Systems and methods for facilitating user authentication over a network

US 8,539,569 B2
Filed: 03/31/2010
Issued: 09/17/2013
Est. Priority Date: 12/09/2009
Status: Active Grant

First Claim

Patent Images

1. A method for facilitating transactions over a network, the method comprising:

communicating with a web-client over the network;

receiving a request for authentication from the web-client over the network, the request including user information related to a user;

verifying that the user information includes a first integer value P corresponding to a first identification number related to the user and a second integer value Q corresponding to a second identification number related to the user;

challenging the web-client over the network by generating and sending a plurality of different random integer values to the web-client over the network including a first random integer value R, a second random integer value T, and a third random integer value K;

defining a first line segment PR between the first integer value P and the first random integer value R;

defining a second line segment QT between the second integer value Q and the second random integer value T;

determining an intersection point S of the first line segment PR and the second line segment QT;

calculating a first hash value from the third random integer value K and the intersection point S;

receiving a second hash value from the web-client over the network;

performing a first authentication protocol by comparing the first hash value with the second hash value, wherein if the first and second hash values match, then the web-client is authenticated, and wherein if the first and second hash values do not match, then the first authentication protocol is aborted; and

storing information related to performing the first authentication protocol.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with embodiments of the present disclosure, systems and methods for facilitating network transactions include user authentication over a network by providing strong mutual authentication of client web application to server side application server, providing session encryption key negotiation after authentication to continue encryption during communication, and providing a high-level encryption technique referred to as an effective zero knowledge proof of identity (eZKPI) algorithm. In various implementations, the eZKPI algorithm is adapted to couple something the user Knows (e.g., a password or personal identification number) with something the user Has (e.g., a secure identification card) to create a stronger identity authentication proof for access to a mobile device and applications running on the mobile device.

Citations

24 Claims

1. A method for facilitating transactions over a network, the method comprising:
- communicating with a web-client over the network;
  
  receiving a request for authentication from the web-client over the network, the request including user information related to a user;
  
  verifying that the user information includes a first integer value P corresponding to a first identification number related to the user and a second integer value Q corresponding to a second identification number related to the user;
  
  challenging the web-client over the network by generating and sending a plurality of different random integer values to the web-client over the network including a first random integer value R, a second random integer value T, and a third random integer value K;
  
  defining a first line segment PR between the first integer value P and the first random integer value R;
  
  defining a second line segment QT between the second integer value Q and the second random integer value T;
  
  determining an intersection point S of the first line segment PR and the second line segment QT;
  
  calculating a first hash value from the third random integer value K and the intersection point S;
  
  receiving a second hash value from the web-client over the network;
  
  performing a first authentication protocol by comparing the first hash value with the second hash value, wherein if the first and second hash values match, then the web-client is authenticated, and wherein if the first and second hash values do not match, then the first authentication protocol is aborted; and
  
  storing information related to performing the first authentication protocol.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - receiving a fourth random integer value L with the second hash value from the web-client over the network,performing a second authentication protocol by;
      
      calculating a third hash value from the third random integer value K, the intersection point S, and the fourth random integer value L,sending the third hash value to the web-client over the network,wherein if the third hash value is accepted by the web-client, then communication continues with the web-client, andwherein if the third hash value is not accepted by the web-client, then communication with the web-client is aborted by the web-client; and
      
      storing information related to performing the second authentication protocol.
  - 3. The method of claim 1, wherein the method further comprises:
    - locating a user account related to the user based on the user information passed with the request, wherein the user account includes information related to the user; and
      
      comparing the user information passed with the request with user information of the user account to verify that the user information includes a first integer value P and a second integer value Q related to the user.
  - 4. The method of claim 1, wherein:
    - the first integer value P comprises a value for the first identification number related to the user, andwherein the first identification number comprises a user identification number from a secure identification card.
  - 5. The method of claim 1, wherein:
    - the second integer value Q comprises a value for the second identification number related to the user, andwherein the second identification number comprises an alpha-numeric password selected by the user or a personal identification number selected by the user.
  - 6. The method of claim 1, wherein each different random integer value comprises 10 to 20 digits.
  - 7. The method of claim 1, wherein:
    - the first line segment PR passes through point values for the first integer value P and the first random integer value R,the second line segment passes through point values for the second integer value Q and the second random integer value T, andthe intersection of the first line segment PR and the second line segment QT passes through a point value for the intersection point S.
  - 8. The method of claim 1, wherein:
    - the first integer value P comprises a first shared secret with the web-client, andthe second integer value Q comprises a second shared secret with the web-client.
  - 9. The method of claim 1, further comprising:
    - storing one or more of the first integer value P, the second integer value Q, the third random integer value K, and the fourth random integer value L.
  - 10. The method of claim 1, further comprising:
    - storing a first encryption value comprising the third random integer value K plus a value for the intersection point S; and
      
      storing a second encryption value comprising the third random integer value K plus the fourth random integer value L plus a value for the intersection point S.
  - 11. The method of claim 1, wherein the method is performed by a server adapted to communicate with web-client over the network.

