System and method for user authentication with exposed and hidden keys
First Claim
1. A method for digitally authenticating a user over a network system having at least one service server, at least one client device and a token provider communicable with one another through the internet, wherein the user has an account established with an account identifier (UserID) in the at least one service server and the token provider, a hardware token assigned by the token provider, and an owner code (OC) known only by the user and the token provider, wherein the at least one service server has a uniquely global identifier (SC) and an authentication license (AL) associated with the identification information of the at least one service server, the hardware token and the user, wherein the AL is provided by the token provider and stored in the at least one service server, wherein the UserID, SC and the OC are stored in a database of the token provider, and wherein the hardware token is communicable with the at least one client device, comprising the steps of:
a. entering the SC and the OC into the token by the user;
b. generating a first exposed key (EK) and a first hidden key (HK) by the token, wherein each of the EK and the HK is associated with at least the SC and the OC, and a time code (TC) and a noise code (NC) of the token, wherein the TC is the current time of the token when the EK and the HK are generated, and the NC is a built-in secret string of the token;
c. initializing a user login session of the at least one service server from the at least one client device by the user to enter the UserID and the generated EK and HK thereinto, wherein the UserID and the generated EK are transmitted to the at least one service server through the internet;
d. computing a second exposed key (CEK) and a second hidden key (CHK) by the at least one service server based on the AL provided by the token provider;
e. authenticating the user by the at least one service server when the CEK is the same as the received EK;
f. sending a response message to the at least one client device by the at least one service server, wherein the response message is encrypted with the CHK; and
g. decrypting the response message received from the at least one service server at the at least one client device with the HK.
Abstract
The present invention relates to a system and method for digitally authenticating users both online and offline. In one embodiment, a hardware token assigned by a trusted token provider to the user is employed to ensure the identity of the user. In the online authentication, the token is adapted for generating an exposed key EK and a hidden key HK based on a noise code NC and a time code TC of the token, a space code SC of a service server, and an owner code OC of the user. A login session is initialized by entering a user identifier at the service server and the generated EK from a computing device. The service server computes an exposed key CEK and a hidden key CHK based on an authentication license generated by the token provider. The service server authenticates the user if the CEK is the same as the EK, and sends a response message encrypted with the CHK to the computing device. Then, the user provides the HK to the computing device to decrypt the encrypted response message so as to access his/her account. In the offline authentication, the token is adapted for generating a license exposed key LEK used to render the encrypted digital content on an offline compliant device. The compliant device authenticates the user if a license exposed key computed by the compliant device, based on a content license that the user bought, is the same as the LEK, so as to render the protected digital content after authentication.
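The online flow above, as an added worked model in Python (not the patent's own code, and not a production cipher). Everything the abstract leaves open is an assumption here: the authentication license is AL = HMAC-SHA256(NC, OC || SC), issued by the token provider so that the service server never holds NC or OC; TC is the 30-second step of the token clock and the server tolerates one step of skew; EK is truncated to 8 bytes because the user types it; the response is protected by HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, standing in for a real AEAD such as AES-GCM; and the server records each accepted (UserID, TC) so the same EK cannot be replayed within its window. The NC, OC, SC, UserID and session message values are constructed for the example.

```python
"""Added model of the EK/HK login flow from the abstract (not the patent's code).
Assumed: AL = HMAC(NC, OC||SC) issued by the token provider; TC = 30-second step
of the token clock; server tolerates one step of skew; HMAC-SHA256 counter mode
plus an HMAC tag stands in for a real AEAD (use AES-GCM in practice)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

TIME_STEP = 30  # assumption: TC advances once per 30 seconds


def derive_al(nc: bytes, oc: str, sc: str) -> bytes:
    """Token provider side: AL binds token (NC), user (OC) and service (SC)
    without revealing NC or OC to the service server."""
    return hmac.new(nc, oc.encode() + b"|" + sc.encode(), hashlib.sha256).digest()


def derive_keys(al: bytes, tc: int) -> tuple[bytes, bytes]:
    """EK (8 bytes, typed by the user) and HK (32 bytes, kept on the client) for
    one TC. Token and server run the same derivation, so CEK == EK and
    CHK == HK whenever their clocks agree on TC."""
    tc_bytes = tc.to_bytes(8, "big")
    ek = hmac.new(al, b"EK|" + tc_bytes, hashlib.sha256).digest()[:8]
    hk = hmac.new(al, b"HK|" + tc_bytes, hashlib.sha256).digest()
    return ek, hk


class HardwareToken:
    """Holds NC; the user enters SC and OC, the token outputs EK and HK."""

    def __init__(self, nc: bytes, clock=time.time):
        self._nc = nc  # built-in secret string, never leaves the token
        self._clock = clock

    def generate(self, sc: str, oc: str) -> tuple[bytes, bytes]:
        tc = int(self._clock()) // TIME_STEP
        return derive_keys(derive_al(self._nc, oc, sc), tc)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, i = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:length]


def encrypt_response(chk: bytes, plaintext: bytes) -> bytes:
    """Server side: encrypt-then-MAC under keys separated from CHK. Output nonce|ct|tag."""
    enc_key = hmac.new(chk, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(chk, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt_response(hk: bytes, blob: bytes) -> bytes | None:
    """Client side: verify the tag with HK before decrypting; None on any failure."""
    if len(blob) < 48:
        return None
    enc_key = hmac.new(hk, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(hk, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ServiceServer:
    """Stores AL per UserID; never sees NC, OC or HK."""

    def __init__(self, sc: str, clock=time.time, skew_steps: int = 1):
        self.sc, self._clock, self._skew = sc, clock, skew_steps
        self._licenses: dict[str, bytes] = {}
        self._used: set[tuple[str, int]] = set()  # (UserID, TC) already accepted

    def install_license(self, user_id: str, al: bytes) -> None:
        self._licenses[user_id] = al

    def login(self, user_id: str, ek: bytes, response: bytes) -> bytes | None:
        """Steps d to f: recompute CEK/CHK for each TC in the skew window, accept
        only on a constant-time match, refuse replays, return the CHK-encrypted response."""
        al = self._licenses.get(user_id)
        if al is None:
            return None
        now = int(self._clock()) // TIME_STEP
        for tc in range(now - self._skew, now + self._skew + 1):
            cek, chk = derive_keys(al, tc)
            if hmac.compare_digest(cek, ek):
                if (user_id, tc) in self._used:
                    return None  # same EK presented twice inside its window
                self._used.add((user_id, tc))
                return encrypt_response(chk, response)
        return None


def demo(server_clock=lambda: 1_700_000_000.0, token_clock=None) -> dict:
    """End-to-end run of steps a to g with constructed NC/OC/SC/UserID values."""
    nc = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed NC
    user_id, oc, sc = "alice", "4711", "bank.example"        # constructed values
    server = ServiceServer(sc, clock=server_clock)
    server.install_license(user_id, derive_al(nc, oc, sc))   # AL from the provider
    token = HardwareToken(nc, clock=token_clock or server_clock)
    ek, hk = token.generate(sc, oc)                          # steps a and b
    blob = server.login(user_id, ek, b"session=ok")          # steps c to f
    return {
        "decrypted": None if blob is None else decrypt_response(hk, blob),  # step g
        "wrong_ek": server.login(user_id, bytes(8), b"x"),   # bad EK is refused
        "replay": server.login(user_id, ek, b"again"),       # same EK again is refused
    }
```

Calling demo() runs one login; the abstract does not say whether TC travels with EK, so the server here searches its own clock window, which is what makes the skew tolerance and the replay record necessary. A deployment that sends TC alongside EK should still bound it to the window rather than trust the client's value.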
25 Claims
15. Software stored on a non-transitory computer readable medium for causing a network system to perform functions to authenticate a user over the network system, wherein the network system has at least one service server, at least one client device and a token provider communicable with one another through the internet, wherein the user has an account established with an account identifier (UserID) in the at least one service server, a hardware token assigned by the token provider, and an owner code (OC) known only by the user and the token provider, wherein the at least one service server has a uniquely global identifier (SC) and an authentication license (AL) associated with the identification information of the at least one service server, the hardware token and the user, wherein the AL is provided by the token provider and stored in the at least one service server, wherein the SC and the OC are stored in a database of the token provider, and wherein the hardware token is communicable with the at least one client device and the database of the token provider, the functions comprising:
a. entering the SC and the OC into the token by the user;
b. generating a first exposed key (EK) and a first hidden key (HK) by the token, wherein each of the EK and the HK is associated with at least the SC and the OC, and a time code (TC) and a noise code (NC) of the token, wherein the TC is the current time of the token when the EK and the HK are generated, and the NC is a built-in secret string of the token;
c. initializing a user login session of the at least one service server from the at least one client device by the user to enter the UserID and the generated EK thereinto, wherein the UserID and the generated EK are transmitted to the at least one service server through the internet;
d. computing a second exposed key (CEK) and a second hidden key (CHK) by the at least one service server based on the AL provided by the token provider;
e. authenticating the user by the at least one service server when the CEK is the same as the EK;
f. sending a response message to the at least one client device by the at least one service server, wherein the response message is encrypted with the CHK; and
g. decrypting the response message received from the at least one service server at the at least one client device by the HK.
16. A method for authenticating a user to render a piece of protected digital content stored in a compliant device in an offline system with a content publisher, a compliant device, a service server and a token provider, wherein the compliant device has a core content token (CCT) installed therein, wherein the service server has a uniquely global identifier (SC) and is adapted for providing a content license (CL) of the piece of protected digital content, wherein the user has an account established with an account identifier (UserID) in the service server, a hardware token assigned by the token provider, and an owner code (OC) known only by the user and the token provider, wherein the SC and the OC are stored in a database of the token provider, comprising the steps of:
a. generating two pairs of RSA public and private keys (PU_FOR_PUBLISHER, PR_FOR_PUBLISHER) and (PU_FOR_TOKEN, PR_FOR_TOKEN) by a consortium joined by the content publisher, the compliant device manufacturer, and the token provider such that (i) the token provider is assigned the public key PU_FOR_TOKEN; (ii) the content publishers are assigned the same public key PU_FOR_PUBLISHER; and (iii) the private keys PR_FOR_PUBLISHER and PR_FOR_TOKEN are stored in the core content token (CCT) installed in the compliant device;
b. packaging the digital content as a piece of the protected digital content by the content publisher;
c. requesting the content license (CL) of the protected digital content by the user from the service server;
d. providing a license exposed key (LEK) by the user with the hardware token to the compliant device; and
e. authenticating the offline user by the compliant device for rendering the protected digital content based on the received LEK and the content license, wherein the CCT is built by the consortium.
25. Software stored on a non-transitory computer readable medium for causing an offline system to perform functions to authenticate a user to render a piece of protected digital content stored in a compliant device in the offline system with a content publisher, a compliant device, a service server and a token provider, wherein the compliant device has a core content token (CCT) installed therein, wherein the service server has a uniquely global identifier (SC) and is adapted for providing a content license (CL) of the piece of protected digital content, wherein the user has an account established with an account identifier (UserID) in the service server, a hardware token assigned by the token provider, and an owner code (OC) known only by the user and the token provider, wherein the SC and the OC are stored in a database of the token provider, the functions comprising:
a. generating two pairs of RSA public and private keys (PU_FOR_PUBLISHER, PR_FOR_PUBLISHER) and (PU_FOR_TOKEN, PR_FOR_TOKEN) by a consortium joined by the content publisher, the compliant device manufacturer, and the token provider such that (i) the token provider is assigned the public key PU_FOR_TOKEN; (ii) the content publishers are assigned the same public key PU_FOR_PUBLISHER; and (iii) the private keys PR_FOR_PUBLISHER and PR_FOR_TOKEN are stored in the core content token (CCT) installed in the compliant device;
b. packaging the digital content as a piece of the protected digital content by the content publisher;
c. requesting the content license (CL) of the protected digital content by the user from the service server;
d. providing a license exposed key (LEK) by the user with the hardware token to the compliant device; and
e. authenticating the offline user by the compliant device for rendering the protected digital content based on the received LEK and the content license.