Back-end matching method supporting front-end knowledge-based probabilistic authentication systems for enhanced credential security

  • US 9,215,072 B1
  • Filed: 10/23/2012
  • Issued: 12/15/2015
  • Est. Priority Date: 10/23/2012
  • Status: Active Grant
First Claim
1. A method for knowledge-based probabilistic authentication of a client by server side resources, using a client identifier and a client credential having a number of elements, where each element of the credential represents a character that is mapped to a selected grid location parameter, indicated in a challenge, from a set of N×N grid parameters, the method comprising:

    storing data in a computer memory including a first data set for a client identifier including a representation of a client credential accessible by a first server in server side resources, wherein the representation includes at least one of processed credential elements generated from a one-way function of the at least one credential element and protected data, and wherein the protected data cannot be determined by the first server, and a second data set including at least part of said protected data accessible by a second server in the server side resources;

    sending from the first server, to authenticate a user, a set of N×N grid parameters (N as a greater than zero integer) of fields filled with random digital content different in each of a plurality of sessions and a challenge of a plurality of session values, and in response from the user, receiving using the first server via data communications, a client identifier and an authentication response corresponding to the challenge that comprises said plurality of session values and each of the plurality of session values can be specified as, at least, a character that is mapped to a selected grid location parameter, indicated in the challenge, from the set of N×N grid parameters;

    transforming in the server side resources, said session values of the authentication response into corresponding sets of intermediate values, each set in said sets of intermediate values having a member for the selected grid location parameter to which the corresponding session value of the response can be mapped, and sending said sets of intermediate values to the second server;

    generating a plurality of sets of processed credential element match values using the second server, wherein each set of processed credential element match values of the authentication response is derived based upon said one-way function of said protected data and a corresponding one of said sets of intermediate values, and sending said plurality of sets of processed credential element match values to the first server in an order different from an order in which the sets of intermediate values were received using the second server;

    determining using the first server, whether each of the sets of processed credential element match values includes one member that matches one of the processed credential elements in the representation of the client credential; and

    if all of the sets of processed credential element match values for a given authentication response include one member that matches one of the processed credential elements in the representation of the client credential, then signaling authentication success.
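The claim above describes a protocol rather than an implementation, so the following is an added simulation written for this page; it is not code from the patent or its assignee. It models the two server roles the claim separates: the first server stores only the processed credential elements and issues the random N×N digit grid, the second server holds only the protected data and applies the one-way function, and the match-value sets go back in a different order than they were received. HMAC-SHA256 as the one-way function, one key per client as the protected data, and the enrollment flow (the second server derives the processed elements once and keeps only the key) are assumptions; the claim names no primitive and no enrollment procedure.

```python
import hashlib
import hmac
import random
import secrets
from typing import Dict, List, Optional, Sequence

N = 5  # the grid is N x N; the claim only requires N > 0


def one_way(protected_key: bytes, grid_location: int) -> str:
    """The claim's one-way function over a grid location parameter and the
    protected data. HMAC-SHA256 is an assumption; the claim names no primitive."""
    return hmac.new(protected_key, str(grid_location).encode(), hashlib.sha256).hexdigest()


class SecondServer:
    """Holds the second data set: the protected data (one key per client) only."""

    def __init__(self, rng: Optional[random.Random] = None) -> None:
        self._keys: Dict[str, bytes] = {}
        self._rng = rng if rng is not None else random.SystemRandom()

    def enroll(self, client_id: str, credential: Sequence[int]) -> List[str]:
        # Enrollment flow is an assumption: this server generates the protected
        # data, derives the processed credential elements once, hands them to the
        # first server and keeps only the key. The plaintext grid locations are
        # stored nowhere.
        key = secrets.token_bytes(32)
        self._keys[client_id] = key
        return [one_way(key, loc) for loc in credential]

    def match_values(self, client_id: str, intermediate_sets: List[List[int]]) -> List[List[str]]:
        """One set of match values per set of intermediate values, returned in an
        order different from the order in which the sets were received."""
        key = self._keys[client_id]
        match_sets = [[one_way(key, loc) for loc in s] for s in intermediate_sets]
        order = list(range(len(match_sets)))
        if len(order) > 1:
            while order == list(range(len(order))):  # reshuffle until the order changed
                self._rng.shuffle(order)
        return [match_sets[i] for i in order]


class FirstServer:
    """Holds the first data set: client identifier -> processed credential
    elements. It never sees the protected data."""

    def __init__(self, second: SecondServer, rng: Optional[random.Random] = None) -> None:
        self._second = second
        self._rng = rng if rng is not None else random.SystemRandom()
        self._records: Dict[str, List[str]] = {}

    def enroll(self, client_id: str, credential: Sequence[int]) -> None:
        self._records[client_id] = self._second.enroll(client_id, credential)

    def make_challenge(self) -> List[str]:
        """N x N fields of random digits, drawn fresh for every session."""
        return [str(self._rng.randrange(10)) for _ in range(N * N)]

    def authenticate(self, client_id: str, challenge: Sequence[str], response: str) -> bool:
        record = self._records.get(client_id)
        if record is None or len(response) != len(record):
            return False
        # Transform each session value into the set of grid locations whose field
        # shows that character (the intermediate values). A digit normally appears
        # in several fields, which is what makes the scheme probabilistic: the
        # response alone does not reveal which locations the user actually chose.
        intermediate = [[loc for loc, field in enumerate(challenge) if field == ch] for ch in response]
        if any(not s for s in intermediate):
            return False  # a character that is not on the grid cannot be mapped
        match_sets = self._second.match_values(client_id, intermediate)
        stored = set(record)
        # Every returned set must contain one member equal to a stored processed
        # credential element. Because the sets come back shuffled, this server
        # cannot tell which set corresponds to which credential position.
        return all(any(m in stored for m in match_set) for match_set in match_sets)


def client_respond(challenge: Sequence[str], credential: Sequence[int]) -> str:
    """The user's side: read off the character shown at each secret grid location."""
    return "".join(challenge[loc] for loc in credential)


if __name__ == "__main__":
    rng = random.Random(7)  # seeded only so the demo run is reproducible
    second = SecondServer(rng)
    first = FirstServer(second, rng)
    first.enroll("alice", [3, 17, 8])  # constructed credential: three grid locations
    chal = first.make_challenge()
    for row in range(N):
        print(" ".join(chal[row * N:(row + 1) * N]))
    print("authentic  :", first.authenticate("alice", chal, client_respond(chal, [3, 17, 8])))
    print("bad length :", first.authenticate("alice", chal, "1"))
```

Two properties worth noticing when running it: the first server's records and the second server's keys are disjoint, so compromising either store alone yields neither the credential nor a way to compute match values; and because several grid fields usually show the same digit, a wrong response can still pass with a probability that depends on N and the alphabet size, which is the trade-off the word "probabilistic" in the claim refers to.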