12. A system for facilitating transactions over a network, the system comprising:
- a communication component adapted for communicating with a web-client over the network; and
  
  a processing component adapted for;
  
  receiving a request for authentication from the web-client over the network, the request including user information related to a user;
  
  verifying that the user information includes a first integer value P corresponding to a first identification number related to the user and a second integer value Q corresponding to a second identification number related to the user;
  
  challenging the web-client over the network by generating and sending a plurality of different random integer values to the web-client over the network including a first random integer value R, a second random integer value T, and a third random integer value K;
  
  defining a first line segment PR between the first integer value P and the first random integer value R;
  
  defining a second line segment QT between the second integer value Q and the second random integer value T;
  
  determining an intersection point S of the first line segment PR and the second line segment QT;
  
  calculating a first hash value from the third random integer value K and the intersection point S;
  
  receiving a second hash value from the web-client over the network;
  
  performing a first authentication protocol by comparing the first hash value with the second hash value, wherein if the first and second hash values match, then the web-client is authenticated, and wherein if the first and second hash values do not match, then the first authentication protocol is aborted; and
  
  storing information related to performing the first authentication protocol.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12, the processing component further adapted for:
    - receiving a fourth random integer value L with the second hash value from the web-client over the network,performing a second authentication protocol by;
      
      calculating a third hash value from the third random integer value K, the intersection point S, and the fourth random integer value L,sending the third hash value to the web-client over the network,wherein if the third hash value is accepted by the web-client, then communication continues with the web-client, andwherein if the third hash value is not accepted by the web-client, then communication with the web-client is aborted by the web-client; and
      
      storing information related to performing the second authentication protocol.
  - 14. The system of claim 12, the processing component further adapted for:
    - locating a user account related to the user based on the user information passed with the request, wherein the user account includes information related to the user; and
      
      comparing the user information passed with the request with user information of the user account to verify that the user information includes a first integer value P and a second integer value Q related to the user.
  - 15. The system of claim 12, wherein:
    - the first integer value P comprises a value for the first identification number related to the user, andwherein the first identification number comprises a user identification number from a secure identification card.
  - 16. The system of claim 12, wherein:
    - the second integer value Q comprises a value for the second identification number related to the user, andwherein the second identification number comprises an alpha-numeric password selected by the user or a personal identification number selected by the user.
  - 17. The system of claim 12, wherein each different random integer value comprises 10 to 20 digits.
  - 18. The system of claim 12, wherein:
    - the first line segment PR passes through point values for the first integer value P and the first random integer value R,the second line segment passes through point values for the second integer value Q and the second random integer value T, andthe intersection of the first line segment PR and the second line segment QT passes through a point value for the intersection point S.
  - 19. The system of claim 12, wherein:
    - the first integer value P comprises a first shared secret with the web-client, andthe second integer value Q comprises a second shared secret with the web-client.
  - 20. The system of claim 12, the processing component further adapted for:
    - storing one or more of the first integer value P, the second integer value Q, the third random integer value K, and the fourth random integer value L.
  - 21. The system of claim 12, the processing component further adapted for:
    - storing a first encryption value comprising the third random integer value K plus a value for the intersection point S; and
      
      storing a second encryption value comprising the third random integer value K plus the fourth random integer value L plus a value for the intersection point S.
  - 22. The system of claim 12, wherein the system comprises a server adapted to communicate with the web-client over the network.

23. A non-transitory computer readable medium on which are stored computer readable instructions and when executed operable to:
- communicate with a web-client over the network;
  
  receive a request for authentication from the web-client over the network, the request including user information related to a user;
  
  verify that the user information includes a first integer value P corresponding to a first identification number related to the user and a second integer value Q corresponding to a second identification number related to the user;
  
  challenge the web-client over the network by generating and sending a plurality of different random integer values to the web-client over the network including a first random integer value R, a second random integer value T, and a third random integer value K;
  
  define a first line segment PR between the first integer value P and the first random integer value R;
  
  define a second line segment QT between the second integer value Q and the second random integer value T;
  
  determine an intersection point S of the first line segment PR and the second line segment QT;
  
  calculate a first hash value from the third random integer value K and the intersection point S;
  
  receive a second hash value from the web-client over the network;
  
  perform a first authentication protocol by comparing the first hash value with the second hash value, wherein if the first and second hash values match, then the web-client is authenticated, and wherein if the first and second hash values do not match, then the first authentication protocol is aborted; and
  
  store information related to performing the first authentication protocol.
- View Dependent Claims (24)
- - 24. The non-transitory computer readable medium of claim 23, further operable to:
    - receive a fourth random integer value L with the second hash value from the web-client over the network,perform a second authentication protocol by;
      
      calculating a third hash value from the third random integer value K, the intersection point S, and the fourth random integer value L,sending the third hash value to the web-client over the network,wherein if the third hash value is accepted by the web-client, then communication continues with the web-client, andwherein if the third hash value is not accepted by the web-client, then communication with the web-client is aborted by the web-client; and
      
      store information related to performing the second authentication protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
PayPal, Inc. (PayPal Holdings, Inc.)
Original Assignee
eBay Inc.
Inventors
Mansour, Rasta A
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
SONG, HEE K

Application Number

US12/751,986
Publication Number

US 20110138454A1
Time in Patent Office

1,266 Days
Field of Search

726 5- 9, 713/168, 713/176, 713/180, 380/44, 380/258
US Class Current

726/9
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless

H04L 63/0861   using biometrical features,...

H04L 9/3218   using proof of knowledge, e...

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3273   for mutual authentication n...

H04L 9/50   using hash chains, e.g. blo...

H04W 12/068   using credential vaults, e....

Systems and methods for facilitating user authentication over a network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for facilitating user authentication over a network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links