Integrated circuit card with identity authentication table and authorization tables defining access rights based on Boolean expressions of authenticated identities

US 6,567,915 B1
Filed: 10/23/1998
Issued: 05/20/2003
Est. Priority Date: 10/23/1998
Status: Expired due to Fees

First Claim

Patent Images

1. An integrated circuit (IC) device comprising:

a memory;

a processor coupled to access the memory; and

an identity authentication table stored in the memory to hold an arbitrary number of identities associated with a single IC device user, to correlate authentication protocols with individual ones of the identities and to maintain counts for the identities, individual counts specifying a number of authenticated uses of the IC device for a corresponding identity without requiring the IC device to actually authenticate the identity for each of the authenticated uses.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention concerns an integrated circuit (IC) device, such as smart cards, electronic wallets, PC cards, and the like, and various methods for authenticating identities and authorizing transactions based on the authenticated identities. The IC device has a memory and a processor. The IC device maintains an identity authentication table in the memory to hold an arbitrary number of identities. The identity authentication table correlates identities with authentication protocols, so that different protocols can be used to authenticate associated identities. The identity authentication table also correlates counts with the identities. Individual counts specify a number of uses of the IC device for a corresponding identity without requiring the IC device to authenticate the identity for each use. The IC device also maintains an authentication vector in memory. The authentication vector tracks identities in the identity authentication table that are currently authenticated by the IC device. The IC device further maintains authorization tables in the memory and in association with particular files used in transactions. Each authorization table defines authorization for a particular transaction as a Boolean expression of the identities listed in the identity authentication table.

140 Citations

53 Claims

1. An integrated circuit (IC) device comprising:
- a memory;
  
  a processor coupled to access the memory; and
  
  an identity authentication table stored in the memory to hold an arbitrary number of identities associated with a single IC device user, to correlate authentication protocols with individual ones of the identities and to maintain counts for the identities, individual counts specifying a number of authenticated uses of the IC device for a corresponding identity without requiring the IC device to actually authenticate the identity for each of the authenticated uses.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. An integrated circuit device as recited in claim 1, wherein the counts comprise decrementable counts, individual counts decrementable after each of the authenticated uses of the IC device for a corresponding identity.
  - 3. An integrated circuit device as recited in claim 1, further comprising an authentication vector stored in the memory to track identities that are currently authenticated.
  - 4. An integrated circuit device as recited in claim 1, further comprising an authorization table stored in the memory that defines authorization for a particular transaction as a Boolean expression of authenticatable identities.
  - 5. An integrated circuit device as recited in claim 1, wherein the processor is configured, upon receipt of an instantaneous authentication command containing an operation and an identity, to verify the authentication of the identity, perform the operation if authenticated, and then deauthenticate the identity.
  - 6. An integrated circuit device as recited in claim 1, wherein the processor is configured to authenticate an identity seeking to use an external protected resource, and upon authentication, to create a capability ticket for the authenticated identity to gain access to the protected resource.
  - 7. An integrated circuit device as recited in claim 1 embodied as a smart card.

8. An integrated circuit (IC) device comprising:
- a memory;
  
  a processor coupled to access the memory; and
  
  an identity authentication table stored in the memory to hold an arbitrary number of identities associated with a single IC device user and to correlate a count with individual ones of the identities, the count specifying a number of authenticated uses of the IC device for a corresponding identity without requiring the IC device to actually authenticate the identity for each of the authenticated uses.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. An integrated circuit device as recited in claim 8, further comprising an authentication vector stored in the memory to track identities that are currently authenticated.
  - 10. An integrated circuit device as recited in claim 8, further comprising an authorization table stored in the memory that defines authorization for a particular transaction as a Boolean expression of authenticatable identities.
  - 11. An integrated circuit device as recited in claim 8, wherein the processor is configured, upon receipt of an instantaneous authentication command containing an operation and an identity, to verify the authentication of the identity, perform the operation if authenticated, and then deauthenticate the identity.
  - 12. An integrated circuit device as recited in claim 8, wherein the processor is configured to authenticate an identity seeking to use an external protected resource, and upon authentication, to create a capability ticket for the authenticated identity to gain access to the protected resource.
  - 13. An integrated circuit device as recited in claim 8 embodied as a smart card.

