System and method for authentication seed distribution

US 6,985,583 B1
Filed: 05/04/1999
Issued: 01/10/2006
Est. Priority Date: 05/04/1999
Status: Expired due to Term

First Claim

Patent Images

1. A method for distributing authentication information associated with a device, comprising the steps of:

generating a master seed associated with the device, and providing the master seed to a verifier seed generator;

deriving, by the verifier seed generator, a verifier seed using the master seed and information associated with a verifier, wherein the verifier seed generator and the verifier are distinct entities, such that the verifier cannot access the master seed; and

transmitting the verifier seed from the verifier seed generator to the verifier.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment of a user authentication system and method according to the invention, a device shares a secret, referred to as a master seed, with a server. The device and the server both derive one or more secrets, referred to as verifier seeds, from the master seed, using a key derivation function. The server shares a verifier seed with one or more verifiers. The device, or an entity using the device, can authenticate with one of the verifiers using the appropriate verifier seed. In this way, the device and the verifier can share a secret, the verifier seed for that verifier, without that verifier knowing the master seed, or any other verifier seeds. Thus, the device need only store the one master seed, have access to the information necessary to correctly derive the appropriate seed, and have seed derivation capability. A verifier cannot compromise the master seed, because the verifier does not have access to the master seed.

538 Citations

35 Claims

1. A method for distributing authentication information associated with a device, comprising the steps of:
- generating a master seed associated with the device, and providing the master seed to a verifier seed generator;
  
  deriving, by the verifier seed generator, a verifier seed using the master seed and information associated with a verifier, wherein the verifier seed generator and the verifier are distinct entities, such that the verifier cannot access the master seed; and
  
  transmitting the verifier seed from the verifier seed generator to the verifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 30, 31)
- - 2. The method of claim 1, further comprising, after the generating step, the step of transmitting the master seed to the device.
  - 3. The method of claim 1, further comprising, after the generating step, the step of sharing the master seed with the device and a server.
  - 4. The method of claim 1, further comprising, after the transmitting step, the steps of:
    - deriving a second verifier seed using the master seed and information associated with a second verifier; and
      
      transmitting the second verifier seed to the second verifier.
  - 5. The method of claim 1, further comprising, after the transmitting step, the step of generating an authentication code in response to the verifier seed.
  - 6. The method of claim 5, wherein the authentication code generating step further comprises generating an authentication code in response to the verifier seed and a time dependent value.
  - 7. The method of claim 5, further comprising the step of authenticating using the authentication code.
  - 8. The method of claim 7, wherein the authenticating step comprises authenticating a user or a device by verifying the authentication code.
  - 9. The method of claim 8 wherein the authenticating step comprises transmitting the authentication code to the verifier.
  - 10. The method of claim 1 wherein the master seed generating step comprises at least one of randomly generating and pseudorandomly generating the master seed.
  - 11. The method of claim 1 wherein the deriving step further comprises deriving the verifier seed in response to a time identifier.
  - 12. The method of claim 1, wherein the deriving step comprises deriving a verifier seed by using the master seed and information associated with a verifier as inputs to a key derivation function.
  - 13. The method of claim 12 wherein the key derivation function comprises a hash function.
  - 30. The method of claim 1 wherein the information associated with the verifier comprises a verifier identifier.
  - 31. The method of claim 4 wherein the information associated with the second verifier comprises a second verifier identifier.

