Personal authentication device and system and method thereof

US 7,694,330 B2
Filed: 01/02/2004
Issued: 04/06/2010
Est. Priority Date: 05/23/2003
Status: Active Grant

First Claim

Patent Images

1. A personal authentication device (PAD) comprising:

at least one storage medium storing at least one CA public key, each public key associated with a certificate authority (CA);

one or more input means for receiving one or more digital certificates, wherein the one or more digital certificates comprise at least one ticket-generation certificate including at least one service key generating program or information indicating at least one service key generating program;

a processing component forauthenticating the one or more received digital certificates using the at least one stored CA public key, andgenerating at least one service key based on the one or more authenticated digital certificates; and

an output means for outputting the at least one service key,wherein the at least one storage medium comprises at least one component for storing a PAD private key associated with the PAD and used by the PAD to authenticate the PAD to a user, andwherein the one or more input means comprises at least one component for receiving a PAD authentication request from the user;

the processing component comprises at least one component for responding to the PAD authentication request using the stored PAD private key; and

the output means comprises at least one component for outputting responses to the PAD authentication request.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a flexible, tamper-resistant authentication system, or personal authentication device (PAD), which can support applications in authentication, authorization and accounting. The PAD stores at least one public key associated with a certificate authority (CA) and receives one or more digital certificates, which may be authenticated based on the stored CA public keys. The PAD outputs a service key that, depending on the application, may be used to gain access to a controlled space, obtain permission for taking a certain action, or receive some service. The operation of the PAD and the nature of the service key may be determined by digital certificates that it receives during operation. Using a stored PAD private key that is kept secret, the PAD may perform a variety of security-related tasks, including authenticating itself to a user, signing service keys that it generates, and decrypting content on received digital certificates.

Citations

75 Claims

1. A personal authentication device (PAD) comprising:
- at least one storage medium storing at least one CA public key, each public key associated with a certificate authority (CA);
  
  one or more input means for receiving one or more digital certificates, wherein the one or more digital certificates comprise at least one ticket-generation certificate including at least one service key generating program or information indicating at least one service key generating program;
  
  a processing component forauthenticating the one or more received digital certificates using the at least one stored CA public key, andgenerating at least one service key based on the one or more authenticated digital certificates; and
  
  an output means for outputting the at least one service key,wherein the at least one storage medium comprises at least one component for storing a PAD private key associated with the PAD and used by the PAD to authenticate the PAD to a user, andwherein the one or more input means comprises at least one component for receiving a PAD authentication request from the user;
  
  the processing component comprises at least one component for responding to the PAD authentication request using the stored PAD private key; and
  
  the output means comprises at least one component for outputting responses to the PAD authentication request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 2. The personal authentication device (PAD) of claim 1, wherein the processing component comprises at least one component forauthenticating the at least one received ticket-generation certificate using the at least one stored CA public key;
    - andif one or more ticket-generation certificates are authenticated, generating the at least one service key based on the at least one authenticated service key generating program, wherein the at least one service key may be used by a user to obtain access to at least one service.
  - 3. The personal authentication device (PAD) of claim 1, wherein the one or more digital certificates further comprise:
    - a user-identification certificate comprising information uniquely associated with a user;
      
      and wherein the processing component comprises at least one component forauthenticating the received user-identification certificate using the at least one stored CA public key; and
      
      if the user-identification certificate is authenticated, authenticating the user based on the authenticated user-identification certificate.
  - 4. The personal authentication device (PAD) of claim 3, wherein the one or more digital certificates comprises:
    - at least one user-qualification certificate indicating at least one service and one or more users who may access the at least one service;
      
      and wherein the processing component comprises at least one component forauthenticating the at least one received user-qualification certificate based on the at least one CA public key, if the user is authenticated; and
      
      if the at least one user-qualification certificate is authenticated, determining at least one service that the authenticated user may have access to based on the at least one authenticated user-qualification certificate.
  - 5. The personal authentication device (PAD) of claim 1, wherein the at least one service key comprises at least one cookie.
  - 6. The personal authentication device (PAD) of claim 5, wherein the processing component comprises at least one component for:
    - generating a one-time key and storing it in PAD;
      
      based on the one-time key, generating the at least one cookie and sending the generated cookie to the user;
      
      receiving the previously generated the at least one cookie, and validating the received cookie using the stored one-time key; and
      
