Secure authentication using hardware token and computer fingerprint

US 8,065,718 B2
Filed: 10/30/2007
Issued: 11/22/2011
Est. Priority Date: 11/05/2002
Status: Active Grant

First Claim

Patent Images

1. A method of authenticating a hardware token, comprising the steps of:

providing a hardware token different from and connectable to a host computer;

generating in the host computer a host computer fingerprint F based at least in part on a unique characteristic of the host;

transmitting the host computer fingerprint F to an authorizing device different from the host computer and the hardware token;

establishing a secure communication mechanism between the hardware token and the authorizing device;

thereafter generating a random value R in the authorizing device and providing the random value R to the host computer;

computing in the host computer a challenge R′

derived at least in part from the host computer fingerprint F and the random value R;

transmitting the challenge R′

to the hardware token;

generating a response X in the hardware token, the response X generated at least in part from the challenge R′

; and

transmitting the response X from the hardware token to the authorizing device to authenticate the hardware token for operation with the host.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for secure authentication of a hardware token is disclosed. In one embodiment, a host computer fingerprint is used to generate a partial seed for a challenge-response authentication which is performed on the hardware token. In another embodiment, the host computer fingerprint is used as a personal identification number for the hardware token.

Citations

33 Claims

1. A method of authenticating a hardware token, comprising the steps of:
- providing a hardware token different from and connectable to a host computer;
  
  generating in the host computer a host computer fingerprint F based at least in part on a unique characteristic of the host;
  
  transmitting the host computer fingerprint F to an authorizing device different from the host computer and the hardware token;
  
  establishing a secure communication mechanism between the hardware token and the authorizing device;
  
  thereafter generating a random value R in the authorizing device and providing the random value R to the host computer;
  
  computing in the host computer a challenge R′
  
  derived at least in part from the host computer fingerprint F and the random value R;
  
  transmitting the challenge R′
  
  to the hardware token;
  
  generating a response X in the hardware token, the response X generated at least in part from the challenge R′
  
  ; and
  
  transmitting the response X from the hardware token to the authorizing device to authenticate the hardware token for operation with the host.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the step of generating the host computer fingerprint comprises the steps of:
    - collecting host information C; and
      
      forming the host computer fingerprint F at least in part from the host information C.
  - 3. The method of claim 2, wherein the step of forming the host computer fingerprint F from the host information C comprises the step of hashing the host information C.
  - 4. The method of claim 2, wherein:
    - the method further comprises the step of receiving authorizing device specific vatic V; and
      
      the step of forming the host computer fingerprint F at least in part from the host information C comprises the step of forming the host computer fingerprint F at least in part from the host information C and the authorizing device specific value V.
  - 5. The method of claim 1, wherein the step of forming the host computer fingerprint F at least in part from the host information C and the authorizing device specific value V comprises the step of forming the host computer fingerprint F at least in part from a hash of the host information C and the authorizing device specific value V.
  - 6. The method of claim 4, wherein the step of forming the host computer fingerprint F at least in part from the host information C and the authorizing device specific value V comprises the step of forming the host computer fingerprint F at least in part from a concatenation of the host information C and the authorizing device specific value V.
  - 7. The method of claim 2, wherein the host computer is communicatively coupleable to the authorizing device and the hardware token, and the host information C includes information selected from the group comprising:
    - processor serial number;
      
      hard drive serial number;
      
      network interface MAC address;
      
      BIOS code checksum;
      
      operating system; and
      
      system directory timestamp.
  - 8. The method of claim 1 wherein the secure communication mechanism between the hardware token and the authorizing device comprises a shared secret S between the authorizing device and the hardware token.
  - 9. The method of claim 8, wherein the response X is the challenge R′
    - encrypted by the shared secret S.
  - 10. The method of claim 1, wherein the secure communication mechanism between the hardware token and the authorizing device comprises a private key K_prof a key pair having the private key K_praccessible to the token and a public key K_puaccessible to the authorizing device.
  - 11. The method of claim 10, wherein the response X is the challenge R′
    - encrypted by the private key K_pr.

12. An apparatus for authenticating a hardware token, comprising:
- a hardware token different from and connectable to a host computer;
  
  said host computer generating a host computer fingerprint F based at least in part on a unique characteristic of the host;
  
  means for transmitting the host computer fingerprint F to an authorizing device different from the host computer and the hardware token;
  
  the host computer receiving a random value R generated by the authorizing device;
  
  the host computer computing a challenge R′
  
  , the challenge R′
  
  derived at least in part from the host computer fingerprint F and the random value R;
  
  means for transmitting the challenge R′
  
  to the hardware token;
  
  the hardware token generating a response X, the response X generated at least in part from the challenge R′
  
