Mobile smartcard based authentication

US 8,132,244 B2
Filed: 11/26/2008
Issued: 03/06/2012
Est. Priority Date: 12/07/2007
Status: Active Grant

First Claim

Patent Images

1. A method for processing authentication information in a smartcard reader, said method comprising:

receiving, by the smartcard reader, a challenge from an authentication server via a first computing device connected to the authentication server via a network;

after said receiving the challenge, said smartcard reader transferring the challenge to a smartcard;

after said transferring the challenge to the smartcard, said smartcard reader receiving a response to the challenge from the smartcard, said response comprising an encryption of the challenge, said response comprising a first part and a second part, said encryption of the challenge having been generated through use of a private authentication key of a user;

in response to the smartcard reader having received the response from the smartcard, said smartcard reader sending the first part of the response to the authentication server via the first computing device;

after said sending the first part of the response to the authentication server, said smartcard reader obtaining the challenge from the authentication server via a second computing device connected to the authentication server via the network, said second computing device and said first computing device being different computing devices;

after said obtaining the challenge, said smartcard reader providing the challenge to the smartcard;

after said providing the challenge to the smartcard, said smartcard reader obtaining the response from the smartcard;

in response to the smartcard reader having obtained the response from the smartcard, displaying the second part of the response to the user via a user interface at the smartcard reader.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an authentication server, information representing a first part of a response to a challenge is received during the authentication preparation phase. The challenge and the first part of the response are stored for further use. The challenge is resent and information representing a second part of the response to the challenge is received during a modified authentication phase. The first and second parts of the response are checked against the challenge for authenticating the user. In a smartcard reader, the response received from the smartcard is sent to a computing device, when the smartcard reader received the challenge via an interface to the computing device during normal authentication. In response to the smartcard reader having received the challenge via the interface to the computing device during an authentication preparation phase, the smartcard reader sends the first part of the response to the computing device. In response to the smartcard reader having received the challenge via a user interface, it presents at least the second part of the response to a user via the user interface.

10 Citations

View as Search Results

18 Claims

1. A method for processing authentication information in a smartcard reader, said method comprising:
- receiving, by the smartcard reader, a challenge from an authentication server via a first computing device connected to the authentication server via a network;
  
  after said receiving the challenge, said smartcard reader transferring the challenge to a smartcard;
  
  after said transferring the challenge to the smartcard, said smartcard reader receiving a response to the challenge from the smartcard, said response comprising an encryption of the challenge, said response comprising a first part and a second part, said encryption of the challenge having been generated through use of a private authentication key of a user;
  
  in response to the smartcard reader having received the response from the smartcard, said smartcard reader sending the first part of the response to the authentication server via the first computing device;
  
  after said sending the first part of the response to the authentication server, said smartcard reader obtaining the challenge from the authentication server via a second computing device connected to the authentication server via the network, said second computing device and said first computing device being different computing devices;
  
  after said obtaining the challenge, said smartcard reader providing the challenge to the smartcard;
  
  after said providing the challenge to the smartcard, said smartcard reader obtaining the response from the smartcard;
  
  in response to the smartcard reader having obtained the response from the smartcard, displaying the second part of the response to the user via a user interface at the smartcard reader.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, said method further comprising:
    - after said transferring the challenge to the smartcard, said smartcard reader receiving a first entry by the user of a Personal Identification Number (PIN) of the user at the smartcard reader; and
      
      in response to said receiving the first entry of the PIN, said smartcard reader sending the first entry of the PIN to the smartcard,wherein said receiving the response from the smartcard is performed after the response has been generated by the smartcard in response to the smartcard having received the first entry of the PIN from the smartcard reader.
  - 3. The method of claim 2, said method further comprising:
    - after said providing the challenge to the smartcard, said smartcard reader receiving a second entry by the user of the PIN at the smartcard reader; and
      
      in response to said receiving the second entry of the PIN, said smartcard reader sending the second entry of the PIN to the smartcard,wherein said obtaining the response from the smartcard is performed after the response has been generated by the smartcard in response to the smartcard having received the second entry of the PIN from the smartcard reader.
  - 4. The method of claim 1, said method further comprising:
    - in response to said displaying the second part of the response to the user, receiving an entry by the user of the second part of the response;
      
      in response to said receiving the second part of the response, sending the second part of the response to the authentication server via the second computing device.
  - 5. The method of claim 4, said response consisting of the first part and the second part, said method further comprising:
    - after the authentication server has received the second part of the response sent via the second computing device, said authentication server generating a combined response by combining the first and second parts of the response;
      
      after said generating the combined response, said authentication server decrypting the combined response; and
      
      said authentication server determining that the decrypted combined response is equal to the challenge.
  - 6. The method of claim 1, wherein the first computing device is a trusted computing device that is trusted by the user, and wherein the second computing device is a non-trusted computing device that is not trusted by the user.

7. A computer program product, comprising a computer readable physically tangible storage device having computer readable program code stored therein, said program code configured to be executed by at least one processor of a data processing system to implement a method for processing authentication information in a smartcard reader comprised by the data processing system, said method comprising:
- receiving, by the smartcard reader, a challenge from an authentication server via a first computing device connected to the authentication server via a network;
  
  after said receiving the challenge, said smartcard reader transferring the challenge to a smartcard;
  
  after said transferring the challenge to the smartcard, said smartcard reader receiving a response to the challenge from the smartcard, said response comprising an encryption of the challenge, said response comprising a first part and a second part, said encryption of the challenge having been generated through use of a private authentication key of a user;
  
  in response to the smartcard reader having received the response from the smartcard, said smartcard reader sending the first part of the response to the authentication server via the first computing device;
  
  after said sending the first part of the response to the authentication server, said smartcard reader obtaining the challenge from the authentication server via a second computing device connected to the authentication server via the network, said second computing device and said first computing device being different computing devices;
  