14. An integrated circuit (IC) device comprising:
- a memory;
  
  a processor coupled to access the memory; and
  
  an authorization table stored in the memory, to hold a plurality of authenticatable identities associated with a single IC device user, that defines authorization for a particular transaction as a Boolean expression of at least two of the identities and maintains counts for the identities, individual counts specifying a number of authenticated uses of the IC device for a corresponding identity without requiring the IC device to actually authenticate the identity for each of the authenticated uses.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. An integrated circuit device as recited in claim 14, further comprising an identity authentication table stored in the memory to hold an arbitrary number of identities and to correlate authentication protocols with individual ones of the identities.
  - 16. An integrated circuit device as recited in claim 14, wherein the counts comprise decrementable counts, individual counts decrementable after each of the authenticated uses of the IC device for a corresponding identity.
  - 17. An integrated circuit device as recited in claim 14, further comprising an authentication vector stored in the memory to track identities that are currently authenticated.
  - 18. An integrated circuit device as recited in claim 14, wherein the processor is configured, upon receipt of an instantaneous authentication command containing an operation and an identity, to verify the authentication of the identity, perform the operation if authenticated, and then deauthenticate the identity.
  - 19. An integrated circuit device as recited in claim 14, wherein the processor is configured to authenticate an identity seeking to use an external protected resource, and upon authentication, to create a capability ticket for the authenticated identity to gain access to the protected resource.
  - 20. An integrated circuit device as recited in claim 14 embodied as a smart card.

21. An integrated circuit (IC) device comprising:
- a memory;
  
  a processor coupled to access the memory; and
  
  the processor being configured, to correlate an identity with one or more of an arbitrary number of identities using an identity authentication table stored in the memory to hold the arbitrary number of identities, to correlate a count with individual ones of the identities, the count specifying a number of authenticated uses of the IC device for a corresponding identity without requiring the IC device to actually authenticate the identity for each of the authenticated uses, and, upon receipt of an instantaneous authentication command containing an operation and an identity, based on the count, to verify authentication of the identity or to authenticate the identity.
- View Dependent Claims (22, 23, 24, 25, 26, 27)
- - 22. An integrated circuit device as recited in claim 21, wherein the instantaneous authentication command comprises a command header field specifying the operation, an identity name field for the identity, a message integrity code field, and a command data field to hold data used in the operation.
  - 23. An integrated circuit device as recited in claim 21, the processor further configured to correlate authentication protocols with individual ones of the identities.
  - 24. An integrated circuit device as recited in claim 21, wherein the counts comprise decrementable counts, individual counts decrementable after each of the authenticated uses of the IC device for a corresponding identity.
  - 25. An integrated circuit device as recited in claim 21, further comprising an authentication vector stored in the memory to track identities that are currently authenticated.
  - 26. An integrated circuit device as recited in claim 21, wherein the processor is configured to authenticate an identity seeking to use an external protected resource, and upon authentication, to create a capability ticket for the authenticated identity to gain access to the protected resource.
  - 27. An integrated circuit device as recited in claim 21 embodied as a smart card.

28. A method for authenticating an identity using an integrated circuit device, comprising the following steps:
- receiving an identity;
  
  determining whether the identity is listed in an identity authentication table maintained on the integrated circuit device to hold an arbitrary number of identities associated with a single integrated circuit device user;
  
  correlating a count with individual ones of the identities, the count specifying a number of authenticated uses of the integrated circuit device for a corresponding identity without requiring the integrated circuit device to actually authenticate the identity for each of the authenticated uses; and
  
  if the identity is listed, based on the count, verifying authentication of the identity or authenticating the identity using an authentication protocol correlated with the identity in the identity authentication table.
- View Dependent Claims (29, 30, 31, 32)
- - 29. A method as recited in claim 28, further comprising the step of rejecting the identity if the identity is not listed in the identity authentication table.
  - 30. A method as recited in claim 28, further comprising the step of changing a bit value in an authentication vector to reflect that the identity is authenticated.
  - 31. A method as recited in claim 28, further comprising the step of decrementing a count associated with the identity in the identity authentication table upon authentication of the identity.
  - 32. A method as recited in claim 28, further comprising the following steps:

33. A method for authenticating an identity using an integrated circuit device, comprising the following steps:
- correlating identities with a count in an identity authentication table maintained on the integrated circuit device to hold an arbitrary number of identities associated with a single integrated circuit device user, wherein the count specifies a number of authenticated uses for a corresponding identity without requiring actual authentication of the identity for each of the authenticated uses;
  
  receiving an identity; and
  
  upon each of the authenticated uses, decrementing the count associated with the identity in the identity authentication table.
- View Dependent Claims (34)
- - 34. A method as recited in claim 33, further comprising the following steps:

35. A method for authorizing a transaction, comprising the following steps:
- tracking multiple authenticated identities associating an authorization table with a particular transaction, the authorization table holding an arbitrary number of identities associated with a single user and defining a Boolean expression of the one or more authenticated identities;
  
  performing the particular transaction in an event that the Boolean expression in the authorization table is satisfied; and
  
  decrementing a count, the count specifying a number of authenticated uses for a corresponding identity without requiring actual authentication of the identity for each of the authenticated uses.

36. A method for authorizing a transaction using an integrated circuit device holding an arbitrary number of identities associated with a single integrated circuit device user, comprising the following steps:
- receiving an instantaneous authentication command containing an operation and an identity;
  
  correlating the identity with a count, the count specifying a number of authenticated uses for a corresponding identity without requiring actual authentication of the identity for each of the authenticated uses;
  
  based on the count, verifying authentication of the identity or authenticating the identity; and
  
  performing the operation if the identity is verified or authenticated.
- View Dependent Claims (37)
- - 37. A method as recited in claim 36, wherein the verifying or authenticating step comprises the following steps:

38. A storage medium embodied in an integrated circuit device, comprising:
- an identity authentication table to hold multiple identities associated with a single integrated circuit device user and to correlate the identities with associated authentication protocols and a count, the count specifying a number of authenticated uses for a corresponding identity without requiring actual authentication of the identity for each of the authenticated uses; and
  
  code means for performing the following steps;
  
  (a) receiving an identity;
  
  (b) determining whether the identity is listed in the identity authentication table; and
  
  (c) if the identity is listed, based on the count, verifying authentication of the identity or authenticating the identity using the authentication protocol correlated with the identity in the identity authentication table.

39. A storage medium embodied in an integrated circuit device, comprising:
- an identity authentication table to hold multiple identities associated with a single integrated circuit device user and to correlate the identities with associated authentication protocols and a count, the count specifying a number of authenticated uses for a corresponding identity without requiring actual authentication of the identity for each of the authenticated uses; and
  
  code means for performing the following steps;
  
  (a) receiving an instantaneous authentication command containing an operation and an identity;
  
  (b) based on the count, verifying authentication of the identity or authenticating the identity using the authentication protocol correlated with the identity in the identity authentication table; and
  
  (c) performing the operation if the identity is authenticated.

40. A storage medium embodied in an integrated circuit device, comprising:
- an identity authentication table to hold multiple identities associated with a single integrated circuit device user;
  
  an authentication vector to track the identities in the identity authentication table that are currently authenticated;
  
  a count, the count specifying a number of authenticated uses for a corresponding identity without requiring actual authentication of the identity for each of the authenticated uses;
  
  an authorization table stored in the storage medium that defines authorization for a particular transaction as a Boolean expression of the identities listed in the identity authentication table; and
  
  code means for performing the following steps;
  
  (a) receiving a request for the particular transaction;
  
  (b) evaluating, from the counts and the authorization table, what identities need to be authenticated to satisfy the Boolean expression and gain authorization to perform the particular transaction; and
  
  (c) determining, from the authentication vector, whether the identities needed to satisfy the Boolean expression are currently authenticated and if so, authorizing the particular transaction.