  ; and
  
  means for securely transmitting the response X from the hardware token to the authorizing device.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The apparatus of claim 12, wherein the host computer fingerprint F is generated at least in part from host computer information C.
  - 14. The apparatus of claim 13, wherein the host computer fingerprint F is generated by hashing the host information C.
  - 15. The apparatus of claim 13, wherein:
    - the apparatus further comprises means for receiving at the host computer an authorizing device specific value V;
      
      wherein the host computer fingerprint F is generated at least in part from the host information C and the authorizing device specific value V.
  - 16. The apparatus of claim 15, wherein the host computer fingerprint F is generated at least in part from a hash of the host information C and the authorizing device specific value V.
  - 17. The apparatus of claim 15, wherein the host computer fingerprint F is generated at least in part from a concatenation of the host information C and the authorizing device specific value V.
  - 18. The apparatus of claim 13, wherein the host computer is communicatively coupleable to the authorizing device and the hardware token, and the host information C includes information selected from the group comprising:
    - processor serial number;
      
      hard drive serial number;
      
      network interface MAC address;
      
      BIOS code checksum;
      
      operating system; and
      
      system directory timestamp.
  - 19. The apparatus of claim 12, wherein the means for securely transmitting comprises generating the response X using the challenge R′
    - and a shared secret S between the authorizing device and the hardware token.
  - 20. The apparatus of claim 19, wherein the response X is the challenge R′
    - encrypted by the shared secret S.
  - 21. The apparatus of claim 12, wherein the means for securely transmitting comprises means for generating the response X using the challenge R′
    - and a private key K_prof a key pair having the private key K_praccessible to the token and a public key K_puaccessible to the authorizing device.
  - 22. The apparatus of claim 21, wherein the response X is the challenge R′
    - encrypted by the private key K_pr.

23. A computer for authenticating a hardware token different from and connectable to the computer, the computer having a processor communicatively coupled to a memory storing instructions for performing steps of:
- generating a host computer fingerprint F based at least in part on a unique characteristic of the host;
  
  transmitting the host computer fingerprint F to an authorizing device different from the computer and the hardware token;
  
  thereafter receiving a random value R from the authorizing device;
  
  computing a challenge R′
  
  , the challenge R′
  
  derived at least in part from the host computer fingerprint F and the random value R;
  
  transmitting the challenge R′
  
  to the hardware token;
  
  receiving a cryptographically secured response X from the hardware token, the cryptographically secured response X generated at least in part from the challenge R′
  
  ; and
  
  transmitting the cryptographically secured response X to the authorizing device.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. The apparatus of claim 23, wherein the instructions for generating the host computer fingerprint comprise instructions for collecting host information C and forming the host computer fingerprint F at least in part from the host information C.
  - 25. The apparatus of claim 24, wherein the instructions for forming the host computer fingerprint F at least in part from the host information C comprise instructions for hashing the host information C.
  - 26. The apparatus of claim 24, wherein:
    - the computer includes means for receiving an authorizing device specific value V; and
      
      the instructions for forming the host computer fingerprint F at least in part from the host information C comprise instructions for forming the host computer fingerprint F at least in part from the host information C and the authorizing device specific value V.
  - 27. The apparatus of claim 26, wherein the instructions for forming the host computer fingerprint F at least in part from the host information C and the authorizing device specific value V comprise instructions for forming the host computer fingerprint F at least in part from a hash of the host information C and the authorizing device specific value V.
  - 28. The apparatus of claim 26, wherein the instructions for forming the host computer fingerprint F at least in part from the host information C and the authorizing device specific value V comprise instructions for forming the host computer fingerprint F at least in part from a concatenation of the host information C and the authorizing device specific value V.
  - 29. The apparatus of claim 24, wherein the host computer is communicatively coupleable to the authorizing device and the hardware token, and the host information C includes information selected from the group comprising:
    - processor serial number;
      
      hard drive serial number;
      
      network interlace MAC address;
      
      BIOS code checksum;
      
      operating system; and
      
      system directory timestamp.
  - 30. The apparatus of claim 23, wherein the response X is generated from a shared secret S between the authorizing device and the hardware token.
  - 31. The apparatus of claim 30, wherein the response X is the challenge R′
    - encrypted by the shared secret S.
  - 32. The apparatus of claim 23, wherein the response X is generated from a private key K_prof a key pair having the private key K_praccessible to the token and a public key K_puaccessible to the authorizing device.
  - 33. The apparatus of claim 32, wherein the response X is the challenge R′
    - encrypted by the private key K_pr.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Thales DIS CPL USA, Inc. (Thales SA)
Original Assignee
SafeNet Incorporated (Thales SA)
Inventors
Grove, Brian, Khalaf, James, Tibbetts, Reed, Elteto, Laszlo
Primary Examiner(s)
Cervetti; David Garcia

Application Number

US11/978,757
Publication Number

US 20080065887A1
Time in Patent Office

1,484 Days
Field of Search

713/168, 713/172, 713/182, 713/185, 713/186, 713/159, 726/9, 726/20
US Class Current

726/9
CPC Class Codes

G06F 21/31   User authentication

G06F 21/34   involving the use of extern...

G06F 2221/2129   Authenticate client device ...

H04L 9/3234   involving additional secure...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3271   using challenge-response

Secure authentication using hardware token and computer fingerprint

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Secure authentication using hardware token and computer fingerprint

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links