ABDS system utilizing security information in authenticating entity access

US 7,010,691 B2
Filed: 01/31/2003
Issued: 03/07/2006
Est. Priority Date: 08/04/2000
Status: Expired due to Term

First Claim

Patent Images

1. A system for authenticating a requesting entity for access to a controlled resource, comprising:

(a) a device of the requesting entity, the device maintaining securely therein a private key of a public-private key pair and adapted to generate digital signatures of a message using the private key, the message comprising a unique identifier and a request by the requesting entity for access to the controlled resource;

(b) an access authentication component having authority to allow or deny the request for access to the controlled resource, the access authentication component separate from the device but in electronic communication over a communications medium with the device for receipt of the digitally-signed message; and

(c) at least one database containing information linked together, the information including;

(i) the public key of the public-private key pair, but not the private key, (ii) predetermined authorization rights of the requesting entity to access the controlled resource, and (iii) a security profile of the device, wherein the security profile includes security features and manufacturing history of the device and wherein a security strength of the device relative to other devices is determinable from the security profile;

wherein the unique identifier is associated with the public key in the at least one database prior to receipt of the digitally-signed message and wherein the information is accessible by the access authentication component from the at least one database based on the unique identifier, and wherein, in response to receipt of the digitally-signed message, the access authentication component verifies that the message was digitally-signed using the private key maintained within the device by decrypting the digital signature using the public key obtained from the database, and if the digitally-signed message verifies, the access authentication component authenticates the requesting entity for access to the controlled resource as a function of (i) the security strength of the device and (ii) the predetermined authorization rights of the requesting entity.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

AA system in which a requesting entity seeking access to a controlled resource is authenticated by an access authentication component includes the requesting entity initially opening a security account with the access authentication component, the access authentication component establishing and maintaining a record including information pertaining to the account and being retrievable based on a unique identifier for the requesting entity, and associating a public key of a public-private key pair with the record; the requesting entity originating an electronic message and generating a digital signature using a private key of the key pair, and sending the digitally signed electronic message to the access authentication component with the unique identifier; authenticating the electronic message using the public key associated with the record identified by the unique identifier; and upon successful authentication, authenticating access to the controlled resource. Security information is considered in authenticating the requesting entity.

176 Citations

42 Claims

1. A system for authenticating a requesting entity for access to a controlled resource, comprising:
- (a) a device of the requesting entity, the device maintaining securely therein a private key of a public-private key pair and adapted to generate digital signatures of a message using the private key, the message comprising a unique identifier and a request by the requesting entity for access to the controlled resource;
  
  (b) an access authentication component having authority to allow or deny the request for access to the controlled resource, the access authentication component separate from the device but in electronic communication over a communications medium with the device for receipt of the digitally-signed message; and
  
  (c) at least one database containing information linked together, the information including;
  
  (i) the public key of the public-private key pair, but not the private key, (ii) predetermined authorization rights of the requesting entity to access the controlled resource, and (iii) a security profile of the device, wherein the security profile includes security features and manufacturing history of the device and wherein a security strength of the device relative to other devices is determinable from the security profile;
  
