System and methods for online authentication

US 9,160,732 B2
Filed: 10/31/2013
Issued: 10/13/2015
Est. Priority Date: 11/04/2008
Status: Active Grant

First Claim

Patent Images

1. A method of authenticating a network client to a computer server, the network client being configured to communicate with the computer server over a network and to communicate with a token manager, the token manager being configured to receive data originating from a hardware token interfaced with the token manager, the method comprising:

transmitting user login credentials to the computer server;

receiving authenticator identifying data from the computer server in response to transmission of the user login credentials;

determining that the authenticator identifying data matches identifying data for one of the token manager and the network clients;

one of the token manager and the network client generating a credential associated with the token manager, and transmitting the credential to the computer server, wherein the token manager is configured with a parent digital certificate associated with the token manager, the parent digital certificate including a public encryption key, and the credential generating comprises;

the one of the token manager and the network client generating the credential from the parent digital certificate;

the one of the token manager and the network client generating a child digital certificate from the parent digital certificate and signing the child digital certificate with a private encryption key uniquely associated with the public encryption key, the private encryption key and the public encryption key comprising an asymmetric encryption key pair;

the one of the token manager and the network client generating a pseudo-random code, and incorporating the pseudo-random code into the child digital certificate, the pseudo-random code being verifiable by the computer server; and

the network client receiving an authentication payload from the computer server in accordance with a validity of the credential and the data of the hardware token, the authentication payload facilitating authentication of the network client to the computer server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of establishing a communication channel between a network client and a computer server over a network is described. The network client may be configured to communicate with the computer server over the network and to communicate with a token manager. The token manager may be configured with a parent digital certificate that is associated with the token manager. The token manager or network client generates a credential from the parent digital certificate, and transmits the credential to the computer server. The credential may be associated with the computer server. The network client may establish the communications channel with the computer server in accordance with an outcome of a determination of validity of the credential by, the computer server.

51 Citations

View as Search Results

18 Claims

1. A method of authenticating a network client to a computer server, the network client being configured to communicate with the computer server over a network and to communicate with a token manager, the token manager being configured to receive data originating from a hardware token interfaced with the token manager, the method comprising:
- transmitting user login credentials to the computer server;
  
  receiving authenticator identifying data from the computer server in response to transmission of the user login credentials;
  
  determining that the authenticator identifying data matches identifying data for one of the token manager and the network clients;
  
  one of the token manager and the network client generating a credential associated with the token manager, and transmitting the credential to the computer server, wherein the token manager is configured with a parent digital certificate associated with the token manager, the parent digital certificate including a public encryption key, and the credential generating comprises;
  
  the one of the token manager and the network client generating the credential from the parent digital certificate;
  
  the one of the token manager and the network client generating a child digital certificate from the parent digital certificate and signing the child digital certificate with a private encryption key uniquely associated with the public encryption key, the private encryption key and the public encryption key comprising an asymmetric encryption key pair;
  
  the one of the token manager and the network client generating a pseudo-random code, and incorporating the pseudo-random code into the child digital certificate, the pseudo-random code being verifiable by the computer server; and
  
  the network client receiving an authentication payload from the computer server in accordance with a validity of the credential and the data of the hardware token, the authentication payload facilitating authentication of the network client to the computer server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, wherein the transmitting the credential comprises the one of the token manager and the network client determining a validity of the data of the hardware token, and transmitting the credential and the data of the hardware token in accordance with an outcome of the determining the validity of the data of the hardware token.
  - 3. The method according to claim 2, wherein the determining the validity of the data of the hardware token comprises the one of the token manager and the network client comparing the data of the hardware token with expected data received from the computer server.
  - 4. The method according to claim 1, wherein the credential generating comprises the one of the token manager and the network client incorporating the data of the hardware token into the credential.
  - 5. The method according to claim 1, wherein the credential is uniquely associated with the token manager and the computer server.
  - 6. The method according to claim 1, wherein the hardware token is associated with an entity other than the computer server.
  - 7. The method according to claim 1, wherein the credential generating comprises the one of the token manager and the network client signing the pseudo-random code with the private key uniquely associated with the public encryption key.
  - 8. The method according to claim 1, further comprising the one of the token manager and the network client receiving a server digital certificate associated with the computer server, and the generating the credential comprises the one of the token manager and the network client generating the credential after validating the server digital certificate.
  - 9. The method according to claim 8, further comprising, prior to the network client receiving the authentication payload from the computer server, the one of the token manager and the network client receiving a signed message from the computer server and authenticating the computer server by verifying the signed message from the server digital certificate, and the generating the credential comprises the one of the token manager and the network client generating the credential in accordance with an outcome of the computer server authenticating.
  - 10. The method according to claim 9, wherein the digitally-signed message includes a server pseudo-random code, and the computer server authenticating comprises the one of the token manager and the network client comparing the server pseudo-random code with a pseudo-random code expected for the computer server.

