User authentication for contact-less systems

US 7,246,744 B2
Filed: 12/13/2005
Issued: 07/24/2007
Est. Priority Date: 12/22/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method, comprising:

receiving, at a contact-less tag reader, first data transmitted by a tag;

validating the first data to determine whether the first data comprises candidate data for authentication, the validating being deemed successful if the first data comprises candidate data for authentication, and unsuccessful otherwise;

responsive to the validating being deemed successful, authenticating the candidate data;

wherein said validating comprises;

extracting from the first data an identifier and second data;

comparing the identifier to a predetermined reference identifier; and

concluding that the first data comprises candidate data for authentication if the identifier matches the predetermined reference identifier.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A validation phase is performed at an RFID reader, in order to ascertain which of a plurality of potential candidates for authentication, are actual candidates for authentication. Once a candidate has been successfully validated, an authentication phase is initiated with a host computer, to determine whether the information presented by the candidate matches expected information about the candidate. If the authentication is considered successful, a final authorization procedure may be performed, or the authenticated candidate may be granted certain predetermined permissions. By performing the validation phase locally at the reader, the need for accessing a host computer is reduced and unnecessary queries to the host computer are avoided.

Citations

49 Claims

1. A method, comprising:
- receiving, at a contact-less tag reader, first data transmitted by a tag;
  
  validating the first data to determine whether the first data comprises candidate data for authentication, the validating being deemed successful if the first data comprises candidate data for authentication, and unsuccessful otherwise;
  
  responsive to the validating being deemed successful, authenticating the candidate data;
  
  wherein said validating comprises;
  
  extracting from the first data an identifier and second data;
  
  comparing the identifier to a predetermined reference identifier; and
  
  concluding that the first data comprises candidate data for authentication if the identifier matches the predetermined reference identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 2. The method defined in claim 1, further comprising:
    - broadcasting a query signal;
      
      wherein the first data transmitted by the tag is in response to the query signal.
  - 3. The method defined in claim 1, wherein the tag is an RFID tag.
  - 4. The method defined in claim 1, wherein the candidate data for authentication is the second data.
  - 5. The method defined in claim 4, wherein the step of validating further comprises:
    - concluding that the first data does not comprise candidate data for authentication if the identifier does not match the predetermined reference identifier.
  - 6. The method defined in claim 1, wherein the step of extracting from the first data an identifier and second data comprises applying decryption to the first data.
  - 7. The method defined in claim 6, wherein the first data is encrypted with an encryption key and wherein applying decryption to the first data comprises decrypting the first data using a decryption key associated to the encryption key.
  - 8. The method defined in claim 7, further comprising obtaining the decryption key prior to receiving the first data.
  - 9. The method defined in claim 8, further comprising obtaining the predetermined reference identifier prior to receiving the first data.
  - 10. The method defined in claim 7, wherein the encryption key is longer than the decryption key.
  - 11. The method defined in claim 10, wherein the encryption key is a private key and wherein the decryption key is a public key.
  - 12. The method defined in claim 1, wherein the second data comprises a first portion corresponding to an index and a second portion corresponding to an encrypted version of third data.
  - 13. The method defined in claim 12, wherein the step of authenticating the candidate data comprises:
    - applying decryption to the second portion of the second data to obtain the third data;
      
      consulting a database at a location associated with the index to obtain fourth data;
      
      comparing the third and fourth data;
      
      deeming authentication to be successful if the third data matches the fourth data, and unsuccessful otherwise.
  - 14. The method defined in claim 13, wherein the first data is encrypted with a first encryption key, wherein the step of extracting from the first data an identifier and second data comprises decrypting the first data using a first decryption key associated to the first encryption key, and wherein the encrypted version of the third data comprises the third data as encrypted by a second encryption key.
  - 15. The method defined in claim 14, wherein applying decryption to the second portion of the second data comprises decrypting the second portion of the second data using a second decryption key associated to the second encryption key.
  - 16. The method defined in claim 15, wherein the second encryption key is shorter than the second decryption key.
  - 17. The method defined in claim 16, wherein the second encryption key is a public key and wherein the second decryption key is a private key.
  - 18. The method defined in claim 13, further comprising:
    - receiving an indication of an action desired to be performed by a user;
      
