Automated token renewal using OTP-based authentication codes

US 9,432,339 B1
Filed: 09/29/2014
Issued: 08/30/2016
Est. Priority Date: 09/29/2014
Status: Active Grant

First Claim

Patent Images

1. A method performed by a computing system for renewing a remote token, the method comprising:

receiving an activation code from the remote token across a network, the activation code including an identification of the remote token, the identification of the remote token within the activation code including an incomplete portion of a serial number of the remote token, the activation code serving to identify the remote token to the computing system;

verifying that the activation code was cryptographically generated with reference to a one-time passcode (OTP) generated by the identified remote token using an initial key assigned to the remote token, wherein verifying includes;

identifying a set of test tokens such that;

each identified test token has an expiration date within a fixed time period after receiving the activation code; and

each identified test token has a serial number containing the incomplete portion of the serial number;

calculating a plurality of OTPs based on an initial key assigned to various test tokens of the set of test tokens for a plurality of different time values; and

confirming that the activation code was generated with reference to the plurality of OTPs for the plurality of different time values for a particular test token of the set of test tokens; and

in response to verifying, negotiating a new key with the remote token, the new key to be assigned to the remote token for use in producing OTPs in the future, wherein negotiating the new key with the remote token includes using one of the Cryptographic Token Key Initialization Protocol (CT-KIP) and the Dynamic Symmetric Key Provisioning Protocol (DSK-PP).

View all claims

18 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment is described of a method performed by a computing device for renewing a remote token. The method includes (a) receiving an activation code from the remote token across a network, the activation code including an identification of the token, (b) verifying that the activation code was cryptographically generated with reference to a one-time passcode (OTP) generated by the identified token using an initial key assigned to the token, and (c) in response to verifying, negotiating a new key with the token, the new key to be assigned to the token for use in producing OTPs in the future. Related computer program products, systems, and apparatuses are also described.

Citations

12 Claims

1. A method performed by a computing system for renewing a remote token, the method comprising:
- receiving an activation code from the remote token across a network, the activation code including an identification of the remote token, the identification of the remote token within the activation code including an incomplete portion of a serial number of the remote token, the activation code serving to identify the remote token to the computing system;
  
  verifying that the activation code was cryptographically generated with reference to a one-time passcode (OTP) generated by the identified remote token using an initial key assigned to the remote token, wherein verifying includes;
  
  identifying a set of test tokens such that;
  
  each identified test token has an expiration date within a fixed time period after receiving the activation code; and
  
  each identified test token has a serial number containing the incomplete portion of the serial number;
  
  calculating a plurality of OTPs based on an initial key assigned to various test tokens of the set of test tokens for a plurality of different time values; and
  
  confirming that the activation code was generated with reference to the plurality of OTPs for the plurality of different time values for a particular test token of the set of test tokens; and
  
  in response to verifying, negotiating a new key with the remote token, the new key to be assigned to the remote token for use in producing OTPs in the future, wherein negotiating the new key with the remote token includes using one of the Cryptographic Token Key Initialization Protocol (CT-KIP) and the Dynamic Symmetric Key Provisioning Protocol (DSK-PP).
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein the method further comprises, prior to verifying, determining that the received activation code is not within a database of manually-created activation codes.
  - 3. The method of claim 1 wherein:
    - the received activation code further includes a hashed value; and
      
      confirming that the activation code was generated with reference to the plurality of OTPs for the plurality of different time values for the particular test token of the set of test tokens includes hashing a combination of the plurality of OTPs for the plurality of different time values for the particular test token using a predefined hashing algorithm and comparing the result to the hashed value within the received activation code.
  - 4. The method of claim 1 wherein:
    - the received activation code further includes a salt value and a hashed value; and
      
      confirming that the activation code was generated with reference to the plurality of OTPs for the plurality of different time values for the particular test token of the set of test tokens includes hashing a combination of the salt value and the plurality of OTPs for the plurality of different time values for the particular test token using a predefined hashing algorithm and comparing the result to the hashed value within the received activation code.
  - 5. The method of claim 1 wherein the method further comprises, prior to verifying, determining that the received activation code is not within a database of previously-used activation codes.

