Method and apparatus for using a third party authentication server

US 7,895,432 B2
Filed: 08/04/2008
Issued: 02/22/2011
Est. Priority Date: 03/30/2000
Status: Expired due to Term

First Claim

Patent Images

1. An authentication server comprising:

a memory, to store instructions for performing authentication; and

a processor, to execute the instructions, wherein the instructions cause the processor to have;

a comparison logic to receive, from a client, user authentication data, a record ID for a user, the record ID used to provide pseudonymity to the user, and a one-time key encrypted with a user'"'"'s public key, the comparison logic to determine whether the user authentication data matches stored data associated with the record ID; and

a decryption logic to decrypt the one-time key with a private key associated with the record ID, and to return the decrypted one-time key to the client.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for a third party authentication server is described. The method includes receiving a record ID for a user, and a one-time key generated by the server and encrypted with a user'"'"'s public key by the server. The method further includes receiving the user'"'"'s authentication data from the client, and determining if the user'"'"'s authentication data matches the record ID. If the authentication data matches the record ID, decrypting the one-time key with the user'"'"'s private key, and returning the decrypted one-time key to the client.

70 Citations

View as Search Results

20 Claims

1. An authentication server comprising:
- a memory, to store instructions for performing authentication; and
  
  a processor, to execute the instructions, wherein the instructions cause the processor to have;
  
  a comparison logic to receive, from a client, user authentication data, a record ID for a user, the record ID used to provide pseudonymity to the user, and a one-time key encrypted with a user'"'"'s public key, the comparison logic to determine whether the user authentication data matches stored data associated with the record ID; and
  
  a decryption logic to decrypt the one-time key with a private key associated with the record ID, and to return the decrypted one-time key to the client.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The server of claim 1, further comprising the instructions to cause the processor to have:
    - a nonce generation logic to generate the one-time key, and to send the one-time key to the client, the one-time key to be included with the user authentication data from the client; and
      
      the comparison logic to verify that the user authentication data includes the one-time key.
  - 3. The server of claim 1, further comprising the instructions to cause the processor to have a client registration logic to register the user, the client registration logic comprising:
    - a key generation logic to generate a random public key/private key pair for the user;
      
      a record ID generation logic to generate a record ID for the user; and
      
      the client registration logic to associate user authentication data with the private key and the record ID.
  - 4. The server of claim 1, wherein the authentication data is personal data selected from among the following:
    - biometric data, a password, a smart card, and another type of authentication card.
  - 5. The server of claim 1, wherein the client forwards the decrypted one-time key to a third party server, to authenticate the user as owner of the private key.
  - 6. The server of claim 1, further comprising a security mechanism to discard the record ID after returning the one-time key to the user.

7. A method of authenticating a user, the method comprising in an authentication server:
- receiving a record ID for a user, and a one-use nonce which has been encrypted with a user'"'"'s public key from a client;
  
  receiving user authentication data from the client;
  
  determining if the user authentication data matches stored data associated with the record ID; and
  
  if the user authentication data matches the stored data, decrypting the one-use nonce with a user'"'"'s private key and returning the decrypted one-use nonce to the client.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 8. The method of claim 7, further comprising registering the user with the authentication server, registering comprising:
    - receiving a registration authentication data from the user;
      
      generating a random public key/private key pair for the user, the public key/private key pair including the user'"'"'s private key and an associated public key;
      
      generating the record ID for the user; and
      
      associating the authentication data and the user'"'"'s private key with the record ID.
  - 9. The method of claim 8, further comprising:
    - sending the record ID and the public key to the user.
  - 10. The method of claim 7, wherein the authentication data is personal data selected from among the following:
    - biometric data, a password, a smart card, and another type of authentication card.
  - 11. The method of claim 7, wherein the client forwards the decrypted one-use nonce to a third party server, thereby authenticating the user as owner of the private key.
  - 12. A method of claim 7, further comprising discarding the record ID after returning the one-use nonce to the user.
  - 13. The method of claim 7, wherein the record ID and the encrypted one-use nonce are further encrypted using a partner key, the method further comprising decrypting the record ID and encrypted one-use nonce using the partner key.
  - 14. The method of claim 13, wherein the partner key is a symmetric key set up during registration of a partner server.
  - 15. The method of claim 14, wherein the partner key is a private key of the authentication server.
  - 16. The method of claim 7, further comprising:
    - determining an authentication policy associated with the user; and
      
      verifying that the authentication policy has been satisfied, prior to permitting access to the authentication server.
  - 17. The method of claim 16, wherein verifying that the authentication policy has been satisfied comprises determining if the authentication server should verify additional data;
    - and if so, requesting additional data from the user prior to generating the one-use nonce.

18. A server computing device comprising:
- a memory, to store instructions for performing authentication; and
  
  a processor, to execute the instructions, wherein the instructions cause the processor to;
  
  receive a record ID for a user, and a one-use nonce which has been encrypted with a user'"'"'s public key from a client;
  
  receive user authentication data from the client;
  
  determine if the user authentication data matches stored data associated with the record ID; and
  
  if the user authentication data matches the stored data, decrypt the one-use nonce with a user'"'"'s private key and return the decrypted one-use nonce to the client.
- View Dependent Claims (19, 20)
- - 19. The server computing device of claim 18, further comprising the instructions to cause the processor to:
    - receive a registration authentication data from the user;
      
      generate a random public key/private key pair for the user, the public key/private key pair including the user'"'"'s private key and an associated public key;
      
      generate the record ID for the user; and
      
      associate the authentication data and the user'"'"'s private key with the record ID.
  - 20. The server computing device of claim 18, wherein the record ID and the encrypted one-use nonce are further encrypted using a partner key, the instructions further to cause the processor to decrypt the record ID and encrypted one-use nonce using the partner key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Digital Persona
Original Assignee
Digitalpersona Corporation (Assa Abloy AB)
Inventors
Bjorn, Vance C.
Primary Examiner(s)
Moorthy; Aravind K

Application Number

US12/185,802
Publication Number

US 20090031125A1
Time in Patent Office

932 Days
Field of Search

713/155, 713/168, 713/171, 713/179, 713/185, 380/30, 380/255, 380/259, 380/281, 380/285, 726/4, 726/5, 726/26, 726/27
US Class Current

713/155
CPC Class Codes

H04L 63/067   using one-time keys cryptog...

H04L 63/0838   using one-time-passwords

H04L 9/0825   using asymmetric-key encryp...

H04L 9/083   involving central third par...

H04L 9/321   involving a third party or ...

H04L 9/3231   Biological data, e.g. finge...

Method and apparatus for using a third party authentication server

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

70 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for using a third party authentication server

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links