41. An integrated circuit (IC) device comprising:
- a memory;
  
  a processor coupled to access the memory; and
  
  an identity authentication table stored in the memory to hold an arbitrary number of identities associated with a single IC device user, to maintain a count for each of the identities wherein the count specifies a number of authenticated uses for each identity without requiring actual authentication of the identity for each of the authenticated uses, to correlate authentication protocols with individual ones of the identities, to hold data required by the authentication protocols, and to correlate the data required by the authentication protocols with individual ones of the identities.
- View Dependent Claims (42, 43, 44, 45, 46, 47)
- - 42. An integrated circuit device as recited in claim 41, wherein the counts comprise decrementable counts, individual counts decrementable after each of the authenticated uses of the IC device for a corresponding identity.
  - 43. An integrated circuit device as recited in claim 41, further comprising an authentication vector stored in the memory to track identities that are currently authenticated.
  - 44. An integrated circuit device as recited in claim 41, further comprising an authorization table stored in the memory that defines authorization for a particular transaction as a Boolean expression of authenticatable identities.
  - 45. An integrated circuit device as recited in claim 41, wherein the processor is configured, upon receipt of an instantaneous authentication command containing an operation and an identity, to verify the authentication of the identity, perform the operation if authenticated, and then deauthenticate the identity.
  - 46. An integrated circuit device as recited in claim 41, wherein the processor is configured to authenticate an identity seeking to use an external protected resource, and upon authentication, to create a capability ticket for the authenticated identity to gain access to the protected resource.
  - 47. An integrated circuit device as recited in claim 41 embodied as a smart card.

48. A method for authenticating an identity using an integrated circuit device, comprising the following steps:
- receiving an identity;
  
  determining whether the identity is listed in an identity authentication table maintained on the integrated circuit device for holding identities associated with a single integrated circuit device user;
  
  if the identity is listed, correlating the identity with a count, the count specifying a number of authenticated uses for the identity without requiring actual authentication of the identity for each of the authenticated uses; and
  
  if the identity is listed, based on the count, verifying authentication of the identity or authenticating the identity using an authentication protocol and data required by the authentication protocol, the authentication protocol and the data correlated with the identity in the identity authentication table.
- View Dependent Claims (49, 50, 51, 52)
- - 49. A method as recited in claim 48, further comprising the step of rejecting the identity if the identity is not listed in the identity authentication table.
  - 50. A method as recited in claim 48, further comprising the step of changing a bit value in an authentication vector to reflect that the identity is authenticated.
  - 51. A method as recited in claim 48, further comprising the step of decrementing a count associated with the identity in the identity authentication table upon verifying authentication of the identity.
  - 52. A method as recited in claim 48, further comprising the following steps:

53. A storage medium embodied in an integrated circuit device, comprising:
- an identity authentication table to hold multiple identities associated with a single integrated circuit device user, to correlate the identities with associated authentication protocols, to hold data required by the authentication protocols, and to correlate the identities with the data;
  
  a count, the count specifying a number of authenticated uses for a corresponding identity without requiring actual authentication of the identity for each of the authenticated uses; and
  
  code means for performing the following steps;
  
  (a) receiving an identity;
  
  (b) determining whether the identity is listed in the identity authentication table;
  
  (c) if the identity is listed, correlating the identity with a count; and
  
  (d) if the identity is listed, based on the count, verifying authentication of the identity or authenticating the identity using the authentication protocol and data correlated with the identity in the identity authentication table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Guthery, Scott B.
Primary Examiner(s)
Peeso, Thomas R.
Assistant Examiner(s)
Zand, Kambiz

Application Number

US09/178,228
Time in Patent Office

1,670 Days
Field of Search

713/160, 713/161, 713/170-172, 713/175-176, 713/168-169, 713/185, 705/65, 705/67, 705/41, 705/44, 705/17-18
US Class Current

713/168
CPC Class Codes

G06Q 20/105   involving programming of a ...

G06Q 20/20   Point-of-sale [POS] network...

G06Q 20/204   comprising interface for re...

G06Q 20/367   involving electronic purses...

G06Q 20/3674   involving authentication

G06Q 20/40   Authorisation, e.g. identif...

G07C 9/23   by means of a password

Integrated circuit card with identity authentication table and authorization tables defining access rights based on Boolean expressions of authenticated identities

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

140 Citations

53 Claims

Specification

Solutions

Use Cases

Quick Links

Integrated circuit card with identity authentication table and authorization tables defining access rights based on Boolean expressions of authenticated identities

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

140 Citations

53 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links