Access system utilizing multiple factor identification and authentication

US 7,178,025 B2
Filed: 01/30/2003
Issued: 02/13/2007
Est. Priority Date: 02/13/1998
Status: Expired due to Fees

First Claim

Patent Images

1. In a computer system comprising a token communicatively connected to a provider, a method of authenticating a user to use a system, comprising:

generating, by the token, a random value;

sending, by the token, the random value, a token ID, and a salt value to the provider;

providing, by the user, a user password to the provider;

generating, by the provider, a derived key based at least in part on the salt value and the password;

applying, by the provider, a first key-based hash algorithm, using the derived key, to the token ID to provide a first hash value;

generating, by the provider, a first challenge data instance based at least in part on the random value and the first hash value;

sending, by the provider, the first challenge data instance to the token;

generating, by the provider, a token unlock key based at least in part on the derived key;

sending, by the provider, the token unlock key to the token;

generating, by the token, a second challenge data instance based at least in part on the random value and a second hash value, wherein the second hash value is stored on the token and is based on the token ID;

determining, by the token, whether the first and second challenge data instances match;

terminating, by the token, the method, if the first and second challenge data instances are determined not to match; and

if the first and second challenge data instances are determined to match, then establishing an encrypted data transfer system between the token and the provider,unlocking with the token unlock key, by the token, locked first private data stored on the token, andauthenticating the user for secured use of the system based at least in part on the unlocked first private data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of authenticating a user to use a system includes using a provider token to generate a random value. The token generates a derived key based at least in part on a token-provided salt value and a user-provided password. The provider generates a token unlock key based at least in part on the derived key and sends it to the token. First and second challenge data instances are generated by the provider and the token, respectively, and the process is terminated if the challenge data instances are determined not to match. If the challenge data instances are determined to match, then an encrypted data transfer system is established between the token and the provider, and the token unlocks locked private data stored on the token. The user is authenticated for secured use of the system based at least in part on the unlocked private data.

261 Citations

22 Claims

1. In a computer system comprising a token communicatively connected to a provider, a method of authenticating a user to use a system, comprising:
- generating, by the token, a random value;
  
  sending, by the token, the random value, a token ID, and a salt value to the provider;
  
  providing, by the user, a user password to the provider;
  
  generating, by the provider, a derived key based at least in part on the salt value and the password;
  
  applying, by the provider, a first key-based hash algorithm, using the derived key, to the token ID to provide a first hash value;
  
  generating, by the provider, a first challenge data instance based at least in part on the random value and the first hash value;
  
  sending, by the provider, the first challenge data instance to the token;
  
  generating, by the provider, a token unlock key based at least in part on the derived key;
  
  sending, by the provider, the token unlock key to the token;
  
  generating, by the token, a second challenge data instance based at least in part on the random value and a second hash value, wherein the second hash value is stored on the token and is based on the token ID;
  
  determining, by the token, whether the first and second challenge data instances match;
  
  terminating, by the token, the method, if the first and second challenge data instances are determined not to match; and
  
  if the first and second challenge data instances are determined to match, then establishing an encrypted data transfer system between the token and the provider,unlocking with the token unlock key, by the token, locked first private data stored on the token, andauthenticating the user for secured use of the system based at least in part on the unlocked first private data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1, wherein the derived key is generated with a password-based encryption algorithm.
  - 3. The method of claim 2, wherein the password-based encryption algorithm is based at least in part on PKCS #5.
  - 4. The method of claim 1, wherein the first hash algorithm is a hash function-based message authentication code.
  - 5. The method of claim 1, wherein generating the token unlock key includes hashing the derived key to provide the token unlock key.
  - 6. The method of claim 1, wherein generating the first challenge data instance includes mathematically binding together the first hash value and the random value to provide the first challenge data instance.
  - 7. The method of claim 1, whereingenerating the first challenge data instance comprises mathematically binding together the first hash value and the random value to provide the first challenge data instance;
    - andgenerating the second challenge data instance comprises mathematically binding together the second hash value and the random value to provide the second challenge data instance.
  - 8. The method of claim 1, whereingenerating the first challenge data instance comprises mathematically binding together the first hash value and the random value to provide a first resulting value, and hashing the first resulting value to provide the first challenge data instance;
    - andgenerating the second challenge data instance comprises mathematically binding together the second hash value and the random value to provide a second resulting value, and hashing the second resulting value to provide the second challenge data instance.
  - 9. The method of claim 1, wherein establishing the encrypted data transfer system comprises generating, by at least one of the token and the provider, a shared key.
  - 10. The method of claim 9, wherein the shared key is a shared session key.
  - 11. The method of claim 9, wherein the shared key is generated based at least in part on shared data that includes a Diffie-Hellman parameter set.
  - 12. The method of claim 1, further comprising:
    - combining, by the provider, a message and a present message value to provide a modified message;
      
