Remote authentication and transaction signatures
First Claim
1. A method for securing an application comprising the steps of:
- registering data representing a private key for at least one user having a PKI device storing said private key;
said registering comprising receiving a representation of a Private Key Code generated by a reader device operating in conjunction with said PKI device where said generation of said Private Key Code by said reader device occurs by said reader device generating and sending a challenge to said PKI device, and instructing said PKI device to perform an asymmetric cryptographic operation on said challenge with said private key, and said reader device receiving from said PKI device a result of said asymmetric cryptographic operation, and deriving from said received result said Private Key Code;
deriving from said representation of said Private Key Code a Private Key Related Value, storing said Private Key Related Value linked to said user;
receiving from said at least one user at least one dynamic credential that has been generated by a reader device in conjunction with said PKI device and where said generation by said reader device of said dynamic credential comprises obtaining and sending said challenge to said PKI device, instructing said PKI device to perform an asymmetric cryptographic operation on said challenge with said private key, receiving from said PKI device a result of said asymmetric cryptographic operation, deriving from said received result a first Private Key Related Input Parameter, deriving said dynamic credential by cryptographically combining said derived first Private Key Related Input Parameter with at least one dynamic input variable;
verifying the received dynamic credentials comprising the steps of;
retrieving said stored Private Key Related Value linked to said user, and deriving from said retrieved Private Key Related Value a second Private Key Related Input Parameter, calculating a reference value by cryptographically combining said derived second Private Key Related Input Parameter with a value for at least one dynamic input variable, and comparing said calculated reference value with said received dynamic credential; and
protecting access to said application in dependence on the outcome of said verifying.
Abstract
The invention provides a method, apparatus, computer readable medium and signal which allows the usage of devices containing PKI private keys such as PKI-enabled smart cards or USB sticks to authenticate users and to sign transactions. The authenticity of the user and/or the message is verified. Furthermore the operation (authentication and/or signing) occurs without the need for an application to have some kind of a direct or indirect digital connection with the device containing the private key. In addition the operation occurs without the need for the PKI-enabled device containing the private key (e.g. a PKI smart card or USB stick) to either support symmetric cryptographic operations or to have been personalized with some secret or confidential data element that can be read by a suitable reader.
194 Citations
16 Claims
6. A reader device for generating dynamic credentials comprising:
a communication interface to communicate with a PKI device that stores at least one private key and that is capable of performing asymmetric cryptographic operations with said private key, said communication interface adapted to exchange data and commands with said PKI device;
processing components adapted to;
generate a challenge, send said challenge to said PKI device, instruct said PKI device to perform an asymmetric cryptographic operation on said challenge, receive from said PKI device a result of said asymmetric cryptographic operation;
derive a Private Key Code from said received result;
derive a Private Key Related Input Parameter from said received result; and
generate dynamic credentials by cryptographically combining said Private Key Related Input Parameter with at least one dynamic variable using a symmetric cryptographic algorithm;
said reader device further comprising output components adapted to output data related to said Private Key Code and said generated dynamic credentials.
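The registration and verification flow of claims 1 and 6, as an added example that is not part of the patent text. The toy textbook-RSA card, the fixed challenge, the SHA-256 derivations, HMAC-SHA256 as the symmetric combination and a counter as the dynamic variable are all assumptions chosen for illustration.

```python
import hashlib
import hmac

CHALLENGE = b"constructed-fixed-challenge"  # assumption: same challenge every time

class ToyPkiDevice:
    """Stand-in for the PKI card: textbook RSA on toy primes. NOT secure; it only
    models a deterministic private-key operation the reader can reproduce."""
    def __init__(self, p, q, e=65537):
        self._n, self._d = p * q, pow(e, -1, (p - 1) * (q - 1))

    def private_key_op(self, challenge):
        m = int.from_bytes(hashlib.sha256(challenge).digest(), "big") % self._n
        return pow(m, self._d, self._n).to_bytes((self._n.bit_length() + 7) // 8, "big")

def reader_private_key_code(card):
    """Reader, registration: challenge the card, derive the Private Key Code."""
    return hashlib.sha256(b"pkc|" + card.private_key_op(CHALLENGE)).digest()

def input_parameter(private_key_value):
    """Derive the symmetric Private Key Related Input Parameter (both sides)."""
    return hashlib.sha256(b"param|" + private_key_value).digest()

def combine(param, counter, digits=8):
    """Symmetric combination with the dynamic variable (a counter here)."""
    mac = hmac.new(param, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**digits).zfill(digits)

def reader_dynamic_credential(card, counter):
    """Reader, login: repeat the card operation, then combine with the counter."""
    return combine(input_parameter(reader_private_key_code(card)), counter)

class Server:
    def __init__(self):
        self._values = {}  # user -> Private Key Related Value

    def register(self, user, private_key_code):
        self._values[user] = private_key_code  # assumption: stored as received

    def verify(self, user, counter, credential):
        reference = combine(input_parameter(self._values[user]), counter)
        return hmac.compare_digest(reference, credential)

def demo():
    alice = ToyPkiDevice(2**127 - 1, 2**89 - 1)   # constructed toy keys
    other = ToyPkiDevice(2**107 - 1, 2**61 - 1)
    server = Server()
    server.register("alice", reader_private_key_code(alice))
    return (server.verify("alice", 7, reader_dynamic_credential(alice, 7)),
            server.verify("alice", 7, reader_dynamic_credential(other, 7)),
            server.verify("alice", 8, reader_dynamic_credential(alice, 7)))
```

The reference value only matches when the card's operation on the challenge is reproducible, so a randomized signature scheme would not fit this sketch. The server-side stored value is sufficient to compute valid credentials and needs the same protection as any shared symmetric secret.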
Specification