  wherein the unique identifier is associated with the public key in the at least one database prior to receipt of the digitally-signed message and wherein the information is accessible by the access authentication component from the at least one database based on the unique identifier, and wherein, in response to receipt of the digitally-signed message, the access authentication component verifies that the message was digitally-signed using the private key maintained within the device by decrypting the digital signature using the public key obtained from the database, and if the digitally-signed message verifies, the access authentication component authenticates the requesting entity for access to the controlled resource as a function of (i) the security strength of the device and (ii) the predetermined authorization rights of the requesting entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The system of claim 1 wherein the security strength of the device is indicative of the uniqueness of the private key maintained securely therein.
  - 3. The system of claim 1 wherein the security strength of the device is indicative of a likelihood that the private key of the device has been compromised.
  - 4. The system of claim 1 wherein the security profile of the device is stored in the database prior to receipt of the digitally-signed message.
  - 5. The system of claim 1 wherein the security profile of the device is included in the digitally-signed message.
  - 6. The system of claim 1 wherein the security profile of the device is obtained from the device prior to receipt of the digitally-signed message containing the request for access.
  - 7. The system of claim 1 wherein the security profile of the device is obtained from a manufacturer of the device.
  - 8. The system of claim 1 wherein the security profile of the device is obtained from a trusted third parry.
  - 9. The system of claim 1 wherein the controlled resource has associated therewith a security level and wherein the access authentication component authenticates the requesting entity for access to the controlled resource further as a function of the security level of the controlled resource.
  - 10. The system of claim 1 wherein the message is originated by the device.
  - 11. The system of claim 1 wherein the message is input into the device by a message generating component external to the device.
  - 12. The system of claim 1 wherein the message and digital signature of the message are communicated by the device to the authentication component.
  - 13. The system of claim 1 wherein the digitally-signed message is communicated to the access authentication component by an electronic communication component separate from the device.
  - 14. The system of claim 1 wherein the request for access is inferred from the message.
  - 15. The system of claim 1 wherein the request for access is explicitly sated as part of the message.
  - 16. The system of claim 1 wherein the requesting entity is authenticated for access only if the security strength of the device exceeds a minimum threshold required for access to the controlled resource.
  - 17. The system of claim 1 wherein the access authentication component generates ant access authentication signal for use by the controlled resource.
  - 18. The system of claim 1 wherein decrypting the digital signature of the message using the public key further comprises generating a message digest of the message and comparing the message digest with the decrypted digital signature.

19. A system for authenticating a requesting entity for access to a controlled resource, comprising:
- (a) a device of the requesting entity, the device maintaining therein a private key of a public-private key pair and a security profile of the device, wherein the security profile identifies security features and manufacturing history of the device, the device adapted to generate digital signatures of a message using the private key, the message comprising;
  
  (i) a unique identifier, (ii) a request by the requesting entity for access to the controlled resource, and (iii) the security profile of the device;
  
  (b) an access authentication component having authority to allow or deny the request for access to the controlled resource, the access authentication component separate from the device but in electronic communication over a communications medium with the device for receipt of the digitally-signed message; and
  
  (c) a database containing information linked together, the information including (i) the public key of the public-private key pair, but not the private key and (ii) predetermined authorization rights of the requesting entity to access the controlled resource, wherein the unique identifier is associated with the public key in the database prior to receipt of the digitally-signed message and wherein the information is accessible by the access authentication component from the database based on the unique identifier, and wherein, in response to receipt of the digitally-signed message, the access authentication component verifies that the message was digitally-signed using the private key of the device by decrypting the digital signature using the public key obtained from the database, and if the digitally-signed message verifies, the access authentication component authenticates the requesting entity for access to the controlled resource as a function of (i) the predetermined authorization rights of the requesting entity and (ii) a security strength of the device relative to other devices determined dynamically, based upon the security features and manufacturing history of the device obtained from the digitally-signed message.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The system of claim 19 wherein the Security Profile of the device comprises security characteristics of the device.
  - 21. The system of claim 20 wherein the security characteristics of the device include an algorithm used by the device in originating digital signatures.
  - 22. The system of claim 19 wherein the Security Profile of the device comprises authentication capabilities of the device.
  - 23. The system of claim 22 wherein the authentication capabilities of the device include whether the device performs authentication based on a Secret and authentication based on a biometric characteristic of the requesting entity.

