Authentication system and method for operating the same

US 8,447,984 B1
Filed: 06/25/2004
Issued: 05/21/2013
Est. Priority Date: 06/25/2004
Status: Active Grant

First Claim

Patent Images

1. An authentication system, comprising:

an authentication card having a unique identifier, the authentication card being configured to include a private portion of an authentication keypair and an anonymous authentication certificate;

a card reader capable of interfacing with the authentication card, the card reader being configured to access information stored on the authentication card;

a client computing system connected to communicate with the card reader; and

a server computing system connected to communicate with the client computing system, the server computing system including a memory having a user record stored therein, the user record including the unique identifier of the authentication card, a user name assigned to the authentication card, and the anonymous authentication certificate of the authentication card having a public portion of the authentication keypair, wherein the anonymous authentication certificate is stored on the authentication card during provisioning of the authentication card and is placed in the user record in association with the unique identifier of the authentication card during a user enrollment process that links the user name to the anonymous authentication certificate,wherein the presence of the anonymous authentication certificate in the user record enables the server computing system to authenticate the authentication card without communication with an external certificate authority,wherein the server is configured to transmit a challenge string to the authentication card, the authentication card being configured to encrypt the challenge string using the private portion of the authentication keypair and transmit the encrypted challenge string to the server as a response, the server being configured to decrypt the response using the public portion of the authentication keypair, the server being further configured to determine if the decrypted response matches the challenge string transmitted to the authentication card.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A challenge string is sent from a server to an authentication card. The challenge string is encrypted using a private key on the authentication card. Then, the encrypted challenge string is sent as a response from the authentication card to the server. A unique identifier of the authentication card is correlated to a user record residing at the server to obtain an authentication certificate from within the user record. The authentication certificate includes a public key. The public key from the authentication certificate is used to decrypt the response at the server. A determination is then made as to whether the decrypted response matches the challenge string as originally sent from the server to the authentication card. If the decrypted response matches the original challenge string, the authentication is successful. Otherwise, the authentication fails.

11 Citations

View as Search Results

25 Claims

1. An authentication system, comprising:
- an authentication card having a unique identifier, the authentication card being configured to include a private portion of an authentication keypair and an anonymous authentication certificate;
  
  a card reader capable of interfacing with the authentication card, the card reader being configured to access information stored on the authentication card;
  
  a client computing system connected to communicate with the card reader; and
  
  a server computing system connected to communicate with the client computing system, the server computing system including a memory having a user record stored therein, the user record including the unique identifier of the authentication card, a user name assigned to the authentication card, and the anonymous authentication certificate of the authentication card having a public portion of the authentication keypair, wherein the anonymous authentication certificate is stored on the authentication card during provisioning of the authentication card and is placed in the user record in association with the unique identifier of the authentication card during a user enrollment process that links the user name to the anonymous authentication certificate,wherein the presence of the anonymous authentication certificate in the user record enables the server computing system to authenticate the authentication card without communication with an external certificate authority,wherein the server is configured to transmit a challenge string to the authentication card, the authentication card being configured to encrypt the challenge string using the private portion of the authentication keypair and transmit the encrypted challenge string to the server as a response, the server being configured to decrypt the response using the public portion of the authentication keypair, the server being further configured to determine if the decrypted response matches the challenge string transmitted to the authentication card.
- View Dependent Claims (2, 3, 4)
- - 2. An authentication system as recited in claim 1, wherein the authentication card is configured to require successful entry of a personal identification number (PIN) by a user to access information included in the authentication card.
  - 3. An authentication system as recited in claim 1, wherein an absence of the anonymous authentication certificate in the user record on the server computer system causes a failed authentication.
  - 4. An authentication system as recited in claim 1, wherein the authentication card is further configured to include one or more applets and a virtual machine to execute the one or more applets, wherein the one or more applets are defined to direct authentication operations.

5. A method for establishing an authentication system, comprising:
- prior to activating an authentication card for runtime use, provisioning an authentication card having a unique identifier with a private portion of an authentication keypair and an authentication certificate including a public portion of the authentication keypair;
  
  prior to activating the authentication card for runtime use, assigning the authentication card to an entity having a user record in an identity server;
  
  prior to activating the authentication card for runtime use, storing the unique identifier of the authentication card in the user record of the entity to which the authentication card is assigned;
  
  prior to activating the authentication card for runtime use, extracting the authentication certificate from the authentication card;
  
  prior to activating the authentication card for runtime use, storing the extracted authentication certificate in the user record of the entity to which the authentication card is assigned, wherein the authentication certificate extracted from the authentication card is the only authentication certificate allowed to be stored in the user record; and
  
  activating the authentication card for runtime use.
- View Dependent Claims (6, 7, 8, 9, 10)
- - 6. A method for establishing an authentication system as recited in claim 5, wherein activating the authentication card for runtime use includes setting a personal identification number (PIN) in the authentication card, the PIN enabling access to information contained within the authentication card.
  - 7. A method for establishing an authentication system as recited in claim 5, wherein provisioning the authentication card is completed prior to distribution of the authentication card to an end-user.
  - 8. A method for establishing an authentication system as recited in claim 5, wherein provisioning the authentication card includes storing one or more applets on the authentication card, the one or more applets being defined to direct authentication operations.
  - 9. A method for establishing an authentication system as recited in claim 5, wherein the authentication certificate is defined as an anonymous certificate keyed to the unique identifier of the authentication card.
  - 10. A method for establishing an authentication system as recited in claim 5, wherein the authentication certificate is an x.509 certificate.