      encrypting, by the provider, the modified message, using a shared key, to provide an encrypted message;
      
      combining, by the provider, the modified message and the random value to provide a first pre-hash value;
      
      applying, by the provider, the first key-based hash algorithm, using the first hash value, to the first pre-hash value to provide a third hash value;
      
      combining, by the provider, the encrypted message and the third hash value to provide a signed message;
      
      sending, by the provider, the signed message to the token;
      
      extracting, by the token, the encrypted message and the third hash value from the signed message received from the provider;
      
      decrypting, by the token, the encrypted message, using the shared key to provide the modified message;
      
      extracting, by the token, the message and the present message value from the decrypted encrypted message;
      
      combining, by the token, the message, the present message value, and the random value to provide a second pre-hash value;
      
      applying, by the token, the first key-based hash algorithm, using the second hash value, to the second pre-hash value to provide a signing hash value; and
      
      validating, by the token, the message, if the signing hash value and the third hash value match and the present message value is greater than a prior message value stored on the token.
  - 13. The method of claim 1, further comprisingcombining, by the token, a message and a present message value to provide a modified message;
    - encrypting, by the token, the modified message, using a shared key, to provide an encrypted message;
      
      combining, by the token, the modified message and the random value to provide a first pre-hash value;
      
      applying, by the token, the first key-based hash algorithm, using the second hash value, to the first pre-hash value to provide a third hash value;
      
      combining, by the token, the encrypted message and the third hash value to provide a signed message;
      
      sending, by the token, the signed message to the provider;
      
      extracting, by the provider, the encrypted message and the third hash value from the signed message received from the token;
      
      decrypting, by the provider, the encrypted message, using the shared key to provide the modified message;
      
      extracting, by the provider, the message and the present message value from the decrypted encrypted message;
      
      combining, by the provider, the message, the present message value, and the random value to provide a second pre-hash value;
      
      applying, by the provider, the first key-based hash algorithm, using the first hash value, to the second pre-hash value to provide a signing hash value; and
      
      validating, by the provider, the message, if the signing hash value and the third hash value match and the present message value is greater than a prior message value stored on the provider.
  - 14. The method of claim 1, wherein unlocking the locked first private data comprises decrypting the locked first private data with the token unlock key.
  - 15. The method of claim 1,wherein the unlocked first private data includes at least one user credential associated with the user;
    - andwherein authenticating the user includes providing at least one of the at least one user credential to the system to grant the user cryptographic reading authority.
  - 16. The method of claim 1,wherein the unlocked private data includes at least one user credential associated with the user, andwherein authenticating the user includes providing at least one of the at least one user credential to the system to grant the user cryptographic writing authority.
  - 17. The method of claim 1, wherein the system further comprises a biometric reader communicatively connected to the provider, the locked first private data includes an encrypted biometric template, and the method further comprises:
    - sending, by the token, the encrypted biometric template to the provider;
      
      decrypting, by the provider, the encrypted biometric template with the derived key;
      
      providing, by the user, a biometric sample via the biometric reader to the provider;
      
      determining, by the token, whether the biometric sample corresponds to the decrypted biometric template;
      
      terminating the method, by the provider, if the biometric sample is determined not to correspond to the decrypted biometric template;
      
      if the biometric sample is determined to correspond to the decrypted biometric template,applying, by the provider, one of the first key-based algorithm and a second key-based algorithm, using the derived key, to the decrypted biometric template to provide a third hash value,generating, by the provider, a third challenge data instance based at least in part on the third hash value and the random value, andsending, by the provider, the third challenge data instance to the token;
      
