ABDS method and verification status for authenticating entity access

US 7,143,284 B2
Filed: 01/31/2003
Issued: 11/28/2006
Est. Priority Date: 08/04/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method of authenticating a requesting entity for access to a controlled resource, the requesting entity communicating electronically over a communications medium with an access authentication component for the controlled resource, comprising the steps of:

(a) providing the requesting entity with a security account maintained in a database of the access authentication component, the security account having a record of information being retrievable by the access authentication component based on a unique identifier of the requesting entity;

(b) associating a public key of a public-private key pair of the requesting entity with the record such that the public key of the requesting entity is retrievable from the record based on the unique identifier and wherein the private key of the public-private key pair is maintained only within a secure device of the requesting entity, and wherein the access authentication component does not reside in and is not part of the secure device of the requesting entity;

(c) wherein the secure device performs the steps of;

(i) receiving suspect verification data;

(ii) comparing the suspect verification data with verification data of the requesting entity previously stored in the secure device;

(iii) generating a verification status indicator based on said comparison; and

(iv) generating a digitally-signed message using the private key of the secure device, the digitally-signed message including a message and a digital signature of the message, the message including a request by the requesting entity for access to the controlled resource and the verification status indicator generated by the secure device;

(d) wherein the access authentication component performs the steps of;

(i) receiving the unique identifier of the requesting entity;

(ii) receiving the digitally-signed message generated by the secure device;

(iii) obtaining the request and the verification status indicator from the message;

(iv) based on the unique identifier, obtaining the public key of the requesting entity from the record; and

(iv) using the public key obtained from the record, decrypting the digital signature to verify that the digital signature was generated using the private key of the secure device and that the verification status indicator was not altered after the digital signature was generated;

and, (e) providing the requesting entity with access to the controlled resource in response to the request if the digital signature was generated using the private key of the secure device and as a function of the verification status indicator obtained from the digitally-signed message.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Authenticating an entity for access to a controlled resource by an access authentication component for the controlled resource includes the steps of: the requesting entity initially opening a security account with the access authentication component, with the access authentication component establishing and maintaining a record including information pertaining to the account and being retrievable based on a unique identifier for the requesting entity, and associating a public key of a public-private key pair with the record; the requesting entity originating an electronic message and generating a digital signature using a private key of the key pair, and sending the digitally signed electronic message to the access authentication component with the unique identifier; authenticating the electronic message using the public key associated with the record identified by the unique identifier; and upon successful authentication, authenticating access to the controlled resource. A digitally signed verification status is included with the electronic message.

156 Citations

17 Claims

1. A method of authenticating a requesting entity for access to a controlled resource, the requesting entity communicating electronically over a communications medium with an access authentication component for the controlled resource, comprising the steps of:
- (a) providing the requesting entity with a security account maintained in a database of the access authentication component, the security account having a record of information being retrievable by the access authentication component based on a unique identifier of the requesting entity;
  
  (b) associating a public key of a public-private key pair of the requesting entity with the record such that the public key of the requesting entity is retrievable from the record based on the unique identifier and wherein the private key of the public-private key pair is maintained only within a secure device of the requesting entity, and wherein the access authentication component does not reside in and is not part of the secure device of the requesting entity;
  
  (c) wherein the secure device performs the steps of;
  
  (i) receiving suspect verification data;
  
  (ii) comparing the suspect verification data with verification data of the requesting entity previously stored in the secure device;
  
  (iii) generating a verification status indicator based on said comparison; and
  
  (iv) generating a digitally-signed message using the private key of the secure device, the digitally-signed message including a message and a digital signature of the message, the message including a request by the requesting entity for access to the controlled resource and the verification status indicator generated by the secure device;
  
  (d) wherein the access authentication component performs the steps of;
  
  (i) receiving the unique identifier of the requesting entity;
  
  (ii) receiving the digitally-signed message generated by the secure device;
  
  (iii) obtaining the request and the verification status indicator from the message;
  
