Authentication system and method for operating the same
Abstract
A challenge string is sent from a server to an authentication card. The challenge string is encrypted using a private key on the authentication card. Then, the encrypted challenge string is sent as a response from the authentication card to the server. A unique identifier of the authentication card is correlated to a user record residing at the server to obtain an authentication certificate from within the user record. The authentication certificate includes a public key. The public key from the authentication certificate is used to decrypt the response at the server. A determination is then made as to whether the decrypted response matches the challenge string as originally sent from the server to the authentication card. If the decrypted response matches the original challenge string, the authentication is successful. Otherwise, the authentication fails.
25 Claims
1. An authentication system, comprising:
- an authentication card having a unique identifier, the authentication card being configured to include a private portion of an authentication keypair and an anonymous authentication certificate;
- a card reader capable of interfacing with the authentication card, the card reader being configured to access information stored on the authentication card;
- a client computing system connected to communicate with the card reader; and
- a server computing system connected to communicate with the client computing system, the server computing system including a memory having a user record stored therein, the user record including the unique identifier of the authentication card, a user name assigned to the authentication card, and the anonymous authentication certificate of the authentication card having a public portion of the authentication keypair,
- wherein the anonymous authentication certificate is stored on the authentication card during provisioning of the authentication card and is placed in the user record in association with the unique identifier of the authentication card during a user enrollment process that links the user name to the anonymous authentication certificate,
- wherein the presence of the anonymous authentication certificate in the user record enables the server computing system to authenticate the authentication card without communication with an external certificate authority,
- wherein the server is configured to transmit a challenge string to the authentication card, the authentication card being configured to encrypt the challenge string using the private portion of the authentication keypair and transmit the encrypted challenge string to the server as a response, the server being configured to decrypt the response using the public portion of the authentication keypair, the server being further configured to determine if the decrypted response matches the challenge string transmitted to the authentication card.

(Dependent claims: 2, 3, 4)

5. A method for establishing an authentication system, comprising:
- prior to activating an authentication card for runtime use, provisioning an authentication card having a unique identifier with a private portion of an authentication keypair and an authentication certificate including a public portion of the authentication keypair;
- prior to activating the authentication card for runtime use, assigning the authentication card to an entity having a user record in an identity server;
- prior to activating the authentication card for runtime use, storing the unique identifier of the authentication card in the user record of the entity to which the authentication card is assigned;
- prior to activating the authentication card for runtime use, extracting the authentication certificate from the authentication card;
- prior to activating the authentication card for runtime use, storing the extracted authentication certificate in the user record of the entity to which the authentication card is assigned, wherein the authentication certificate extracted from the authentication card is the only authentication certificate allowed to be stored in the user record; and
- activating the authentication card for runtime use.

(Dependent claims: 6, 7, 8, 9, 10)

11. A method for performing authentication, comprising:
- sending a challenge string from a server to an authentication card;
- using a private key on the authentication card to encrypt the challenge string;
- sending the encrypted challenge string as a response from the authentication card to the server;
- correlating a unique identifier of the authentication card to a user record residing at the server to obtain an authentication certificate including a public key from within the user record;
- using the public key from the authentication certificate to decrypt the response at the server; and
- determining if the decrypted response matches the challenge string as sent from the server to the authentication card, wherein a successful match results in a successful authentication and an unsuccessful match results in an unsuccessful authentication.

(Dependent claims: 12, 13, 14, 15, 16, 17)

18. A data storage device including program instructions for performing authentication, comprising:
- program instructions for sending a challenge string from a server to an authentication card;
- program instructions for using a private key on the authentication card to encrypt the challenge string;
- program instructions for sending the encrypted challenge string as a response from the authentication card to the server without sending an authentication certificate of the authentication card to the server;
- program instructions for correlating a unique identifier of the authentication card to a user record residing at the server to obtain the authentication certificate including a public key from within the user record;
- program instructions for using the public key from the authentication certificate to decrypt the response at the server; and
- program instructions for determining if the decrypted response matches the challenge string as sent from the server to the authentication card, wherein a successful match results in a successful authentication and an unsuccessful match results in an unsuccessful authentication.

(Dependent claims: 19, 20, 21, 22, 23, 24)

25. An authentication system, comprising:
- means for sending a challenge string from a server to an authentication card;
- means for using a private key on an authentication card to encrypt the challenge string;
- means for sending the encrypted challenge string as a response from the authentication card to the server without sending an authentication certificate of the authentication card to the server;
- means for correlating a unique identifier of the authentication card to a user record residing at the server to obtain the authentication certificate including a public key from within the user record;
- means for using the public key from the authentication certificate to decrypt the response at the server; and
- means for determining if the decrypted response matches the challenge string as sent from the server to the authentication card, wherein a successful match results in a successful authentication and an unsuccessful match results in an unsuccessful authentication.
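As an added illustration (not code from the patent or its assignee) of the enrollment step in claim 5 and the runtime challenge-response of claims 1, 11 and 18: the server keeps a user record keyed by the card's unique identifier, issues a fresh single-use challenge, and checks the card's response with the public portion from the stored certificate, so neither the card's certificate nor an external certificate authority is involved at authentication time. It assumes a toy RSA keypair with two small constructed primes and bare modular exponentiation, chosen only because that mirrors the claim's "encrypt with the private portion, decrypt with the public portion" wording; a real card would use full-size keys and a padded signature scheme.

```python
import secrets

# Constructed toy RSA parameters so the block runs without third-party code.
# A real card uses full-size keys and a padded signature scheme; bare modular
# exponentiation is used only because it mirrors the claim's wording
# ("encrypt with the private portion, decrypt with the public portion").
P, Q = 999983, 1000003             # two primes near 10^6 (toy size)
N = P * Q
E = 65537                          # public exponent (the "public portion")
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (the "private portion")


class AuthenticationCard:
    def __init__(self, card_id, private_exponent, modulus):
        self.card_id = card_id
        self._d = private_exponent     # never leaves the card
        self.n = modulus

    def respond(self, challenge):
        # "encrypt the challenge string using the private portion"
        return pow(challenge, self._d, self.n)


class IdentityServer:
    def __init__(self):
        self.user_records = {}   # card_id -> {"user": name, "cert": (e, n)}
        self._pending = {}       # card_id -> outstanding challenge

    def enroll(self, card_id, user_name, certificate):
        # Enrollment (claim 5): the certificate extracted from the card is the
        # only certificate allowed in the record, so re-enrollment is refused.
        if card_id in self.user_records:
            raise ValueError("card already enrolled")
        self.user_records[card_id] = {"user": user_name, "cert": certificate}

    def issue_challenge(self, card_id):
        # Fresh, unpredictable challenge, modelled as an integer below n.
        _, n = self.user_records[card_id]["cert"]
        challenge = secrets.randbelow(n - 3) + 2
        self._pending[card_id] = challenge
        return challenge

    def verify(self, card_id, response):
        # Correlate the card id to its record (claim 11); the card sent only its
        # id and the response, never its certificate (claim 18); no CA is asked.
        record = self.user_records.get(card_id)
        challenge = self._pending.pop(card_id, None)   # single use: no replay
        if record is None or challenge is None:
            return None
        e, n = record["cert"]
        # "decrypt the response using the public portion" and compare
        return record["user"] if pow(response, e, n) == challenge else None
```

Popping the pending challenge before comparison means a captured response cannot be replayed, and an unknown card identifier fails before any arithmetic is done.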
Specification