      if the received cookie is successfully validated, invalidating the one-time key used in the cookie validation, generating a new one-time key and storing it in PAD, and based on the new one-time key, generating a new cookie and sending the new cookie to the user.
  - 7. The personal authentication device (PAD) of claim 5, wherein the content in the one or more cookies comprises usage counts indicating the number of times one or more users have used one or more services.
  - 8. The personal authentication device (PAD) of claim 4, wherein the one or more input means further receives one or more certificates comprising information for granting the user access to at least one additional service based on the at least one service.
  - 9. The personal authentication device (PAD) of claim 1, wherein the processing component comprises at least one component for signing the at least one service key using the stored PAD private key.
  - 10. The personal authentication device (PAD) of claim 1, the processing component comprises at least one component for decrypting contents on the one or more received digital certificates using the stored PAD private key, wherein the contents are encrypted with the corresponding PAD public key.
  - 11. The personal authentication device (PAD) of claim 4, wherein the one or more digital certificates comprise at least one ticket-generation certificate indicating at least one service key generating program corresponding to the at least one service;
    - and wherein the processing component comprises at least one component forauthenticating the at least one ticket-generation certificate using the at least one stored CA public key; and
      
      if one or more ticket-generation certificates are authenticated, generating the at least one service key based on the at least one authenticated service key generating program, wherein the at least one service key may be used by a user to obtain access to at least one service.
  - 12. The personal authentication device (PAD) of claim 3, wherein the one or more input means further receives one or more user credentials, andthe processing component comprises at least one component forauthenticating the user based on the authenticated user-identification certificate and the one or more received user credentials.
  - 13. The personal authentication device (PAD) of claim 12, wherein the one or more user credentials comprise one or more user private keys.
  - 14. The personal authentication device (PAD) of claim 12, wherein the one or more user credentials comprise a personal identification number (PIN) associated with the user, or information computed from the PIN.
  - 15. The personal authentication device (PAD) of claim 12, wherein the one or more user credentials comprise biometric information associated with the user.
  - 16. The personal authentication device (PAD) of claim 12, further comprising:
    - means for disabling the PAD if one or more attempts to authenticate the user based on the authenticated user-identification certificate and the one or more user credentials ends in failure.
  - 17. The personal authentication device (PAD) of claim 1, wherein the one or more digital certificates comprises:
    - an operations certificate comprising information for controlling the operations of the PAD for a current session.
  - 18. The personal authentication device (PAD) of claim 17, wherein the information for controlling the operations of the PAD for a current session comprises one or more of the following:
    - information governing input and output of the PAD, challenge and response protocols for user and PAD authentication, secure protocols for receiving and outputting data, and protocols for PAD management purposes.
  - 19. The personal authentication device (PAD) of claim 17, wherein the information for controlling the operations of the PAD for a current session comprises information governing linking of one or more received certificates, and wherein the processing component comprises at least one component for linking of one or more received certificates based on one or more certificates comprising information for granting the user access to at least one additional service based on the at least one service.
  - 20. The personal authentication device (PAD) of claim 1, wherein the one or more input means receive one or more signature-verification certificates forming a signature-verification chain, wherein each signature-verification certificate in the signature-verification chain is signed with the private key of an entity whose public key is certified by the preceding signature-verification certificate and wherein the first signature-verification certificate in the signature-verification chain is signed by at least one stored CA public key;
    - and wherein the processing component comprises at least one component for authenticating the one or more received digital certificates based on the last signature-verification certificate in the signature-verification chain.
  - 21. The personal authentication device (PAD) of claim 1, wherein the PAD is tamper-resistant.
  - 22. The personal authentication device (PAD) of claim 1, wherein the CA public keys and the PAD private key are written into the PAD only once.
  - 23. The personal authentication device (PAD) of claim 1, further comprising:
    - a protection mechanism that erases the PAD private key from the at least one storage medium when there are unauthorized attempts in reading or modifying the PAD private key.
  - 24. The personal authentication device (PAD) of claim 1, wherein at least one of the one or more input means is a reading device capable of receiving at least one of the one or more digital certificates and user credentials from a storage medium or network interface.
  - 25. The personal authentication device (PAD) of claim 1, further comprising a clock for determining a current date and time.
  - 26. The personal authentication device (PAD) of claim 1, further comprising one or more timers for determining time that has elapsed since a timer was reset.
  - 27. The personal authentication device (PAD) of claim 1, further comprising one or more counters for determining a number of times an event has occurred since a counter was reset.
  - 28. The personal authentication device (PAD) of claim 1, wherein the one or more digital certificates further comprise information which may reset clock, timers and counters of the PAD.
  - 29. The personal authentication device (PAD) of claim 1, wherein the one or more digital certificates comprise a content decryption key and content rights that the PAD will check before outputting the content decryption key as a service key.
  - 30. The personal authentication device (PAD) of claim 29, wherein the content rights comprise limits on at least one of the following:
    - content expiration time, content usage period, content usage count.
  - 31. The personal authentication device (PAD) of claim 25, wherein the processing component comprises at least one component for determining if the current date and time is within the validity period of the one or more received digital certificates.
  - 32. The personal authentication device (PAD) of claim 25, wherein the processing component comprises at least one component for generating timestamps to be included in service keys that the PAD generates.
  - 33. The personal authentication device (PAD) of claim 1, further comprising a write-once serial number.
  - 34. The personal authentication device (PAD) of claim 33, wherein the processing component comprises at least one component for generating the at least one service key based on the serial number.
  - 35. The personal authentication device (PAD) of claim 1, wherein the at least one ticket generation certificate further indicates a length of the at least one service key.
  - 36. The personal authentication device (PAD) of claim 1, wherein the at least one ticket generation certificate further indicates a format for outputting the at least one service key.
  - 37. The personal authentication device (PAD) of claim 1, wherein the information indicating the at least one service key generating program includes information of the at least one service key generating program stored on the PAD.
  - 38. The personal authentication device (PAD) of claim 1, wherein the information indicating the at least one service key generating program includes information of the at least one service key generating program available via the one or more input means.

