Server-side implementation of a cryptographic system

US 7,187,771 B1
Filed: 09/20/2000
Issued: 03/06/2007
Est. Priority Date: 09/20/1999
Status: Expired due to Term

First Claim

Patent Images

1. A secure cryptographic system, comprising:

a depository system, remote from a user, having at least one server which stores at least one private key and a plurality of enrollment authentication data, wherein each enrollment authentication data identifies one of multiple users;

an authentication engine, remote from said user, which compares authentication data received by from one of said multiple users to enrollment authentication data corresponding to said one of multiple users using at least one private key received from the depository system;

a cryptographic engine which, when the authentication result indicates proper identification of the one of the multiple users, performs cryptographic functions on behalf of the one of the multiple users using the associated one or more different keys received from the depository system; and

a transaction engine connected to route data from the multiple users to the depository server system, said authentication engine, and said cryptographic engine;

wherein said secure cryptographic system is remote from said user and said user is connected to the system via a communication link,wherein said depository system further comprises a plurality of data storage facilities, each data storage facility having at least one server storing substantially randomized portion of said private key and a substantially randomized portion of said plurality of enrollment authentication data, andwherein each substantially randomized portion is individually undecipherable.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention is a secure server, or trust engine, having server-centric keys, or in other words, storing cryptographic keys and user authentication data on a server. Users access cryptographic functionality through network access to the trust engine; however, the trust engine does not release actual cryptographic keys or other authentication data. Therefore, the system provides that the keys and data remain secure. The server-centric storage of keys and authentication data provides for user-independent security, portability, availability, and straightforwardness, along with a wide variety of implementation possibilities.

Citations

36 Claims

1. A secure cryptographic system, comprising:
- a depository system, remote from a user, having at least one server which stores at least one private key and a plurality of enrollment authentication data, wherein each enrollment authentication data identifies one of multiple users;
  
  an authentication engine, remote from said user, which compares authentication data received by from one of said multiple users to enrollment authentication data corresponding to said one of multiple users using at least one private key received from the depository system;
  
  a cryptographic engine which, when the authentication result indicates proper identification of the one of the multiple users, performs cryptographic functions on behalf of the one of the multiple users using the associated one or more different keys received from the depository system; and
  
  a transaction engine connected to route data from the multiple users to the depository server system, said authentication engine, and said cryptographic engine;
  
  wherein said secure cryptographic system is remote from said user and said user is connected to the system via a communication link,wherein said depository system further comprises a plurality of data storage facilities, each data storage facility having at least one server storing substantially randomized portion of said private key and a substantially randomized portion of said plurality of enrollment authentication data, andwherein each substantially randomized portion is individually undecipherable.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A secure cryptographic system of claim 1, wherein said enrollment authentication data includes biometric data.
  - 3. A secure cryptographic system of claim 2, wherein said biometric data includes finger print patterns.
  - 4. A secure cryptographic system of claim 1, wherein said at least one private key corresponds to said secure cryptographic system.
  - 5. A secure cryptographic system of claim 1, wherein said at least one private key corresponds to said one of said multiple users.
  - 6. A secure cryptographic system of claim 1, wherein said cryptographic functions comprise one of digital signing, encryption, and decryption.
  - 7. A method of facilitating cryptographic functions, said method comprising using the system of claim 1.

8. An authentication system for uniquely identifying a user through secure storage of the user'"'"'s enrollment authentication data, said authentication system comprising:
- a plurality of data storage facilities, wherein each data storage facility includes a computer accessible storage medium which stores one of substantially randomized data portions of enrollment authentication data from and one of substantially randomized portions of said private key; and
  
  an authentication engine which communicates with said plurality of data storage facilities and comprisesa data splitting module which operates on the enrollment authentication data and said private key to create said substantially randomized data portions;
  
  a data assembling module which processes said substantially randomized data the portions from at least two of the data storage facilities to assemble enrollment authorization data and said private key, anddata comparator module which receives current authentication data from a user and compares the current authentication data with the assembled enrollment authentication data to determine whether said user has been uniquely identified;
  
