Key management using quasi out of band authentication architecture

US 9,197,406 B2
Filed: 02/21/2014
Issued: 11/24/2015
Est. Priority Date: 04/19/2011
Status: Active Grant

First Claim

Patent Images

1. A system to provide key management layered on a quasi out-of-band authentication system, comprising:

a communications port configured to (i) receive, via a communication channel from a network device associated with a user, a request for activation of a user interface window for that particular user at the network device, (ii) transmit, to an out-of-band authentication system, an activation personal identification number (PIN) to be forwarded to a communications device associated with the user via a voice or text message, and (iii) receive, via the communication channel from the network device, the previously transmitted activation PIN; and

a processor configured to (i) authenticate the user based on the received activation PIN, (ii) establish, on top of the communication channel after authenticating the user, a secure, independent, encrypted communication channel between the user interface window and the security server; and

(iii) at least one of (a) generate and direct transmission, to the user interface window, via the communications port and the secure, independent, encrypted communication channel, key material for cryptography based operations and (b) receive from the user interface window via the secure, independent, encrypted communication channel and the communications port, key material for cryptography based operations.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To provide key management layered on a quasi-out-of-band authentication system, a security server receives a request for activation of a user interface window for a particular user from a network device via a communication channel. It then transmits an activation PIN to an out of band authentication system for forwarding to the user'"'"'s telephone via a voice or text message. It next receives the previously transmitted PIN from the network device via the communication channel, and authenticates the user based on the received PIN. After authenticating the user, it establishes a secure, independent, encrypted communication channel between the user interface window and the security server on top of the original communication channel. It then generates and transmits to the user interface window and/or receives from the user interface window via the secure communication channel, key material and certificate material for public key and/or symmetric key cryptography based operations.

64 Citations

View as Search Results

20 Claims

1. A system to provide key management layered on a quasi out-of-band authentication system, comprising:
- a communications port configured to (i) receive, via a communication channel from a network device associated with a user, a request for activation of a user interface window for that particular user at the network device, (ii) transmit, to an out-of-band authentication system, an activation personal identification number (PIN) to be forwarded to a communications device associated with the user via a voice or text message, and (iii) receive, via the communication channel from the network device, the previously transmitted activation PIN; and
  
  a processor configured to (i) authenticate the user based on the received activation PIN, (ii) establish, on top of the communication channel after authenticating the user, a secure, independent, encrypted communication channel between the user interface window and the security server; and
  
  (iii) at least one of (a) generate and direct transmission, to the user interface window, via the communications port and the secure, independent, encrypted communication channel, key material for cryptography based operations and (b) receive from the user interface window via the secure, independent, encrypted communication channel and the communications port, key material for cryptography based operations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system according to claim 1, wherein:
    - the key material is for symmetric key cryptography based operations and is generated and directed to be transmitted by the processor, and further comprising;
      
      the port is further configured to receive, from the user interface window or a network site, an authenticated request containing unique identifying information associated with the user or with a file;
      
      the processor is further configured to generate, using a one way function, a unique symmetric key K, wherein the value of the key K is derived from the received unique identifying information and a secret known only to the security server; and
      
      the port is further configured to transmit, to the requester, the generated symmetric key K.
  - 3. The system according to claim 1, wherein:
    - the communications port is further configured to at least one of (A) (i) receive, from a network site, a transaction and a request for digital signing of the transaction, (ii) transmit, to the user interface window via the secure, independent, encrypted communication channel, the transaction and a request for a digital signature, (iii) receive, from the user interface window via the secure, independent, encrypted communication channel, a hash of the transmitted transaction digitally signed with a private key Du of a private/public key pair Du/Pu associated with the user, and (iv) transmit to the network site, the received digitally signed hash of the transaction and a certificate, with explicit or implicit instructions for the network site to verify the digital signature by recomputing the hash and comparing it with the hash recovered from the transmitted digitally signed hash by applying the user'"'"'s public key Pu included in the transmitted certificate to the transmitted digitally signed hash, and (B) transmit, to the user interface window for presentation to the user, via the secure, independent, encrypted communication channel, a signature PIN with which to electronically sign the transaction presented in a browser window displayed at the network device; and
      
      if the communications port is further configured to receive the transaction and the request for digital signing of the transaction, the processor is further configured to perform public key cryptography based operations to obtain a digital signature on the transaction.
  - 4. The system according to claim 3, wherein the signature PIN corresponds to a secret shared by the security server and the network site, but not by the user.
  - 5. The system according to claim 3, wherein:
    - if the communications port receives the transaction and the request for digital signing of the transaction, the communications port is further configured to (i) receive, from the user interface window via the secure, independent, encrypted communication channel, the public key Pu, (ii) transmit to the user interface window via the secure, independent, encrypted communication channel, (a) the certificate signed by the processor or an external authenticating authority and associating the user with the received public key Pu, and (b) instructions for storage of the certificate and the user'"'"'s private key Du; and
      
