Method and apparatus for using a third party authentication server

US 7,409,543 B1
Filed: 11/06/2000
Issued: 08/05/2008
Est. Priority Date: 03/30/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method of authenticating a client, the method comprising in an authentication server:

receiving a record ID for a user, the record ID being a random value generated for tracking authentication data and disassociating the authentication data from other client identity data, and a one-time key generated by a third party server and encrypted with a user'"'"'s public key by the server;

receiving the user'"'"'s authentication data from the client;

determining if the user'"'"'s authentication data matches stored data associated with the record ID; and

if so, decrypting the one-time key with a user'"'"'s private key, and returning the decrypted one-time key to the client.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for a third party authentication server is described. The method includes receiving a record ID for a user, and a one-time key generated by the server and encrypted with a user'"'"'s public key by the server. The method further includes receiving the user'"'"'s authentication data from the client, and determining if the user'"'"'s authentication data matches the record ID. If the authentication data matches the record ID, decrypting the one-time key with the user'"'"'s private key, and returning the decrypted one-time key to the client.

157 Citations

31 Claims

1. A method of authenticating a client, the method comprising in an authentication server:
- receiving a record ID for a user, the record ID being a random value generated for tracking authentication data and disassociating the authentication data from other client identity data, and a one-time key generated by a third party server and encrypted with a user'"'"'s public key by the server;
  
  receiving the user'"'"'s authentication data from the client;
  
  determining if the user'"'"'s authentication data matches stored data associated with the record ID; and
  
  if so, decrypting the one-time key with a user'"'"'s private key, and returning the decrypted one-time key to the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising registering the user with the authentication server, registering comprising:
    - receiving a registration authentication data from the user;
      
      generating a random public key/private key pair for the user;
      
      generating a random value as the record ID for the user; and
      
      associating the authentication data and the user'"'"'s private key with the record ID.
  - 3. The method of claim 2, further comprising:
    - sending the record ID and the public key to the user.
  - 4. The method of claim 2 further comprising establishing a secure connection between the authentication server and the user, prior to receiving registration authentication data.
  - 5. The method of claim 1, wherein a web page presented by the third party server to the client prompts the user to enter the authentication data to log in to the server.
  - 6. The method of claim 5, wherein the client'"'"'s authentication data is automatically redirected to the authentication server.
  - 7. The method of claim 1, wherein the authentication data is biometric data.
  - 8. The method of claim 1, wherein the authentication data is personal data selected from among the following:
    - a password, a smart card, and another type of authentication card.
  - 9. The method of claim 1, wherein the client forwards the decrypted one-time key to the third party server, thereby authenticating the user as the owner of the private key.
  - 10. A method of claim 1, further comprising discarding the record ID after returning the one-time key to the user.
  - 11. The method of claim 1, wherein the record ID and the encrypted one-time key are further encrypted using a partner key, the method further comprising decrypting the record ID and encrypted one-time key using the partner key.
  - 12. The method of claim 11, wherein the partner is a symmetric key set up during registration of the partner.
  - 13. The method of claim 11, wherein the partner key is a private key of the authentication server.

14. A method of using an authentication server to authenticate a user to a third party server, the method comprising the third party server:
- looking up a record ID associated with the user, the record ID being a random value generated to track the user'"'"'s authentication data and used to separate the user'"'"'s other identity information from the authentication data;
  
  generating a one-time key and encrypting the one-time key with a public key of the user, and sending the encrypted one-time key and the record ID to the user;
  
  receiving the authentication data, the authentication data being the decrypted one-time key decrypted with the user'"'"'s private key by the authentication server, such that the user does not have control of the user'"'"'s private key at any time; and
  
  permitting access to the server.
- View Dependent Claims (15, 16)
- - 15. The method of claim 14, comprising:
    - determining an authentication policy associated with the user; and
      
      verifying that the authentication policy has been satisfied, prior to permitting access to the server.
  - 16. The method of claim 15, wherein verifying that the authentication policy has been satisfied comprises:
    - determining if the server should verify additional data; and
      
      if so, requesting additional data from the user prior to generating the one-time key.

17. An authentication system comprising:
- an authentication server to receive a record ID for a user, the record ID being a randomly generated value used to separate the user'"'"'s other identity information from the user'"'"'s authentication data, and a one-time key generated by a third party server and encrypted with a user'"'"'s public key by the third party server;
  
  a comparison logic in the authentication server to receive user authentication data from a client and determine whether the user'"'"'s authentication data matches stored data associated with the record ID; and
  
  a decryption logic in the authentication server to decrypt the one-time key with a private key associated with the validated record ID, and to return the decrypted one-time key to the client.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 18. The system of claim 17, further comprising:
    - a policy validation logic to receive a policy from the third party server, and determine if the policy has been fulfilled; and
      
      the decryption logic to decrypt the one-time key only if the policy has been fulfilled.
  - 19. The system of claim 18, further comprising:
    - the interface to send the record ID and the public key to the user.
  - 20. The system of claim 17, further comprising:
    - a nonce generation logic in the authentication server to generate a nonce, and to send the nonce to the client, the nonce to be included with the user authentication data from the client; and
      
      the comparison logic to verify that the user authentication data includes the appropriate nonce.
  - 21. The system of claim 20, wherein the interface establish a secure connection with the user, prior to receiving registration authentication data.
  - 22. The system of claim 17, further comprising a client registration logic to register the user, the client registration logic comprising:
    - a key generation logic to generate a random public key/private key pair for the user;
      
      a record ID generation logic to generate a random record ID for the user; and
      
      the client registration logic to associate user authentication data with the private key and the record ID.
  - 23. The system of claim 17, wherein a web page presented by the third party server to the client prompts the user to enter the authentication data to log in to the third party server.
  - 24. The system of claim 23, wherein the authentication data is automatically redirected to the authentication server.
  - 25. The system of claim 17, wherein the authentication data is biometric data.
  - 26. The system of claim 17, wherein the authentication data is personal data selected from among the following:
    - a password, a smart card, and another type of authentication card.
  - 27. The system of claim 17, wherein the client forwards the decrypted one-time key to the third party server, thereby authenticating the user as the owner of the private key.
  - 28. The system of claim 17, further comprising a security mechanism to discard the record ID after returning the one-time key to the user.
  - 29. The system of claim 17, wherein the decryption logic further decrypts the record ID and the encrypted one-time key with a partner key.
  - 30. The system of claim 29, wherein the partner key is a symmetric key set up during registration of the partner.
  - 31. The system of claim 29, wherein the partner key is a private key of the authentication server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
HID Global Corporation (Assa Abloy AB)
Original Assignee
Digitalpersona Corporation (Assa Abloy AB)
Inventors
Bjorn, Vance C.
Primary Examiner(s)
Revak; Christopher
Assistant Examiner(s)
Moorthy; Aravind K

Application Number

US09/707,417
Time in Patent Office

2,829 Days
Field of Search

713/155, 713/200, 713/201, 713/202, 380/259, 380/285
US Class Current

713/155
CPC Class Codes

H04L 63/067   using one-time keys cryptog...

H04L 63/0838   using one-time-passwords

H04L 9/0825   using asymmetric-key encryp...

H04L 9/083   involving central third par...

H04L 9/321   involving a third party or ...

H04L 9/3231   Biological data, e.g. finge...

Method and apparatus for using a third party authentication server

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

157 Citations

31 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for using a third party authentication server

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

157 Citations

31 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others