System and methods for online authentication

US 8,943,311 B2
Filed: 11/04/2009
Issued: 01/27/2015
Est. Priority Date: 11/04/2008
Status: Active Grant

First Claim

Patent Images

1. A method of establishing a communication channel between a network client and a computer server over a network, the network client being configured to communicate with the computer server over the network and to communicate with a token manager, the token manager being configured with a parent digital certificate associated with the token manager, the method comprising:

one of the token manager and the network client generating a credential from the parent digital certificate, the credential being associated with the computer server, wherein the parent digital certificate includes a public encryption key, and wherein generating the credential comprises;

the token manager generating a pseudo-random code; and

the one of the token manager and the network client generating a child digital certificate from the parent digital certificate;

incorporating the pseudo-random code in the child digital certificate; and

the one of the token manager and the network client signing the child digital certificate with a private encryption key unique to the token manager and uniquely associated with the public encryption key,wherein the private encryption key and the public encryption key comprise an asymmetric encryption key pair, and wherein the credential comprises the signed child digital certificate;

the one of the token manager and the network client transmitting the credential to the computer server; and

the network client establishing the communications channel with the computer server in accordance with, an outcome of a determination of validity of the credential by the computer server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of establishing a communication channel between a network client and a computer server over a network is described. The network client may be configured to communicate with the computer server over the network and to communicate with a token manager. The token manager may be configured with a parent digital certificate that is associated with the token manager. The token manager or network client generates a credential from the parent digital certificate, and transmits the credential to the computer server. The credential may be associated with the computer server. The network client may establish the communications channel with the computer server in accordance with an outcome of a determination of validity of the credential by the computer server.

Citations

19 Claims

1. A method of establishing a communication channel between a network client and a computer server over a network, the network client being configured to communicate with the computer server over the network and to communicate with a token manager, the token manager being configured with a parent digital certificate associated with the token manager, the method comprising:
- one of the token manager and the network client generating a credential from the parent digital certificate, the credential being associated with the computer server, wherein the parent digital certificate includes a public encryption key, and wherein generating the credential comprises;
  
  the token manager generating a pseudo-random code; and
  
  the one of the token manager and the network client generating a child digital certificate from the parent digital certificate;
  
  incorporating the pseudo-random code in the child digital certificate; and
  
  the one of the token manager and the network client signing the child digital certificate with a private encryption key unique to the token manager and uniquely associated with the public encryption key,wherein the private encryption key and the public encryption key comprise an asymmetric encryption key pair, and wherein the credential comprises the signed child digital certificate;
  
  the one of the token manager and the network client transmitting the credential to the computer server; and
  
  the network client establishing the communications channel with the computer server in accordance with, an outcome of a determination of validity of the credential by the computer server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method according to claim 1, wherein the credential generating comprises the one of the token manager and the network client receiving data from a hardware token, interfaced with the token manager, and incorporating the data of the hardware token into the credential.
  - 3. The method according to claim 1, wherein the credential generating comprises the one of the token manager and the network client receiving data from a hardware token, interfaced with the token manager, comparing the data of the hardware token with expected data, and generating the credential in accordance with an outcome of the hardware token data comparing.
  - 4. The method according to claim 3, wherein the credential generating comprises the one of the token manager and the network client receiving the expected data from the computer server.
  - 5. The method, according to claim 1, further comprising the one of the token manager and the network client receiving a session token from the computer server, and the credential generating comprises the one of the token manager and the network client incorporating the session token into the child digital certificate.
  - 6. The method according to claim 5, wherein the pseudo-random code is verifiable by the computer server.
  - 7. The method according to claim 1, wherein the parent digital certificate is uniquely associated with the token manager and the computer server.
  - 8. The method according to claim 1, wherein the establishing the communications channel comprises receiving a server digital certificate from the computer server, and establishing a mutually-authenticated encrypted communications channel using the server digital certificate after the one of the token manager and the network client validates the server digital certificate.
  - 9. The method according to claim 8, further comprising, prior to establishing the encrypted communications channel, the one of the token manager and the network client receiving a signed message from the computer server and authenticating the computer server by verifying the signed message from the server digital certificate, and the credential generating comprises the one of the token manager and the network client generating the credential in accordance with an outcome of the computer server authenticating.
  - 10. The method according to claim 9, wherein the digitally-signed message includes a server pseudo-random code, and the computer server authenticating comprises the one of the token manager and the network client comparing the server pseudo-random code with a pseudo-random code expected for the computer server.
  - 11. A non-transitory computer-readable medium comprising computer processing instructions stored thereon for execution by a computer, the computer processing instructions, when executed by the computer, causing the computer to perform the method of claim 1.