      the instructions explicitly or implicitly instruct the user interface window to manage storage of the user'"'"'s private key Du and the signed certificate (i) in memory, or (ii) in the key store of an operating system of the network device, or (iii) both for the benefit of other local applications.
  - 6. The system according to claim 1, wherein:
    - the processor is further configured to perform symmetric key cryptography based operations, and the symmetric key cryptography based operations include sharing encryption keys;
      
      the communications port is further configured to receive, from a network site, a request for one or more encryption keys associated with particular combinations of sender identification, recipient identification and document identification, collectively referred to as DocumentlD;
      
      the processor is further configured to generate one or more symmetric encryption keys for each DocumentlD, based on a one way function, the DocumentlD, a secret known only to the processor and other information;
      
      the communications port is further configured to (i) transmit, to the network site, the encryption keys, with explicit or implicit instructions to encrypt the document represented by the applicable DocumentlD with the appropriate encryption key or keys and to transmit the encrypted document to the user, and (ii) receive, from software, other than the user interface window, that is operating on the network device and being used to open the encrypted document represented by the applicable DocumentlD, a request, including the applicable DocumentlD, for the one or more symmetric encryption keys required to decrypt the encrypted document represented by the applicable DocumentlD;
      
      the processor is further configured to (i) recompute, or receive via the communications port, the applicable one or more symmetric encryption keys, and (ii) direct transmission, to the user interface window via the communications port, the recomputed or received applicable one or more symmetric encryption keys, with explicit or implicit instructions to present the applicable one or more symmetric encryption keys to the user for entry into the software to decrypt the encrypted document represented by the applicable DocumentlD.
  - 7. The system according to claim 6, wherein the request for the one or more symmetric encryption keys from the software is received via a network site which is in communication with the software attempting to open the encrypted document.
  - 8. The system, according to claim 6, wherein:
    - the processor receives the applicable one or more symmetric encryption keys from a network site which is in communication with the software attempting to open the document; and
      
      the applicable one or more symmetric encryption keys directed to be transmitted to the user interface window are the applicable one or more symmetric encryption keys received from the network site.
  - 9. The system according to claim 1, wherein:
    - the processor performs symmetric key cryptography based operations, and the symmetric key cryptography based operations include providing a seed for token authenticator hardware or software;
      
      the communications port is further configured to receive, from the user interface window, a request for a token seed, and at least one of (i) a user identifier and (ii) a token identifier for which the seed is requested;
      
      the processor is further configured to generate the seed, based on a one way function, the at least one identifier, a secret known only to the processor and other information; and
      
      the communications port is further configured to transmit, to the user interface window via the secure, independent, encrypted communication channel, the generated seed, with explicit or implicit instructions to either (i) present the transmitted seed to the user on the user interface window display for entry by the user into a seeding interface of the token or (ii) enter the transmitted seed into the seeding interface of the token directly without user intervention.
  - 10. A system according to claim 9, wherein the transmitted seed is an intermediate seed for processing by the token software to generate the final seed.

11. An article of manufacture for providing key management layered on a quasi out-of-band authentication system, comprising:
- non transitory storage media; and
  
  logic stored on the storage media, wherein the stored logic is configured to be executable by a computer and thereby cause the computer to operate so as to;
  
  receive, via a communication channel from a network device associated with a user, a request for activation of a user interface window for that particular user at the network device;
  
  transmit, to an out of band authentication system, an activation personal identification number (PIN) to be forwarded to the user'"'"'s telephone via a voice or text message;
  
  receive, via the communication channel from the network device, the previously transmitted activation PIN;
  
  authenticate the user based on the received activation PIN;
  
  establish, on top of the communication channel after authenticating the user, a secure, independent, encrypted communication channel between the user interface window and the security server; and
  
  at least one of (i) generate and transmit to the user interface window via the secure, independent, encrypted communication channel key material for cryptography based operations and (ii) receiving from the user interface window via the secure, independent, encrypted communication channel, key material for cryptography based operations.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The article of manufacture according to claim 11, wherein:
    - the key material is for symmetric key cryptography based operations and is generated and transmitted by the computer; and
      
