Method and apparatus for secure distribution of authentication credentials to roaming users
Abstract
A roaming user needing his authentication credential (e.g., private key) to access a computer server to perform an electronic transaction may obtain the authentication credential in an on-demand fashion from a credential server accessible to the user over a computer network. In this way, the user is free to roam on the network without having to physically carry his authentication credential. Access to the credential may be protected by one or more challenge-response protocols involving simple shared secrets, shared secrets with one-to-one hashing, or biometric methods such as fingerprint recognition. If camouflaging is used to protect the authentication credential, decamouflaging may be performed either at the credential server or at the user's computer.
52 Claims
1. A computer-implemented method for obtaining, in a networked environment, an authentication credential usable to conduct an electronic transaction, comprising:
(a) accessing, over a network, a server to request therefrom a predetermined authentication credential, said authentication credential:
(i) in existence at said server prior to said request therefor, (ii) uniquely identifying a requestor thereof, and (iii) suitable for use in conducting an electronic transaction;
(b) receiving, from said server, a challenge soliciting a predetermined response associated with a holder of said authentication credential;
(c) transmitting an answer to said challenge; and
(d) in response to a determination by said server that said answer satisfies said challenge, receiving said authentication credential from said server;
said method being operable in a repeatable, on-demand manner by said requestor from a plurality of requestor locations.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18.
(e) using said authentication credential to conduct said electronic transaction; and
(f) deleting said credential from said requestor's computing device.

5. The method of claim 2 where said requestor's computing device includes a web browser, and said network is a distributed computer network.

6. The method of claim 2 where said requestor's computing device includes a digital wallet.

7. The method of claim 2 where said response includes a shared secret between said server and said requestor.

8. The method of claim 1 further comprising:
(e) using said authentication credential to conduct said electronic transaction; and
(f) deleting said credential from said requestor's computing device.

9. The method of claim 8 where said authentication credential includes a private key of said requestor.

10. The method of claim 1 where said received authentication credential is in cryptographically camouflaged form.

11. The method of claim 10 where said authentication credential is encrypted under an access code, and further comprising:
(i) receiving from said requestor a candidate access code;
(ii) verifying that said candidate access code belongs to a family of pseudo-valid responses; and
(iii) using said pseudo-valid candidate access code to decrypt said stored authentication credential.

12. The method of claim 11 where said pseudo-valid responses have the characteristic of being hashable to the same output as said access code.

13. The method of claim 12 where said authentication credential includes a private key of said requestor.

14. The method of claim 10 where said authentication credential includes a secret credential of said requestor.

15. The method of claim 10 further comprising the steps of:
(e) using said authentication credential to conduct said electronic transaction; and
(f) deleting said credential from said requestor's computing device.

16. The method of claim 1 where said challenge and said response are members of a zero knowledge proof protocol.

17. The method of claim 1 where said steps (b) and (c) are part of a cryptographic camouflage challenge-response protocol.

18. The method of claim 1 further comprising downloading a digital currency from said server along with said authentication credential.

19. An apparatus for obtaining, in a networked environment, an authentication credential usable to conduct an electronic transaction, comprising:
(a) a network interface configured to:
(i) access, over a network, a server to request therefrom a predetermined authentication credential, said authentication credential:
(A) in existence at said server prior to said request therefor, (B) uniquely identifying a requestor thereof, and (C) suitable for use in conducting an electronic transaction, and (ii) receive, from the server, a challenge soliciting a predetermined response associated with said requestor of said authentication credential;
(b) a user interface configured to receive, from said requestor, an answer to said challenge;
(c) said network interface configured to receive said authentication credential in response to a determination by said server that said answer satisfies said challenge; and
(d) a memory configured to store said authentication credential at said requestor's computing device;
said apparatus being usable by said requestor to obtain repeated, on-demand access from a plurality of requestor locations.
Dependent claims: 20, 21, 22, 23, 24, 25, 26, 27, 28, 29.
(i) said authentication credential is encrypted under an access code;
(ii) said user interface is configured to receive, from said requestor, a candidate access code; and
(iii) further comprising cryptographic logic configured to:
(iv) verify that said candidate access code belongs to a family of pseudo-valid responses; and
(v) use said pseudo-valid candidate access code to decrypt said stored authentication credential.

26. The apparatus of claim 25 wherein said pseudo-valid responses have the characteristic of being hashable to the same output as said access code.

27. The apparatus of claim 26 wherein said authentication credential includes a private key of said requestor.

28. The apparatus of claim 19 wherein said challenge and said predetermined response are part of a cryptographic camouflage challenge-response protocol.

29. The apparatus of claim 24 wherein said authentication credential includes a secret credential of said requestor.

30. A computer-implemented method for providing, in a networked environment, an authentication credential usable to conduct an electronic transaction, comprising:
(a) receiving from a requestor, over a network, a request for a predetermined authentication credential, said authentication credential:
(i) in existence at said server prior to said request therefor, (ii) uniquely identifying a requestor thereof, and (iii) suitable for use in conducting an electronic transaction;
(b) transmitting, to said requestor, a challenge soliciting a predetermined response associated with said requestor;
(c) receiving an answer to said challenge;
(d) determining that said answer satisfies said challenge; and
(e) transmitting said authentication credential for said requestor;
said method being operable to process repeated, on-demand authentication credential requests by said requestor at a plurality of requestor locations.
Dependent claims: 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42.
(i) verifying that said answer belongs to a family of pseudo-valid responses; and
(ii) using said response to decrypt said stored authentication credential.

38. The method of claim 37 where said pseudo-valid responses have the characteristic of being hashable to the same output as said access code.

39. The method of claim 38 where said authentication credential includes a private key of said requestor.

40. The method of claim 36 where said authentication credential includes a secret credential of said requestor.

41. The method of claim 36 where said step (e) includes transmitting said authentication credential to said requestor in cryptographically camouflaged form for cryptographic decamouflaging by said requestor.

42. The method of claim 30 further comprising sending a digital currency to said requestor along with said authentication credential.

43. An apparatus for providing, in a networked environment, an authentication credential usable to conduct an electronic transaction, comprising:
(a) a network interface configured to:
(i) receive from a requestor, over a network, a request for a predetermined authentication credential, said authentication credential:
(A) in existence at said apparatus prior to said request therefor;
(B) uniquely identifying a requestor thereof; and
(C) suitable for use in conducting an electronic transaction, (ii) transmit a challenge soliciting a predetermined response associated with said requestor, and (iii) receive, from said holder, an answer to said challenge;
(b) logic configured to determine whether said answer satisfies said challenge; and
(c) a memory configured to store said authentication credential to be released for said requestor;
said apparatus being operable to process repeated, on-demand authentication credential requests by said requestor at a plurality of requestor locations.
Dependent claims: 44, 45, 46, 47, 48, 49, 50, 51, 52.
(i) cryptographic logic for verifying that said answer belongs to a family of pseudo-valid responses; and
(ii) cryptographic logic for using said answer to decrypt said stored authentication credential.

49. The apparatus of claim 48 where said pseudo-valid responses have the characteristic of being hashable to the same output as said access code.

50. The apparatus of claim 49 where said authentication credential includes a private key of said requestor.

51. The apparatus of claim 47 wherein said network interface is configured to release said authentication credential to said requestor in cryptographically camouflaged form for cryptographic decamouflaging by said requestor.

52. The apparatus of claim 47 wherein said authentication credential includes a secret credential of said user.
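
Claims 11 and 12 (and their counterparts 25-26, 37-38 and 48-49) describe checking a candidate access code against a family of pseudo-valid responses and then using it to decrypt the stored credential. The Python sketch below is an added illustration of that check, not code from the patent. The truncated SHA-256 family hash, the PBKDF2/XOR encryption, the 4-digit code space and all function names are assumptions made for the example.

```python
import hashlib
import secrets

FAMILY_BITS = 4  # assumption: about 1 in 16 candidate codes is pseudo-valid

def family_tag(code: str) -> int:
    """Many-to-one hash: only FAMILY_BITS bits survive, so many codes collide."""
    digest = hashlib.sha256(b"family|" + code.encode()).digest()
    return digest[0] >> (8 - FAMILY_BITS)

def _keystream(code: str, salt: bytes, n: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 10_000, dklen=n)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def camouflage(credential: bytes, access_code: str) -> dict:
    """Build the stored record: credential encrypted under the access code.
    No MAC or padding is stored, so decryption alone cannot expose a wrong code."""
    salt = secrets.token_bytes(16)
    blob = _xor(credential, _keystream(access_code, salt, len(credential)))
    return {"salt": salt, "tag": family_tag(access_code), "blob": blob}

def decamouflage(record: dict, candidate: str):
    """Step (ii): reject codes outside the family. Step (iii): decrypt with the rest."""
    if family_tag(candidate) != record["tag"]:
        return None  # not pseudo-valid, e.g. a typing error
    return _xor(record["blob"], _keystream(candidate, record["salt"], len(record["blob"])))

def pseudo_valid_codes(record: dict) -> list:
    """All 4-digit codes that pass the family check (constructed code space)."""
    return [c for c in (f"{i:04d}" for i in range(10_000)) if family_tag(c) == record["tag"]]

if __name__ == "__main__":
    credential = secrets.token_bytes(32)     # constructed stand-in for a private key
    record = camouflage(credential, "4821")  # constructed access code
    family = pseudo_valid_codes(record)
    print(len(family), "of 10000 codes are pseudo-valid")
    for code in family[:3] + ["4821"]:
        out = decamouflage(record, code)
        print(code, out.hex()[:16], "real" if out == credential else "decoy")
```

Every pseudo-valid code decrypts to a value of the same shape as the real credential, so the stored record alone does not reveal which code is correct; codes outside the family are rejected before any decryption is attempted.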
Specification