6. A system comprising:
- network interface circuitry for communicating with a remote token over a network;
  
  processing circuitry configured to;
  
  receive, via the network interface, an activation code from the remote token across the network, the activation code including an identification of the remote token, the identification of the remote token within the activation code including an incomplete portion of a serial number of the remote token, the activation code serving to identify the remote token to the system;
  
  verify that the activation code was cryptographically generated with reference to a one-time passcode (OTP) generated by the identified remote token using an initial key assigned to the remote token, wherein verifying includes;
  
  identifying a set of test tokens such that;
  
  each identified test token has an expiration date within a fixed time period after receiving the activation code; and
  
  each identified test token has a serial number containing the incomplete portion of the serial number;
  
  calculating a plurality of OTPs based on an initial key assigned to various test tokens of the set of test tokens for a plurality of different time values; and
  
  confirming that the activation code was generated with reference to the plurality of OTPs for the plurality of different time values for a particular test token of the set of test tokens; and
  
  in response to verifying, negotiate, via the network interface, a new key with the remote token, the new key to be assigned to the remote token for use in producing OTPs in the future, wherein negotiating the new key with the remote token includes using one of the Cryptographic Token Key Initialization Protocol (CT-KIP) and the Dynamic Symmetric Key Provisioning Protocol (DSK-PP).
- View Dependent Claims (7, 8, 9)
- - 7. The system of claim 6 wherein:
    - the system includes a first computing device and a second computing device separate from the first computing device;
      
      the first computing device includes;
      
      the network interface circuitry for communicating with the remote token over the network;
      
      the processing circuitry configured to receive the activation code from the remote token across the network;
      
      the processing circuitry configured to, in response to verifying, negotiate the new key with the remote token; and
      
      processing circuitry configured to;
      
      send the received activation code to the second computing device for verification; and
      
      receive a verification result from the second computing device in response to sending the received activation code to the second computing device; and
      
      the second computing device includes the processing circuitry configured to verify that the activation code was cryptographically generated with reference to the OTP generated by the identified remote token using the initial key assigned to the remote token.
  - 8. The system of claim 7 wherein the second computing device further includes processing circuitry configured to, prior to verifying, determine that the received activation code is not within a database of manually-created activation codes.
  - 9. The system of claim 7 wherein the second computing device further includes processing circuitry configured to, prior to verifying, determine that the received activation code is not within a database of previously-used activation codes.

10. A computer program product comprising a non-transitory computer-readable storage medium that stores a set of instructions, which, when executed by a computing device, causes the computing device to renew a token operating thereon by:
- cryptographically generating an activation code with reference to a one-time passcode (OTP) generated by the token using an initial key assigned to the token, wherein cryptographically generating the activation code includes;
  
  calculating a plurality of OTPs based on the initial key assigned to the token for a plurality of different time values;
  
  cryptographically combining the plurality of OTPs;
  
  placing an incomplete portion of a serial number of the token within the activation code; and
  
  placing the cryptographic combination of the plurality of OTPs within the activation code;
  
  sending the generated activation code to a remote key negotiation service across a network, the activation code serving to identify the token to the remote key negotiation service;
  
  in response to the activation code being verified by the remote key negotiation service, negotiating a new key with the remote key negotiation service, wherein negotiating the new key with the token includes using one of the Cryptographic Token Key Initialization Protocol (CT-KIP) and the Dynamic Symmetric Key Provisioning Protocol (DSK-PP); and
  
  in response to negotiating the new key, assigning the new key to the token operating on the computing device for use in producing OTPs in the future.
- View Dependent Claims (11, 12)
- - 11. The computer program product of claim 10 wherein:
    - cryptographically combining the plurality of OTPs includes hashing a combination of the plurality of OTPs using a predefined hashing algorithm to yield a hashed value; and
      
      cryptographically generating the activation code further includes placing the hashed value within the activation code.
  - 12. The computer program product of claim 10 wherein:
    - cryptographically combining the plurality of OTPs includes;
      
      generating a salt value; and
      
      hashing a combination of the salt value and the plurality of OTPs using a predefined hashing algorithm to yield a hashed value; and
      
      cryptographically generating the activation code further includes placing the hashed value and the salt value within the activation code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RSA Security LLC (Symphony Technology Group LLC)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Bowness, Piers
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Huang, Cheng-Feng

Application Number

US14/500,135
Time in Patent Office

701 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0428 wherein the data content is...

H04L 63/0838 using one-time-passwords

Automated token renewal using OTP-based authentication codes

First Claim

18 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Automated token renewal using OTP-based authentication codes

First Claim

18 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links