      verifying access privileges associated with the user;
      
      allowing the user to perform the action if the action is within the access privileges associated with the user.
  - 19. The method defined in claim 13, wherein the third data is indicative of access privileges associated with a user, the method further comprising:
    - receiving an indication of an action desired to be performed by the user; and
      
      allowing the user to perform the action if the action is within the access privileges associated with the user.
  - 20. The method defined in claim 13, wherein responsive to successful authentication, a user is permitted to perform a local action.
  - 21. The method defined in claim 20, wherein the local action is one of activating a vehicle function, opening a door, accessing a computer, accessing a computer network or effecting a financial transaction.
  - 22. The method defined in claim 13, wherein responsive to unsuccessful authentication, a user is prevented from performing a local action.
  - 23. The method defined in claim 22, wherein the local action is one of activating a vehicle function, opening a door, accessing a computer, accessing a computer network or effecting a financial transaction.
  - 24. The method defined in claim 13, further comprising, responsive to authentication being deemed successful, confirming the authentication using keyed-in data entered by a user.
  - 25. The method defined in claim 24, wherein confirming the authentication comprises:
    - receiving the keyed-in data entered by the user;
      
      consulting the database at the location associated with the index to obtain fifth data;
      
      comparing the keyed-in data to the fifth data;
      
      confirming authentication if the keyed-in data matches the fifth data.
  - 26. The method defined in claim 25, wherein the keyed-in data is entered by the user via a keyboard located in proximity to the contact-less tag reader.
  - 27. The method defined in claim 25, wherein the keyed-in data is entered by the user via a mobile phone.
  - 28. The method defined in claim 24, wherein confirming the authentication comprises:
    - receiving the keyed-in data entered by the user;
      
      comparing the keyed-in data to the fourth data;
      
      confirming authentication if the keyed-in data matches the fourth data.
  - 29. The method defined in claim 12, wherein the step of authenticating the candidate data comprises transmitting the second portion of the second data to a server adapted to:
    - apply decryption to the second portion of the second data to obtain the third data;
      
      consult a database at a location associated with the index to obtain fourth data;
      
      perform a comparison of the third and fourth data;
      
      return a result of the comparison.
  - 30. The method defined in claim 29, wherein the step of authenticating the candidate data further comprises deeming authentication to be successful if the result of the comparison indicates that the third data matches the fourth data, and unsuccessful otherwise.
  - 31. The method defined in claim 30, wherein responsive to successful authentication, a user is permitted to perform a local action.
  - 32. The method defined in claim 31, wherein the local action is one of activating a vehicle function, opening a door, accessing a computer, accessing a computer network or effecting a financial transaction.
  - 33. The method defined in claim 30, wherein responsive to unsuccessful authentication, a user is prevented from performing a local action.
  - 34. The method defined in claim 33, wherein the local action is one of activating a vehicle function, opening a door, accessing a computer, accessing a computer network or effecting a financial transaction.
  - 35. The method defined in claim 29, further comprising:
    - receiving an indication of an action desired to be performed by a user;
      
      verifying access privileges associated with the user;
      
      allowing the user to perform the action if the action is within the access privileges associated with the user.
  - 36. The method defined in claim 29, wherein the third data is indicative of access privileges associated with a user, the method further comprising:
    - receiving an indication of an action desired to be performed by the user; and
      
      allowing the user to perform the action if the action is within the access privileges associated with the user.

37. A method of programming a tag, comprising:
- determining a user identifier associated with a user of the tag;
  
  determining a personal identifier associated with the user of the tag;
  
  encrypting the personal identifier with an encryption key to produce an encrypted personal identifier;
  
  determining a common identifier jointly associated with the user of the tag and other users of other tags;
  
  creating a unique tag identifier (UTI), the UTI comprising the user identifier, the encrypted personal identifier and the common identifier;
  
  storing the UTI in a memory of the tag.
- View Dependent Claims (38, 39, 40)
- - 38. The method defined in claim 37, wherein a priori knowledge of the common identifier allows a processing entity that is provided with the common identifier to validate the tag without contacting a host.
  - 39. The method defined in claim 37, the encryption key being associated with a decryption key, wherein a priori knowledge of (I) the personal identifier associated with the user;
    - (II) the user identifier associated with the user; and
      
      (III) the decryption key, allows a processing entity provided with the user identifier and a result of decrypting the encrypted personal identifier using the decryption key to authenticate the tag.
  - 40. The method defined in claim 37, further comprising:
    - encrypting the UTI before storing in the memory of the tag.

