encryption algorithm using input parameters dependent on said at least one dynamic variable; and
means for transmitting said first password to said second unit;
(b) said second unit comprising:
second generator means for, in response to an access request made by way of a specified one of said at least one first unit, producing at least one dynamic variable assigned to said specified one of said at least one first unit;
second calculation means for producing a second password in accordance with at least one second encryption algorithm using input parameters dependent on said at least one dynamic variable produced in said second unit;
comparator means for comparing said first and second passwords; and
means, responsive to said comparator means determining that a predetermined relationship exists between said passwords, for delivering an authorization of access to said function;
wherein said first and second generator means provided respectively in said first and second units produce said at least one dynamic variable for the first unit and said at least one dynamic variable for the second unit in concert, but independently;
said first unit further comprising:
a card containing the first calculation means;
a processor disposed outside the card; and
a card reader for providing communication between the card and the processor,
wherein said means for producing said at least one dynamic variable for the first unit is contained in the processor and said at least one dynamic variable for said first unit is communicated by said card reader alone to said first calculation means in said card.
Dependent claims: 31 to 33.
34. A user authentication method for control of access of at least one user to a function, said method comprising:
(a) producing at least two dynamic variables;
(b) producing a first password in accordance with at least one first encryption algorithm using input parameters dependent on said dynamic variables;
(c) in response to an access request made by a specified one of said at least one user, producing at least two dynamic variables assigned to said specified one of said at least one user;
(d) producing a second password in accordance with at least one second encryption algorithm using input parameters dependent on said dynamic variables produced in step (c);
(e) comparing said first and second passwords; and
(f) if a predetermined relationship exists between said passwords, delivering an authorization of access to said function;
wherein said at least two dynamic variables are produced in steps (a) and (c) in concert, but independently.
Dependent claims: 35 to 50.
51. A user authentication method for control of access of at least one user to a function, said method comprising:
(a) producing at least two dynamic variables;
(b) producing a password in accordance with at least one first encryption algorithm using input parameters dependent on said dynamic variables;
(c) in response to an access request made by a specified one of said at least one user, producing at least two dynamic variables assigned to said specified one of said at least one user;
(d) decrypting said password in accordance with at least one decryption algorithm using as a decryption key an input parameter dependent on a first one of said dynamic variables produced in step (c) to derive one of said dynamic variables produced in step (a);
(e) comparing said dynamic variable derived in step (d) with a second one of said dynamic variables produced in step (c); and
(f) if a predetermined relationship exists between said dynamic variable derived in step (a) and said second one of said dynamic variables produced in step (c), delivering an authorization of access to said function;
wherein said at least two dynamic variables are produced in steps (a) and (c) in concert, but independently.
52. A user authentication method for control of access of at least one user to a function, said method comprising:
(a) producing at least one dynamic variable;
(b) producing a first password in accordance with at least one first encryption algorithm using input parameters dependent on said at least one dynamic variable;
(c) in response to an access request made by a specified one of said at least one user, producing at least one dynamic variable assigned to said specified one of said at least one user;
(d) producing a second password in accordance with at least one second encryption algorithm using input parameters dependent on said at least one dynamic variable produced in step (c);
(e) comparing said first and second passwords; and
(f) if a predetermined relationship exists between said passwords, delivering an authorization of access to said function;
wherein said at least one dynamic variable in step (a) and said at least one dynamic variable in step (c) are generated in concert, but independently;
steps (a) and (b) being performed in a unit comprising:
a card;
a processor disposed outside the card; and
a card reader for providing communication between the card and the processor,
wherein the processor performs step (a) and communicates the at least one dynamic variable to the card, which performs step (b).
Dependent claims: 53.