39. An authentication method comprising:
- storing on a personal authentication device (PAD) at least one CA public key, each public key associated with a certificate authority (CA);
  
  receiving one or more digital certificates, wherein the one or more digital certificates comprise at least one ticket-generation certificate including at least one service key generating program or information indicating at least one service key generating program;
  
  authenticating the one or more received digital certificates using the at least one stored CA public key;
  
  generating at least one service key based on the one or more authenticated digital certificates;
  
  outputting the at least one service key;
  
  storing on the personal authentication device (PAD) a PAD private key associated with the PAD and used by the PAD to authenticate the PAD to a user;
  
  receiving a PAD authentication request from the user;
  
  responding to the PAD authentication request using the stored PAD private key; and
  
  outputting the response to the PAD authentication request.
- View Dependent Claims (40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75)
- - 40. The method of claim 39, further comprising:
    - authenticating the at least one received ticket-generation certificate using the at least one CA public key; and
      
      if the at least one ticket-generation certificate is authenticated, generating at least one service key based on the at least one service key generating program, wherein the at least one service key may be used by a user to obtain access to at least one service.
  - 41. The method of claim 39, further comprising:
    - receiving a user-identification certificate comprising information uniquely associated with a user;
      
      authenticating the received user-identification certificate based on the at least one CA public key; and
      
      if the user-identification certificate is authenticated, authenticating the user based on the authenticated user-identification certificate.
  - 42. The method of claim 41, further comprising:
    - receiving at least one user-qualification certificates indicating at least one service and one or more users who may access the at least one service;
      
      authenticating the at least one received user-qualification certificate based on the at least one CA public key; and
      
      if the at least one user-qualification certificate is authenticated, determining at least one service that the authenticated user may have access to based on the at least one authenticated user-qualification certificate.
  - 43. The method of claim 39, wherein the at least one service key comprises at least one cookie.
  - 44. The method of claim 39, further comprising:
    - generating a one-time key and storing it on the PAD;
      
      based on the one-time key, generating the at least one cookie and sending the generated cookie to the user;
      
      receiving the previously generated the at least one cookie, and validating the received cookie using the stored one-time key; and
      
      if the received cookie is successfully validated, invalidating the one-time key used in the cookie validation, generating a new one-time key and store it on the PAD, and based on the new one-time key, generating a new cookie and sending the new cookie to the user.
  - 45. The method of claim 44, wherein the content in the one or more cookies comprises usage counts indicating the number of times one or more users have used one or more services.
  - 46. The method of claim 39, further comprising:
    - signing the at least one service key using the stored PAD private key.
  - 47. The method of claim 39, further comprising:
    - decrypting contents on the one or more received digital certificates using the stored PAD private key, wherein the contents are encrypted with the corresponding PAD public key.
  - 48. The method of claim 42, further comprising:
    - if the authenticated user is determined to have access to the services, authenticating the at least one ticket-generation certificate using the at least one CA public key; and
      
      if the at least one ticket-generation certificate is authenticated, generating at least one service key based on the at least one service key generating program, wherein the at least one service key may be used by a user to obtain access to at least one service.
  - 49. The method of claim 42, further comprising:
    - granting the user access to at least one additional service based on the at least one service and received digital certificate information.
  - 50. The method of claim 41, further comprising:
    - receiving one or more received user credentials; and
      
