One-time passcodes with asymmetric keys
First Claim
1. A method comprising:
- enrolling, by a device, a user in a system based on at least user information, the device including a processor system having at least one processor and a memory system, the memory system having a nontransitory memory;
storing the user information in the memory system of the device; and
at a completion of the enrolling, generating asymmetric keys and a registration code based on quantum information from a semiconductor that detects the arrival of photons, the registration code being a sequence of symbols or bits;
wherein the asymmetric keys include a user key and an administrator key, which are different from one another, the user key being required to perform one or more operations on a physical token or in a secure area of the device, the administrator key being required to perform one or more operations on at least one backend server, the backend server including a second processor system having at least one processor and a second memory system;
wherein the administrator key is generated based on information provided by the user;
wherein it is mathematically intractable to guess the user key from the administrator key;
andwherein it is mathematically intractable to guess the administrator key from the user key.
1 Assignment
0 Petitions
Accused Products
Abstract
Protecting the security of an entity by using passcodes is disclosed. A user'"'"'s passcode device generates a passcode. In an embodiment, the passcode is generated in response to receipt of user information. The passcode is received by another system, which authenticates the passcode by at least generating a passcode from a passcode generator, and comparing the generated passcode with the received passcode. The passcode is temporary. At a later use a different passcode is generated from a different passcode generator. In these embodiments, there are asymmetric secrets stored on the passcode device and by the administrator. This adds more security so that if the backend servers are breached, the adversary cannot generate valid passcodes. In some embodiments, the passcode depends on the rounded time.
102 Citations
52 Claims
-
1. A method comprising:
-
enrolling, by a device, a user in a system based on at least user information, the device including a processor system having at least one processor and a memory system, the memory system having a nontransitory memory; storing the user information in the memory system of the device; and
at a completion of the enrolling, generating asymmetric keys and a registration code based on quantum information from a semiconductor that detects the arrival of photons, the registration code being a sequence of symbols or bits;wherein the asymmetric keys include a user key and an administrator key, which are different from one another, the user key being required to perform one or more operations on a physical token or in a secure area of the device, the administrator key being required to perform one or more operations on at least one backend server, the backend server including a second processor system having at least one processor and a second memory system; wherein the administrator key is generated based on information provided by the user; wherein it is mathematically intractable to guess the user key from the administrator key; and wherein it is mathematically intractable to guess the administrator key from the user key. - View Dependent Claims (2, 3, 4, 5, 6, 34, 35, 36, 37, 48, 49)
-
-
7. A method comprising:
-
generating, by the device, asymmetric keys based on collected user information, the asymmetric keys including a user key and an administrator key, which are different from one another, the device including a processor system having at least one processor and a memory system; generating, via the device, a passcode that is valid temporarily and is based on information associated with a user; encrypting the passcode with the user key, to form an encrypted passcode, the encrypted passcode requiring the administrator key to decrypt the passcode; and sending, by the device to an administrator machine, the passcode to determine whether an attempted access is permitted; wherein the user key is required to perform one or more operations on a physical token or in a secure area of the device, the administrator key is required to perform one or more operations on at least one backend server, the backend server including a second processor system having at least one processor and a second memory system; the administrator machine being associated with the backend server; wherein it is mathematically intractable to guess the user key from the administrator key; and wherein it is mathematically intractable to guess the administrator key from the user key. - View Dependent Claims (8, 9, 10, 38, 39, 40, 41)
-
-
11. A method comprising:
-
generating, at a user machine, a code that is valid temporarily, the code being generated from a function that has time as an input to the function to which the function is applied to generate the code, the user machine including a processor system having at least one processor and a memory system; encrypting, by the processor system of the user machine, the code with a user key, therein forming an encrypted code; sending the encrypted code, from the user machine to an administrator machine; receiving at the user machine from the administrator machine a determination of whether an attempted access of a secure entity is permitted, based on the encrypted code, which was encrypted with the user key; wherein the user key and an administrator key form a pair of asymmetric keys, which are different from one another, the user key being required to perform one or more operations on a physical token or in a secure area of the user machine, the administrator key being required to perform one or more operations on at least one backend server, the backend server being associated with the administrator machine, the backend server including a second processor system having at least one processor and a second memory system; wherein the administrator key is generated based on information provided by the user; wherein it is mathematically intractable to guess the user key from the administrator key; and wherein it is mathematically intractable to guess the administrator key from the user key. - View Dependent Claims (12, 13, 14, 15, 16, 17, 42, 43)
-
-
18. A system comprising:
-
at least one nontransitory machine-readable medium storing instructions that cause one or more processors to perform a method including at least determining, by a machine, whether an encrypted submitted passcode is valid, where the encrypted submitted passcode was encrypted with a user key, by at least generating, by the machine, a generated passcode from a passcode generator and, the machine including at least a processor system having at least one processor and memory system; decrypting the encrypted submitted passcode without access to the user key, therein producing the submitted passcode; comparing, by the processor system, the submitted passcode to the generated passcode; and if the submitted passcode matches the generated passcode, granting, by the machine, access to a secure entity; wherein the user key and an administrator key form an asymmetric key pair, which are different from one another, the user key being required to perform one or more operations on a physical token or in a secure area of a user device, the administrator key being required to perform one or more operations on at least one backend server, the machine being associated with the backend server, the user device including a second processor system having at least one processor and a second memory system; wherein the administrator key is generated based on information provided by the user; wherein it is mathematically intractable to guess the user key from the administrator key; and wherein it is mathematically intractable to guess the administrator key from the user key. - View Dependent Claims (19, 20, 21, 22, 23, 44, 45)
-
-
24. A system comprising:
-
