System and method for authentication seed distribution
First Claim
1. A method for distributing authentication information associated with a device, comprising the steps of:
generating a master seed associated with the device, and providing the master seed to a verifier seed generator;
deriving, by the verifier seed generator, a verifier seed using the master seed and information associated with a verifier, wherein the verifier seed generator and the verifier are distinct entities, such that the verifier cannot access the master seed; and
transmitting the verifier seed from the verifier seed generator to the verifier.
Abstract
In one embodiment of a user authentication system and method according to the invention, a device shares a secret, referred to as a master seed, with a server. The device and the server both derive one or more secrets, referred to as verifier seeds, from the master seed, using a key derivation function. The server shares a verifier seed with one or more verifiers. The device, or an entity using the device, can authenticate with one of the verifiers using the appropriate verifier seed. In this way, the device and the verifier can share a secret, the verifier seed for that verifier, without that verifier knowing the master seed, or any other verifier seeds. Thus, the device need only store the one master seed, have access to the information necessary to correctly derive the appropriate seed, and have seed derivation capability. A verifier cannot compromise the master seed, because the verifier does not have access to the master seed.
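The flow the abstract describes, carried through in working code as an added example (this is not code from the patent, nor from any product that implements it). The choices it makes are assumptions the page does not specify: HKDF-SHA256 (RFC 5869) as the key derivation function, a fixed salt label, the verifier's identifier as the "information associated with a verifier", a six-digit counter-based authentication code truncated in the HOTP style, and constructed verifier names `vpn.example` and `mail.example`. The point it makes concrete is the one the abstract ends on: a verifier holds only its own derived seed, and because the derivation is one-way that seed gives it neither the master seed nor any other verifier's seed, while the token derives every verifier seed on demand from the single master seed it stores.

```python
"""Master-seed / verifier-seed distribution, in the style of the abstract.

Added illustration, not the patent's own construction.  Assumed here:
HKDF-SHA256 as the KDF, a constant salt label, the verifier id as the
verifier-specific input, and a HOTP-style counter code as the auth code.
"""
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) | info | i), concatenated."""
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), HASH).digest()
        out += block
        i += 1
    return out[:length]


def derive_verifier_seed(master_seed: bytes, verifier_id: bytes) -> bytes:
    """The key derivation function of the abstract: verifier seed from the
    master seed plus information identifying the verifier.  One-way, so a
    verifier seed reveals neither the master seed nor other verifiers' seeds."""
    prk = hkdf_extract(b"verifier-seed-v1", master_seed)  # salt label: assumption
    return hkdf_expand(prk, b"verifier:" + verifier_id, HASH_LEN)


def authentication_code(verifier_seed: bytes, counter: int) -> str:
    """Six-digit code: HMAC over an 8-byte counter, truncated HOTP-style (assumption)."""
    mac = hmac.new(verifier_seed, struct.pack(">Q", counter), HASH).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 1_000_000:06d}"


class Server:
    """Shares the master seed with the token; hands each verifier only its seed."""

    def __init__(self, master_seed: bytes) -> None:
        self._master_seed = master_seed

    def provision(self, verifier_id: bytes) -> bytes:
        return derive_verifier_seed(self._master_seed, verifier_id)


class Verifier:
    """Holds one verifier seed and never sees the master seed."""

    def __init__(self, verifier_id: bytes, verifier_seed: bytes) -> None:
        self.verifier_id = verifier_id
        self.seed = verifier_seed

    def verify(self, code: str, counter: int) -> bool:
        expected = authentication_code(self.seed, counter)
        return hmac.compare_digest(expected, code)  # constant-time comparison


class Token:
    """Stores the single master seed and derives per-verifier seeds as needed."""

    def __init__(self, master_seed: bytes) -> None:
        self._master_seed = master_seed

    def code_for(self, verifier_id: bytes, counter: int) -> str:
        seed = derive_verifier_seed(self._master_seed, verifier_id)
        return authentication_code(seed, counter)


def demo() -> dict:
    """End-to-end run over a constructed master seed and two constructed verifiers."""
    master = hashlib.sha256(b"constructed demo master seed").digest()  # constructed
    server, token = Server(master), Token(master)
    vpn = Verifier(b"vpn.example", server.provision(b"vpn.example"))
    mail = Verifier(b"mail.example", server.provision(b"mail.example"))
    code = token.code_for(b"vpn.example", counter=7)
    return {
        "vpn_accepts": vpn.verify(code, 7),
        "mail_rejects": not mail.verify(code, 7),       # other verifier's seed differs
        "wrong_counter_rejected": not vpn.verify(code, 8),
        "seeds_distinct": vpn.seed != mail.seed,
        "seed_is_not_master": vpn.seed != master,
    }


if __name__ == "__main__":
    print(demo())
```

The `Verifier` class deliberately has no reference to the master seed or to the server: compromising one verifier's data store yields one verifier seed, and recovering the master seed from it would require inverting HMAC-SHA256. Rotating or revoking a single verifier is then a matter of changing the verifier-specific input and re-provisioning that one seed.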
35 Claims
1. A method for distributing authentication information associated with a device (independent claim; text as set out under First Claim above).
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 30, 31

14. A system for distributing authentication information associated with a device, comprising:
a master seed generator for generating a master seed associated with a device;
a verifier seed generator for deriving a verifier seed using the master seed and information associated with a verifier, wherein (i) the master seed generator and the verifier are distinct entities, and (ii) the verifier seed generator and the verifier are distinct entities, such that the verifier cannot access the master seed; and
a transmitter for transmitting the verifier seed from the verifier seed generator to the verifier.
Dependent claims: 15, 16, 17, 18, 19, 20, 21, 32, 33, 35

22. A method for authentication, comprising:
storing a master seed associated with a device;
deriving a verifier seed using the master seed and information associated with a verifier;
isolating the master seed from the verifier such that the verifier cannot access the master seed; and
generating an authentication code in response to the verifier seed.
Dependent claims: 23, 24, 25, 34

26. A system for authentication, comprising:
a memory for storing a master seed associated with a device;
a server for deriving a verifier seed using the master seed and information associated with a verifier, wherein the master seed is isolated from the verifier such that the verifier cannot access the master seed; and
an authentication code generator for generating an authentication code in response to the verifier seed, wherein the verifier includes the authentication code generator.

27. A verifier for authentication, comprising:
a data store for storing a verifier seed, the verifier seed derived from a master seed associated with a device in response to information associated with the verifier, wherein the master seed is isolated from the verifier such that the verifier cannot access the master seed;
an input for receiving an input authentication code; and
an authenticator for determining whether the input authentication code was correctly generated in response to the verifier seed.

28. A token, comprising:
a data store for storing a master seed;
a key derivation function for deriving a verifier seed from a master seed in response to information associated with a verifier, wherein the master seed is isolated from the verifier such that the verifier cannot access the master seed;
an authentication code generator for generating an authentication code in response to the verifier seed; and
an output for providing the authentication code to a verifier.

29. A method for authentication, comprising:
generating a master seed;
sharing the master seed between a token and a server, and isolating the master seed from a verifier such that the verifier cannot access the master seed;
deriving a verifier seed from the master seed in response to information associated with the verifier using a key derivation function; and
transmitting an authentication code responsive to the verifier seed.
Specification