Methods and systems for establishing a shared secret using an authentication token

US 6,173,400 B1
Filed: 07/31/1998
Issued: 01/09/2001
Est. Priority Date: 07/31/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method for establishing a shared secret among a plurality of devices, comprising the steps of:

providing an authentication token;

generating a first character string on the authentication token;

communicating the first character string to a local device;

creating a second character string from the first character string on the local device;

sending the second character string to a remote device;

disambiguating the second character string from a plurality of predicted character string values; and

utilizing at least one of the plurality of predicted character string values to establish a shared secret between the local device and the remote device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for establishing a shared secret between a plurality of devices using an authentication token. An authentication token is used to establish a shared secret between a local device and a remote device to provide user authentication, data encryption, and integrity protection. The authentication token may be used in a variety of ways to authenticate a user. First, a time-synchronized authentication token can generate a first character string that is communicated to a workstation. The workstation can manipulate the first character string to generate a second character string and send the second character string to a server. The server then compares the second character string with a plurality of possible matching character string values and determines the first character string. In another implementation, a challenge from a server can be received and processed by a challenge-response authentication token to generate a character string. The generated character string is then communicated to the workstation to establish a shared secret. A smart card may also be used to establish a shared secret between a local device and a remote device using similar techniques.

257 Citations

73 Claims

1. A method for establishing a shared secret among a plurality of devices, comprising the steps of:
- providing an authentication token;
  
  generating a first character string on the authentication token;
  
  communicating the first character string to a local device;
  
  creating a second character string from the first character string on the local device;
  
  sending the second character string to a remote device;
  
  disambiguating the second character string from a plurality of predicted character string values; and
  
  utilizing at least one of the plurality of predicted character string values to establish a shared secret between the local device and the remote device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1 further comprising the step of implementing a shared secret key exchange protocol using the first character string to establish a shared secret with the remote device.
  - 3. The method of claim 2 wherein the implementing step includes the steps of:
4. The method of claim 2 wherein the implementing step includes the steps of:
- disambiguating the first character string from a plurality of predicted character string values; and
  
  implementing the shared secret key exchange protocol while the first character string is disambiguated.
5. The method of claim 2 wherein the implementing step includes the steps of:
- implementing the shared secret key exchange protocol; and
  
  disambiguating the first character string from a plurality of predicted character string values after the shared secret key exchange protocol is implemented.
6. The method of claim 2 wherein the implementing step includes the step of implementing a shared secret key exchange protocol using the first character string and a personal identification number to establish a shared secret with the remote device.
7. The method of claim 1 wherein the creating step includes the step of implementing a function of the first character string to generate the second character string.
9. The method of claim 1 further comprising the steps of proving to the remote device that the local device has the shared secret.
10. The method of claim 9 wherein the proving step includes the steps of:
- communicating a third character string from the remote device to the local device;
  
  implementing a function on the local device using at least one of the shared secret and the third character string to produce an output;
  
  sending the output to the remote device; and
  
  comparing the output with a predicted character string value to prove that the local device has the shared secret.
11. The method of claim 1 further comprising the step of proving to the local device that the remote device has the shared secret.
12. The method of claim 11 wherein the proving step includes the steps of:
- communicating a third character string from the local device to the remote device;
  
  implementing a function on the remote device using at least one of the shared secret and the third character string to produce an output;
  
  sending the output to the local device; and
  
  comparing the output with a predicted character string value to prove that the remote device has the shared secret.
13. The method of claim 1 wherein the creating step includes the step of creating the second character string using the first character string and a personal identification number.
14. The method of claim 1 wherein the creating step includes the step of implementing a hash function to create the second character string from the first character string.
15. The method of claim 1 wherein the sending step includes the step of sending only a portion of the second character string to the remote device.
16. The method of claim 1 further comprising the step of communicating an instruction from the remote device to the local device for information required to disambiguate the second character string from the at least one of a plurality of predicted character string values.
17. The method of claim 16 further comprising the step of generating an output value on the workstation, in response to the instruction, used to disambiguate the second character string from the at least one of a plurality of predicted character string values.
18. The method of claim 1 further comprising the step of activating the authentication token with an activation code.
19. The method of claim 1 wherein the providing step includes the step of providing an authentication token that is approximately time-synchronized with at least one of the plurality of devices.

