Method and apparatus for using cryptographic mechanisms to provide access to a portable device using integrated authentication using another portable device

US 8,479,011 B2
Filed: 10/27/2009
Issued: 07/02/2013
Est. Priority Date: 10/07/2009
Status: Active Grant

First Claim

Patent Images

1. A method for providing authentication of a user to a first peripheral device connected to a host computer using an authentication of the user on an independently connected second peripheral device also connected to the host computer, allowing the user access to both devices through a single authentication, comprising:

operating the host computer to detect that the user is attempting use of the first peripheral device;

operating the second peripheral device to cause the user to authenticate to the second peripheral device;

operating the host computer to cause the second peripheral device which is independently connected to the host computer to execute a security function that utilizes a unique characteristic of the second peripheral device to produce a result that uniquely links the first peripheral device to the second peripheral device and that ensures that the first peripheral device cannot be accessed without authentication via the second peripheral device, and the result of which may be used by the host computer to compute an authentication phrase that may be validated by the first peripheral device as a credential allowing access to the first peripheral device conditioned upon the presence of and successful authentication to the second peripheral device;

operating the host computer to calculate the authentication phrase based on the result of the security function returned from the second peripheral device;

transmitting the authentication phrase from the host computer to the first peripheral device;

operating the first peripheral device to allow the user access to private assets stored on the first peripheral device only upon positive determination by the first peripheral device that the user has been authenticated based on verification of the authentication phrase as corresponding to an accepted authentication phrase.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for providing authentication of a user to a first peripheral device connected to a host computer using an authentication of the user on a second peripheral device, thereby allowing the user access to both devices through a single authentication. A security function on the second peripheral device is used to create an authorization phrase. Subsequent accesses to the first peripheral device requires the second peripheral device to re-create the same authorization phrase thereby demonstrating that the same second peripheral device is being used to access the first peripheral device and that a user was successfully authenticated to the second peripheral device. Other systems and methods are disclosed.

Citations

15 Claims

1. A method for providing authentication of a user to a first peripheral device connected to a host computer using an authentication of the user on an independently connected second peripheral device also connected to the host computer, allowing the user access to both devices through a single authentication, comprising:
- operating the host computer to detect that the user is attempting use of the first peripheral device;
  
  operating the second peripheral device to cause the user to authenticate to the second peripheral device;
  
  operating the host computer to cause the second peripheral device which is independently connected to the host computer to execute a security function that utilizes a unique characteristic of the second peripheral device to produce a result that uniquely links the first peripheral device to the second peripheral device and that ensures that the first peripheral device cannot be accessed without authentication via the second peripheral device, and the result of which may be used by the host computer to compute an authentication phrase that may be validated by the first peripheral device as a credential allowing access to the first peripheral device conditioned upon the presence of and successful authentication to the second peripheral device;
  
  operating the host computer to calculate the authentication phrase based on the result of the security function returned from the second peripheral device;
  
  transmitting the authentication phrase from the host computer to the first peripheral device;
  
  operating the first peripheral device to allow the user access to private assets stored on the first peripheral device only upon positive determination by the first peripheral device that the user has been authenticated based on verification of the authentication phrase as corresponding to an accepted authentication phrase.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method for providing authentication of a user to a first peripheral device of claim 1 wherein the security function is a cryptographic signature of a reference data.
  - 3. The method for providing authentication of a user to a first peripheral device of claim 1 further comprising a linking step:
    - operating the host computer to;
      
      request the second peripheral device to cryptographically sign a specified reference data;
      
      convert the resulting signature into an authentication phrase for the first peripheral device; and
      
      transmit the authentication phrase to become the accepted authentication phrase for the first peripheral device; and
      
      operating the first peripheral device to store the accepted authentication phrase thereby uniquely linking the first peripheral device to the second peripheral device.
  - 4. The method for providing authentication of a user to a first peripheral device of claim 1 wherein the security function is performing a cryptographic signature on a reference data and the step of using the security function to determine whether the user has been authenticated by the second peripheral device comprises:
    - operating the host computer to request the second peripheral device to sign and return the reference data; and
      
      operating the host computer to convert the reference data signature received from the second peripheral device into an authentication phrase for the first peripheral device and having the first peripheral device allow or disallow access to the private assets stored thereon based on whether the authentication phrase matches a known authentication phrase.
  - 5. The method for providing authentication of a user to a first peripheral device of claim 1 wherein the security function is a request to the second peripheral device to generate a byte array and the method further comprising:
    - generating the byte array on the second peripheral device; and
      
      storing the byte array on the first peripheral device thereby uniquely linking the first peripheral device to the second peripheral device.
  - 6. The method for providing authentication of a user to a first peripheral device of claim 5 further comprising storing the generated byte array on the second peripheral device.
  - 7. The method for providing authentication of a user to a first peripheral device of claim 5 further comprising:
    - upon an attempted access to the first peripheral device, requesting a candidate authentication byte array from the second peripheral device; and
      
      allowing access to the first peripheral device if the candidate authentication byte array corresponds to the stored generated authentication byte array thereby demonstrating presence of and successful authentication to second peripheral device.
  - 8. The method for providing authentication of a user to a first peripheral device of claim 1 further comprising:
    - storing an authentication agent on the second peripheral device;
      
      operating the authentication agent to generate a byte array on the second peripheral device;
      
      transmitting the generated byte array from the second peripheral device to an authentication initialization module on the first peripheral device; and
      
      storing the generated byte array on the first peripheral device thereby uniquely linking the first peripheral device to the second peripheral device.
  - 9. The method for providing authentication of a user to a first peripheral device of claim 8 further comprising:
    - upon an attempt to access the first peripheral device, operating the first peripheral device to send a request for an authentication phrase directly to authentication agent executing on the second peripheral device;
      
      operating the second peripheral device to retrieve the authentication phrase and to transmit the retrieved authentication phrase as a candidate authentication phrase to the first peripheral device; and
      
      allowing access to the first peripheral device if the candidate authentication phrase matches the authentication phrase stored on the first peripheral device thereby demonstrating presence of and successful authentication to second peripheral device.