      execution of the stored logic thereby causes the computer to operate so as to also (i) receive, from the user interface window or a network site, an authenticated request containing unique identifying information associated with the user or with a file, (ii) generate, using a one way function, a unique symmetric key K, wherein the value of the key K is derived from the received unique identifying information and a secret known only to the security server, and (iii) transmit, to the requester, the generated symmetric key K.
  - 13. The article of manufacture according to claim 11, wherein:
    - execution of the stored logic thereby causes the computer to operate so as to at least one of (A) (i) perform public key cryptography based operations to obtain a digital signature on a transaction, (ii) receive, from a network site, the transaction and a request for digital signing of the transaction, (iii) transmit, to the user interface window via the secure, independent, encrypted communication channel, the transaction and a request for a digital signature, (iv) receive, from the user interface window via the secure, independent, encrypted communication channel, a hash of the transmitted transaction digitally signed with a private key Du of a private/public key pair Du/Pu associated with the user, and (v) transmit to the network site, the received digitally signed hash of the transaction and a certificate, with explicit or implicit instructions for the network site to verify the digital signature by recomputing the hash and comparing it with the hash recovered from the transmitted digitally signed hash by applying the user'"'"'s public key Pu included in the transmitted certificate to the transmitted digitally signed hash, and (B) transmit, to the user interface window, for presentation to the user, via the secure, independent, encrypted communication channel, a signature PIN with which to electronically sign the transaction presented in a browser window displayed at the network device.
  - 14. The article of manufacture according to claim 13, wherein the signature PIN corresponds to a secret shared by the security server and the network site, but not by the user.
  - 15. The article of manufacture according to claim 13, wherein:
    - if execution of the stored logic causes the computer to operate so as to perform public key cryptography based operations to obtain a digital signature on a transaction, execution of the stored logic thereby causes the computer to operate so as to also (i) receive, from the user interface window via the secure, independent, encrypted communication channel, the public key Pu, and (ii) transmit to the user interface window via the secure, independent, encrypted communication channel, the certificate signed by the computer or an external authenticating authority and associating the user with the received public key Pu, and instructions for storage of the certificate and the user'"'"'s private key Du;
      
      the instructions explicitly or implicitly instruct the user interface window to manage storage of the user'"'"'s private key Du and the signed certificate (i) in memory, or (ii) in the key store of an operating system of the network device, or (iii) both for the benefit of other local applications.
  - 16. The article of manufacture according to claim 11, wherein:
    - execution of the stored logic thereby causes the computer to operate so as to (i) perform symmetric key cryptography based operations, including sharing encryption keys, (ii) receive, from a network site, a request for one or more encryption keys associated with particular combinations of sender identification, recipient identification and document identification, collectively referred to as DocumentlD, (iii) generate one or more symmetric encryption keys for each DocumentlD, based on a one way function, the DocumentlD, a secret known only to the computer and other information, (iv) transmit, to the network site, the encryption keys, with explicit or implicit instructions to encrypt the document represented by the applicable DocumentlD with the appropriate encryption key or keys and to transmit the encrypted document to the user, (v) receive, from software, other than the user interface window, that is operating on the network device and being used to open the encrypted document represented by the applicable DocumentlD, a request, including the applicable DocumentlD, for the one or more symmetric encryption keys required to decrypt the encrypted document represented by the applicable DocumentlD, (vi) recompute or receive the applicable one or more symmetric encryption keys; and
      
      (vii) transmit, to the user interface window, the recomputed or received applicable one or more symmetric encryption keys, with explicit or implicit instructions to present the applicable one or more symmetric encryption keys to the user for entry into the software to decrypt the encrypted document represented by the applicable DocumentlD.
  - 17. The article of manufacture according to claim 16, wherein the request for the one or more symmetric encryption keys from the software is received via a network site which is in communication with the software attempting to open the encrypted document.
  - 18. The article of manufacture according to claim 16, wherein:
    - execution of the stored logic thereby causes the computer to operate so as to also receive the applicable one or more symmetric encryption keys from a network site which is in communication with the software attempting to open the document; and
      
      the applicable one or more symmetric encryption keys transmitted to the user interface window are the applicable one or more symmetric encryption keys received from the network site.
  - 19. A article of manufacture according to claim 11, wherein execution of the stored logic thereby causes the computer to operate so as to (i) perform symmetric key cryptography based operations, including providing a seed for token authenticator hardware or software, (ii) receive, from the user interface window, a request for a token seed, and at least one of (a) a user identifier and (b) a token identifier for which the seed is requested, (iii) generate the seed based on a one way function, the at least one identifier, a secret known only to the computer and other information, and (iv) transmit, to the user interface window via the secure, independent, encrypted communication channel, the generated seed, with explicit or implicit instructions to either (a) present the transmitted seed to the user on the user interface window display for entry by the user into a seeding interface of the token or (b) enter the transmitted seed into the seeding interface of the token directly without user intervention.
  - 20. A article of manufacture according to claim 19, wherein the transmitted seed is an intermediate seed for processing by the token software to generate the final seed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Payfone Incorporated
Original Assignee
Authentify, Inc. (Early Warning Services, LLC)
Inventors
Ganesan, Ravi
Primary Examiner(s)
CHAO, MICHAEL W

Application Number

US14/187,097
Publication Number

US 20140173284A1
Time in Patent Office

641 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/0838   using one-time-passwords

H04L 63/0853   using an additional device,...

H04L 63/126   the source of the received ...

H04L 63/1483   service impersonation, e.g....

H04L 63/18   using different networks or...

H04L 9/0819   Key transport or distributi...

H04L 9/3215   using a plurality of channe...

H04L 9/3226   using a predetermined code,...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

H04W 12/041   Key generation or derivation

H04W 12/0431   Key distribution or pre-dis...

H04W 12/0433   Key management protocols

Key management using quasi out of band authentication architecture

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

64 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Key management using quasi out of band authentication architecture

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

64 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links