41. Computer-readable media tangibly embodying a program of instructions executable by a host computer to perform a method of authenticating tag data that has been validated on a basis of an identifier in the tag data, the tag data further comprising second data, the second data having a first portion corresponding to an index and a second portion corresponding to an encrypted version of third data, the method comprising:
- applying decryption to the second portion of the second data to obtain the third data;
  
  consulting a database at a location associated with the index to obtain fourth data;
  
  comparing the third and fourth data;
  
  deeming authentication to be successful if the third data matches the fourth data, and unsuccessful otherwise.

42. A memory storing first data for transmission by a radio frequency tag to a reader, the first data comprising an identifier and second data, the identifier being known to the reader and allowing the reader to validate the tag without contacting a host, the second data comprising a first portion corresponding to an index and a second portion corresponding to an encrypted version of third data, the third data and the index being known to the host and allowing the host to authenticate the tag upon performing decryption of the second portion of the second data.
- View Dependent Claims (43, 44)
- - 43. A radio frequency tag, comprising:
    - the memory defined in claim 42;
      
      an antenna;
      
      a transponder operative to send a signal through the antenna, the signal being representative of the first data stored in the memory.
  - 44. The radio frequency tag defined in claim 43, wherein the transponder is operative to send the signal in response to receipt of a query signal through the antenna.

45. A signal tangibly embodied in a transmission medium and transmitted by a radio frequency tag, the signal comprising first data, the first data comprising an identifier and second data, the identifier being known to a reader of the tag and allowing the reader to validate the tag without contacting a host, the second data comprising a first portion corresponding to an index and a second portion corresponding to an encrypted version of third data, the third data and the index being known to the host and allowing the host to authenticate the tag upon performing decryption of the second portion of the second data.
- View Dependent Claims (46)
- - 46. The signal defined in claim 45, wherein the first data is in an encrypted form.

47. Computer-readable media tangibly embodying a program of instructions executable by a contact-less tag reader to perform a method, the method comprising:
- receiving first data transmitted by a tag;
  
  validating the first data to determine whether the first data comprises candidate data for authentication, the validating being deemed successful if the first data comprises candidate data for authentication, and unsuccessful otherwise;
  
  responsive to the validating being deemed successful, authenticating the candidate data;
  
  wherein said validating comprises;
  
  extracting from the first data an identifier and second data;
  
  comparing the identifier to a predetermined reference identifier; and
  
  concluding that the first data comprises candidate data for authentication if the identifier matches the predetermined reference identifier.

48. A contact-less tag reader, comprising:
- an antenna;
  
  a broadcast interface for receiving a signal through the antenna, the signal comprising first data transmitted by a tag;
  
  a control module connected to the broadcast interface, the control module being operative for;
  
  validating the first data to determine whether the first data comprises candidate data for authentication, the validating being deemed successful if the first data comprises candidate data for authentication, and unsuccessful otherwise;
  
  responsive to the validating being deemed successful, causing authentication of the candidate data to be performed;
  
  wherein said validating comprises;
  
  extracting from the first data an identifier and second data;
  
  comparing the identifier to a predetermined reference identifier; and
  
  concluding that the first data comprises candidate data for authentication if the identifier matches the predetermined reference identifier.
- View Dependent Claims (49)
- - 49. The contact-less tag reader defined in claim 48, wherein the signal comprising first data transmitted by a tag is received in response to broadcasting of a query signal through the antenna.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
BCE Incorporated
Original Assignee
BCE Incorporated
Inventors
Yeap, Tet Hin, O'Brien, William G
Primary Examiner(s)
Frech; Karl D

Application Number

US11/299,730
Publication Number

US 20060131412A1
Time in Patent Office

588 Days
Field of Search

235/382, 235/382.5
US Class Current

235/382
CPC Class Codes

G07C 9/27   with central registration

G07C 9/28   the pass enabling tracking ...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 2209/84   Vehicles

H04L 9/3271   using challenge-response

User authentication for contact-less systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

User authentication for contact-less systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links