14. A system for distributing authentication information associated with a device, comprising:
- a master seed generator for generating a master seed associated with a device;
  
  a verifier seed generator for deriving a verifier seed using the master seed and information associated with a verifier, wherein (i) the master seed generator and the verifier are distinct entities, and (ii) the verifier seed generator and the verifier are distinct entities, such that the verifier cannot access the master seed, anda transmitter for transmitting the verifier seed from the verifier seed generator to the verifier.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 32, 33, 35)
- - 15. The system of claim 14, further comprising a transmitter for transmitting the master seed to the device.
  - 16. The system of claim 14, further comprising a communication channel for sharing the master seed with the device and the verifier seed generator.
  - 17. The system of claim 14, wherein the verifier seed generator derives a second verifier seed using the master seed and information associated with a second verifier, and wherein the transmitter transmits the second verifier seed to the second verifier.
  - 18. The system of claim 14, further comprising an authentication code generator for generating an authentication code in response to the verifier seed.
  - 19. The system of claim 14, further comprising an authentication code generator for generating an authentication code in response to the verifier seed and a time dependent value.
  - 20. The system of claim 14, wherein the master seed generator comprises at least one of a random and pseudorandom generator.
  - 21. The system of claim 14, wherein the verifier seed generator comprises a key derivation function.
  - 32. The system of claim 14 wherein the information associated with the verifier comprises a verifier identifier.
  - 33. The system of claim 17 wherein the information associated with the second verifier comprises a second verifier identifier.
  - 35. The method of claim 14, wherein the master seed generator and the verifier seed generator are incorporated in a server, and wherein the server and the verifier are distinct entities, such that the verifier cannot access the master seed.

22. A method for authentication, comprising:
- storing a master seed associated with a device;
  
  deriving a verifier seed using the master seed and information associated with a verifier;
  
  isolating the master seed from the verifier such that the verifier cannot access the master seed; and
  
  generating an authentication code in response to the verifier seed.
- View Dependent Claims (23, 24, 25, 34)
- - 23. The method of claim 22, further comprising the step of authenticating a user with the authentication code.
  - 24. The method of claim 23, further comprising the step of transmitting the authentication code to a verifier.
  - 25. The method of claim 23, further comprising the step of receiving the authentication code by a verifier.
  - 34. The method of claim 22 wherein the information associated with the verifier comprises a verifier identifier.

26. A system for authentication, comprising:
- a memory for storing a master seed associated with a device;
  
  a server for deriving a verifier seed using the master seed and information associated with a verifier, wherein the master seed is isolated from the verifier such that the verifier cannot access the master seed; and
  
  an authentication code generator for generating an authentication code in response to the verifier seed, wherein the verifier includes the authentication code generator.

27. A verifier for authentication, comprising:
- a data store for storing a verifier seed, the verifier seed derived from a master seed associated with a device in response to information associated with the verifier, wherein the master seed is isolated from the verifier such that the verifier cannot access the master seed;
  
  an input for receiving an input authentication code; and
  
  an authenticator for determining whether the input authentication code was correctly generated in response to the verifier seed.

28. A token, comprising:
- a data store for storing a master seed;
  
  a key derivation function for deriving a verifier seed from a master seed in response to information associated with a verifier, wherein the master seed is isolated from the verifier such that the verifier cannot access the master seed;
  
  an authentication code generator for generating an authentication code in response to the verifier seed; and
  
  an output for providing the authentication code to a verifier.

29. A method for authentication, comprising:
- generating a master seed;
  
  sharing the master seed between a token and a server, and isolating the master seed from a verifier such that the verifier cannot access the master seed;
  
  deriving a verifier seed from the master seed in response to information associated with the verifier using a key derivation function; and
  
  transmitting an authentication code responsive to the verifier seed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
RSA Security Incorporated (Symphony Technology Group LLC)
Inventors
Kaliski, Burton S. Jr., Rivest, Ronald L., Brainard, John G., Nyström, Magnus
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
Baum, Ronald

Application Number

US09/304,775
Time in Patent Office

2,443 Days
Field of Search

713168-176, 380/44, 380/277
US Class Current

380/44
CPC Class Codes

G06F 21/31   User authentication

G06F 21/33   using certificates

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 9/0844   with user authentication or...

H04L 9/0869   involving random numbers or...

H04L 9/3234   involving additional secure...

System and method for authentication seed distribution

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

538 Citations

35 Claims

Specification

Use Cases

Quick Links

Others

System and method for authentication seed distribution

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

538 Citations

35 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others