  (iv) based on the unique identifier, obtaining the public key of the requesting entity from the record; and
  
  (iv) using the public key obtained from the record, decrypting the digital signature to verify that the digital signature was generated using the private key of the secure device and that the verification status indicator was not altered after the digital signature was generated;
  
  and, (e) providing the requesting entity with access to the controlled resource in response to the request if the digital signature was generated using the private key of the secure device and as a function of the verification status indicator obtained from the digitally-signed message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1 wherein the verification status indicator is indicative of no suspect verification data being input into the secure device within a predetermined period of time.
  - 3. The method of claim 1 wherein the verification status indicator is indicative of a successful comparison of the suspect verification data with the verification data of the requesting entity previously stored in the secure device.
  - 4. The method of claim 3 wherein the verification status indicator is further indicative that said indicator was included in a previous digitally-signed message generated by the secure device.
  - 5. The method of claim 1 wherein the verification status indicator is indicative of an unsuccessful comparison of the suspect verification data with the verification data of the requesting entity previously stored in the secure device.
  - 6. The method of claim 1 wherein the suspect verification data is input into the secure device by the requesting entity.
  - 7. The method of claim 1 wherein the verification data of the requesting entity is a secret, PIN, or password.
  - 8. The method of claim 1 wherein the verification data of the requesting entity is biometric data of the requesting entity.
  - 9. The method of claim 1 wherein the unique identifier is obtained from the secure device.
  - 10. The method of claim 1 wherein a portion of the message is input into the secure device before the digital signature is generated by the secure device.
  - 11. The method of claim 1 wherein the message further includes the unique identifier.
  - 12. The method of claim 1 wherein the step of decrypting the digital signature to verify that the digital signature was generated using the private key of the secure device further comprises generating a message digest of the message and comparing the message digest with the decrypted digital signature.
  - 13. The method of claim 1 further comprising establishing an account with the controlled resource on behalf of the requesting entity.
  - 14. The method of claim 13 wherein the message includes an instruction regarding the account of the controlled resource.
  - 15. The method of claim 1 wherein the verification data of the requesting entity is not provided to or accessible by the access authentication component.

16. In a system for authenticating a requesting entity for access to a controlled resource in which access to the controlled resource is controlled by an access authentication component for the controlled resource, a method comprising the steps of:
- (a) providing the requesting entity with a security account maintained in a database of the access authentication component, the security account having a record of information being retrievable by the access authentication component based on a unique identifier of the requesting entity;
  
  (b) associating a public key of a public-private key pair of the requesting entity with the record such that the public key of the requesting entity is retrievable from the record based on the unique identifier and wherein the private key of the public-private key pair is maintained within a secure device of the requesting entity, and wherein the access authentication component does not reside in and is not part of the secure device of the requesting entity;
  
  (c) wherein the secure device performs the steps of;
  
  (i) receiving suspect verification data;
  
  (ii) comparing the suspect verification data with verification data of the requesting entity previously stored in the secure device;
  
  (iii) generating a verification status indicator based on said comparison; and
  
  (iv) generating a digitally-signed message using the private key of the secure device, the digitally-signed message including a message and a digital signature of the message, the message including a request by the requesting entity for access to the controlled resource and the verification status indicator generated by the secure device;
  
  (d) transmitting over a communications medium an electronic communication from the requesting entity to the access authentication component, the electronic communication including the unique identifier of the requesting entity and the digitally-signed message;
  
  (e) wherein the access authentication component performs the steps of;
  
  (i) receiving the electronic communication;
  
  (ii) obtaining the digital signature, the unique identifier of the requesting entity, the request, and the verification status indicator from the electronic communication;
  
  (iii) based on the unique identifier, obtaining the public key of the requesting entity from the record; and
  
  (iv) using the public key obtained from the record, decrypting the digital signature to verify that the digital signature was generated using the private key of the secure device and that the verification status indicator was not altered after the digital signature was generated;
  
  and, (f) providing the requesting entity with access to the controlled resource in response to the request if the digital signature was generated using the private key of the secure device and as a function of the verification status indicator obtained from the digitally-signed message.

