Apparatus for pre-authentication of users using one-time passwords

US 7,181,762 B2
Filed: 06/28/2001
Issued: 02/20/2007
Est. Priority Date: 01/17/2001
Status: Expired due to Term

First Claim

Patent Images

1. A computer program product for a client computing system including a processor includes:

code that directs the processor to request a challenge from an authentication server;

code that directs the processor to receive the challenge from the authentication server via a secure communications channel, wherein the challenge includes at least a password that is inactive;

code that directs the processor to receive user authentication data from a user;

code that directs the processor to determine a private key and a digital certificate in response to the user authentication data;

code that directs the processor to form a digital signature in response to the password that is inactive from the authentication server and the private key;

code that directs the processor to communicate the digital signature to the authentication server,code that directs the processor to communicate the digital certificate to the authentication server, the digital certificate comprising a public key in an encrypted form; and

code that directs the processor to communicate network user authentication data and the password that is inactive to the authentication server via a security server,wherein the authentication server activates the password that is inactive when the digital signature is verified, andwherein the codes reside on a tangible media.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer program product for a client computing system including a processor includes code that directs the processor to request a challenge from a authentication server, code that directs the processor to receive the challenge from the authentication server via a first secure communications channel, the challenge comprising an identity code, code that directs the processor to receive user authentication data from a user, code that directs the processor to determine a private key and a digital certificate in response to the user authentication data, code that directs the processor to form a digital signature in response to the identity code and the private key, code that directs the processor to communicate the digital signature to the authentication server, code that directs the processor to communicate the digital certificate to the authentication server, the digital certificate comprising a public key in an encrypted form, and code that directs the processor to communicate network user authentication data and the identity code to the authentication server via a security server, wherein the authentication server activates the identity code when the digital signature is verified, and wherein the codes reside on a tangible media.

Citations

20 Claims

1. A computer program product for a client computing system including a processor includes:
- code that directs the processor to request a challenge from an authentication server;
  
  code that directs the processor to receive the challenge from the authentication server via a secure communications channel, wherein the challenge includes at least a password that is inactive;
  
  code that directs the processor to receive user authentication data from a user;
  
  code that directs the processor to determine a private key and a digital certificate in response to the user authentication data;
  
  code that directs the processor to form a digital signature in response to the password that is inactive from the authentication server and the private key;
  
  code that directs the processor to communicate the digital signature to the authentication server,code that directs the processor to communicate the digital certificate to the authentication server, the digital certificate comprising a public key in an encrypted form; and
  
  code that directs the processor to communicate network user authentication data and the password that is inactive to the authentication server via a security server,wherein the authentication server activates the password that is inactive when the digital signature is verified, andwherein the codes reside on a tangible media.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer program product of claim 1 wherein the password that is inactive remains inactivate when the authentication server does not verify the digital signature.
  - 3. The computer program product of claim 1 wherein the security server comprises a server selected from a group of servers consisting of:
    - firewall server, VPN gateway server.
  - 4. The computer program product of claim 1 wherein code that directs the processor to determine the private key and the digital certificate in response to the user authentication data comprises code that directs the processor to determine a private key associated with the user when the user authentication data is correct.
  - 5. The computer program product of claim 4 wherein code that directs the processor to determine the private key and the digital certificate in response to the user authentication data further comprises code that directs the processor to determine a private key not associated with the user when the user authentication data is incorrect.
  - 6. The computer program product of claim 1 further comprising code that directs the processor to receive network user authentication data from the user.
  - 7. The computer program product of claim 1 wherein code that directs the processor to receive user authentication data from a user comprises code that directs the processor to receive user authentication data and the network authentication data from the user.

