One time password key ring for mobile computing device

US 8,230,231 B2
Filed: 04/14/2009
Issued: 07/24/2012
Est. Priority Date: 04/14/2009
Status: Active Grant

First Claim

Patent Images

1. One or more computer-readable storage media, the one or more computer-readable storage media not consisting of a propagating signal, the one or more computer-readable storage media comprising computer-executable instructions for provisioning independent generation of single-use combinations of characters to aid in remote verification, the computer-executable instructions directed to steps comprising:

receiving, from a server computing device, multiple alternative sets of provisioning information, each alternative set of provisioning information comprising a set of parameters and a server computing device public key corresponding to that set of parameters that are both unique among the received multiple alternative sets of provisioning information;

selecting, from among the received multiple alternative sets of provisioning information, a single selected set of provisioning information;

creating a client public key from a randomly selected value that is a client private key and the parameters of the single selected set of provisioning information that was selected from among the received multiple alternative sets of provisioning information;

creating a shared secret from the client private key and the parameters and server computing device public key of the single selected set of provisioning information that was selected from among the received multiple alternative sets of provisioning information; and

creating the single-use combination of characters from the shared secret.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Single-use character combinations are a secure mechanism for user authentication. Such “one-time passwords” (OTPs) can be generated by a mobile device to which the user otherwise maintains easy access. A key exchange, such as in accordance with the Diffie-Hellman algorithm, can provide both the mobile device and a server with a shared secret from which the OTPs can be generated. The shared secret can be derived from parameters posted on the server and updated periodically, and the mobile device can obtain such parameters from the server before generating an OTP. Such parameters can also specify the type of OTP mechanism to be utilized. A second site can, independently, establish an OTP mechanism with the mobile device. For efficiency, the first server can provide an identity token which provides the mobile device'"'"'s public key in a trusted manner, enabling more efficient generation of the shared secret with the second server.

Citations

20 Claims

1. One or more computer-readable storage media, the one or more computer-readable storage media not consisting of a propagating signal, the one or more computer-readable storage media comprising computer-executable instructions for provisioning independent generation of single-use combinations of characters to aid in remote verification, the computer-executable instructions directed to steps comprising:
- receiving, from a server computing device, multiple alternative sets of provisioning information, each alternative set of provisioning information comprising a set of parameters and a server computing device public key corresponding to that set of parameters that are both unique among the received multiple alternative sets of provisioning information;
  
  selecting, from among the received multiple alternative sets of provisioning information, a single selected set of provisioning information;
  
  creating a client public key from a randomly selected value that is a client private key and the parameters of the single selected set of provisioning information that was selected from among the received multiple alternative sets of provisioning information;
  
  creating a shared secret from the client private key and the parameters and server computing device public key of the single selected set of provisioning information that was selected from among the received multiple alternative sets of provisioning information; and
  
  creating the single-use combination of characters from the shared secret.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-readable storage media of claim 1, comprising further computer-executable instructions for establishing a communicational connection with a personal computing device and providing the single-use combination of characters to one or more application programs executing on the personal computing device and communicationally coupled to a remote entity associated with the server computing device.
  - 3. The computer-readable storage media of claim 1, comprising further computer-executable instructions for displaying the single-use combination of characters to a user.
  - 4. The computer-readable storage media of claim 1, comprising further computer-executable instructions for obtaining an identity token from another server computing device with which the independent generation of the single-use combinations of characters have already been provisioned and providing the identity token to the server computing device.
  - 5. The computer-readable storage media of claim 1, comprising further computer-executable instructions for:
    - receiving a registration code generated by the server computing device;
      
      providing client data to the server computing device, the client data comprising;
      
      the single selected set of provisioning information and the client public key; and
      
      providing a cryptographic verification of the client data to the server computing device, the cryptographic verification being based on a combination of the shared secret and the registration code.
  - 6. The computer-readable storage media of claim 1, comprising further computer-executable instructions for:
    - creating a first confirmation code from the share secret;
      
      receiving a second confirmation code generated by the server computing device; and
      
      determining that the provisioning the independent generation of the single-use combinations of characters was successful if the first confirmation code is equivalent to the received second confirmation code.
  - 7. The computer-readable storage media of claim 1, comprising further computer-executable instructions for:
    - receiving challenge data generated by the server computing device;
      
      creating response data from the challenge data and the shared secret; and
      
      transmitting the response data to the server computing device in response to the received challenge data to verify proper provisioning of the independent generation of the single-use combinations of characters.
  - 8. The computer-readable storage media of claim 1, comprising further computer-executable instructions for:
    - determining that the received multiple alternative sets of provisioning information have expired;
      
      requesting, in response to the determining, new multiple alternative sets of provisioning information; and
      
      repeating the receiving, the selected, the creating the client public key, the creating the shared secret, and the creating the single-use combination of characters with the new multiple alternative sets of provisioning information.
  - 9. The computer-readable storage media of claim 1, wherein the single-use combination of characters is created from both the shared secret and a challenge issued by the remote entity.

