Method for generating a soft token, computer program product and service computer system

US 9,413,753 B2
Filed: 08/22/2012
Issued: 08/09/2016
Est. Priority Date: 09/02/2011
Status: Active Grant

First Claim

Patent Images

1. A method for generating a soft token, comprising:

making a secure element available, wherein a secret key of a first asymmetric cryptographic key pair is stored in a protected memory area of the secure element;

establishing a first cryptographically secure connection between an electronic device and a service computer system;

transmitting a request for the generation of a soft token from the electronic device to the service computer system via the first connection;

generating, by the service computer system, a one-time password after having received the request;

recording, by the service computer system, the one-time password as an identifier of the first connection;

transmitting the one-time password from the service computer system to the electronic device via the first connection;

outputting the one-time password via a user interface of the electronic device;

establishing a second cryptographically secure connection between a user computer system and the service computer system;

entering the one-time password into the user computer system;

transmitting the entered one-time password from the user computer system to the service computer system via the second connection; and

checking, by the service computer system, whether the recorded one-time password agrees with the one-time password received via the second connection, and only if this is the case reading at least one attribute stored in an ID token, generating the soft token by signing the at least one attribute and the public key of the first cryptographic key pair, transmitting the soft token to the electronic device via the first connection and/or transmitting the soft token to the user computer system via the second connection.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided for generating a soft token by which attributes of a user may be authenticated. A request to generate the soft token is transmitted from an electronic device of the user to a service provider computer via a first secure connection. After receiving the request, the service computer generates a one-time password, records the password as a session identifier, and transmits the password to the electronic device. The password is output by the electronic device via a user interface. The user enters the password into a user computer system, from where it is transmitted, via a second secure connection, to the service computer system. If the recorded password agrees with the received password, one or more attributes are read from an ID token of the user and a corresponding soft token is generated and transmitted to the electronic device or user computer system.

21 Citations

View as Search Results

17 Claims

1. A method for generating a soft token, comprising:
- making a secure element available, wherein a secret key of a first asymmetric cryptographic key pair is stored in a protected memory area of the secure element;
  
  establishing a first cryptographically secure connection between an electronic device and a service computer system;
  
  transmitting a request for the generation of a soft token from the electronic device to the service computer system via the first connection;
  
  generating, by the service computer system, a one-time password after having received the request;
  
  recording, by the service computer system, the one-time password as an identifier of the first connection;
  
  transmitting the one-time password from the service computer system to the electronic device via the first connection;
  
  outputting the one-time password via a user interface of the electronic device;
  
  establishing a second cryptographically secure connection between a user computer system and the service computer system;
  
  entering the one-time password into the user computer system;
  
  transmitting the entered one-time password from the user computer system to the service computer system via the second connection; and
  
  checking, by the service computer system, whether the recorded one-time password agrees with the one-time password received via the second connection, and only if this is the case reading at least one attribute stored in an ID token, generating the soft token by signing the at least one attribute and the public key of the first cryptographic key pair, transmitting the soft token to the electronic device via the first connection and/or transmitting the soft token to the user computer system via the second connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method according to claim 1, wherein a public key of the first key pair is stored in a readily readable memory area of the secure element, further comprising:
    - transmitting the public key from the secure element to the electronic device via a local connection;
      
      transmitting the public key from the electronic device to the service computer system via the first cryptographically secure connection;
      
      encrypting, by the service computer system, the one-time password with the public key, wherein the encrypted one-time password is transmitted from the service computer system to the electronic device via the first connection;
      
      transmitting the encrypted one-time password from the electronic device to the secure element via the local connection;
      
      decrypting, by the secure element, the one-time password with the secret key of the first key pair; and
      
      transmitting the decrypted one-time password from the secure element to the electronic device via the local connection for output by the electronic device.
  - 3. The method according to claim 1, wherein the service computer system comprises a first program component for generating the one-time password, for encrypting the one-time password, and for generating the soft token, and a second program component for receiving the one-time password from the user computer system, the first connection being established between the electronic device and the first program component, and the second connection being established between the user computer system and the second program component, the method further comprising:
    - transmitting the one-time password from the first program component to the second program component, the second program component checking whether the one-time password received from the first program component agrees with the one-time password received from the user computer system via the second connection;
      
      receiving, by the second program component, the at least one attribute that is read from the ID token; and
      
      transmitting the at least one attribute from the second program component to the first program component.
  - 4. The method according to claim 1, wherein the electronic device is a mobile terminal, in particular a mobile communication device, a mobile telephone, a smart phone, a portable computer or another mobile battery-operated terminal having a communication interface for establishing the local connection to the secure element.
  - 5. The method according to claim 1, wherein the user computer system performs the function of the electronic device, or the electronic device performs the function of the user computer system.
  - 6. A method according to claim 1, wherein reading the at least one attribute from the ID token comprises:
    - authenticating the user to the ID token;
      