      generating, by the token, a fourth challenge data instance based at least in part on the random value and a fourth hash value, wherein the fourth hash value is stored on the token and is based on the biometric template;
      
      determining, by the token, whether the third and fourth challenge data instances match;
      
      terminating, by the token, the method if the third and fourth challenge data instances are determined not to match; and
      
      if the third and fourth challenge data instances are determined to match, unlocking with at least a portion of the unlocked first private data, by the token, locked second private data stored on the token;
      
      wherein authenticating the user for secured use of the system further requires that the third and fourth data instances are determined to match.
  - 18. The method of claim 1, wherein the system further comprises a biometric reader communicatively connected to the token, the locked first private data includes an encrypted biometric template, and the method further comprises:
    - providing, by the user, a biometric sample via the biometric reader to the token;
      
      decrypting, by the token, the encrypted biometric template with the derived key;
      
      determining, by the token, whether the biometric sample corresponds to the decrypted biometric template;
      
      terminating the method, by the token, if the biometric sample is determined not to correspond to the decrypted biometric template; and
      
      if the biometric sample is determined to correspond to the decrypted biometric template, unlocking, by the token, with at least a portion of the unlocked first private data, locked second private data stored on the token;
      
      wherein authenticating the user for secured use of the system further requires that the biometric sample is determined to correspond to the decrypted biometric template.
  - 19. The method of claim 18, wherein the biometric reader is integral with the token.
  - 20. The method of claim 1, wherein establishing the encrypted data transfer system comprises encrypting messages exchanged between the token and the provider with an encryption key.
  - 21. The method of claim 20, further comprising:
    - sending, by the token, an encrypted instance of the encryption key and an encrypted user profile associated with the user to the provider;
      
      applying, by the provider, a key derivation function to the derived key and the first hash value to provide a cryptographic key;
      
      decrypting, by the provider, the encrypted instance of the encryption key;
      
      decrypting, by the provider, the encrypted profile with the encryption key; and
      
      providing, by the provider, the decrypted user credential to the system to grant the user at least one of cryptographic reading authority and cryptographic writing authority.

22. In a computer system comprising a token communicatively connected to a provider, a method of authenticating a user to use a system, comprising:
- sending, by the token, a token ID, a salt value, an encrypted instance of an encryption key, and an encrypted user profile to the provider;
  
  providing, by the user, a user password to the provider;
  
  generating, by the provider, a derived key based at least in part on the salt value and the password;
  
  applying, by the provider, a first key-based hash algorithm, using the derived key, to the token ID to provide a first hash value;
  
  applying, by the provider, a key derivation function to the derived key and the first hash value to provide a cryptographic key;
  
  decrypting, by the provider, the encrypted instance of the encryption key, to provide a decrypted encryption key;
  
  decrypting, by the provider, the encrypted user profile with the decrypted encryption key, to provide a decrypted user credential; and
  
  providing, by the provider, the decrypted user credential to the system to grant the user at least one of cryptographic reading authority and cryptographic writing authority.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
TecSec, Incorporated
Original Assignee
TecSec, Incorporated
Inventors
Scheidt, Edward M., Tsang, Wai, Butler, Roger, Domanque, Ersin
Primary Examiner(s)
Arani; Taghi T.

Application Number

US10/502,478
Publication Number

US 20050235148A1
Time in Patent Office

1,475 Days
Field of Search

713/166, 713/168, 713/176, 713182-185, 713/186, 705/67, 726/2, 726/5, 726 8- 10
US Class Current

713/168
CPC Class Codes

G06F 21/31   User authentication

G06F 21/6218   to a system of files or obj...

G06F 21/6245   Protecting personal data, e...

G06F 2221/2113   Multi-level security, e.g. ...

G06Q 20/3674   involving authentication

G06Q 20/3829   involving key management

H04L 2463/062   applying encryption of the ...

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 63/068   using time-dependent keys, ...

H04L 63/083   using passwords cryptograph...

H04L 63/105   Multiple levels of security

H04L 9/083   involving central third par...

H04L 9/32   including means for verifyi...

Access system utilizing multiple factor identification and authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

261 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Access system utilizing multiple factor identification and authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

261 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links