Methods and systems for establishing a shared secret using an authentication token
Abstract
A method and system for establishing a shared secret between a plurality of devices using an authentication token. An authentication token is used to establish a shared secret between a local device and a remote device to provide user authentication, data encryption, and integrity protection. The authentication token may be used in a variety of ways to authenticate a user. First, a time-synchronized authentication token can generate a first character string that is communicated to a workstation. The workstation can manipulate the first character string to generate a second character string and send the second character string to a server. The server then compares the second character string with a plurality of possible matching character string values and determines the first character string. In another implementation, a challenge from a server can be received and processed by a challenge-response authentication token to generate a character string. The generated character string is then communicated to the workstation to establish a shared secret. A smart card may also be used to establish a shared secret between a local device and a remote device using similar techniques.
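The first implementation in the abstract (time-synchronized token, workstation hashes the code with a PIN and sends only a truncated portion, server disambiguates it against a window of predicted values, both sides then derive a shared secret and prove possession of it) as an added worked example. This is illustrative code written for this page, not the patent's or any vendor's implementation; the token algorithm, seed, time step, truncation length, key derivation and the assumption that the server knows the user's PIN are all constructed here.

```python
import hashlib
import hmac

# Constructed values for the example; the real token algorithm is not specified on the page.
TOKEN_SEED = b"example-token-seed-0001"   # assumed provisioned on both token and server
TIME_STEP = 60                            # assumed seconds per token code

def token_code(seed: bytes, t: int) -> str:
    """First character string: a 6-digit code derived from the current time step."""
    counter = (t // TIME_STEP).to_bytes(8, "big")
    digest = hmac.new(seed, counter, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def workstation_string(code: str, pin: str, keep: int = 8) -> str:
    """Second character string: hash of code and PIN, truncated to a portion (claims 13-15)."""
    return hashlib.sha256(f"{code}:{pin}".encode()).hexdigest()[:keep]

def derive_shared_secret(code: str, pin: str) -> bytes:
    """Both sides derive the same secret from the disambiguated code and the PIN."""
    return hashlib.sha256(b"shared-secret|" + f"{code}:{pin}".encode()).digest()

def server_disambiguate(received: str, seed: bytes, pin: str, now: int, window: int = 1):
    """Compare the received string with predicted values for nearby time steps.
    Returns the recovered first string, or None when zero or several predictions match
    (an ambiguous match is the case where claim 16's extra information would be requested)."""
    matches = set()
    for k in range(-window, window + 1):
        candidate = token_code(seed, now + k * TIME_STEP)
        predicted = workstation_string(candidate, pin, len(received))
        if hmac.compare_digest(predicted, received):
            matches.add(candidate)
    return matches.pop() if len(matches) == 1 else None

def prove_possession(secret: bytes, challenge: bytes) -> str:
    """Proof of possession (claims 9-12): keyed MAC over the peer's challenge string."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()

def run_exchange(pin: str, token_time: int, server_time: int):
    """Full flow; returns the agreed secret, or None if disambiguation or the proof fails."""
    code = token_code(TOKEN_SEED, token_time)                  # token -> workstation
    sent = workstation_string(code, pin)                        # workstation -> server
    recovered = server_disambiguate(sent, TOKEN_SEED, pin, server_time)
    if recovered is None:
        return None
    ws_secret = derive_shared_secret(code, pin)
    srv_secret = derive_shared_secret(recovered, pin)
    challenge = b"constructed-challenge-42"                     # server -> workstation
    proof = prove_possession(ws_secret, challenge)              # workstation -> server
    return ws_secret if hmac.compare_digest(proof, prove_possession(srv_secret, challenge)) else None
```

Clock drift of one time step is absorbed by the prediction window; drift beyond it, or a wrong PIN, leaves no predicted value matching and the exchange fails before any secret is derived.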
Claims (73)
1. A method for establishing a shared secret among a plurality of devices, comprising the steps of:
- providing an authentication token;
- generating a first character string on the authentication token;
- communicating the first character string to a local device;
- creating a second character string from the first character string on the local device;
- sending the second character string to a remote device;
- disambiguating the second character string from a plurality of predicted character string values; and
- utilizing at least one of the plurality of predicted character string values to establish a shared secret between the local device and the remote device.
(Dependent claims: 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)

- disambiguating the first character string from a plurality of predicted character string values; and
- implementing the shared secret key exchange protocol after the first character string is disambiguated.
4. The method of claim 2 wherein the implementing step includes the steps of:
- disambiguating the first character string from a plurality of predicted character string values; and
- implementing the shared secret key exchange protocol while the first character string is disambiguated.

5. The method of claim 2 wherein the implementing step includes the steps of:
- implementing the shared secret key exchange protocol; and
- disambiguating the first character string from a plurality of predicted character string values after the shared secret key exchange protocol is implemented.

6. The method of claim 2 wherein the implementing step includes the step of implementing a shared secret key exchange protocol using the first character string and a personal identification number to establish a shared secret with the remote device.
7. The method of claim 1 wherein the creating step includes the step of implementing a function of the first character string to generate the second character string.

8. The method of claim 1 wherein the providing step includes the step of providing a smart card.

9. The method of claim 1 further comprising the step of proving to the remote device that the local device has the shared secret.

10. The method of claim 9 wherein the proving step includes the steps of:
- communicating a third character string from the remote device to the local device;
- implementing a function on the local device using at least one of the shared secret and the third character string to produce an output;
- sending the output to the remote device; and
- comparing the output with a predicted character string value to prove that the local device has the shared secret.

11. The method of claim 1 further comprising the step of proving to the local device that the remote device has the shared secret.

12. The method of claim 11 wherein the proving step includes the steps of:
- communicating a third character string from the local device to the remote device;
- implementing a function on the remote device using at least one of the shared secret and the third character string to produce an output;
- sending the output to the local device; and
- comparing the output with a predicted character string value to prove that the remote device has the shared secret.

13. The method of claim 1 wherein the creating step includes the step of creating the second character string using the first character string and a personal identification number.

14. The method of claim 1 wherein the creating step includes the step of implementing a hash function to create the second character string from the first character string.

15. The method of claim 1 wherein the sending step includes the step of sending only a portion of the second character string to the remote device.

16. The method of claim 1 further comprising the step of communicating an instruction from the remote device to the local device for information required to disambiguate the second character string from the at least one of a plurality of predicted character string values.

17. The method of claim 16 further comprising the step of generating an output value on the workstation, in response to the instruction, used to disambiguate the second character string from the at least one of a plurality of predicted character string values.

18. The method of claim 1 further comprising the step of activating the authentication token with an activation code.

19. The method of claim 1 wherein the providing step includes the step of providing an authentication token that is approximately time-synchronized with at least one of the plurality of devices.
20. A method for establishing a shared secret among a plurality of devices, comprising the steps of:
- providing an authentication token;
- communicating a first character string from a remote device to the authentication token;
- processing the first character string using the authentication token to generate a second character string;
- sending the second character string to a local device; and
- utilizing the second character string to establish a shared secret with a remote device.
(Dependent claims: 21, 22, 23, 24)

25. A method for establishing a shared secret among a plurality of devices, comprising the steps of:
- providing an authentication token; and
- utilizing the authentication token to establish a shared secret among the plurality of devices.
(Dependent claims: 26)

27. A system for establishing a shared secret among a plurality of devices, comprising:
- an authentication token;
- a local device; and
- a remote device, wherein the authentication token is used to establish a shared secret between the local device and the remote device.
(Dependent claims: 28, 29, 30, 31, 32, 33, 34, 35, 36)

37. A system for establishing a shared secret among a plurality of devices, comprising:
- a local device;
- a remote device;
- an authentication token;
- means for generating a first character string on the authentication token;
- means for communicating the first character string to the local device;
- means for manipulating the first character string using a predetermined function to generate a second character string;
- means for sending the second character string to the remote device; and
- means for matching the second character string with at least one of a plurality of predicted character string values to establish a shared secret between the local device and the remote device.
(Dependent claims: 38, 39, 40, 41, 42, 43, 44, 45, 46)

47. A system for establishing a shared secret among a plurality of devices, comprising:
- a local device;
- a remote device;
- an authentication token;
- means for determining a first character string using the remote device;
- means for sending the first character string to the authentication token;
- means for processing the first character string to produce a second character string; and
- means for communicating the second character string into the local device such that the remote device and the local device share the second character string as a secret.
(Dependent claims: 48, 49, 50, 51)

52. A method for establishing a shared secret among a plurality of devices, comprising the steps of:
- providing a smart card;
- communicating data from the smart card to a local device; and
- utilizing the data to establish a shared secret between the local device and a remote device.
(Dependent claims: 53, 54, 55, 56, 57)

58. A method for establishing a shared secret among a plurality of devices, comprising the steps of:
- providing a smart card;
- establishing a shared secret between the smart card and a remote device; and
- communicating the shared secret from the smart card to a local device to establish the shared secret between the local device, smart card, and remote device.
(Dependent claims: 59, 60, 61, 62, 63, 64, 65)

- generating a first character string on the smart card;
- communicating the first character string to the remote device; and
- utilizing the first character string to establish a shared secret with the remote device.
60. The method of claim 58 wherein the establishing step includes the steps of:
- communicating a first character string from the remote device to the smart card; and
- processing the first character string on the smart card to generate a second character string used to establish a shared secret.

61. The method of claim 58 further comprising the step of activating the smart card with an activation code.

62. The method of claim 61 wherein the activation code is a personal identification number.

63. The method of claim 61 wherein the activation code is a biometric.

64. The method of claim 58 wherein the providing step includes the step of providing a smart card with an internal clock.

65. The method of claim 58 wherein the providing step includes the step of providing a smart card that utilizes an external clock.
66. A method for establishing a shared secret among a plurality of devices, comprising the steps of:
- providing a smart card;
- establishing a shared secret between the smart card and a remote device; and
- utilizing the smart card and the shared secret in transactions between the remote device and a local device.
(Dependent claims: 67, 68, 69, 70, 71, 72, 73)

- generating a first character string on the smart card;
- communicating the first character string to the remote device; and
- utilizing the first character string to establish a shared secret with the remote device.

68. The method of claim 66 wherein the establishing step includes the steps of:
- communicating a first character string from the remote device to the smart card; and
- processing the first character string on the smart card to generate a second character string used to establish a shared secret.

69. The method of claim 66 further comprising the step of activating the smart card with an activation code.

70. The method of claim 69 wherein the activation code is a personal identification number.

71. The method of claim 69 wherein the activation code is a biometric.

72. The method of claim 66 wherein the providing step includes the step of providing a smart card with an internal clock.

73. The method of claim 66 wherein the providing step includes the step of providing a smart card that utilizes an external clock.