8. A client computing system for communicating with a private server includes:
- a tangible memory configured to store a key wallet, the key wallet including a private key associated with a user and a digital certificate associated with the user, the private key and digital certificate stored in an encrypted form;
  
  a processor coupled to the tangible memory, the processor configured to receive a challenge from an authentication server via a secure communications channel, the challenge comprising a password that is inactive, configured to receive user authentication data from the user, configured to determine a retrieved private key and a retrieved digital certificate from the key wallet in response to the user authentication data from the user;
  
  configured to form a digital signature in response to the password that is inactive from the authentication server and the retrieved private key, configured to communicate the digital signature to the authentication server, configured to communicate the digital certificate to the authentication server, and configured to communicate network user authentication data and the identity code to the authentication server via a security server,wherein the authentication server activates the password that is inactive when the digital signature is verified, andwherein the security server allows the client computing system to communicate with the private server when the password that is inactive is activated.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The client computing system of claim 8 wherein the retrieved private key and the private key associated with the user are identical.
  - 10. The client computing system of claim 8wherein the retrieved private key and the private key associated with the user are different, andwherein when the retrieved private key and the private key associated with the user are different the identity code remains inactive.
  - 11. The client computing system of claim 8 wherein the security server comprises a server selected from a group of servers consisting of:
    - firewall server, VPN gateway server, electronic mail server, web server, database server, database system, application server.
  - 12. The client computing system of claim 8 wherein the tangible memory can be removed from the client computer.
  - 13. The client computing system of claim 8 wherein the processor is also configured to receive the network user authentication data from the user.
  - 14. The client computing system of claim 8wherein the password that is inactive is determined in the authentication server, andwherein the password that is inactive is not stored on the client computing system before receiving the challenge from the authentication server.

15. A client system for communicating with a remote server includes:
- a tangible memory configured to store key wallet program, the key wallet program configured to store a private key associated with a user and a digital certificate associated with the user in protected forms;
  
  means for receiving a challenge from a verification server via a secure communications channel, the challenge comprising at least a network password that is inactive;
  
  means for receiving at least a PIN from the user;
  
  means for determining a returned private key and a returned digital certificate from the key wallet in response to at least the PIN from the user;
  
  means for forming a digital signature in response to the network password received from the verification server and to the private key;
  
  means for communicating the digital certificate and the digital signature to the authentication server; and
  
  means for communicating at least the network password to a security server,wherein the network password is activated when the digital signature and digital certificate authenticate the user; and
  
  wherein the security server allows the client system to communicate with the remote server when the network password is activated.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The client system of claim 15 wherein the returned private key and the private key associated with the user are the same.
  - 17. The client system of claim 16wherein the means for determining a returned private key comprises means for determining the returned private key in response to the PIN from the user, and a pre-determined PIN, wherein when the PIN from the user and the pre-determined PIN are different, the returned private key is different from the private key associated with the user, wherein when the PIN from the user and the pre-determined PIN are the same, the returned private key is the private key associated with the user;
    - wherein when the returned private key and the private key associated with the user are different the digital signature and the digital certificate do not authenticate the user.
  - 18. The client system of claim 15 further comprising means for receiving at least a network password associated with the user from the user,wherein the means for communicating the digital certificate and the digital signature to the authentication server also comprise means for communicating the network password associated with the user to the authentication server.
  - 19. The client system of claim 15 wherein the means for communicating the digital certificate and the digital signature to the authentication server also comprise means for communicating a network password associated with the user to the authentication server;
    - the client system further comprising means for determining the network password associated with the user in response to at least the PIN from the user.
  - 20. The client computing system of claim 15 wherein the client computing system is selected from a group of devices consisting of:
    - desktop computer, portable computer, PDA, wireless device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Arcot Systems, Inc. (Broadcom, Inc.)
Inventors
Jerdonek, Robert A.
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Tran; Ellen C.

Application Number

US09/896,163
Publication Number

US 20020095569A1
Time in Patent Office

2,063 Days
Field of Search

713/153, 713/200, 713/202, 713/155, 380/124, 380/278, 726/9, 726/2
US Class Current

726/2
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless

H04L 63/0272   Virtual private networks

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/0823   using certificates cryptogr...

H04L 63/0838   using one-time-passwords

H04L 63/0861   using biometrical features,...

H04L 63/12   Applying verification of th...

H04L 9/32   including means for verifyi...

H04L 9/3226   using a predetermined code,...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

H04L 9/3271   using challenge-response

Apparatus for pre-authentication of users using one-time passwords

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus for pre-authentication of users using one-time passwords

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links