8. The method of claim I wherein the providing step includes the step of providing a smart card.

20. A method for establishing a shared secret among a plurality of devices, comprising the steps of:
- providing an authentication token;
  
  communicating a first character string from a remote device to the authentication token;
  
  processing the first character string using the authentication token to generate a second character string;
  
  sending the second character string to a local device; and
  
  utilizing the second character string to establish a shared secret with a remote device.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The method of claim 20 further comprising the step of activating the authentication token with an activation code.
  - 22. The method of claim 20 wherein the sending step includes the step of communicating a personal identification number along with the second character string to the local device.
  - 23. The method of claim 20 wherein the utilizing step includes the step of implementing a shared secret key exchange protocol with the second character string to establish a shared secret.
  - 24. The method of claim 20 wherein the utilizing step includes the step of implementing a shared secret key exchange protocol with the second character string and a personal identification number to establish a shared secret.

25. A method for establishing a shared secret among a plurality of devices, comprising the steps of:
- providing an authentication token; and
  
  utilizing the authentication token to establish a shared secret among the plurality of devices.
- View Dependent Claims (26)
- - 26. The method of claim 25 wherein the providing step includes the step of providing a smart card.

27. A system for establishing a shared secret among a plurality of devices, comprising:
- an authentication token;
  
  a local device; and
  
  a remote device, wherein the authentication token is used to establish a shared secret between the local device and the remote device.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 28. The system of claim 27 wherein the authentication token is approximately time-synchronized with the remote device.
  - 29. The system of claim 27 wherein the authentication token includes a processor.
  - 30. The system of claim 27 wherein the authentication token is configured to receive an input.
  - 31. The system of claim 27 wherein the authentication token is configured to produce an output.
  - 32. The system of claim 27 wherein the authentication token includes a display.
  - 33. The system of claim 32 wherein the authentication token includes means for generating a character string viewable on the display.
  - 34. The system of claim 27 wherein the local device is a workstation.
  - 35. The system of claim 27 wherein the remote device is a server.
  - 36. The system of claim 27 wherein the authentication token is a smart card.

37. A system for establishing a shared secret among a plurality of devices, comprising:
- a local device;
  
  a remote device;
  
  an authentication token;
  
  means for generating a first character string on the authentication token;
  
  means for communicating the first character string to the local device;
  
  means for manipulating the first character string using a predetermined function to generate a second character string;
  
  means for sending the second character string to the remote device; and
  
  means for matching the second character string with at least one of a plurality of predicted character string values to establish a shared secret between the local device and the remote device.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 38. The system of claim 37 wherein the authentication token is an approximate time-synchronized token.
  - 39. The system of claim 37 wherein the manipulating means include means for executing a hash function using the first character string as an input to produce the second character string.
  - 40. The system of claim 37 wherein the manipulating means include means for executing a hash function using the first character string and a personal identification number as an input to produce the second character string.
  - 41. The system of claim 37 further comprising means for implementing a shared secret key exchange protocol using the first character string to produce a shared secret.
  - 42. The system of claim 41 wherein the implementing means includes means for implementing a shared secret key exchange protocol using the first character string and a personal identification number to produce a shared secret.
  - 43. The system of claim 37 wherein the sending means include means for sending less than a total number of bits of the second character string to the remote device.
  - 44. The system of claim 37 further comprising means for transferring an instruction from the remote device to the local device for information required to disambiguate the second character string from the at least one of a plurality of predicted character string values.
  - 45. The system of claim 44 wherein the transferring means include means for providing a constant with the instruction from the remote device to the local device that is processed with the second character string using a hash algorithm.
  - 46. The system of claim 37 wherein the generating means includes means for activating the authentication token with an activation code.