24. A system for providing a requesting entity with access to a controlled resource, comprising:
- (a) a device possessed by the requesting entity, the device maintaining securely therein a private key of a public-private key pair and adapted to generate digital signatures of a message using the private key, the digitally-signed message comprising;
  
  (i) a unique identifier, (ii) a request by the requesting entity for access to the controlled resource, and (iii) a security profile of the device, wherein the security profile includes security features and manufacturing history of the device, (b) an access authentication component having authority to grant or refuse the request for access to the controlled resource, the access authentication component maintaining in a database a security account of the requesting entity, the security account including information accessible by the access authentication component based on the unique identifier, the information including the public key of the public-private key pair and predetermined authorization of the requesting entity to access the controlled resource; and
  
  (c) a transmitter component in electronic communication over a communications medium with the device and with the access authentication component, the transmitter component configured to transmit the digitally-signed message from the device to the access authentication component;
  
  wherein, in response to receipt of the digitally-signed message, the access authentication component verifies that the message was digitally-signed using the private key by decrypting the digital signature using the public key obtained from the database, such verification not requiring a digital certificate or the security profile and, upon successful verification of the message, the access authentication component grants the requesting entity with access to the controlled resource as a function of (i) the predetermined authorization of the requesting entity and (ii) a security level of the manufactured device relative to other manufactured devices determined dynamically, based upon security features and manufacturing history of the device obtained from the digitally-signed message.
- View Dependent Claims (25, 26, 27, 28, 29)
- - 25. The system of claim 24 wherein the transmitter component provides the message to the device.
  - 26. The system of claim 24 wherein the access authentication component does not reside in and is not pat of the device.
  - 27. The system of claim 24 wherein the controlled resource is a computer system.
  - 28. The system of claim 24 wherein the controlled resource is a physical space.
  - 29. The system of claim 24 wherein the controlled resource is a data record.

30. A system for providing a requesting entity with access to a controlled resource, comprising:
- (a) a device of the requesting entity, the device maintaining securely therein a private key of a public-private key pair and adapted to generate digital signatures of a message using the private key, the message comprising a unique identifier and serving as a request for access to the controlled resource;
  
  (b) an access authentication component having authority to grant or deny the request for access to the controlled resource;
  
  (c) a database containing information linked together, the information including;
  
  (i) the public key of the public-private key pair, but not the private key, (ii) predetermined authorization rights of the requesting entity to access the controlled resource, and (iii) a security profile of the device, wherein the security profile includes security features and manufacturing history of the device and wherein the security profile defines a security level of the device relative to other devices;
  
  wherein the unique identifier is associated with the public key in the database prior to receipt of the digitally-signed message and wherein the information is accessible by the access authentication component from the database based on the unique identifier; and
  
  (d) a transmitter component in electronic communication over a communications medium with the device and with the access authentication component, the transmitter component configured to transmit the digitally-signed message from the device to the access authentication component;
  
  wherein, in response to receipt of the digitally-signed message, the access authentication component verifies that the message was digitally-signed using the private key by decrypting the digital signature using the public key obtained from the database, such verification not requiring a digital certificate or the security profile and, upon successful verification of the message, the access authentication component grants the requesting entity with access to the controlled resource as a function of (i) the security level of the device, and (ii) the predetermined authorization rights of the requesting entity.
- View Dependent Claims (31, 32, 38, 39)
- - 31. The system of claim 30 wherein the request for access is inferred from the message.
  - 32. The system of claim 30 wherein the request for access is explicitly stated as part of the message.
  - 38. The system of claim 31 wherein, after granting the requesting entity with access to the controlled resource, the authentication component thereafter requests reconfirmation of the request for continuing access to the controlled resource.
  - 39. The system of claim 38 wherein the authentication component uses business rules for determining when to request reconfirmation of the request.

33. A system for authenticating a requesting entity for access to a controlled resource having a defined security level, wherein, prior to a request for access to the controlled resource, the requesting entity is provided with a device, the device adapted to generate digital signatures using a unique private key of a public-private key pair, the private key being stored securely within the device, the public key of the public-private key pair is stored in a database accessible by an access authentication component, the access authentication component having authority to allow or deny the request for access to the controlled resource, a unique identifier is associated with the public key such that the public key is retrievable from the database by the access authentication component based upon the unique identifier, and authorization rights of the requesting entity to access the controlled resource are assigned to the requesting entity, the system further comprising:
- (a) a security profile of the device, wherein the security profile is stored in the database and linked together with the public key of the device, wherein the security profile includes at least one of security features and manufacturing history of the device and wherein the security profile defines a security strength of the device relative to other devices adapted to generate digital signatures;
  