      authenticating the user based on the authenticated user-identification certificate and the one or more user credentials.
  - 51. The method of claim 50, wherein the user credentials comprise one or more user private keys.
  - 52. The method of claim 50, wherein the user credentials comprise a personal identification number (PIN) associated with the user, or information computed from the PIN.
  - 53. The method of claim 50, wherein the user credentials comprise biometric information associated with the user.
  - 54. The method of claim 50, further comprising:
    - disabling the PAD if one or more attempts to authenticate the user based on the authenticated user-identification certificate and the one or more user credentials ends in failure.
  - 55. The method of claim 39, further comprising:
    - receiving an operations certificate comprising information for controlling the operations of the PAD for a current session.
  - 56. The method of claim 55, wherein the information for controlling the operations of the PAD for a current session comprises one or more of the following:
    - information governing input and output of the PAD, challenge and response protocols for user and PAD authentication, secure protocols for receiving and outputting data, and protocols for PAD management purposes.
  - 57. The method of claim 55, wherein the information for controlling the operations of the PAD for a current session comprises information governing linking of one or more received certificates, and wherein the method further comprises:
    - linking one or more received certificates based on one or more certificates comprising information for granting the user access to at least one additional service based on the at least one service.
  - 58. The method of claim 39, further comprising:
    - receiving one or more signature-verification certificates forming a signature-verification chain, wherein each signature-verification certificate in the signature-verification chain is signed with the private key of an entity whose public key is certified by the preceding signature-verification certificate and wherein the first signature-verification certificate in the signature-verification chain is signed by at least one stored CA public key; and
      
      wherein the processing component comprises at least one component for authenticating the one or more received digital certificates based on the last signature-verification certificate in the signature-verification chain.
  - 59. The method of claim 39, further comprising:
    - erasing the PAD private key when one or more unauthorized attempts to read or modify the PAD private key are detected.
  - 60. The method of claim 39, wherein at least one of the one or more digital certificates is received from a storage medium or network interface.
  - 61. The method of claim 39, further comprising determining a current date and time.
  - 62. The method of claim 61, further comprising:
    - determining if the current date and time is within the validity period of the one or more received digital certificates.
  - 63. The method of claim 39, further comprising determining elapsed time since a prior event.
  - 64. The method of claim 39, further comprising determining the number of times an event has occurred since a prior event.
  - 65. The method of claim 39, further comprising:
    - receiving one or more digital certificates which contain information for resetting current date and time, elapsed time, and a number of times an event has occurred.
  - 66. The method of claim 65, further comprising:
    - resetting clock, timers or counters of the PAD based on information in the one or more digital certificates.
  - 67. The method of claim 39, further comprising:
    - receiving one or more digital certificates which provide a content decryption key and content rights; and
      
      checking the content rights before outputting the content decryption key as a service key.
  - 68. The method of claim 67, wherein the content rights comprise limits on at least one of the following:
    - content expiration time, content usage period, content usage count.
  - 69. The method of claim 61, further comprising:
    - generating timestamps based on the current date and time, the timestamps to be included in service keys that the PAD generates.
  - 70. The method of claim 39, further comprising:
    - generating the at least one service key based on a write-once serial number.
  - 71. The method of claim 70, further comprising:
    - including the serial number in the at least one service key.
  - 72. The method of claim 39, wherein the at least one ticket generation certificate further indicates a length of the at least one service key.
  - 73. The method of claim 39, wherein the at least one ticket generation certificate further indicates a format for outputting the at least one service key.
  - 74. The method of claim 39, wherein the information indicating the at least one service key generating program includes information of the at least one service key generating program stored on the PAD.
  - 75. The method of claim 39, wherein the information indicating the at least one service key generating program includes information of the at least one service key generating program available via one or more input devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hsiang-Tsung Kung, Industrial Technology Research Institute
Original Assignee
Industrial Technology Research Institute
Inventors
Kung, Hsiang-Tsung
Primary Examiner(s)
TRAN, ELLEN C

Application Number

US10/749,558
Publication Number

US 20040250076A1
Time in Patent Office

2,286 Days
Field of Search

713/175, 713/172, 726/9, 726/10, 726/20
US Class Current

726/9
CPC Class Codes

G07C 9/22 in combination with an iden...

H04L 9/3263 involving certificates, e.g...

Personal authentication device and system and method thereof

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

75 Claims

Specification

Solutions

Use Cases

Quick Links

Personal authentication device and system and method thereof

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

75 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links