  wherein said trust engine comprises an authentication system,wherein said trust engine is remote from said user and said user is connected to said trust engine via a communication link, and wherein each substantially randomized portion is individually undecipherable.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 9. The authentication system of claim 8, wherein said each data storage facility is logically separated from any other data storage facility.
  - 10. The authentication system of claim 8, wherein said each data storage facility is physically separated from any other data storage facility.
  - 11. The authentication system of claim 8, further comprising a cryptographic engine which, upon the unique identification of said user by said authentication engine, provides cryptographic functionality to said user.
  - 12. The authentication system of claim 8, wherein said plurality of data storage facilities comprises at least one secure server.
  - 13. The authentication system of claim 8, wherein unique identification of said user by said authentication engine provides said user authorization to gain access to or operate one or more systems.
  - 14. The authentication system of claim 13, wherein said one or more systems include one or more electronic devices.
  - 15. The authentication system of claim 13, wherein said one or more systems include one or more computer software systems.
  - 16. The authentication system of claim 13, wherein said one or more systems include one or more consumer electronic.
  - 17. The authentication system of claim 13, wherein said one or more consumer electronics includes a cellular phone.
  - 18. The authentication system of claim 13, wherein said one or more systems include one or more cryptographic systems.
  - 19. The authentication system of claim 13, wherein said one or more systems include one or more physical locations.
  - 20. The authentication system of claim 8, wherein at least one of the data storage facilities stores at least some sensitive data, wherein said at least one of said data storage facilities serves said sensitive data when said authentication engine indicates that said user has been uniquely identified.
  - 21. The authentication system of claim 8, further comprising a data vault which stores sensitive data, wherein said data vault serves said sensitive data when said authentication engine indicates that said user has been uniquely identified.
  - 22. The authentication system of claim 8, wherein said identification system outputs an indication of whether said user has been uniquely identified.
  - 23. A method comprising using the system of claim 8.

24. A secure authentication system, on a remote trust engine, comprising:
- a depository system, remote from a user, having at least one server which stores at least one private key and a plurality of enrollment authentication data, wherein each enrollment authentication data identifies one of multiple user, wherein said depository system further comprises a plurality of data storage facilities, each data storage facility having at least one server storing a substantially randomized portion of said private key and a substantially randomized portion of said plurality of enrollment authentication data;
  
  a plurality of authentication engines, wherein each authentication engine a data assembling module which assembles said substantially randomized enrollment authentication data portions from said depository system to form the enrollment authentication data which uniquely identifies a user to a degree of certainty,wherein each authentication engine receives current authentication data to compare to said enrollment authentication data, and wherein each authentication engine generates an authentication result; and
  
  a redundancy system which receives said authentication result of at least two of the authentication engines and uses said authentication results to determine whether said user has been uniquely identified,wherein the secure authentication system is part of said remote trust engine;
  
  wherein said remote trust engine is remote from said user and said user is connected to said trust engine via a communication link; and
  
  wherein each substantially randomized portion is individually undecipherable.
- View Dependent Claims (25, 26, 27, 28, 29, 30)
- - 25. The secure authentication system of claim 24, wherein said redundancy system determines whether said user has been identified by following the majority of said authentication results.
  - 26. The secure authentication system of claim 24, said redundancy system determines whether said user is uniquely identified by requiring said authentication results to be unanimously positive before issuing a positive identification.
  - 27. The secure authentication system of claim 24, wherein said redundancy system includes a plurality of redundancy modules, and said secure authentication system further comprises:
    - plurality of geographically remote trust engines, each trust engine having one of said plurality of authentication engines and one of said redundancy modules,wherein the redundancy module for at least one of said plurality of trust engines determines whether said user has been uniquely identified using said authentication results from ones of said authentication engines associated with the other trust engines and without using said authentication results from the at least one trust engine.
  - 28. The secure authentication system of claim 27, wherein said each of the plurality of trust engines includes a depository having a computer accessible storage medium which stores a substantially randomized portion of the enrollment authentication data and wherein each depository forwards the substantially randomized portion of the enrollment authentication data to the plurality of authentication engines.
  - 29. The secure authentication system of claim 27, wherein said determining whether the user has been uniquely identified corresponds to the one of the redundancy modules to first determine a result.
  - 30. A method comprising using the system of claim 24.

31. A trust engine system for facilitating authentication of a user, said trust engine system comprising:
- a first trust engine comprising a first depository, remote from a user, wherein said first depository includes a plurality of data storage facilities, each data storage facility having at least one server storing a substantially randomized portion of at least one piece of enrollment authentication data from a plurality of enrollment authentication data corresponding to multiple users and at least one piece of said private key;
  
  a second trust engine located at a different geographic location than said first trust engine and comprising a second depository having a plurality of data storage facilities, each data storage facility having at least one server storing substantially randomized portion of at least one piece of said enrollment authentication data and at least one piece of said private key;
  
