Systems and methods to secure user identification

US 8,838,982 B2
Filed: 09/20/2012
Issued: 09/16/2014
Est. Priority Date: 09/21/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, in a computing apparatus, a request from a user device, the request including a user identifier and user information provided by the user device, the user identifier configured to representing a user of the user device;

extracting, by the computing apparatus, a digital signature from the user identifier, the digital signature generated by a partner device separated from the user device and the computing apparatus;

generating, by the computing apparatus, a dataset based at least on the user information received in the request; and

verifying, by the computing apparatus, the dataset against the digital signature extracted from the user identifier, wherein the verifying of the dataset against the digital signature comprisescombining, by the computing apparatus, the dataset with a secret shared between the computing apparatus and the partner device to generate a combined dataset;

applying, by the computing apparatus, a cryptographic one-way hash function on the combined dataset to generate a hash result; and

comparing, by the computing apparatus, the hash result with the digital signature to determine whether the hash result matches with the digital signature; and

rejecting, by the computing apparatus, the request if the dataset fails verification against the digital signature.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one aspect, a computing apparatus is configured to verify a digital signature applied on a set of data received from a user device, including an user ID assigned by a partner system to uniquely identify a user of the user device among customers of the partner system, and a user device identifier identifying the user device. The digital signature is generated via applying a cryptographic one-way hash function on a combination of the set of data and a secret, shared between the computing apparatus and the partner system via a secure communication channel separate from a channel used to receive the set of data.

Citations

19 Claims

1. A computer-implemented method, comprising:
- receiving, in a computing apparatus, a request from a user device, the request including a user identifier and user information provided by the user device, the user identifier configured to representing a user of the user device;
  
  extracting, by the computing apparatus, a digital signature from the user identifier, the digital signature generated by a partner device separated from the user device and the computing apparatus;
  
  generating, by the computing apparatus, a dataset based at least on the user information received in the request; and
  
  verifying, by the computing apparatus, the dataset against the digital signature extracted from the user identifier, wherein the verifying of the dataset against the digital signature comprisescombining, by the computing apparatus, the dataset with a secret shared between the computing apparatus and the partner device to generate a combined dataset;
  
  applying, by the computing apparatus, a cryptographic one-way hash function on the combined dataset to generate a hash result; and
  
  comparing, by the computing apparatus, the hash result with the digital signature to determine whether the hash result matches with the digital signature; and
  
  rejecting, by the computing apparatus, the request if the dataset fails verification against the digital signature.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - extracting a user identification from the user identifier, the user identification assigned by the partner device to uniquely represent the user of the user device among a plurality of users of the partner device;
      
      wherein the dataset including the user identification assigned by the partner device.
  - 3. The method of claim 2, wherein the secret is not communicated through the user device.
  - 4. The method of claim 2, wherein the digital signature comprises a hash of the combined dataset.
  - 5. The method of claim 1, wherein the user information includes a user identification assigned by the partner device to uniquely represent the user of the user device among a plurality of users of the partner device.
  - 6. The method of claim 1, wherein the cryptographic one-way hash function is based on SHA-256 designed by the National Security Agency (NSA) and published in 2001 by the National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard.
  - 7. The method of claim 1, wherein the user information includes an identification of the user device extracted from the request received from the user device.
  - 8. The method of claim 7, wherein the user information includes information submitted from the user device to the partner device and verified by the partner device.
  - 9. The method of claim 7, wherein the user information includes information assigned by the partner device to the user device.
  - 10. The method of claim 1, further comprising:
    - communicating the secret between the computing apparatus and the partner device using a secure, out-of-band channel that does not go through the user device, wherein the digital signature is generated using the secret.
  - 11. The method of claim 1, wherein the secret represents the partner device in the digital signature provided in the user identifier.

