Method for generating a soft token, computer program product and service computer system
First Claim
1. A method for generating a soft token, comprising:
- making a secure element available, wherein a secret key of a first asymmetric cryptographic key pair is stored in a protected memory area of the secure element;
- establishing a first cryptographically secure connection between an electronic device and a service computer system;
- transmitting a request for the generation of a soft token from the electronic device to the service computer system via the first connection;
- generating, by the service computer system, a one-time password after having received the request;
- recording, by the service computer system, the one-time password as an identifier of the first connection;
- transmitting the one-time password from the service computer system to the electronic device via the first connection;
- outputting the one-time password via a user interface of the electronic device;
- establishing a second cryptographically secure connection between a user computer system and the service computer system;
- entering the one-time password into the user computer system;
- transmitting the entered one-time password from the user computer system to the service computer system via the second connection; and
- checking, by the service computer system, whether the recorded one-time password agrees with the one-time password received via the second connection, and only if this is the case reading at least one attribute stored in an ID token, generating the soft token by signing the at least one attribute and the public key of the first cryptographic key pair, transmitting the soft token to the electronic device via the first connection and/or transmitting the soft token to the user computer system via the second connection.
1 Assignment
0 Petitions
Abstract
A method is provided for generating a soft token by which attributes of a user may be authenticated. A request to generate the soft token is transmitted from an electronic device of the user to a service provider computer via a first secure connection. After receiving the request, the service computer generates a one-time password, records the password as a session identifier, and transmits the password to the electronic device. The password is output by the electronic device via a user interface. The user enters the password into a user computer system, from where it is transmitted, via a second secure connection, to the service computer system. If the recorded password agrees with the received password, one or more attributes are read from an ID token of the user and a corresponding soft token is generated and transmitted to the electronic device or user computer system.
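The service-side half of the flow in the abstract and in claim 1, written as an added example in Go; it is not code from the patent and the names (Service, RequestSoftToken, SubmitOTP, SoftToken, signingInput) are my own. The secure element's key pair and the service's signing key are stand-ins generated in memory, the ID token is replaced by a callback that returns constructed attributes, and ed25519 stands in for whatever signature scheme the service actually uses. What the example shows beyond the text: the one-time password is the only thing binding the device connection to the user computer connection, so the service burns it on first match, bounds its lifetime, and signs a length-prefixed encoding of attributes and public key so that a token cannot be re-cut to claim different attributes for the same key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"sync"
	"time"
)

// SoftToken is the service's signature over the attributes read from the ID token
// and the public key whose secret half is held in the secure element.
type SoftToken struct {
	Attributes []string
	PublicKey  ed25519.PublicKey
	Signature  []byte
}

// session is what the service records per one-time password (hypothetical layout).
type session struct {
	firstConn string    // identifier of the first (device) connection
	created   time.Time // for expiry; the OTP must not live forever
	used      bool      // single use: burned on the first successful match
}

// Service is a constructed model of the service computer system.
type Service struct {
	signKey ed25519.PrivateKey
	ttl     time.Duration
	mu      sync.Mutex
	pending map[string]*session // OTP -> recorded session
}

func NewService(signKey ed25519.PrivateKey, ttl time.Duration) *Service {
	return &Service{signKey: signKey, ttl: ttl, pending: map[string]*session{}}
}

// RequestSoftToken handles the request that arrived over the first connection:
// generate an OTP, record it as identifier of that connection, and return it so
// the caller can send it back to the device over the same connection.
func (s *Service) RequestSoftToken(firstConn string) (string, error) {
	var raw [10]byte // 80 bits from the system CSPRNG, shown as 16 base32 characters
	if _, err := rand.Read(raw[:]); err != nil {
		return "", err
	}
	otp := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(raw[:])
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[otp] = &session{firstConn: firstConn, created: time.Now()}
	return otp, nil
}

// SubmitOTP handles the OTP the user typed into the user computer, received over
// the second connection. Only a recorded, unexpired and still unused OTP lets the
// service read the ID token and sign attributes plus public key. The returned
// string is the first-connection identifier on which the token is delivered.
func (s *Service) SubmitOTP(otp string, sePub ed25519.PublicKey,
	readIDToken func() ([]string, error)) (*SoftToken, string, error) {
	s.mu.Lock()
	sess, ok := s.pending[otp]
	if !ok || sess.used || time.Since(sess.created) > s.ttl {
		s.mu.Unlock()
		return nil, "", errors.New("one-time password unknown, expired or already used")
	}
	sess.used = true // burn it before any side effect so a concurrent replay fails
	s.mu.Unlock()
	attrs, err := readIDToken() // stands in for reading the user's ID token
	if err != nil {
		return nil, "", err
	}
	sig := ed25519.Sign(s.signKey, signingInput(attrs, sePub))
	return &SoftToken{Attributes: attrs, PublicKey: sePub, Signature: sig}, sess.firstConn, nil
}

// signingInput is a length-prefixed, domain-separated encoding so that attribute
// boundaries and the key cannot be shifted against each other in a forged token.
func signingInput(attrs []string, pub ed25519.PublicKey) []byte {
	out := []byte("softtoken-v1")
	var n [4]byte
	for _, a := range attrs {
		binary.BigEndian.PutUint32(n[:], uint32(len(a)))
		out = append(out, n[:]...)
		out = append(out, a...)
	}
	return append(out, pub...)
}

// VerifySoftToken is the relying party's check of the service signature.
func VerifySoftToken(servicePub ed25519.PublicKey, t *SoftToken) bool {
	return ed25519.Verify(servicePub, signingInput(t.Attributes, t.PublicKey), t.Signature)
}

func main() {
	servicePub, servicePriv, _ := ed25519.GenerateKey(rand.Reader)
	sePub, _, _ := ed25519.GenerateKey(rand.Reader) // stand-in for the secure element's key pair
	svc := NewService(servicePriv, 2*time.Minute)
	otp, _ := svc.RequestSoftToken("device-conn-1") // displayed to the user on the device
	read := func() ([]string, error) { return []string{"given_name=Erika"}, nil } // constructed
	tok, conn, err := svc.SubmitOTP(otp, sePub, read)
	fmt.Println(conn, err, tok != nil && VerifySoftToken(servicePub, tok))
	_, _, err = svc.SubmitOTP(otp, sePub, read) // replay of the same OTP is refused
	fmt.Println(err)
}
```

The OTP here is 16 base32 characters, which is more than a user wants to type; a deployment that shortens it to a few digits has to compensate with a short TTL and per-connection attempt limits, because a guessed OTP would let an attacker's user computer session be bound to a victim's device request. Verification on the relying-party side checks only the service signature; proof that the presenter holds the secure element's secret key is a separate challenge-response against the PublicKey in the token.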
21 Citations
17 Claims
1. A method for generating a soft token, comprising the steps set out above under First Claim. Dependent claims: 2 to 13.
14. A non-transitory computer-readable medium having computer-executable instructions that, when executed by a processor, cause the processor to perform a method for generating a soft token, the method comprising:
- establishing a first cryptographically secure connection to an electronic device;
- receiving a request for the generation of a soft token from the electronic device via the first connection;
- generating a one-time password after having received the request;
- transmitting the one-time password to the electronic device via the first connection;
- establishing a second cryptographically secure connection to a user computer system;
- receiving the one-time password from the user computer system via the second connection;
- checking whether the generated one-time password agrees with the received one-time password; and
- generating the soft token by signing at least one attribute that is read from an ID token and a public key associated with the secure element, and transmitting the soft token via the first connection to the electronic device and/or via the second connection to the user computer system, provided that the check showed that the generated and the received one-time passwords agree with each other.
15. A service computer system for generating a soft token that is tied to a secure element, comprising:
- a first network interface operable to provide a first cryptographically secure connection to an electronic device and operable to receive a request for the generation of the soft token from the electronic device;
- a processor operable to generate a one-time password in response to the request and operable to transmit the one-time password to the electronic device via the first connection; and
- a second network interface operable to provide a second cryptographically secure connection to a user computer system and operable to receive the one-time password from the user computer system via the second connection;
- wherein the processor is further operable to: check whether the generated one-time password agrees with the received one-time password; and generate the soft token by signing at least one attribute that is read from an ID token and a public key associated with the secure element, and transmit the soft token via the first connection to the electronic device and/or via the second connection to the user computer system, provided that the check showed that the generated and the received one-time passwords agree with each other.
Dependent claims: 16, 17.