12. A communications device comprising;
- an interface configured to interface the communications device to a computer;
  
  a memory storing a parent digital certificate associated with the communications device; and
  
  a data processor coupled to the interface and the memory, the data processor being configured to;
  
  (i) generate a credential from the parent digital certificate, the credential being associated with a computer server in communication with the computer, wherein the parent digital certificate includes a public encryption key, and wherein in order to generate the credential, the data processor is configured to;
  
  generate a pseudo-random code,generate a child digital certificate from the parent digital certificate,incorporate the pseudo-random code in the child digital certificate, andsign the child digital certificate with a private encryption key unique to the communications device and uniquely associated with the public encryption key,wherein the private encryption key and the public encryption key comprise an asymmetric encryption key pair, and wherein the credential comprises the signed child digital certificate;
  
  (ii) initiate transmission of the credential to the computer server; and
  
  (iii) facilitate establishment of a communications channel between the computer and the computer server in accordance with an outcome of a determination of validity of the credential by the computer server.

13. A method of establishing a communication channel between a network client and a computer server over a network, the network client being configured to communicate with the computer server over the network and to communicate with a token manager, the token manager being configured with a parent digital certificate associated with the token manager, the method comprising:
- the computer server receiving a credential from one of the token manager and the network client;
  
  the computer server determining a validity of the credential, the determining the validity of the credential comprising verifying that the credential comprises a child digital certificate that incorporates a pseudo-random code generated by the token manager, that the child digital certificate is generated from the parent digital certificate, and that the credential is associated with the computer server, wherein the parent digital certificate includes a public encryption key, wherein the determining the validity of the credential comprises verifying that the credential was signed with a private encryption key unique to the token manager and uniquely associated with the public encryption key, the private encryption key and the public encryption key comprising an asymmetric encryption key pair; and
  
  in accordance with an outcome of the determining the validity of the credential, the computer server establishing the communications channel with the network client.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The method according to claim 13, wherein the credential comprises data associated with a hardware token interfaced with the token manager, and the determining the validity of the credential comprises comparing the data of the hardware token with expected data.
  - 15. The method according to claim 14, further comprising transmitting a session token from the computer server to the one of the token manager and the network client, and the determining the validity of the credential comprises comparing the transmitted session token with a session token included in the credential.
  - 16. The method according to claim 14, wherein the determining the validity of the credential comprises comparing the pseudo-random code included in the credential with an expected pseudo-random code,
  - 17. The method according to claim 14, wherein the determining the validity of the credential comprises verifying that the credential is uniquely associated with the token manager and the computer server.
  - 18. The method according to claim 14, wherein the establishing the communications channel comprises, in accordance with the outcome of the determining the validity of the credential, the computer server transmitting a server digital certificate to the network client and establishing a mutually-authenticated encrypted communications channel with the network client using the credential and the server digital certificate.
  - 19. A non-transitory computer-readable medium comprising computer processing instructions stored thereon for execution by a computer, the computer processing instructions, when executed by the computer, causing the computer to perform the method of claim 14.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecureKey Technologies, Inc. (Gen Digital Inc.)
Original Assignee
SecureKey Technologies, Inc. (Gen Digital Inc.)
Inventors
Ronda, Troy Jacob, Roberge, Pierre Antoine, Engel, Patrick Hans, McIver, Rene, Wolfond, Gregory Howard, Boysen, Andre Michel
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Ambaye, Samuel

Application Number

US13/127,672
Publication Number

US 20120072718A1
Time in Patent Office

1,910 Days
Field of Search

713/156, 726/6, 726/9
US Class Current

713/156
CPC Class Codes

G06F 21/00   Security arrangements for p...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

H04L 9/3234   involving additional secure...

H04L 9/3263   involving certificates, e.g...

System and methods for online authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and methods for online authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links