Token recycling

US 8,832,453 B2
Filed: 02/28/2007
Issued: 09/09/2014
Est. Priority Date: 02/28/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

establishing a first secure connection between a locked token and a security server system through a client device coupled to the locked token;

activating a process to unlock the locked token via the first secure connection;

establishing a second secure connection between the client device and the security server system in response to activating the process to unlock the locked token, wherein the second secure connection differs from the first secure connection;

prompting a user for an authentication credential via the second secure connection;

determining that the user has correctly provided the authentication credential; and

unlocking, by a processor, the locked token in response to determining that the user has correctly provided the authentication credential, the unlocking comprising mutually authenticating the locked token and the security server system using symmetric keys derived from a master key, wherein the symmetric keys are stored in the locked token and the security server system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention provide for recycling a locked token in an enterprise. A secure connection can be established between a locked token and a server and a security process activated to determine an identity of an authorized user of the locked token. An unlock procedure can be activated to unlock the locked token upon receipt of an out-of-band parameter associated with a requester of the unlock procedure to produce an unlocked token. The out-of-band parameter can be provided by the requester of the unlock procedure in an independent communication to an enterprise agent associated with the security server so as to verify that the requester is the authorized user of the locked token. A password reset process associated with a new password for the unlocked token can be activated to provide an assigned password or a password entered by the requester.

210 Citations

16 Claims

1. A method comprising:
- establishing a first secure connection between a locked token and a security server system through a client device coupled to the locked token;
  
  activating a process to unlock the locked token via the first secure connection;
  
  establishing a second secure connection between the client device and the security server system in response to activating the process to unlock the locked token, wherein the second secure connection differs from the first secure connection;
  
  prompting a user for an authentication credential via the second secure connection;
  
  determining that the user has correctly provided the authentication credential; and
  
  unlocking, by a processor, the locked token in response to determining that the user has correctly provided the authentication credential, the unlocking comprising mutually authenticating the locked token and the security server system using symmetric keys derived from a master key, wherein the symmetric keys are stored in the locked token and the security server system.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, further comprising activating a password reset process in response to unlocking the locked token, the password reset process associated with a new password for the unlocked token, wherein the new password comprises one of an assigned password and a password entered by the user.
  - 3. The method of claim 1, further comprising:
    - updating the unlocked token with a new password in response to the mutual authentication.
  - 4. The method of claim 1, wherein the token comprises one of a universal serial bus (USB) token and a smartcard.

5. An apparatus comprising:
- a security server system to;
  
  establish a first secure connection between a locked token and the security server system through a client device coupled to the locked token;
  
  activate a process to unlock the locked token via the first secure connection;
  
  establish a second secure connection between the client device and the security server system in response to activating the process to unlock the locked token, wherein the second secure connection differs from the first secure connection;
  
  prompt a user for an authentication credential via the second secure connection;
  
  determine that the user has correctly provided the authentication credential; and
  
  unlock, by a processor, the locked token in response to determining that the user has correctly provided the authentication credential, the unlock comprising mutually authenticating the locked token and the security server system using symmetric keys derived from a master key, wherein the symmetric keys are stored in the locked token and the security server system.

6. A non-transitory computer readable medium comprising computer executable instructions, that when executed by a processor cause the processor to perform operations comprising:
- establishing a first secure connection between a locked token and a security server system through a client device coupled to the locked token;
  
  activating a process to unlock the locked token via the first secure connection;
  
  establishing a second secure connection between the client device and the security server system in response to activating the process to unlock the locked token, wherein the second secure connection differs from the first secure connection;
  
  prompting a user for an authentication credential via the second secure connection;
  
  determining that the user has correctly provided the authentication credential; and
  
  unlocking, by the processor, the locked token in response to determining that the user has correctly provided the authentication credential, the unlocking comprising mutually authenticating the locked token and the security server system using symmetric keys derived from a master key, wherein the symmetric keys are stored in the locked token and the security server system.

7. A security server system comprising:
- a communication interface;
  
  a data store; and
  
  a processor coupled to the communication interface and the data store, the processor to;
  
  establish a first secure channel between a locked token and the security server system through a client device coupled to the locked token;
  
  activate a process to unlock the locked token via the first secure channel;
  
  establish a second secure channel between the client device and the security server system in response to activating the process to unlock the locked token, wherein the second secure channel differs from the first secure channel;
  
  prompt a user for an authentication credential via the second secure channel;
  
  determine that the user has correctly provided the authentication credential; and
  
  unlock the locked token in response to determining that the user has correctly provided the authentication credential the unlock comprising mutually authenticating the locked token and the security server system using symmetric keys derived from a master key, wherein the symmetric keys are stored in the locked token and the security server system.
- View Dependent Claims (8)
- - 8. The security server system of claim 7, the processor to store a new password that has been one of selected by the user and assigned by the security system server, in the data store.

9. An enterprise security client (ESC) comprising:
- a token interface;
  
  a communication interface; and
  
  a processor coupled to the token interface and the communication interface, the processor to;
  
  establish a first secure connection between a locked token and a security server system;
  
  activate a process to unlock the locked token via the first secure connection;
  
  establish a second secure connection with the security server system in response to activating the process to unlock the locked token, wherein the second secure connection differs from the first secure connection;
  
  receive an indication that the security server system has verified an identity of a user via the second secure connection; and
  
  unlock the locked token in response to the indication, the unlock comprising mutually authenticating the locked token and the security server system using symmetric keys derived from a master key, wherein the symmetric keys are stored in the locked token and the security server system.
- View Dependent Claims (10)
- - 10. The enterprise security of client of claim 9, the processor to update the unlocked token with a new password in response to unlocking the locked token.

11. A computer system comprising:
- a memory; and
  
  a processor coupled to the memory, the processor to;
  
  establish a first secure channel between a locked token and a security server system through an enterprise security client (ESC), wherein the ESC is coupled to the locked token;
  
  activate a process to unlock the locked token via the first secure channel;
  
  establish a second secure channel between the ESC and the security server system in response to activating the process to unlock the locked token, wherein the second secure channel differs from the first secure channel;
  
  prompt a user for an authentication credential via the second secure channel;
  
  determine that the user has correctly provided the authentication credential; and
  
  unlock the locked token in response to determining that the user has correctly provided the authentication credential, the unlock comprising mutually authenticating the locked token and the security server system using symmetric keys derived from a master key, wherein the symmetric keys are stored in the locked token and the security server system.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The computer system of claim 11, the computer system to activate a password reset process in the ESC to provide a new password for the unlocked token in response to unlocking the locked token.
  - 13. The computer system of claim 12, wherein the new password comprises one of a pre-assigned password or a password entered by the user.
  - 14. The computer system of claim 11, wherein the authentication credential comprises an identity verification question.
  - 15. The computer system of claim 14, wherein the second secure channel comprises a telephone channel.
  - 16. The computer system of claim 11, wherein the token comprises one of a universal serial bus (USB) token or a smartcard.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Lord, Robert
Primary Examiner(s)
Le, Vu
Assistant Examiner(s)
Mangialaschi, Tracy

Application Number

US11/679,976
Publication Number

US 20080209224A1
Time in Patent Office

2,750 Days
Field of Search

713/185, 726/6, 726/9
US Class Current

713/185
CPC Class Codes

G06F 21/31   User authentication

G06F 21/34   involving the use of extern...

G06F 21/42   using separate channels for...

G06F 21/604   Tools and structures for ma...

H04L 63/083   using passwords cryptograph...

H04L 63/0869   for achieving mutual authen...

H04L 63/166   at the transport layer

Token recycling

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

210 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Token recycling

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

210 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links