11. A method for performing authentication, comprising:
- sending a challenge string from a server to an authentication card;
  
  using a private key on the authentication card to encrypt the challenge string;
  
  sending the encrypted challenge string as a response from the authentication card to the server;
  
  correlating a unique identifier of the authentication card to a user record residing at the server to obtain an authentication certificate including a public key from within the user record;
  
  using the public key from the authentication certificate to decrypt the response at the server; and
  
  determining if the decrypted response matches the challenge string as sent from the server to the authentication card, wherein a successful match results in a successful authentication and an unsuccessful match results in an unsuccessful authentication.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. A method for performing authentication as recited in claim 11, wherein using the public key from the authentication certificate is not contingent on validation of the authentication certificate with a Certificate Authority.
  - 13. A method for performing authentication as recited in claim 11, wherein the authentication certificate is defined as an anonymous certificate keyed to the unique identifier of the authentication card.
  - 14. A method for performing authentication as recited in claim 11, wherein using the private key on the authentication card to encrypt the challenge string is directed by an applet executing within the authentication card.
  - 15. A method for performing authentication as recited in claim 11, wherein the authentication certificate is an x.509 certificate.
  - 16. A method for performing authentication as recited in claim 11, further comprising:
    - revoking an authentication privilege by removing the authentication certificate from the user record residing at the server.
  - 17. A method for performing authentication as recited in claim 11, further comprising:
    - establishing an interface between the authentication card and the client; and
      
      supplying a correct personal identification number (PIN) to enable access to information stored in the authentication card.

18. A data storage device including program instructions for performing authentication, comprising:
- program instructions for sending a challenge string from a server to an authentication card;
  
  program instructions for using a private key on the authentication card to encrypt the challenge string;
  
  program instructions for sending the encrypted challenge string as a response from the authentication card to the server without sending an authentication certificate of the authentication card to the server;
  
  program instructions for correlating a unique identifier of the authentication card to a user record residing at the server to obtain the authentication certificate including a public key from within the user record;
  
  program instructions for using the public key from the authentication certificate to decrypt the response at the server; and
  
  program instructions for determining if the decrypted response matches the challenge string as sent from the server to the authentication card, wherein a successful match results in a successful authentication and an unsuccessful match results in an unsuccessful authentication.
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. A data storage device including program instructions for performing authentication as recited in claim 18, wherein the program instructions for using the public key from the authentication certificate do not include program instructions for validating the authentication certificate with a Certificate Authority.
  - 20. A data storage device including program instructions for performing authentication as recited in claim 18, wherein the authentication certificate is defined as an anonymous certificate keyed to the unique identifier of the authentication card.
  - 21. A data storage device including program instructions for performing authentication as recited in claim 18, wherein the program instructions for using the private key on the authentication card to encrypt the challenge string are defined within one or more applets capable of being executed on the authentication card.
  - 22. A data storage device including program instructions for performing authentication as recited in claim 18, wherein the authentication certificate is an x.509 certificate.
  - 23. A data storage device including program instructions for performing authentication as recited in claim 18, further comprising:
    - program instructions for concluding the authentication process in an unsuccessful state upon recognizing an absence of the authentication certificate within the user record residing at the server.
  - 24. A data storage device including program instructions for performing authentication as recited in claim 18, further comprising:
    - program instructions for requiring a correct personal identification number (PIN) to be supplied to enable access to information stored in the authentication card.

25. An authentication system, comprising:
- means for sending a challenge string from a server to an authentication card;
  
  means for using a private key on an authentication card to encrypt the challenge string;
  
  means for sending the encrypted challenge string as a response from the authentication card to the server without sending an authentication certificate of the authentication card to the server;
  
  means for correlating a unique identifier of the authentication card to a user record residing at the server to obtain the authentication certificate including a public key from within the user record;
  
  means for using the public key from the authentication certificate to decrypt the response at the server; and
  
  means for determining if the decrypted response matches the challenge string as sent from the server to the authentication card, wherein a successful match results in a successful authentication and an unsuccessful match results in an unsuccessful authentication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Oracle America, Inc. (Oracle Corporation)
Inventors
Siegel, Ellen H., Hare, Dwight F., Ravishankar, Tanjore S.
Primary Examiner(s)
ZECHER, CORDELIA P K

Application Number

US10/877,743
Time in Patent Office

3,252 Days
Field of Search

713/185
US Class Current

713/173
CPC Class Codes

G06Q 20/4097   using mutual authentication...

G06Q 20/40975   using encryption therefor

G07C 2009/00388   code verification carried o...

H04L 63/0853   using an additional device,...

H04L 9/3268   using certificate validatio...

H04L 9/3273   for mutual authentication n...

Authentication system and method for operating the same

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

11 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

Authentication system and method for operating the same

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others