Key management using quasi out of band authentication architecture

US 8,713,325 B2
Filed: 04/19/2011
Issued: 04/29/2014
Est. Priority Date: 04/19/2011
Status: Active Grant

First Claim

Patent Images

1. A method of operating a security server to provide key management layered on a quasi out of band authentication system, comprising:

receiving, via a communication channel from a network device associated with a user, a request for activation of a user interface window for that particular user at the network device;

transmitting, to an out of band authentication system, an activation personal identification number (PIN) to be forwarded to the user'"'"'s telephone via a voice or text message;

receiving, via the communication channel from the network device, the previously transmitted activation PIN;

authenticating the user based on the received activation PIN;

establishing, on top of the communication channel after authenticating the user, a secure, independent, encrypted communication channel between the user interface window and the security server; and

at least one of (i) generating and transmitting to the user interface window via the secure, independent, encrypted communication channel key material for cryptography based operations and (ii) receiving from the user interface window via the secure, independent, encrypted communication channel, key material for cryptography based operations.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To provide key management layered on a quasi-out-of-band authentication system, a security server receives a request for activation of a user interface window for a particular user from a network device via a communication channel. It then transmits an activation PIN to an out of band authentication system for forwarding to the user'"'"'s telephone via a voice or text message. It next receives the previously transmitted PIN from the network device via the communication channel, and authenticates the user based on the received PIN. After authenticating the user, it establishes a secure, independent, encrypted communication channel between the user interface window and the security server on top of the original communication channel. It then generates and transmits to the user interface window and/or receives from the user interface window via the secure communication channel, key material and certificate material for public key and/or symmetric key cryptography based operations.

122 Citations

View as Search Results

19 Claims

1. A method of operating a security server to provide key management layered on a quasi out of band authentication system, comprising:
- receiving, via a communication channel from a network device associated with a user, a request for activation of a user interface window for that particular user at the network device;
  
  transmitting, to an out of band authentication system, an activation personal identification number (PIN) to be forwarded to the user'"'"'s telephone via a voice or text message;
  
  receiving, via the communication channel from the network device, the previously transmitted activation PIN;
  
  authenticating the user based on the received activation PIN;
  
  establishing, on top of the communication channel after authenticating the user, a secure, independent, encrypted communication channel between the user interface window and the security server; and
  
  at least one of (i) generating and transmitting to the user interface window via the secure, independent, encrypted communication channel key material for cryptography based operations and (ii) receiving from the user interface window via the secure, independent, encrypted communication channel, key material for cryptography based operations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method according to claim 1, wherein the key material is for public key cryptography based operations and is generated and transmitted, and further comprising:
    - receiving, from the user interface window via the secure, independent, encrypted communication channel, a public key Pu of a private/public key pair Du/Pu associated with the user and previously generated at user interface window; and
      
      transmitting to the user interface window via the secure, independent, encrypted communication channel, a certificate, which is signed by the security server or an external certificate authority and associates the user with the received public key Pu, and instructions for storage of the certificate.
  - 3. The method according to claim 2, wherein the security server acts as an Intermediate or Root Certificate Authority, and further comprising:
    - generating and signing the certificate using locally stored certificate authority key material.
  - 4. The method according to claim 2, wherein the certificate is signed by an external certificate authority, and further comprising:
    - transmitting an unsigned certificate to the external certificate authority; and
      
      receiving the signed certificate from the certificate authority prior to transmitting the signed certificate to the user interface window.
  - 5. The method according to claim 2, wherein the transmitted storage instruction requires storage of the user private key Du and signed certificate (i) in memory, or (ii) in the key store of an operating system of the network device, or (iii) both.
  - 6. The method according to claim 2, wherein the transmitted storage instruction explicitly or implicitly, by providing no instruction, leaves the storage decision to the user interface window.
  - 7. The method according to claim 1, wherein the key material is for symmetric key cryptography based operations and is generated and transmitted by the security server, and further comprising:
    - receiving, from the user interface window or a network site, an authenticated request containing unique identifying information associated with the user or with a file;
      
      generating, using a one way function, a unique symmetric key K, wherein the value of the key K is derived from the received unique identifying information and a secret known only to the security server; and
      
      ;
      
      transmitting, to the requester, the generated symmetric key K.
  - 8. The method according to claim 1, wherein the security server performs public key cryptography based operations to obtain a digital signature on a transaction, and further comprising:
    - receiving, from a network site, the transaction and a request for digital signing of the transaction;
      
      transmitting, to the user interface window via the secure, independent, encrypted communication channel, the transaction and a request for a digital signature;
      
      receiving, from the user interface window via the secure, independent, encrypted communication channel, a hash of the transmitted transaction digitally signed with a private key Du of a private/public key pair Du/Pu associated with the user; and
      