10. A method for providing authentication of a user to a first peripheral device connected to a host computer using an authentication of the user on a second peripheral device also connected to the host computer, allowing the user access to both devices through a single authentication, comprising:
- upon an attempt to establish a connection to the first peripheral device through the host computer, operating the host computer;
  
  to request the user to commence an authentication process for the second peripheral device;
  
  to attempt to authenticate the user to the second peripheral device;
  
  upon successful authentication to the second peripheral device, to request the second peripheral device to execute a security function designated by the host computer and that utilizes a unique characteristic of the second peripheral device to produce a result that uniquely links the first peripheral device to the second peripheral device and that ensures that the first peripheral device cannot be accessed without authentication via the second peripheral device thereby producing a security result that may be converted by the host computer to an authentication phrase useful as a credential allowing access to the first peripheral device conditioned upon the presence of and successful authentication to the second peripheral device;
  
  to receive the security result from second peripheral device;
  
  to convert the security result to an authentication phrase candidate for the first peripheral device;
  
  to attempt authentication to the first peripheral device using the authentication phrase candidate for the first peripheral device; and
  
  to receive an authentication result from the first peripheral device indicating success or failure of the authentication attempt.
- View Dependent Claims (11)
- - 11. The method for providing authentication of a user of claim 10 further comprising:
    - upon first use of the first peripheral device, operating the host computer;
      
      to authenticate the user to the second peripheral device;
      
      upon successful authentication to the second peripheral device, to request the second peripheral device to execute the security function designated by the host computer thereby producing a security result;
      
      converting the cryptographic result to an authentication phrase;
      
      causing the authentication phrase to become the expected authentication phrase used by the first peripheral device to determine whether to allow access to the first peripheral device by a user thereby uniquely linking the first peripheral device to the second peripheral device.

12. A computer having a processor and connectors allowing connection to at least two peripheral devices, the computer processor being programmed to allow authentication to a first peripheral device be accomplished using authentication on a second peripheral device, the computer being programmed with instructions directing the computer to:
- to request the user to commence an authentication process for the second peripheral device;
  
  to attempt to authenticate the user to the second peripheral device;
  
  upon successful authentication to the second peripheral device, to request the second peripheral device to execute a security function designated by the host computer and that utilizes a unique characteristic of the second peripheral device to produce a result that uniquely links the second peripheral device to the first peripheral device thereby producing a security result;
  
  to receive the security result from the second peripheral device;
  
  to convert the security result to an authentication phrase candidate for the first peripheral device;
  
  to attempt authentication to the first peripheral device using the authentication phrase candidate for the first peripheral device; and
  
  to receive an authentication result from the first peripheral device indicating success or failure of the authentication attempt.

13. A method for providing authentication of a user to a first peripheral device connected to a host computer using an authentication of the user on a second peripheral device also connected to the host computer, allowing the user access to both devices through a single authentication, comprising:
- uniquely linking the first peripheral device and to the second peripheral device through an authentication phrase created by the second peripheral device wherein the authentication phrase reflects a unique characteristic of the second peripheral device and that ensures that the first peripheral device cannot be accessed without authentication via the second peripheral device and using the authentication phrase to create an encrypted virtual drive data file on the first peripheral device;
  
  operating the second peripheral device to cause the user to authenticate to the second peripheral device;
  
  upon attempting to use the encrypted virtual drive on the first peripheral device, obtaining a candidate authentication phrase from the second peripheral device; and
  
  attempting to mount the encrypted virtual drive data file using the candidate authentication phrase wherein only the correct authentication phrase would successfully decrypt the encrypted virtual drive.
- View Dependent Claims (14, 15)
- - 14. The method for providing authentication of a user to a first peripheral device connected to a host computer using an authentication of the user on a second peripheral device also connected to the host computer of claim 13 wherein the authentication phrase is generated by requesting the second peripheral device to cryptographically sign a reference data item thereby uniquely linking the first peripheral device to the second peripheral device.
  - 15. The method for providing authentication of a user to a first peripheral device connected to a host computer using an authentication of the user on a second peripheral device also connected to the host computer of claim 13 wherein the authentication phrase is stored on the second peripheral device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Thales DIS France SAS (Thales SA)
Original Assignee
Gemalto SA (Thales SA)
Inventors
Ali, Asad Mahboob, Bombay, Bart John, Malpani, Ashish
Primary Examiner(s)
EDWARDS, LINGLAN E

Application Number

US12/607,047
Publication Number

US 20110083017A1
Time in Patent Office

1,344 Days
Field of Search

713/185, 726 16- 20, 726 26- 29
US Class Current

713/185
CPC Class Codes

G06F 21/34 involving the use of extern...

G06F 21/78 to assure secure storage of...

Method and apparatus for using cryptographic mechanisms to provide access to a portable device using integrated authentication using another portable device

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for using cryptographic mechanisms to provide access to a portable device using integrated authentication using another portable device

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links