One-time passcodes with asymmetric keys

US 9,235,697 B2
Filed: 03/05/2013
Issued: 01/12/2016
Est. Priority Date: 03/05/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

enrolling, by a device, a user in a system based on at least user information, the device including a processor system having at least one processor and a memory system, the memory system having a nontransitory memory;

storing the user information in the memory system of the device; and

at a completion of the enrolling, generating asymmetric keys and a registration code based on quantum information from a semiconductor that detects the arrival of photons, the registration code being a sequence of symbols or bits;

wherein the asymmetric keys include a user key and an administrator key, which are different from one another, the user key being required to perform one or more operations on a physical token or in a secure area of the device, the administrator key being required to perform one or more operations on at least one backend server, the backend server including a second processor system having at least one processor and a second memory system;

wherein the administrator key is generated based on information provided by the user;

wherein it is mathematically intractable to guess the user key from the administrator key;

andwherein it is mathematically intractable to guess the administrator key from the user key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Protecting the security of an entity by using passcodes is disclosed. A user'"'"'s passcode device generates a passcode. In an embodiment, the passcode is generated in response to receipt of user information. The passcode is received by another system, which authenticates the passcode by at least generating a passcode from a passcode generator, and comparing the generated passcode with the received passcode. The passcode is temporary. At a later use a different passcode is generated from a different passcode generator. In these embodiments, there are asymmetric secrets stored on the passcode device and by the administrator. This adds more security so that if the backend servers are breached, the adversary cannot generate valid passcodes. In some embodiments, the passcode depends on the rounded time.

102 Citations

View as Search Results

52 Claims

1. A method comprising:
- enrolling, by a device, a user in a system based on at least user information, the device including a processor system having at least one processor and a memory system, the memory system having a nontransitory memory;
  
  storing the user information in the memory system of the device; and
  
  at a completion of the enrolling, generating asymmetric keys and a registration code based on quantum information from a semiconductor that detects the arrival of photons, the registration code being a sequence of symbols or bits;
  
  wherein the asymmetric keys include a user key and an administrator key, which are different from one another, the user key being required to perform one or more operations on a physical token or in a secure area of the device, the administrator key being required to perform one or more operations on at least one backend server, the backend server including a second processor system having at least one processor and a second memory system;
  
  wherein the administrator key is generated based on information provided by the user;
  
  wherein it is mathematically intractable to guess the user key from the administrator key;
  
  andwherein it is mathematically intractable to guess the administrator key from the user key.
- View Dependent Claims (2, 3, 4, 5, 6, 34, 35, 36, 37, 48, 49)
- - 2. The method of claim 1, further comprising:
    - encrypting information based with the user key, such that the information is decryptable with the administrator key.
  - 3. The method of claim 1, further comprising:
    - generating a passcode generator by applying a function to the registration code, the passcode generator being a string of characters or other form of a code;
      
      generating a temporary passcode by applying a one-way function to the passcode generator; and
      
      encrypting the temporary passcode with the user key to create an encrypted passcode.
  - 4. The method of claim 1 wherein said semiconductor is a single photon avalanche diode.
  - 5. The method of claim 3, wherein the temporary passcode is dependent on time, wherein the one way function has at least two inputs, one of the two inputs is for entering the passcode generator and the other of the two inputs is for the time, and the generating of the temporary passcode by applying the one-way function to the passcode generator, includes at least applying the one-way function to the passcode generator and to the time.
  - 6. The method of claim 1, wherein the enrolling is performed on a mobile phone.
  - 34. The method of claim 1, wherein the user information is at least a biometric print, a Personal Identification Number (PIN), or a sequence of images.
  - 35. The method of claim 1, wherein the passcode device is a standalone device.
  - 36. The method of claim 1, further comprising:
    - receiving, by the device from a sensor, at least one biometric print from the user before the enrolling, the sensor being on the device; and
      
      wherein generating the asymmetric keys and the registration code includes generating the asymmetric keys and the registration code based on at least one biometric print.
  - 37. The method of claim 3, wherein the temporary passcode is dependent on a rounded timestamp, the rounded timestamp being rounded to nearest 90 seconds.
  - 48. The method of claim 1, further comprising generating the photon by a light emitting diode that is close enough to the semiconductor to ensure that at least one photon arrives at the semiconductor within a predetermined time period.
  - 49. The method of claim 48, the light emitting diode and the semiconductor that detects the photons of the light emitting diode being associated with the same device.