  (b) a message digitally-signed by the device using the private key stored therein, the digitally-signed message including the unique identifier and acting as the request for access to the controlled resource;
  
  (c) a data transmission component in electronic communication with the device and in electronic communication over a communications medium with the access authentication component, wherein the data transmission component receives the digitally-signed message from the device and transmits the digitally-signed message to the access authentication component; and
  
  wherein, in response to receipt of the digitally-signed message, the access authentication component verifies that the message was digitally-signed using the private key maintained within the device by decrypting the digital signature using the public key obtained from the database, such verification not requiring a digital certificate or the security profile and, if the digitally-signed message verifies, the access authentication component authenticates the requesting entity for access to the controlled resource as a function of (i) the security strength of the device;
  
  (ii) the security level of the controlled resource, and (iii) the authorization rights of the requesting entity.
- View Dependent Claims (34, 35, 36, 37)
- - 34. The system of claim 33 wherein the access authentication component does not reside in and is not part of the device.
  - 35. The system of claim 33 wherein the security strength of the device is indicative of the likelihood that the private key has been compromised.
  - 36. The system of claim 33 wherein the security strength of the device enables the access authentication component to gauge the risk that the private key of the device has been compromised.
  - 37. The system of claim 33 wherein the security level of the controlled resource dictates a minimum required security strength of the device in order for the requesting entity to be authenticated for access.

40. A system for granting a requesting entity with access to a controlled resource, wherein, prior to a request for access to the controlled resource, the requesting entity is provided with a portable device, the portable device securely maintaining there a private key of a public-private key pair, the public key of the public-private key pair is stored in at least one database of an access authentication component, the access authentication component having authority to grant or refuse the request for access to the controlled resource, a unique identifier is associated with the public key such that the public key is retrievable from the database by the access authentication component based upon the unique identifier, and authorization rights of the requesting entity to access the controlled resource are assigned to the requesting entity, the system further comprising:
- (a) a message digitally-signed by the device using the private key, the digitally-signed message serving as the request by the requesting entity for access to the controlled resource and including;
  
  (i) the unique identifier, and (ii) a security profile of the device, wherein the security profile includes at least one of security features and manufacturing history of the device;
  
  (b) a means for electronically communicating the digitally-signed message from the device to the access authentication component; and
  
  wherein, in response to receipt of the digitally-signed message, the access authentication component verifies that the message was digitally-signed using the private key by decrypting the digital signature using the public key obtained from the database, such verification not requiring a digital certificate or the security profile of the device and, upon successful verification of the message, the access authentication component grants the requesting entity with access to the controlled resource as a function of (i) the authorization rights of the requesting entity and (ii) a relative security strength of the portable device determined dynamically by the access authentication component based upon the security features and manufacturing history of the device obtained from the digitally-signed message.
- View Dependent Claims (41, 42)
- - 41. The system of claim 40 wherein the digitally-signed message is communicated directly by the device to the access authentication component.
  - 42. The system of claim 40 wherein the digitally-signed message is communicated from the device to the access authentication component by a data transmission component in electronic communication with the device and in electronic communication over a communications medium with the access authentication component.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
First Data Corporation (Fiserv Incorporated)
Original Assignee
First Data Corporation (Fiserv Incorporated)
Inventors
Wheeler, Lynn Henry, Wheeler, Anne M.
Primary Examiner(s)
Zand, Kambiz

Application Number

US10/248,607
Publication Number

US 20030126439A1
Time in Patent Office

1,131 Days
Field of Search

713/170, 713/175, 713/176, 713/182, 713/200, 713/201, 713/155, 713/161, 705/53, 705/54, 705/57, 705/58, 705/74
US Class Current

713/170
CPC Class Codes

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

H04L 63/10   for controlling access to d...

ABDS system utilizing security information in authenticating entity access

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

176 Citations

42 Claims

Specification

Use Cases

Quick Links

Others

ABDS system utilizing security information in authenticating entity access

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

176 Citations

42 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others