47. A system for establishing a shared secret among a plurality of devices, comprising:
- a local device;
  
  a remote device;
  
  an authentication token;
  
  means for determining a first character string using the remote device;
  
  means for sending the first character string to the authentication token;
  
  means for processing the first character string to produce a second character string; and
  
  means for communicating the second character string into the local device such that the remote device and the local device share the second character string as a secret.
- View Dependent Claims (48, 49, 50, 51)
- - 48. The system of claim 47 wherein the authentication token is a challenge-response token.
  - 49. The system of claim 47 further comprising means for entering an activation code into the authentication token.
  - 50. The system of claim 47 further comprising means for entering a personal identification number into the local device.
  - 51. The system of claim 47 further comprising means for implementing a shared secret key exchange protocol using the second character string.

52. A method for establishing a shared secret among a plurality of devices, comprising the steps of:
- providing a smart card;
  
  communicating data from the smart card to a local device; and
  
  utilizing the data to establish a shared secret between the local device and a remote device.
- View Dependent Claims (53, 54, 55, 56, 57)
- - 53. The method of claim 52 further comprising the step of activating the smart card with an activation code.
  - 54. The method of claim 53 wherein the activation code is a personal identification number.
  - 55. The method of claim 53 wherein the activation code is a biometric.
  - 56. The method of claim 52 wherein the providing step includes the step of providing a smart card with an internal clock.
  - 57. The method of claim 52 wherein the providing step includes the step of providing a smart card that utilizes an external clock.

58. A method for establishing a shared secret among a plurality of devices, comprising the steps of:
- providing a smart card;
  
  establishing a shared secret between the smart card and a remote device; and
  
  communicating the shared secret from the smart card to a local device to establish the shared secret between the local device, smart card, and remote device.
- View Dependent Claims (59, 60, 61, 62, 63, 64, 65)
- - 59. The method of claim 58 wherein the establishing step includes the steps of:
60. The method of claim 58 wherein the establishing step includes the steps of:
- communicating a first character string from the remote device to the smart card; and
  
  processing the first character string on the smart card to generate a second character string used to establish a shared secret.
61. The method of claim 58 further comprising the step of activating the smart card with an activation code.
62. The method of claim 61 wherein the activation code is a personal identification number.
63. The method of claim 61 wherein the activation code is a biometric.
64. The method of claim 58 wherein the providing step includes the step of providing a smart card with an internal clock.
65. The method of claim 58 wherein the providing step includes the step of providing a smart card that utilizes an external clock.

66. A method for establishing a shared secret among a plurality of devices, comprising the steps of:
- providing a smart card;
  
  establishing a shared secret between the smart card and a remote device; and
  
  utilizing the smart card and the shared secret in transactions between the remote device and a local device.
- View Dependent Claims (67, 68, 69, 70, 71, 72, 73)
- - 67. The method of claim 66 wherein the establishing step includes the steps of:
68. The method of claim 66 wherein the establishing step includes the steps of:
- communicating a first character string from the remote device to the smart card; and
  
  processing the first character string on the smart card to generate a second character string used to establish a shared secret.
69. The method of claim 66 further comprising the step of activating the smart card with an activation code.
70. The method of claim 69 wherein the activation code is a personal identification number.
71. The method of claim 69 wherein the activation code is a biometric.
72. The method of claim 66 wherein the providing step includes the step of providing a smart card with an internal clock.
73. The method of claim 66 wherein the providing step includes the step of providing a smart card that utilizes an external clock.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Perlman, Radia J., Hanna, Stephen R.
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US09/126,659
Time in Patent Office

893 Days
Field of Search

713/172, 713/168, 713/171, 713/182, 713/185, 713/200, 713/201, 380/255, 380/278, 380/283
US Class Current

713/172
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 2221/2103   Challenge-response

H04L 63/0853   using an additional device,...

H04L 9/0844   with user authentication or...

H04L 9/12   Transmitting and receiving ...

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

H04L 9/3271   using challenge-response

Methods and systems for establishing a shared secret using an authentication token

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

257 Citations

73 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for establishing a shared secret using an authentication token

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

257 Citations

73 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links