  an authentication engine communicating with the first and second depositories and which assembles at least two of said substantially randomized data portions of at least one piece of said enrollment authentication data and at least one piece of said private key into a usable form, andan transaction engine communicating with the first and second depositories and the authentication engine,wherein when said second trust engine is determined to be available to execute a transaction, said transaction engine receives enrollment authentication data from a user and forwards a request for a data assembling module to assemble said enrollment authentication data from substantially randomized data portions using said private key, and wherein the authentication engine compares said authentication data from said user and enrollment authentication data assembled from said first and second depositories, and determines an authentication result,wherein said first and second trust engines are remote from said user and said user is connected to said trust engines via a communication link; and
  
  wherein each substantially randomized portion is individually undecipherable.
- View Dependent Claims (32, 33, 34, 35, 36)
- - 32. The trust engine system of claim 31, wherein said determination of whether said second trust engine is available to execute said transaction includes a determination of whether said second trust engine is within geographic proximity to the user.
  - 33. The trust engine system of claim 31, wherein said determination of whether said determining of whether said second trust engine is available to execute said transaction includes a determination of whether said second trust engine is currently servicing a light system load.
  - 34. The trust engine system of claim 31, wherein said determination of whether said second trust engine is available to execute said transaction includes a determination of whether said second trust engine is currently scheduled for maintenance.
  - 35. The trust engine system of claim 31, wherein said determination of whether said the first and second trust engines are determined to be available, and an authentication result for said trust engine system follows the first and second trust engines to produce the authentication result.
  - 36. A method comprising using the system of claim 31.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Security First Innovations, LLC
Original Assignee
Security First Corp
Inventors
Dickinson, Alexander G., Orsini, Rick L., Rohrbach, Mark D., Ferrante, Michelle, Clayton, Richard F., Davenport, Roger S., Stark, Gregory H., Ohare, Mark S., Brooks, Aaron A., Clough, Philip W., Zoccoli, James G.
Primary Examiner(s)
Vu; Kim
Assistant Examiner(s)
TRUVAN, LEYNNA THANH

Application Number

US09/666,519
Time in Patent Office

2,358 Days
Field of Search

713200-201, 713/155, 713/161, 713/166, 713168-169, 713/171, 713180-186, 713/150, 713/176, 713/189, 380228-229, 380/241, 380/282, 380277-278, 380281-285, 380/30, 380/232, 380/255, 380/258, 380/45, 380/231, 380/239, 380/28, 380/29, 380/201, 709201-203, 709/217, 709/223, 709/225, 705/71, 705/18, 382115-118, 382/124, 726 1- 6, 726 17- 18, 726/21, 726/22, 726 26- 30, 726/32, 726/35, 710/28, 710/33, 711/5, 711/100, 711/163, 711/105, 711/115
US Class Current

380/228
CPC Class Codes

G06F 21/31   User authentication

G06F 21/32   using biometric data, e.g. ...

G06F 21/33   using certificates

G06F 21/40   by quorum, i.e. whereby two...

G06F 21/41   where a single sign-on prov...

G06F 21/64   Protecting data integrity, ...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2115   Third party

G06F 2221/2117   User registration

G06Q 20/02   involving a neutral party, ...

G06Q 20/04   Payment circuits

G06Q 20/12   specially adapted for elect...

G06Q 20/382   insuring higher security of...

G06Q 20/3821   Electronic credentials

G06Q 20/38215   Use of certificates or encr...

G06Q 20/3823   combining multiple encrypti...

G06Q 20/3825   Use of electronic signatures

G06Q 20/3829   involving key management

G07F 7/1016   Devices or methods for secu...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80 : Wireless

H04L 63/0428 : wherein the data content is...

H04L 63/0435 : wherein the sending and rec...

H04L 63/06 : for supporting key manageme...

H04L 63/061 : for key exchange, e.g. in p...

H04L 63/0823 : using certificates cryptogr...

H04L 63/083 : using passwords cryptograph...

H04L 63/0853 : using an additional device,...

H04L 63/105 : Multiple levels of security

H04L 9/0825 : using asymmetric-key encryp...

H04L 9/0844 : with user authentication or...

H04L 9/085 : Secret sharing or secret sp...

H04L 9/0897 : involving additional device...

H04L 9/3073 : involving pairings, e.g. id...

H04L 9/321 : involving a third party or ...

H04L 9/3231 : Biological data, e.g. finge...

H04L 9/3236 : using cryptographic hash fu...

H04L 9/3247 : involving digital signatures

H04L 9/3265 : using certificate chains, t...

View All

Server-side implementation of a cryptographic system

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Server-side implementation of a cryptographic system

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links