      authenticating an ID provider computer system to the ID token; and
      
      after successful authentication of the user and of the ID provider computer system to the ID token, accessing for reading, by the ID provider computer system, the at least one attribute stored in the ID token via a third connection, and transmitting the at least one attribute from the ID provider computer system to the service computer system, the third connection between the ID token and the ID provider computer system being established via the user computer system using end-to-end encryption.
  - 7. The method according to claim 1, wherein the at least one attribute is signed by the ID provider computer system and transmitted to the service computer system via the user computer system.
  - 8. The method according to claim 7, wherein the ID provider computer system transmits the at least one attribute in the form of a SAML object to the service computer system.
  - 9. A method according to claim 1, wherein the soft token is generated by the service computer system by way of a blind signature or as a U-Prove token.
  - 10. A method according to claim 1, wherein a second asymmetric cryptographic key pair is associated with the soft token, the secret key of the second key pair being encrypted with the public key of the first key pair and stored in a memory of the electronic device.
  - 11. A method according to claim 1, wherein the ID token is a document comprising an electronic memory that is integrated into the document body, the at least one attribute being stored in the electronic memory.
  - 12. A method according to claim 1, wherein the electronic device is designed as a computer system, in particular as a PC, and the user computer system is designed as a mobile computer, in particular as a smart phone, a public key of the first key pair being stored in a readily readable memory area of the secure element, the method further comprising:
    - transmitting the public key from the secure element to the mobile computer via a local connection; and
      
      transmitting the public key and the entered one-time password from the mobile computer to the service computer system via the second cryptographically secure connection.
  - 13. A method according to claim 1, wherein the one-time password is output by displaying a machine-readable optical pattern on a display, and the one-time password is entered by electronically capturing the optical pattern.

14. A non-transitory computer-readable medium having computer-executable instructions that, when executed by a processor, cause the processor to perform a method for generating a soft token, the method comprising:
- establishing a first cryptographically secure connection to an electronic device;
  
  receiving a request for the generation of a soft token from the electronic device via the first connection;
  
  generating a one-time password after having received the request;
  
  transmitting the one-time password to the electronic device via the first connection;
  
  establishing a second cryptographically secure connection to a user computer system;
  
  receiving the one-time password from the user computer system via the second connection;
  
  checking whether the generated one-time password agrees with the received one-time password; and
  
  generating the soft token by signing at least one attribute that is read from an ID token and a public key associated with the secure element, and transmitting the soft token via the first connection to the electronic device and/or via the second connection to the user computer system, provided that the check showed that the generated and the received one-time passwords agree with each other.

15. A service computer system for generating a soft token that is tied to a secure element, comprising:
- a first network interface operable to provide a first cryptographically secure connection to an electronic device and operable to receive request for the generation of the soft token from the electronic device;
  
  a processor operable to generate a one-time password in response the request and operable to transmit the one-time password to the electronic device via the first connection; and
  
  a second network interface, a operable to provide a second cryptographically secure connection to a user computer system and operable to receive the one-time password from the user computer system via the second connection;
  
  wherein the processor is further operable to;
  
  check whether the generated one-time password agrees with the received one-time password; and
  
  to generate the soft token by signing at least one attribute that is read from an ID token and a public key associated with the secure element, andtransmit the soft token via the first connection to the electronic device and/or via the second connection to the user computer system, provided that the check showed that the generated and the received one-time passwords agree with each other.
- View Dependent Claims (16, 17)
- - 16. A data processing system comprising a service computer system according to claim 15 and an ID provider computer system, wherein the ID provider computer system comprises:
    - a network interface, operable to receive an attribute specification from the service computer system, the attribute specification specifying at least one attribute;
      
      a processor operable to authenticate the ID token; and
      
      operable to read the at least one attribute from the ID token via a protected connection using end-to-end encryption provided that a user associated with the ID token and the ID provider computer system have authenticated themselves with respect to the ID token.
  - 17. The data processing system according to claim 16, further comprising the secure element, wherein the secure element comprises a protected memory area in which a secret key of the first key pair is stored.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bundesdruckerei GmbH (Government of Germany)
Original Assignee
Bundesdruckerei GmbH (Government of Germany)
Inventors
Dietrich, Frank, Kraus, Micha
Primary Examiner(s)
Smithers, Matthew

Application Number

US14/241,909
Publication Number

US 20140215589A1
Time in Patent Office

1,448 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 21/41   where a single sign-on prov...

H04L 63/0407   wherein the identity of one...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/0838   using one-time-passwords

H04L 63/0853   using an additional device,...

H04L 63/18   using different networks or...

Method for generating a soft token, computer program product and service computer system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

21 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Method for generating a soft token, computer program product and service computer system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others