7. A method comprising:
- generating, by the device, asymmetric keys based on collected user information, the asymmetric keys including a user key and an administrator key, which are different from one another, the device including a processor system having at least one processor and a memory system;
  
  generating, via the device, a passcode that is valid temporarily and is based on information associated with a user;
  
  encrypting the passcode with the user key, to form an encrypted passcode, the encrypted passcode requiring the administrator key to decrypt the passcode; and
  
  sending, by the device to an administrator machine, the passcode to determine whether an attempted access is permitted;
  
  wherein the user key is required to perform one or more operations on a physical token or in a secure area of the device, the administrator key is required to perform one or more operations on at least one backend server, the backend server including a second processor system having at least one processor and a second memory system;
  
  the administrator machine being associated with the backend server;
  
  wherein it is mathematically intractable to guess the user key from the administrator key;
  
  andwherein it is mathematically intractable to guess the administrator key from the user key.
- View Dependent Claims (8, 9, 10, 38, 39, 40, 41)
- - 8. The method of claim 7, wherein authenticating the user includes displaying visual images for the user to select;
    - wherein at least one of said images is an animal, place, or an object.
  - 9. The method of claim 7, wherein the generating of the passcode based on the user key includes generating the passcode from a passcode generator and the user key, the passcode generator being a string of characters or other form of a code.
  - 10. The method of claim 7, wherein the generating of the passcode based on the user key includes generating the passcode from the passcode generator and a timestamp.
  - 38. The method of claim 7, wherein authenticating the user includes receiving the user'"'"'s biometric print and matching the biometric print with a biometric template stored in the memory system of the device.
  - 39. The method of claim 7, wherein the passcode is generated from a registration code, the registration code being a sequence of symbols or bits and generated from collected user information.
  - 40. The method of claim 7, wherein the asymmetric keys are generated based on zener noise.
  - 41. The method of claim 7, wherein the user key is stored on a physical token or in a secure area of the device;
    - and wherein the administrator key is stored on the administrator machine.

11. A method comprising:
- generating, at a user machine, a code that is valid temporarily, the code being generated from a function that has time as an input to the function to which the function is applied to generate the code, the user machine including a processor system having at least one processor and a memory system;
  
  encrypting, by the processor system of the user machine, the code with a user key, therein forming an encrypted code;
  
  sending the encrypted code, from the user machine to an administrator machine;
  
  receiving at the user machine from the administrator machine a determination of whether an attempted access of a secure entity is permitted, based on the encrypted code, which was encrypted with the user key;
  
  wherein the user key and an administrator key form a pair of asymmetric keys, which are different from one another, the user key being required to perform one or more operations on a physical token or in a secure area of the user machine, the administrator key being required to perform one or more operations on at least one backend server, the backend server being associated with the administrator machine, the backend server including a second processor system having at least one processor and a second memory system;
  
  wherein the administrator key is generated based on information provided by the user;
  
  wherein it is mathematically intractable to guess the user key from the administrator key;
  
  andwherein it is mathematically intractable to guess the administrator key from the user key.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 42, 43)
- - 12. The method of claim 11, further comprising:
    - sending, to the administrator machine from the user machine, the administrator key;
      
      the administrator key being unique to the user; and
      
      the administrator key being required by the administrator machine for decrypting code, the encrypted code, which was encrypted with the user key.
  - 13. The method of claim 11, wherein said code also depends upon information derived from a process implemented by physical device that contains a photon detector, where the process involves detecting the photons arriving at the photon detector.
  - 14. The method of claim 11, further comprising:
    - enrolling the user in a security system that includes the machine;
      
      creating, by the machine, the user key; and
      
      wherein the user key is only created after a successful enrollment of the user.
  - 15. The method of claim 11, further comprising:
    - storing the user key in a mobile phone.
  - 16. The method of claim 11, further comprising:
    - storing the user key in a smart card chip.
  - 17. The method of claim 11, wherein the code is only valid after an identification of a user based at least on the user'"'"'s biometric prints.
  - 42. The method of claim 11, wherein the code is only valid after an identification of a user based at least on the user'"'"'s selection of visual images.
  - 43. The method of claim 11, wherein the code is only valid after an identification of a user based at least on the user'"'"'s entry of a PIN.

18. A system comprising:
- at least one nontransitory machine-readable medium storing instructions that cause one or more processors to perform a method including at least determining, by a machine, whether an encrypted submitted passcode is valid, where the encrypted submitted passcode was encrypted with a user key, by at least generating, by the machine, a generated passcode from a passcode generator and, the machine including at least a processor system having at least one processor and memory system;
  
  decrypting the encrypted submitted passcode without access to the user key, therein producing the submitted passcode;
  
  comparing, by the processor system, the submitted passcode to the generated passcode; and
  
  if the submitted passcode matches the generated passcode, granting, by the machine, access to a secure entity;
  
  wherein the user key and an administrator key form an asymmetric key pair, which are different from one another, the user key being required to perform one or more operations on a physical token or in a secure area of a user device, the administrator key being required to perform one or more operations on at least one backend server, the machine being associated with the backend server, the user device including a second processor system having at least one processor and a second memory system;
  