11. A non-transitory computer-readable medium comprising computer processing instructions stored thereon for execution by a computer, the computer processing instructions, when executed by the computer, causing the computer to perform a method of authenticating a network client to a computer server, the network client being configured to communicate with the computer server over a network and to communicate with a token manager, the token manager being configured to receive data originating from a hardware token interfaced with the token manager, the method comprising:
- transmitting user login credentials to the computer server;
  
  receiving authenticator identifying data from the computer server in response to transmission of the user login credentials;
  
  determining that the authenticator identifying data matches identifying data for one of the token manager and the network clients;
  
  one of the token manager and the network client generating a credential associated with the token manager, and transmitting the credential to the computer server, wherein the token manager is configured with a parent digital certificate associated with the token manager, the parent digital certificate including a public encryption key, and the credential generating comprises;
  
  the one of the token manager and the network client generating the credential from the parent digital certificate;
  
  the one of the token manager and the network client generating a child digital certificate from the parent digital certificate and signing the child digital certificate with a private encryption key uniquely associated with the public encryption key, the private encryption key and the public encryption key comprising an asymmetric encryption key pair;
  
  the one of the token manager and the network client generating a pseudo-random code, and incorporating the pseudo-random code into the child digital certificate, the pseudo-random code being verifiable by the computer server; and
  
  the network client receiving an authentication payload from the computer server in accordance with a validity of the credential and the data of the hardware token, the authentication payload facilitating authentication of the network client to the computer server.

12. A method of authenticating a network client to a computer server, the network client being configured to communicate with the computer server over a network and to communicate with a token manager, the method comprising:
- the computer server receiving user login credentials from the network client;
  
  the computer server retrieving authenticator identifying data associated with the user login credentials;
  
  the computer server transmitting the authenticator identifying data to the network client;
  
  the computer server receiving a credential from one of the token manager and the network client, wherein the token manager is configured with a parent digital certificate associated with the token manager, the parent digital certificate includes a public encryption key, and wherein the credential is generated by;
  
  the one of the token manager and the network client generating the credential from the parent digital certificate;
  
  the one of the token manager and the network client generating a child digital certificate from the parent digital certificate and signing the child digital certificate with a private encryption key uniquely associated with the public encryption key, the private encryption key and the public encryption key comprising an asymmetric encryption key pair; and
  
  the one of the token manager and the network client generating a pseudo-random code, and incorporating the pseudo-random code into the child digital certificate, the pseudo-random code being verifiable by the computer server; and
  
  the computer server transmitting an authentication payload to the network client in accordance with a determination of validity of the credential and data originating from a hardware token interfaced with the token manager, the authentication payload facilitating authentication of the network client to the computer server, wherein the determination of the validity comprises;
  
  verifying that the credential was signed with the private encryption key uniquely associated with the public encryption key; and
  
  comparing the pseudo-random code included in the credential with an expected pseudo-random code.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method according to claim 12, wherein the determination of the validity comprises the computer server comparing the data of the hardware token with expected data.
  - 14. The method according to claim 13, wherein the determination of the validity comprises the computer server verifying that the credential is associated with the token manager.
  - 15. The method according to claim 13, wherein the determination of the validity comprises the computer server verifying that the credential is uniquely associated with the token manager and the computer server.
  - 16. The method according to claim 12, further comprising transmitting a session token from the computer server to the one of the token manager and the network client, and the determination of the validity comprises comparing the transmitted session token with a session token included in the credential.
  - 17. The method according to claim 12, wherein the determination of validity of the credential and the data of the hardware token comprises a determination of a correlation between identifying data of the token manager and identifying data of the hardware token, and a previous token manager-hardware token association.

18. A non-transitory computer-readable medium comprising computer processing instructions stored thereon for execution by a computer server, the computer processing instructions, when executed by the computer server, causing the computer server to perform a method of authenticating a network client to the computer server, the network client being configured to communicate with the computer server over a network and to communicate with a token manager, the method comprising:
- the computer server receiving user login credentials from the network client;
  
  the computer server retrieving authenticator identifying data associated with the user login credentials;
  
  the computer server transmitting the authenticator identifying data to the network client;
  
  the computer server receiving a credential from one of the token manager and the network client, wherein the token manager is configured with a parent digital certificate associated with the token manager, the parent digital certificate includes a public encryption key, and wherein the credential is generated by;
  
  the one of the token manager and the network client generating the credential from the parent digital certificate;
  
  the one of the token manager and the network client generating a child digital certificate from the parent digital certificate and signing the child digital certificate with a private encryption key uniquely associated with the public encryption key, the private encryption key and the public encryption key comprising an asymmetric encryption key pair; and
  
  the one of the token manager and the network client generating a pseudo-random code, and incorporating the pseudo-random code into the child digital certificate, the pseudo-random code being verifiable by the computer server; and
  
  the computer server transmitting an authentication payload to the network client in accordance with a determination of validity of the credential and data originating from a hardware token interfaced with the token manager, the authentication payload facilitating authentication of the network client to the computer server, wherein the determination of the validity comprises;
  
  verifying that the credential was signed with the private encryption key uniquely associated with the public encryption key; and
  
  comparing the pseudo-random code included in the credential with an expected pseudo-random code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecureKey Technologies, Inc. (Gen Digital Inc.)
Original Assignee
SecureKey Technologies, Inc. (Gen Digital Inc.)
Inventors
Ronda, Troy Jacob, Roberge, Pierre Antoine, Engel, Patrick Hans, McIver, Rene, Wolfond, Greg, Boysen, Andre
Primary Examiner(s)
BROWN, CHRISTOPHER J

Application Number

US14/068,586
Publication Number

US 20140059348A1
Time in Patent Office

712 Days
Field of Search

726/9, 726/10, 726/20, 713/175, 713/176
US Class Current

1/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless network architectu...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

H04L 9/3234   involving additional secure...

H04L 9/3263   involving certificates, e.g...

System and methods for online authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

51 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and methods for online authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links