One time password key ring for mobile computing device
Abstract
Single-use character combinations are a secure mechanism for user authentication. Such “one-time passwords” (OTPs) can be generated by a mobile device to which the user otherwise maintains easy access. A key exchange, such as in accordance with the Diffie-Hellman algorithm, can provide both the mobile device and a server with a shared secret from which the OTPs can be generated. The shared secret can be derived from parameters posted on the server and updated periodically, and the mobile device can obtain such parameters from the server before generating an OTP. Such parameters can also specify the type of OTP mechanism to be utilized. A second site can, independently, establish an OTP mechanism with the mobile device. For efficiency, the first server can provide an identity token which provides the mobile device's public key in a trusted manner, enabling more efficient generation of the shared secret with the second server.
20 Claims
1. One or more computer-readable storage media, the one or more computer-readable storage media not consisting of a propagating signal, the one or more computer-readable storage media comprising computer-executable instructions for provisioning independent generation of single-use combinations of characters to aid in remote verification, the computer-executable instructions directed to steps comprising:
- receiving, from a server computing device, multiple alternative sets of provisioning information, each alternative set of provisioning information comprising a set of parameters and a server computing device public key corresponding to that set of parameters that are both unique among the received multiple alternative sets of provisioning information;
- selecting, from among the received multiple alternative sets of provisioning information, a single selected set of provisioning information;
- creating a client public key from a randomly selected value that is a client private key and the parameters of the single selected set of provisioning information that was selected from among the received multiple alternative sets of provisioning information;
- creating a shared secret from the client private key and the parameters and server computing device public key of the single selected set of provisioning information that was selected from among the received multiple alternative sets of provisioning information; and
- creating the single-use combination of characters from the shared secret.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. One or more computer-readable storage media, the one or more computer-readable storage media not consisting of a propagating signal, the one or more computer-readable storage media comprising computer-executable instructions for provisioning independent generation of single-use combinations of characters to aid in remote verification, the computer-executable instructions directed to steps comprising:
- creating a server computing device private key from a random value;
- creating multiple alternative sets of provisioning information, each alternative set of provisioning information comprising a set of parameters and a server computing device public key corresponding to that set of parameters that are both unique among the created multiple alternative sets of provisioning information;
- providing the multiple alternative sets of provisioning information to a client;
- receiving, from the client, a single selected set of provisioning information, selected from among the multiple alternative sets of provisioning information, and a client public key;
- creating a shared secret from the server computing device private key, the parameters of the received single selected set of provisioning information that was selected from among the multiple alternative sets of provisioning information, and the received client public key; and
- creating the single-use combination of characters from the shared secret.

Dependent claims: 11, 12, 13, 14, 15.
16. A system for providing protected information to at least one user, the system comprising:
- a server computing device associated with a site providing at least some of the protected information, the server computing device comprising a first shared secret from which single-use combinations of characters are created and multiple alternative sets of provisioning information, each alternative set of provisioning information comprising a set of parameters and a server computing device public key corresponding to that set of parameters that are both unique among the created multiple alternative sets of provisioning information, the server computing device generating the first shared secret based on a server computing device private key, a mobile computing device public key, and a single selected set of provisioning information that is selected from among the multiple alternative sets of provisioning information; and
- a mobile computing device utilized by the at least one user to generate a single-use combination of characters to verify the at least one user to the site, the mobile computing device comprising a second shared secret, equivalent to the first shared secret, from which the single-use combination of characters is created, the mobile computing device selecting the single set of provisioning information from among the multiple alternative sets of provisioning information and generating the second shared secret based on a mobile computing device private key and the single selected set of provisioning information that was selected by the mobile computing device from among the multiple alternative sets of provisioning information, the mobile computing device generating the second shared secret independently of the server computing device's generation of the first shared secret.

Dependent claims: 17, 18, 19, 20.
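The exchange described in the abstract and in claims 1, 10 and 16, as an added Python example that is not part of the patent: the server posts several alternative parameter sets, each with its own public key; the mobile client selects one, draws a random private key, and both sides derive the same shared secret and from it the same OTP without further interaction. The Mersenne-prime toy groups, the HOTP-style derivation, the `otp_digits` field and the "largest modulus" selection policy are assumptions made here, not anything the patent specifies.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Toy DH groups (Mersenne primes 2^521-1 and 2^607-1 with small generators) constructed for
# this demonstration only; they stand in for the alternative parameter sets a real server posts.
TOY_GROUPS = [("grp-521", (1 << 521) - 1, 3, 6), ("grp-607", (1 << 607) - 1, 5, 8)]

@dataclass(frozen=True)
class ProvisioningSet:
    set_id: str      # names this alternative set
    p: int           # group modulus (parameters)
    g: int           # generator (parameters)
    otp_digits: int  # parameters also select the OTP mechanism (here: code length)
    server_pub: int  # server public key unique to this parameter set

def derive_otp(shared_secret: int, counter: int, digits: int) -> str:
    """HOTP-style dynamic truncation (RFC 4226) keyed by a hash of the DH shared secret (assumed)."""
    key = hashlib.sha256(shared_secret.to_bytes((shared_secret.bit_length() + 7) // 8, "big")).digest()
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Server:
    def __init__(self, groups=TOY_GROUPS):
        self._priv, self.sets = {}, []  # a distinct random private key for every alternative set
        for set_id, p, g, digits in groups:
            self._priv[set_id] = x = secrets.randbelow(p - 3) + 2
            self.sets.append(ProvisioningSet(set_id, p, g, digits, pow(g, x, p)))
    def otp_for(self, set_id: str, client_pub: int, counter: int) -> str:
        s = next(s for s in self.sets if s.set_id == set_id)
        if not 1 < client_pub < s.p - 1:  # refuse degenerate public values
            raise ValueError("invalid client public key")
        return derive_otp(pow(client_pub, self._priv[set_id], s.p), counter, s.otp_digits)

class MobileClient:
    def provision(self, offered: list) -> tuple:
        self.sel = max(offered, key=lambda s: s.p)  # selection policy (assumed): largest modulus
        self._priv = secrets.randbelow(self.sel.p - 3) + 2
        self._secret = pow(self.sel.server_pub, self._priv, self.sel.p)
        return self.sel.set_id, pow(self.sel.g, self._priv, self.sel.p)  # sent to the server
    def otp(self, counter: int) -> str:
        return derive_otp(self._secret, counter, self.sel.otp_digits)

def run_exchange(counter: int = 1) -> tuple:
    # Server posts its sets; client selects one; each side derives the OTP independently.
    server, client = Server(), MobileClient()
    set_id, client_pub = client.provision(server.sets)
    return set_id, client.otp(counter), server.otp_for(set_id, client_pub, counter)
```

Only the selected set identifier and the client public key cross the wire after provisioning; the server never learns the client private key, and a second site can run the same exchange with its own parameter sets.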