  wherein the administrator key is generated based on information provided by the user;
  
  wherein it is mathematically intractable to guess the user key from the administrator key;
  
  andwherein it is mathematically intractable to guess the administrator key from the user key.
- View Dependent Claims (19, 20, 21, 22, 23, 44, 45)
- - 19. The system of claim 18, further comprising:
    - decrypting the encrypted submitted passcode with the administrator key;
      
      the administrator key being unique to the user.
  - 20. The system of claim 18, wherein the method further includes encrypting the submitted passcode before the comparing by the processor system, the submitted passcode to the generated passcode.
  - 21. The system of claim 20, wherein administrator key is used to decrypt the encrypted, submitted passcode.
  - 22. The system of claim 18, wherein the method further including generating the submitted passcode after at least biometric print of a user is acquired.
  - 23. The system of claim 18, wherein the method further including generating the submitted passcode on a chip inside a mobile phone.
  - 44. The system of claim 18, wherein the method further includes generating the submitted passcode after at least the user selects some visual images.
  - 45. The system of claim 18, wherein the method further includes generating the submitted passcode after at least the user enters a PIN.

24. A system comprising:
- at least one nontransitory machine-readable medium storing instructions that cause one or more processors to perform a method including at leastreceiving, by a machine, a submitted passcode, the machine including at least a processor system having at least one processor and a memory system, the submitted passcode being encrypted when submitted;
  
  generating, by the machine, a generated passcode from a timestamp and generating by the machine an administrator key;
  
  decrypting, by the machine, the submitted passcode with the administrator key to form a decrypted passcode;
  
  after the decrypting, comparing, by the machine, the decrypted passcode to the generated passcode; and
  
  if the decrypted passcode matches the generated passcode, then granting, by the machine, access to a secure entity;
  
  wherein the administrator key and a user key form a pair of asymmetric keys, which are different from one another, the user key being required to perform one or more operations on a physical token or in a secure area of a user device, the administrator key being required to perform one or more operations on at least one backend server associated with the machine, the user device including a second processor system having at least one processor and a second memory system;
  
  wherein the administrator key is generated based on information provided by the user;
  
  wherein it is mathematically intractable to guess the user key from the administrator key;
  
  andwherein it is mathematically intractable to guess the administrator key from the user key.
- View Dependent Claims (25)
- - 25. The system of claim 24, wherein submitted passcode is encrypted with a user key.

26. A method comprising:
- generating a registration code, at a user machine, based on a Diffie-Hellman exchange, the machine including a processor system having one or more processors and a memory system having a non-transient memory;
  
  wherein the user machine and an administrator machine that grants access to a secure entity both derive the same passcode generator from the registration code; and
  
  generating a pair of asymmetric keys;
  
  wherein the asymmetric keys include a user key and an administrator key, which are different from one another, the user key being required to perform one or more operations on a physical token or in a secure area of the device, the administrator key being required to perform one or more operations on at least one backend server, the backend server being associated the administrator machine, the backend server including a second processor system having at least one processor and a second memory system;
  
  wherein the administrator key is generated based on information provided by the user;
  
  wherein it is mathematically intractable to guess the user key from the administrator key;
  
  andwherein it is mathematically intractable to guess the administrator key from the user key.

27. A method comprising:
- acquiring identifying information or unpredictable information;
  
  generating at least one registration code and at least one key by at least applying a first method to the identifying or unpredictable information or both, the at least one key being one key of a pair of asymmetric keys;
  
  wherein the first method is of a type such that computing the identifying or unpredictable information from the registration code is computationally intractable;
  
  submitting the registration code to a system that is distinct from where the acquiring occurred;
  
  generating a passcode generator from the registration code, at a device where the acquiring occurred, by at least applying a second method to the registration code;
  
  wherein the second method is of a type such that computing the registration code from the passcode generator is computationally intractable; and
  
  storing the passcode generator and key at the device;
  
  wherein the asymmetric keys include a user key and an administrator key, which are different from one another, the user key being required to perform one or more operations on a physical token or in a secure area of the device, the administrator key being required to perform one or more operations on at least one backend server, the backend server including a second processor system having at least one processor and a second memory system;
  
  wherein the administrator key is generated based on information provided by the user;
  
  wherein it is mathematically intractable to guess the user key from the administrator key;
  
  andwherein it is mathematically intractable to guess the administrator key from the user key.
- View Dependent Claims (46, 47)
- - 46. The system of claim 27, wherein the registration code is a sequence of symbols or bits.
  - 47. The system of claim 27, wherein the passcode generator is a string of characters or other form of a code similar to the registration code.