      transmitting to the network site, the received digitally signed hash of the transaction and a certificate, with explicit or implicit instructions for the network site to verify the digital signature by recomputing the hash and comparing it with the hash recovered from the transmitted digitally signed hash by applying the user'"'"'s public key Pu included in the transmitted certificate to the transmitted digitally signed hash.
  - 9. The method according to claim 8, further comprising:
    - transmitting, to the user interface window, for presentation to the user, via the secure, independent, encrypted communication channel, a signature PIN with which to electronically sign the transaction presented in a browser window displayed at the network device.
  - 10. The method according to claim 9, wherein the signature PIN corresponds to a secret shared by the security server and the network site, but not by the user.
  - 11. The method according to claim 8, wherein the transmitted transaction includes an explicit or implicit instruction to present the transaction to the user in the user interface window and obtain approval of the user prior to digitally signing of the transaction.
  - 12. The method according to claim 8, further comprising:
    - receiving, from the user interface window via the secure, independent, encrypted communication channel, the public key Pu; and
      
      transmitting to the user interface window via the secure, independent, encrypted communication channel, the certificate signed by the security server or an external authenticating authority and associating the user with the received public key Pu, and instructions for storage of the certificate and the user'"'"'s private key Du;
      
      wherein the instructions explicitly or implicitly instruct the user interface window to manage storage of the user'"'"'s private key Du and the signed certificate (i) in memory, or (ii) in the key store of an operating system of the network device, or (iii) both for the benefit of other local applications.
  - 13. The method according to claim 8, further comprising:
    - recomputing the hash and comparing it with the hash recovered from the received digitally signed hash by applying the user'"'"'s public key Pu included in the received certificate to the received digitally signed hash, to thereby verify the digital signature.
  - 14. The method according to claim 1, wherein the security server performs symmetric key cryptography based operations, and the symmetric key cryptography based operations include sharing encryption keys, and further comprising:
    - receiving, from a network site, a request for one or more encryption keys associated with particular combinations of sender identification, recipient identification and document identification, collectively referred to as DocumentID;
      
      generating, one or more symmetric encryption keys for each DocumentID, based on a one way function, the DocumentID, a secret known only to the security server and other information;
      
      transmitting, to the network site, the encryption keys, with explicit or implicit instructions to encrypt the document represented by the applicable DocumentID with the appropriate encryption key or keys and to transmit the encrypted document to the user;
      
      receiving, from software, other than the user interface window, that is operating on the network device and being used to open the encrypted document represented by an applicable DocumentID, a request for the one or more symmetric encryption keys required to decrypt the encrypted document represented by the applicable DocumentID, wherein the request includes the applicable DocumentID;
      
      recomputing or receiving the applicable one or more symmetric encryption keys; and
      
      transmitting, to the user interface window, the recomputed or received applicable one or more symmetric encryption keys, with explicit or implicit instructions to present the applicable one or more symmetric encryption keys to the user for entry into the software to decrypt the encrypted document represented by the applicable DocumentID.
  - 15. The method according to claim 14, wherein the request for the one or more symmetric encryption keys from the software is received via a network site which is in communication with the software attempting to open the encrypted document.
  - 16. The method according to claim 14, wherein:
    - the security server receives the applicable one or more symmetric encryption keys from a network site which is in communication with the software attempting to open the document; and
      
      the applicable one or more symmetric encryption keys transmitted to the user interface window are the applicable one or more symmetric encryption keys received from the network site.
  - 17. The method according to claim 14, wherein:
    - the security server recomputes, based on the one way function, the applicable DocumentID, the secret known only to the security server and the other information, the applicable one or more symmetric encryption keys; and
      
      the applicable one or more symmetric encryption keys transmitted to the user interface window are the recomputed one or more symmetric encryption keys.
  - 18. A method according to claim 1, wherein the security server performs symmetric key cryptography based operations, and the symmetric key cryptography based operations include providing a seed for token authenticator hardware or software, and further comprising:
    - receiving, from the user interface window, a request for a token seed, and at least one of (i) a user identifier and (ii) a token identifier for which the seed is requested;
      
      generating, the seed, based on a one way function, the at least one identifier, a secret known only to the security server and other information; and
      
      transmitting, to the user interface window via the secure, independent, encrypted communication channel, the generated seed, with explicit or implicit instructions to either (i) present the transmitted seed to the user on the user interface window display for entry by the user into a seeding interface of the token or (ii) enter the transmitted seed into the seeding interface of the token directly without user intervention.
  - 19. A method according to claim 18, wherein the transmitted seed is an intermediate seed for processing by the token software to generate the final seed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Payfone Incorporated
Original Assignee
Authentify, Inc. (Early Warning Services, LLC)
Inventors
Ganesan, Ravi
Primary Examiner(s)
CHAO, MICHAEL W

Application Number

US13/089,430
Publication Number

US 20120272056A1
Time in Patent Office

1,106 Days
Field of Search

713/185
US Class Current

713/184
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/0838   using one-time-passwords

H04L 63/0853   using an additional device,...

H04L 63/126   the source of the received ...

H04L 63/1483   service impersonation, e.g....

H04L 63/18   using different networks or...

H04L 9/0819   Key transport or distributi...

H04L 9/3215   using a plurality of channe...

H04L 9/3226   using a predetermined code,...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

H04W 12/041   Key generation or derivation

H04W 12/0431   Key distribution or pre-dis...

H04W 12/0433   Key management protocols

Key management using quasi out of band authentication architecture

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

122 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Key management using quasi out of band authentication architecture

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

122 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others