12. A non-transitory computer storage medium storing instructions configured to instruct a user device to at least:
- communicate with a first computing apparatus to exchange user information;
  
  prior to communicate with a second computing apparatus, request a user identifier from the first computing apparatus, wherein the user identifier includes a digital signature generated by the first computing apparatus;
  
  transmit a request to the second computing apparatus, the request including the user information and the user identifier, wherein the user identifier configured to representing a user of the user device, and the second computing apparatus is configured to determine whether or not to reject the request based on verifying a dataset generated based on the user information against the digital signature included in the user identifier, wherein the verifying of the dataset against the digital signature comprisescombining the dataset with a secret shared between the second computing apparatus and the first computing apparatus to generate a combined dataset;
  
  applying a cryptographic one-way hash function on the combined dataset to generate a hash result; and
  
  comparing the hash result with the digital signature to determine whether the hash result matches with the digital signature.
- View Dependent Claims (13, 14, 15)
- - 13. The computer storage medium of claim 12, wherein the instructions are configured to instruct the user device to provide at least a portion of the user information to the first computing apparatus and to the second computing apparatus separately.
  - 14. The computer storage medium of claim 12, wherein the request is transmitted to the second computing apparatus in response to an instruction from the first computing apparatus.
  - 15. The computing storage medium of claim 12, wherein the user information includes a communication reference of the user to receive communications on the user device;
    - and the user identifier includes an identification assigned by the first computing apparatus to uniquely identify the user among a plurality of users of the first computing apparatus.

16. A computing device, comprising:
- a least one processor;
  
  a memory storing instructions configured to instruct the at least one processor to;
  
  authenticate a user of a user device;
  
  communicate with the user device to identify user information;
  
  forming a dataset including the user information;
  
  generate a digital signature on the dataset by using a secret to represent the computing device;
  
  generate a user identifier for the user using the digital signature; and
  
  provide the user identifier to the user device to represent the user;
  
  wherein the user device is configured to use the user identifier to identify the user in a communication with a separate computing apparatus separate from the user device and the computing device, the communication configured to provide the user information to the separate computing apparatus; and
  
  wherein the digital signature provided in the user identifier is usable by the separate computing apparatus to validate the user information provided in the communication bycombining the dataset with the secret shared between the separate computing apparatus and the computing device to generate a combined dataset;
  
  applying a cryptographic one-way hash function on the combined dataset to generate a hash result; and
  
  comparing the hash result with the digital signature to determine whether the hash result matches with the digital signature.
- View Dependent Claims (17, 18, 19)
- - 17. The computing device of claim 16, wherein the instructions are further configured to instruct the at least one processor to assign a user identification to the user of the user device to uniquely identify the user among a plurality of users of the computing device;
    - and the user identifier includes the user identification.
  - 18. The computing device of claim 17, wherein the user device comprises a mobile phone;
    - and the user information includes a phone number of the mobile phone.
  - 19. The computing device of claim 18, wherein the memory stores the secret that is shared between the computing apparatus and the computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa International Service Association (Visa, Inc.)
Original Assignee
Visa International Service Association (Visa, Inc.)
Inventors
Carlson, Mark, Bankston, Michael Steven, Jogi, Kalpana, Gallagher, Timothy, Panagiotides, Alesia
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
Alata, Ayoub

Application Number

US13/623,784
Publication Number

US 20130073859A1
Time in Patent Office

726 Days
Field of Search

713/176, 726/26, 726/27, 726/28, 726/29, 726/10
US Class Current

713/176
CPC Class Codes

G06F 16/9535   Search customisation based ...

G06Q 20/325   using wireless networks

G06Q 20/3825   Use of electronic signatures

G06Q 20/387   Payment using discounts or ...

G06Q 20/389   Keeping log of transactions...

G06Q 20/4014   Identity check for transact...

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 63/12   Applying verification of th...

H04L 63/123   received data contents, e.g...

H04L 67/10   in which an application is ...

H04L 9/3215   using a plurality of channe...

H04L 9/3242   involving keyed hash functi...

H04L 9/3247   involving digital signatures

Systems and methods to secure user identification

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods to secure user identification

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links