28. A system comprising:
- a nontransitory machine-readable medium storing thereon instructions for an Application Program Interface (API) having an argument for a passcode generator, an administrator key, and a user ID, the passcode generator being a string of characters;
  
  wherein the passcode generator and administrator key are values generated from user information by applying a one-way function; and
  
  wherein the passcode generator and administrator key are values from which deriving the user information is expected to be intractable;
  
  wherein the administrator key and a user key form a pair of asymmetric keys, which are different from one another, the user key being required to perform one or more operations on a physical token or in a secure area of the device, the administrator key being required to perform one or more operations on at least one backend server, the backend server including a second processor system having at least one processor and a second memory system;
  
  wherein the administrator key is generated based on information provided by the user;
  
  wherein it is mathematically intractable to guess the user key from the administrator key;
  
  andwherein it is mathematically intractable to guess the administrator key from the user key.
- View Dependent Claims (29, 30, 31, 32)
- - 29. The system of claim 28, further comprising a database storing one or more passcode generators and administrator keys indexed according to user ID.
  - 30. The system of claim 28, wherein the machine-readable medium stores thereon installation instructions, which cause one or more processors to perform a method including at least:
    - installing the instructions for the API on another system, andreceiving an input from which a decision is made as to whether;
      
      to store the passcode generator and administrator key in a preexisting database, orto set aside a storage space for the passcode generator and administrator key, wherein the storage space is unrelated to any preexisting database.
  - 31. The system of claim 30, wherein the installation instructions cause the one or more processors to offer a choice, and the input is the reply to the offer.
  - 32. The system of claim 28 wherein for each user ID a positive integer is also stored in the database that indicates how many times the said passcode generator has been updated by the administrator.

33. A system comprising:
- a nontransitory machine-readable medium storing thereon machine instructions for generating, by a machine, an Application Program Interface (API) having an argument for an administrator key, time information, and a user ID, the machine including a processor system having one or more processors and a memory system, the administrator key being required for one or more operations on a backend server the backend server having a processor system having one more processors and a memory system,wherein the administrator key is a value generated from user information or random information or both, andwherein the administrator key is a value from which deriving the user information is expected to be intractable;
  
  wherein the asymmetric keys include a user key and an administrator key, which are different from one another, the user key being required to perform one or more operations on a physical token or in a secure area of a user device;
  
  wherein the administrator key is generated based on information provided by the user;
  
  wherein it is mathematically intractable to guess the user key from the administrator key;
  
  andwherein it is mathematically intractable to guess the administrator key from the user key.

50. A method comprising:
- receiving at a passcode device user identifying information, the passcode device having a processor system including one or more processor and a memory system;
  
  storing user identifying information in the memory system of the passcode device;
  
  generating, by the passcode device, a first code, the first code being generated based on the user identifying information;
  
  sending, by the passcode device, the first code to an administrator system that grants access to a secure entity;
  
  receiving, from the administrator system, a second code;
  
  generating, by the passcode device, a common registration code from the first code and the second code; and
  
  generating, by the passcode device, a passcode generator from the common registration code, the passcode generator being a string of characters or other form of a code;
  
  wherein the passcode device and the administrator system both derive the same passcode generator from the common registration code;
  
  generating asymmetric keys;
  
  wherein the asymmetric keys include a user key and an administrator key, which are different from one another, the user key being required to perform one or more operations on a physical token or in a secure area of the device, the administrator key being required to perform one or more operations on at least one backend server, the backend server including a second processor system having at least one processor and a second memory system;
  
  wherein the administrator key is generated based on information provided by the user;
  
  wherein it is mathematically intractable to guess the user key from the administrator key;
  
  andwherein it is mathematically intractable to guess the administrator key from the user key.
- View Dependent Claims (51, 52)
- - 51. The method of claim 50, wherein the first code and the second code are generated based on the quantum information from a photon detector.
  - 52. The claim of method 51, wherein said photon detector is made from a semiconductor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Biogy, Inc.
Original Assignee
Biogy, Inc.
Inventors
Fiske, Michael Stephen
Primary Examiner(s)
Patel, Nirav B
Assistant Examiner(s)
FIELDS, COURTNEY D

Application Number

US13/785,766
Publication Number

US 20140201536A1
Time in Patent Office

1,043 Days
Field of Search

713/183, 726/18
US Class Current

1/1
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

H04L 9/0816   Key establishment, i.e. cry...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0844   with user authentication or...

H04L 9/3228   One-time or temporary data,...

H04L 9/3231   Biological data, e.g. finge...

One-time passcodes with asymmetric keys

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

102 Citations

52 Claims

Specification

Solutions

Use Cases

Quick Links

One-time passcodes with asymmetric keys

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

102 Citations

52 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links