at least one nontransitory machine-readable medium storing instructions that cause one or more processors to perform a method including at least receiving, by a machine, a submitted passcode, the machine including at least a processor system having at least one processor and a memory system, the submitted passcode being encrypted when submitted; generating, by the machine, a generated passcode from a timestamp and generating by the machine an administrator key; decrypting, by the machine, the submitted passcode with the administrator key to form a decrypted passcode; after the decrypting, comparing, by the machine, the decrypted passcode to the generated passcode; and if the decrypted passcode matches the generated passcode, then granting, by the machine, access to a secure entity; wherein the administrator key and a user key form a pair of asymmetric keys, which are different from one another, the user key being required to perform one or more operations on a physical token or in a secure area of a user device, the administrator key being required to perform one or more operations on at least one backend server associated with the machine, the user device including a second processor system having at least one processor and a second memory system; wherein the administrator key is generated based on information provided by the user; wherein it is mathematically intractable to guess the user key from the administrator key; and wherein it is mathematically intractable to guess the administrator key from the user key. - View Dependent Claims (25)
-
-
26. A method comprising:
-
generating a registration code, at a user machine, based on a Diffie-Hellman exchange, the machine including a processor system having one or more processors and a memory system having a non-transient memory; wherein the user machine and an administrator machine that grants access to a secure entity both derive the same passcode generator from the registration code; and generating a pair of asymmetric keys; wherein the asymmetric keys include a user key and an administrator key, which are different from one another, the user key being required to perform one or more operations on a physical token or in a secure area of the device, the administrator key being required to perform one or more operations on at least one backend server, the backend server being associated the administrator machine, the backend server including a second processor system having at least one processor and a second memory system; wherein the administrator key is generated based on information provided by the user; wherein it is mathematically intractable to guess the user key from the administrator key; and wherein it is mathematically intractable to guess the administrator key from the user key.
-
-
27. A method comprising:
-
acquiring identifying information or unpredictable information; generating at least one registration code and at least one key by at least applying a first method to the identifying or unpredictable information or both, the at least one key being one key of a pair of asymmetric keys; wherein the first method is of a type such that computing the identifying or unpredictable information from the registration code is computationally intractable; submitting the registration code to a system that is distinct from where the acquiring occurred; generating a passcode generator from the registration code, at a device where the acquiring occurred, by at least applying a second method to the registration code; wherein the second method is of a type such that computing the registration code from the passcode generator is computationally intractable; and storing the passcode generator and key at the device; wherein the asymmetric keys include a user key and an administrator key, which are different from one another, the user key being required to perform one or more operations on a physical token or in a secure area of the device, the administrator key being required to perform one or more operations on at least one backend server, the backend server including a second processor system having at least one processor and a second memory system; wherein the administrator key is generated based on information provided by the user; wherein it is mathematically intractable to guess the user key from the administrator key; and wherein it is mathematically intractable to guess the administrator key from the user key. - View Dependent Claims (46, 47)
-
-
28. A system comprising:
-
a nontransitory machine-readable medium storing thereon instructions for an Application Program Interface (API) having an argument for a passcode generator, an administrator key, and a user ID, the passcode generator being a string of characters; wherein the passcode generator and administrator key are values generated from user information by applying a one-way function; and wherein the passcode generator and administrator key are values from which deriving the user information is expected to be intractable; wherein the administrator key and a user key form a pair of asymmetric keys, which are different from one another, the user key being required to perform one or more operations on a physical token or in a secure area of the device, the administrator key being required to perform one or more operations on at least one backend server, the backend server including a second processor system having at least one processor and a second memory system; wherein the administrator key is generated based on information provided by the user; wherein it is mathematically intractable to guess the user key from the administrator key; and wherein it is mathematically intractable to guess the administrator key from the user key. - View Dependent Claims (29, 30, 31, 32)
-
-
33. A system comprising:
-
a nontransitory machine-readable medium storing thereon machine instructions for generating, by a machine, an Application Program Interface (API) having an argument for an administrator key, time information, and a user ID, the machine including a processor system having one or more processors and a memory system, the administrator key being required for one or more operations on a backend server the backend server having a processor system having one more processors and a memory system, wherein the administrator key is a value generated from user information or random information or both, and wherein the administrator key is a value from which deriving the user information is expected to be intractable; wherein the asymmetric keys include a user key and an administrator key, which are different from one another, the user key being required to perform one or more operations on a physical token or in a secure area of a user device; wherein the administrator key is generated based on information provided by the user; wherein it is mathematically intractable to guess the user key from the administrator key; and wherein it is mathematically intractable to guess the administrator key from the user key.
-
-
50. A method comprising:
-
receiving at a passcode device user identifying information, the passcode device having a processor system including one or more processor and a memory system; storing user identifying information in the memory system of the passcode device; generating, by the passcode device, a first code, the first code being generated based on the user identifying information; sending, by the passcode device, the first code to an administrator system that grants access to a secure entity; receiving, from the administrator system, a second code; generating, by the passcode device, a common registration code from the first code and the second code; and generating, by the passcode device, a passcode generator from the common registration code, the passcode generator being a string of characters or other form of a code; wherein the passcode device and the administrator system both derive the same passcode generator from the common registration code; generating asymmetric keys; wherein the asymmetric keys include a user key and an administrator key, which are different from one another, the user key being required to perform one or more operations on a physical token or in a secure area of the device, the administrator key being required to perform one or more operations on at least one backend server, the backend server including a second processor system having at least one processor and a second memory system; wherein the administrator key is generated based on information provided by the user; wherein it is mathematically intractable to guess the user key from the administrator key; and wherein it is mathematically intractable to guess the administrator key from the user key. - View Dependent Claims (51, 52)
-
Specification