Server-side implementation of a cryptographic system
First Claim
1. A secure cryptographic system, comprising:
a depository system, remote from a user, having at least one server which stores at least one private key and a plurality of enrollment authentication data, wherein each enrollment authentication data identifies one of multiple users;
an authentication engine, remote from said user, which compares authentication data received from one of said multiple users to enrollment authentication data corresponding to said one of multiple users using at least one private key received from the depository system;
a cryptographic engine which, when the authentication result indicates proper identification of the one of the multiple users, performs cryptographic functions on behalf of the one of the multiple users using the associated one or more different keys received from the depository system; and
a transaction engine connected to route data from the multiple users to the depository server system, said authentication engine, and said cryptographic engine;
wherein said secure cryptographic system is remote from said user and said user is connected to the system via a communication link, wherein said depository system further comprises a plurality of data storage facilities, each data storage facility having at least one server storing a substantially randomized portion of said private key and a substantially randomized portion of said plurality of enrollment authentication data, and wherein each substantially randomized portion is individually undecipherable.
9 Assignments
0 Petitions
Abstract
The invention is a secure server, or trust engine, having server-centric keys, or in other words, storing cryptographic keys and user authentication data on a server. Users access cryptographic functionality through network access to the trust engine; however, the trust engine does not release actual cryptographic keys or other authentication data. Therefore, the system provides that the keys and data remain secure. The server-centric storage of keys and authentication data provides for user-independent security, portability, availability, and straightforwardness, along with a wide variety of implementation possibilities.
36 Claims
1. Independent claim 1, as reproduced above under First Claim. (Dependent claims: 2-7.)
8. An authentication system for uniquely identifying a user through secure storage of the user's enrollment authentication data, said authentication system comprising:
a plurality of data storage facilities, wherein each data storage facility includes a computer accessible storage medium which stores one of substantially randomized data portions of enrollment authentication data and one of substantially randomized portions of said private key; and an authentication engine which communicates with said plurality of data storage facilities and comprises a data splitting module which operates on the enrollment authentication data and said private key to create said substantially randomized data portions; a data assembling module which processes said substantially randomized data portions from at least two of the data storage facilities to assemble enrollment authorization data and said private key; and a data comparator module which receives current authentication data from a user and compares the current authentication data with the assembled enrollment authentication data to determine whether said user has been uniquely identified; wherein said trust engine comprises an authentication system, wherein said trust engine is remote from said user and said user is connected to said trust engine via a communication link, and wherein each substantially randomized portion is individually undecipherable. (Dependent claims: 9-23.)
24. A secure authentication system, on a remote trust engine, comprising:
a depository system, remote from a user, having at least one server which stores at least one private key and a plurality of enrollment authentication data, wherein each enrollment authentication data identifies one of multiple users, wherein said depository system further comprises a plurality of data storage facilities, each data storage facility having at least one server storing a substantially randomized portion of said private key and a substantially randomized portion of said plurality of enrollment authentication data; a plurality of authentication engines, wherein each authentication engine comprises a data assembling module which assembles said substantially randomized enrollment authentication data portions from said depository system to form the enrollment authentication data which uniquely identifies a user to a degree of certainty, wherein each authentication engine receives current authentication data to compare to said enrollment authentication data, and wherein each authentication engine generates an authentication result; and a redundancy system which receives said authentication result of at least two of the authentication engines and uses said authentication results to determine whether said user has been uniquely identified, wherein the secure authentication system is part of said remote trust engine; wherein said remote trust engine is remote from said user and said user is connected to said trust engine via a communication link; and wherein each substantially randomized portion is individually undecipherable. (Dependent claims: 25-30.)
31. A trust engine system for facilitating authentication of a user, said trust engine system comprising:
a first trust engine comprising a first depository, remote from a user, wherein said first depository includes a plurality of data storage facilities, each data storage facility having at least one server storing a substantially randomized portion of at least one piece of enrollment authentication data from a plurality of enrollment authentication data corresponding to multiple users and at least one piece of said private key; a second trust engine located at a different geographic location than said first trust engine and comprising a second depository having a plurality of data storage facilities, each data storage facility having at least one server storing a substantially randomized portion of at least one piece of said enrollment authentication data and at least one piece of said private key; an authentication engine communicating with the first and second depositories and which assembles at least two of said substantially randomized data portions of at least one piece of said enrollment authentication data and at least one piece of said private key into a usable form; and a transaction engine communicating with the first and second depositories and the authentication engine, wherein when said second trust engine is determined to be available to execute a transaction, said transaction engine receives enrollment authentication data from a user and forwards a request for a data assembling module to assemble said enrollment authentication data from substantially randomized data portions using said private key, and wherein the authentication engine compares said authentication data from said user and enrollment authentication data assembled from said first and second depositories, and determines an authentication result, wherein said first and second trust engines are remote from said user and said user is connected to said trust engines via a communication link; and wherein each substantially randomized portion is individually undecipherable. (Dependent claims: 32-36.)
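The splitting, assembling, comparator and redundancy elements recited in claims 8 and 24 (and the cross-depository assembly of claim 31) are easier to reason about with a concrete instance. The following is an added example, not code from the patent, its specification or its assignee. The claims name no splitting algorithm; Shamir secret sharing over a prime field is assumed here because any k-1 of its portions are consistent with every possible secret, which is what "individually undecipherable" requires. The 2-of-3 threshold, the majority rule in the redundancy system, the 32-byte secret size and all sample data are assumptions of this example.

```python
"""Added example (not the patent's own code): k-of-n split of a user's
enrollment authentication data and private key across n data storage
facilities, reassembly from any k of them, constant-time comparison with
the data presented at login, and a redundancy vote over several
authentication engines.  Shamir secret sharing is an assumed choice of
splitting scheme; sample data below is constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Mersenne prime 2**521 - 1; a 32-byte secret always fits in one field element.
PRIME = (1 << 521) - 1
SECRET_LEN = 32
Share = Tuple[int, int]  # (x, f(x)); x is the 1-based index of a storage facility


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation mod PRIME; coeffs[0] is the constant term (the secret)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def _interpolate(points: List[Share], at: int) -> int:
    """Lagrange interpolation mod PRIME of the polynomial through `points`, evaluated at `at`."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (at - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def split(secret: bytes, k: int, n: int) -> List[Share]:
    """Data splitting module: n randomized portions, any k of which rebuild `secret`.

    The secret is the constant term of a random degree-(k-1) polynomial and each
    facility receives one point on it.  Fewer than k points leave the constant
    term uniformly distributed, so a single portion carries no information.
    """
    if not 1 <= k <= n or len(secret) != SECRET_LEN:
        raise ValueError("bad threshold or secret length")
    coeffs = [int.from_bytes(secret, "big")] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def assemble(portions: List[Share]) -> bytes:
    """Data assembling module: recover the constant term f(0) from at least k portions."""
    return _interpolate(portions, 0).to_bytes(SECRET_LEN, "big")


def enroll(enrollment_data: bytes, private_key: bytes, k: int, n: int) -> Dict[int, Dict[str, Share]]:
    """Depository system: facility x stores only portion x of each secret, never the whole."""
    auth, key = split(enrollment_data, k, n), split(private_key, k, n)
    return {x: {"auth": auth[x - 1], "key": key[x - 1]} for x in range(1, n + 1)}


def authenticate(depository: Dict[int, Dict[str, Share]], facilities: List[int], current: bytes) -> bool:
    """One authentication engine: reassemble the enrollment data from the named
    facilities and compare it in constant time with what the user presented."""
    enrolled = assemble([depository[x]["auth"] for x in facilities])
    return hmac.compare_digest(enrolled, current)


def redundancy_vote(results: List[bool]) -> bool:
    """Redundancy system: identified only if a strict majority of at least two
    engine results agree (majority rule is an assumption of this example)."""
    if len(results) < 2:
        raise ValueError("need results from at least two authentication engines")
    return results.count(True) * 2 > len(results)


def consistent_portion(known: List[Share], x_new: int, candidate: bytes) -> Share:
    """Why k-1 portions are undecipherable: for ANY candidate secret there exists a
    portion at x_new that, together with the k-1 `known` ones, reconstructs it."""
    through = [(0, int.from_bytes(candidate, "big"))] + known
    return (x_new, _interpolate(through, x_new))


def demo() -> Dict[str, bool]:
    """2-of-3 enrollment, login via facilities 1 and 3, vote, and a decoy that
    facility 1's portion alone cannot rule out."""
    enrollment = hashlib.sha256(b"constructed-enrollment-template").digest()  # constructed
    private_key = secrets.token_bytes(SECRET_LEN)                              # constructed
    depository = enroll(enrollment, private_key, k=2, n=3)
    good = authenticate(depository, [1, 3], enrollment)
    bad = authenticate(depository, [1, 3], hashlib.sha256(b"wrong").digest())
    decoy = hashlib.sha256(b"attacker guess").digest()
    forged = consistent_portion([depository[1]["auth"]], 2, decoy)
    return {
        "key_roundtrip": assemble([depository[2]["key"], depository[3]["key"]]) == private_key,
        "good_login": good,
        "bad_login": bad,
        "vote": redundancy_vote([good, good, bad]),
        "one_portion_fits_decoy": assemble([depository[1]["auth"], forged]) == decoy,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last entry of `demo()` is the practical reading of "individually undecipherable": an attacker holding one facility's portion can produce a second portion that reconstructs any value they like, so that portion alone rules out no secret. Note what the scheme does not cover: once the assembling module has run, the enrollment data and private key exist in cleartext in the authentication or cryptographic engine's memory, which is why the claims keep those engines inside the remote trust engine rather than on the user's device.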