17. A method of providing access to an entity requesting access to a controlled resource, the requesting entity communicating electronically over a communications medium with an access authentication component for the controlled resource, comprising the steps of:
- (a) providing the requesting entity with a security account maintained in a database accessible by the access authentication component, the security account having information that is retrievable based on a unique identifier, the information pertaining to the requesting entity'"'"'s right to access the controlled resource;
  
  (b) associating a public key of a public-private key pair with the security account such that the public key is retrievable based on the unique identifier of the requesting entity; and
  
  (c) thereafter,(i) receiving the unique identifier;
  
  (ii) receiving a message and a digital signature of the message, the message comprising a request by the requesting entity for access to the controlled resource and a verification status indicator, the verification status indicator and digital signature generated by a secure device, the verification status indicator representative of a comparison of suspect verification data input into the secure device with verification data of the requesting entity previously stored in the secure device, wherein the secure device does not reside in and is not part of the access authentication component;
  
  (iii) obtaining the public key associated with the unique identifier received;
  
  (iv) decrypting the digital signature using the public key obtained to verify that the digital signature was generated using the private key of the secure device and that the verification status indicator was not altered after the digital signature was generated; and
  
  (v) granting the requesting entity with access to the controlled resource in response to the request if the digital signature was generated using the private key of the secure device and as a function of the verification status indicator obtained from the digitally-signed message and as a function of the information pertaining to the requesting entity'"'"'s right to access the controlled resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
First Data Corporation (Fiserv Incorporated), Riverwood International Corporation
Original Assignee
First Data Corporation (Fiserv Incorporated)
Inventors
Wheeler, Anne M., Wheeler, Henry Lynn
Primary Examiner(s)
Zand, Kambiz

Application Number

US10/248,604
Publication Number

US 20030126437A1
Time in Patent Office

1,397 Days
Field of Search

713/161, 713/168, 713/169, 713/170, 713/176, 713/180, 713/182, 713/155
US Class Current

713/155
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 2221/2113   Multi-level security, e.g. ...

G06Q 20/00   Payment architectures, sche...

G06Q 20/02   involving a neutral party, ...

G06Q 20/04   Payment circuits

G06Q 20/0855   involving a third party

G06Q 20/12   specially adapted for elect...

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/3558   Preliminary personalisation...

G06Q 20/3674   involving authentication

G06Q 20/3676   Balancing accounts

G06Q 20/382   insuring higher security of...

G06Q 20/3821   Electronic credentials

G06Q 20/3823   combining multiple encrypti...

G06Q 20/3825   Use of electronic signatures

G06Q 20/3829   involving key management

G06Q 20/385   using an alias or single-us...

G06Q 20/388   using mutual authentication...

G06Q 20/4014   Identity check for transact...

G06Q 20/40145   Biometric identity checks

G06Q 20/403 : Solvency checks

G06Q 20/40975 : using encryption therefor

G06Q 50/188 : Electronic negotiation

G07F 7/0886 : the card reader being porta...

G07F 7/1008 : Active credit-cards provide...

G07F 7/1016 : Devices or methods for secu...

H04L 2209/42 : Anonymization, e.g. involvi...

H04L 2209/56 : Financial cryptography, e.g...

H04L 63/0428 : wherein the data content is...

H04L 63/0442 : wherein the sending and rec...

H04L 63/062 : for key distribution, e.g. ...

H04L 63/0823 : using certificates cryptogr...

H04L 63/083 : using passwords cryptograph...

H04L 63/12 : Applying verification of th...

H04L 9/321 : involving a third party or ...

H04L 9/3247 : involving digital signatures

View All

ABDS method and verification status for authenticating entity access

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

156 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

ABDS method and verification status for authenticating entity access

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

156 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links