  after said obtaining the challenge, said smartcard reader providing the challenge to the smartcard;
  
  after said providing the challenge to the smartcard, said smartcard reader obtaining the response from the smartcard;
  
  in response to the smartcard reader having obtained the response from the smartcard, displaying the second part of the response to the user via a user interface at the smartcard reader.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer program product of claim 7, said method further comprising:
    - after said transferring the challenge to the smartcard, said smartcard reader receiving a first entry by the user of a Personal Identification Number (PIN) of the user at the smartcard reader; and
      
      in response to said receiving the first entry of the PIN, said smartcard reader sending the first entry of the PIN to the smartcard,wherein said receiving the response from the smartcard is performed after the response has been generated by the smartcard in response to the smartcard having received the first entry of the PIN from the smartcard reader.
  - 9. The computer program product of claim 8, said method further comprising:
    - after said providing the challenge to the smartcard, said smartcard reader receiving a second entry by the user of the PIN at the smartcard reader; and
      
      in response to said receiving the second entry of the PIN, said smartcard reader sending the second entry of the PIN to the smartcard,wherein said obtaining the response from the smartcard is performed after the response has been generated by the smartcard in response to the smartcard having received the second entry of the PIN from the smartcard reader.
  - 10. The computer program product of claim 7, said method further comprising:
    - in response to said displaying the second part of the response to the user, receiving an entry by the user of the second part of the response;
      
      in response to said receiving the second part of the response, sending the second part of the response to the authentication server via the second computing device.
  - 11. The computer program product of claim 10, said response consisting of the first part and the second part, said method further comprising:
    - after the authentication server has received the second part of the response sent via the second computing device, said authentication server generating a combined response by combining the first and second parts of the response;
      
      after said generating the combined response, said authentication server decrypting the combined response; and
      
      said authentication server determining that the decrypted combined response is equal to the challenge.
  - 12. The computer program product of claim 7, wherein the first computing device is a trusted computing device that is trusted by the user, and wherein the second computing device is a non-trusted computing device that is not trusted by the user.

13. A data processing system comprising at least one processor, a computer readable memory unit coupled to the processor, and a physically tangible storage device coupled to the processor, said storage device storing program code configured to be executed by the at least one processor via the memory unit to implement a method for processing authentication information in a smartcard reader comprised by the data processing system, said method comprising:
- receiving, by the smartcard reader, a challenge from an authentication server via a first computing device connected to the authentication server via a network;
  
  after said receiving the challenge, said smartcard reader transferring the challenge to a smartcard;
  
  after said transferring the challenge to the smartcard, said smartcard reader receiving a response to the challenge from the smartcard, said response comprising an encryption of the challenge, said response comprising a first part and a second part, said encryption of the challenge having been generated through use of a private authentication key of a user;
  
  in response to the smartcard reader having received the response from the smartcard, said smartcard reader sending the first part of the response to the authentication server via the first computing device;
  
  after said sending the first part of the response to the authentication server, said smartcard reader obtaining the challenge from the authentication server via a second computing device connected to the authentication server via the network, said second computing device and said first computing device being different computing devices;
  
  after said obtaining the challenge, said smartcard reader providing the challenge to the smartcard;
  
  after said providing the challenge to the smartcard, said smartcard reader obtaining the response from the smartcard;
  
  in response to the smartcard reader having obtained the response from the smartcard, displaying the second part of the response to the user via a user interface at the smartcard reader.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The data processing system of claim 13, said method further comprising:
    - after said transferring the challenge to the smartcard, said smartcard reader receiving a first entry by the user of a Personal Identification Number (PIN) of the user at the smartcard reader; and
      
      in response to said receiving the first entry of the PIN, said smartcard reader sending the first entry of the PIN to the smartcard,wherein said receiving the response from the smartcard is performed after the response has been generated by the smartcard in response to the smartcard having received the first entry of the PIN from the smartcard reader.
  - 15. The data processing system of claim 14, said method further comprising:
    - after said providing the challenge to the smartcard, said smartcard reader receiving a second entry by the user of the PIN at the smartcard reader; and
      
      in response to said receiving the second entry of the PIN, said smartcard reader sending the second entry of the PIN to the smartcard,wherein said obtaining the response from the smartcard is performed after the response has been generated by the smartcard in response to the smartcard having received the second entry of the PIN from the smartcard reader.
  - 16. The data processing system of claim 13, said method further comprising:
    - in response to said displaying the second part of the response to the user, receiving an entry by the user of the second part of the response;
      
      in response to said receiving the second part of the response, sending the second part of the response to the authentication server via the second computing device.
  - 17. The data processing system of claim 16, said response consisting of the first part and the second part, said method further comprising:
    - after the authentication server has received the second part of the response sent via the second computing device, said authentication server generating a combined response by combining the first and second parts of the response;
      
      after said generating the combined response, said authentication server decrypting the combined response; and
      
      said authentication server determining that the decrypted combined response is equal to the challenge.
  - 18. The data processing system of claim 13, wherein the first computing device is a trusted computing device that is trusted by the user, and wherein the second computing device is a non-trusted computing device that is not trusted by the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Baltzer, Boris
Primary Examiner(s)
Popham, Jeffrey D
Assistant Examiner(s)
Potratz, Daniel

Application Number

US12/323,778
Publication Number

US 20090150667A1
Time in Patent Office

1,196 Days
Field of Search

726/9, 726/20, 726/30, 713/159, 713/172, 713/185
US Class Current

726/9
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 21/42   using separate channels for...

G06F 2221/2103   Challenge-response

H04L 63/0853   using an additional device,...

H04L 63/18   using different networks or...

Mobile smartcard based authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

10 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Mobile smartcard based authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others