10. One or more computer-readable storage media, the one or more computer-readable storage media not consisting of a propagating signal, the one or more computer-readable storage media comprising computer-executable instructions for provisioning independent generation of single-use combinations of characters to aid in remote verification, the computer-executable instructions directed to steps comprising:
- creating a server computing device private key from a random value;
  
  creating multiple alternative sets of provisioning information, each alternative set of provisioning information comprising a set of parameters and a server computing device public keys corresponding to that set of parameters that are both unique among the created multiple alternative sets of provisioning information;
  
  providing the multiple alternative sets of provisioning information to a client;
  
  receiving, from the client, a single selected set of provisioning information, selected from among the multiple alternative sets of provisioning information, and a client public key;
  
  creating a shared secret from the server computing device private key, the parameters of the received single selected set of provisioning information that was selected from among the multiple alternative sets of provisioning information, and the received client public key; and
  
  creating the single-use combination of characters from the shared secret.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The computer-readable storage media of claim 10, comprising further computer-executable instructions for receiving an identity token comprising the received client public key, the identity token having been issued by a site with which the client has already provisioned the independent generation of the single-use combinations of characters.
  - 12. The computer-readable storage media of claim 10, comprising further computer-executable instructions for creating a registration code and verifying a received cryptographic hash of the received single selected set of provisioning information and the received client public key with reference to the registration code and the shared secret.
  - 13. The computer-readable storage media of claim 10, comprising further computer-executable instructions for:
    - creating a first confirmation code from the shared secret;
      
      receiving a second confirmation code generated by client; and
      
      determining that the provisioning the independent generation of the single-use combinations of characters was successful if the first confirmation code is equivalent to the received second confirmation code.
  - 14. The computer-readable storage media of claim 10, comprising further computer-executable instructions for:
    - receiving a first single-use combination of characters generated by the client as a remote verification;
      
      generating challenge data;
      
      creating a second single-use combination of characters from the shared secret and the generated challenge data;
      
      an verifying the client if the first single-use combination of characters is equivalent to the second single-use combination of characters.
  - 15. The computer-readable storage media of claim 10, comprising further computer-executable instructions for creating new, updated multiple alternatives is of provisioning information after at least some of the multiple alternative sets of provisioning information have expired;
    - and repeating the receiving, the creating the shared secret and the creating the single-use combination of characters with the new, updated multiple alternative sets of provisioning information.

16. A system for providing protected information to at least one user, the system comprising:
- a server computing device associated with a site providing at least some of the protected information, the server computing device comprising a first shared secret from which single-use combinations of characters are created and multiple alternative sets of provisioning information, each alternative set of provisioning information comprising a set of parameters and a server computing device public key corresponding to that set of parameters that are both unique among the created multiple alternative sets of provisioning information, the server computing device generating the first shared secret based on a server computing device private key, a mobile computing device public key, and a single selected set of provisioning information that is selected from among the multiple alternative sets of provisioning information; and
  
  a mobile computing device utilized by the at least one user to generate a single-use combination of characters to verify the at least one user to the site, the mobile computing device comprising a second shared secret, equivalent to the first shared secret, from which the single-use combination of characters is created, the mobile computing device selecting the single set of provisioning information from among the multiple alternative sets of provisioning information and generating the second shared secret based on a mobile computing device private key and the single selected set of provisioning information that was selected by the mobile computing device from among the multiple alternative sets of provisioning information, the mobile computing device generating the second shared secret independently of the server computing device'"'"'s generation of the first shared secret.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, wherein the mobile computing device further comprises computer-executable instructions for performing steps comprising:
    - receiving, from the server computing device, the multiple alternative sets of provisioning information;
      
      selecting, from among the received multiple alternative sets of provisioning information, the single selected set of provisioning information;
      
      creating the mobile computing device public key from a randomly selected value that is the mobile computed device private key and the parameters of the single selected set of provisioning information that was selected from among the received multiple alternative sets of provisioning information and, creating the second shared secret from the mobile computing device private key and the parameters and see server computing device public key of the single selected set of provisioning information that was selected from among the received multiple alternative sets of provisioning information; and
      
      wherein further the server computing device further comprises computer-executable instructions for performing steps comprising;
      
      creating the server computing device private key from another random value;
      
      creating the multiple alternative sets of provisioning information;
      
      receiving, from the mobile device, the single selected set of provisioning information and the mobile computing device public key and;
      
      creating the first shared secret from the server computing device private key, the parameters of the received single selected set of provisioning information, and the received mobile computing device public key.
  - 18. The system of claim 16, wherein the first shared secret is created by the server computing device using a public key of the mobile computing device provided to the server computing device via an identity token;
    - the system further comprising a second server computing device associated with a second site providing more of the protected information, wherein the mobile computing device has already provisioned a single-use combination of characters generation mechanism with the second site, the second server computing device comprising the identity token.
  - 19. The system of claim 16, further comprising a personal computing device utilized by the at least one user to access the protected information through the site, the personal computing device comprising a communicational connection with the mobile computing device and one or more application programs for accessing the protected information through the site, the one or more application programs comprising computer-executable instructions for obtaining the single-use combination of characters from the mobile device through the communicational connection.
  - 20. The system of claim 16, further comprising a personal computing device associated with the site, the personal computing device comprising a communicational connection with the mobile device and a provisioning application program comprising computer-executable instructions for providing, to the mobile device through the communicational connection, provisioning information comprising at least one public key of the server computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Freeman, Trevor William, Benaloh, Josh, Biccum, K John, Shah, Atul Kumar
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
Su, Sarah

Application Number

US12/423,163
Publication Number

US 20100262834A1
Time in Patent Office

1,197 Days
Field of Search

713150-194, 726 1- 36, 380/44
US Class Current

713/184
CPC Class Codes

G06F 21/31   User authentication

G06F 21/33   using certificates

H04L 2209/80   Wireless

H04L 63/0838   using one-time-passwords

H04L 9/0891   Revocation or update of sec...

H04L 9/3228   One-time or temporary data,...

H04L 9/3247   involving digital signatures

H04L 9/3271   using challenge-response

One time password key ring for mobile computing device

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

One time password key ring for mobile computing device

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links