Method and system for accessing a service

US 9,444,815 B2
Filed: 11/27/2013
Issued: 09/13/2016
Est. Priority Date: 11/27/2012
Status: Active Grant

First Claim

Patent Images

1. A method for accessing a service,wherein the method is implemented by at least one user device storing at least one first key and at least one user terminal storing or accessing the at least one first key, and wherein the at least one user device is connected to a first server,the method comprising the following steps:

a) the terminal sends to at least one second server a connection request for connecting to the second server;

b) the second server determines a challenge and an associated transaction identifier;

c) the second server sends to the terminal the transaction identifier and the challenge;

d) the terminal determines a first result depending upon the first key and at least one of the challenge and the transaction identifier;

e) the terminal sends to the first server the first result, and a data item relating to the user device;

f) the first server sends, based upon the data item relating to the user device, to the user device, the first result;

g) the user device determines at least one of the challenge and the transaction identifier based upon the first result and the first key;

h) the user device sends to the second server the transaction identifier and the challenge;

i) the second server verifies whether the transaction identifier and the challenge received from the user device do or do not match the transaction identifier and the challenge sent to the terminal; and

j) only if the transaction identifier and the challenge received from the user device match the transaction identifier and the challenge sent to the terminal, the second server authorizes the terminal to connect to the second server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To access a service, each user device stores one first key. The user device is connected to a first server. A terminal sends to a second server a connection request. The second server responds with first data relating to a transaction identifier and an associated challenge. The terminal determines a first result depending upon the first data and the first key. The terminal sends to the first server the first result and user device data. The first server identifies a user device based upon the user device data and sends to the device the first result. The device determines the challenge and the transaction identifier based upon the first result and the first key and sends to the second server the challenge and the transaction identifier. The second server verifies whether the data received from the device matches the first data and, if so, authorizes the terminal to connect.

6 Citations

View as Search Results

10 Claims

1. A method for accessing a service,wherein the method is implemented by at least one user device storing at least one first key and at least one user terminal storing or accessing the at least one first key, and wherein the at least one user device is connected to a first server,the method comprising the following steps:
- a) the terminal sends to at least one second server a connection request for connecting to the second server;
  
  b) the second server determines a challenge and an associated transaction identifier;
  
  c) the second server sends to the terminal the transaction identifier and the challenge;
  
  d) the terminal determines a first result depending upon the first key and at least one of the challenge and the transaction identifier;
  
  e) the terminal sends to the first server the first result, and a data item relating to the user device;
  
  f) the first server sends, based upon the data item relating to the user device, to the user device, the first result;
  
  g) the user device determines at least one of the challenge and the transaction identifier based upon the first result and the first key;
  
  h) the user device sends to the second server the transaction identifier and the challenge;
  
  i) the second server verifies whether the transaction identifier and the challenge received from the user device do or do not match the transaction identifier and the challenge sent to the terminal; and
  
  j) only if the transaction identifier and the challenge received from the user device match the transaction identifier and the challenge sent to the terminal, the second server authorizes the terminal to connect to the second server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, wherein, each of the at least one user device stores user authentication data, the terminal requests to enter user authentication data, the terminal determines a second result depending on the entered user authentication data and the first key, and at least one of the transaction identifier and the challenge, the terminal sends, through the first server and to the user device, the second result instead of the first result, the user device determines at least one of the challenge and the transaction identifier based upon the second result, the stored user authentication data and the first key while authentication the user or not authentication the user.
  - 3. The method according to claim 1, wherein, the first server stores or accesses a list of at least one token data item and a corresponding list of at least one user device data item, the terminal sends to the first server the first result and a user device data item, the first server determines a token data item that is associated with the user device data item, the first server determines a token, as a user device, based upon the token data item.
  - 4. The method according to claim 1, wherein, prior to sending data from the second server to the terminal:
    - the second server sends, to the first server, a data request for receiving a second key and an identifier relating to the second key;
      
      the first server determines a second key and an associated identifier relating to the second key;
      
      the first server sends, to the second server, the second key and the second key identifier;
      
      the second server sends, to the terminal, the challenge, the third result, and the second key identifier;
      
      the terminal determines a fourth result depending on the challenge and the first key;
      
      the terminal sends, to the first server, the third result, the fourth result, and the second key identifier;
      
      the first server determines, based upon the third result and the second key, the transaction identifier;
      
      the first server determines, based upon the third result and the second key, the transaction identifier;
      
      the first server sends, to the user device, the fourth result and the transaction identifier;
      
      the user device determines, based upon the fourth result and the first key, the challenge; and
      
      steps h), i) and j) are carried out.
  - 5. The method according to claim 1, wherein the first server sends to the user device a first certificate relating to the first server.
  - 6. The method according to claim 1, wherein the user device sends to the first server and/or the second server a second certificate relating to the user device.
  - 7. The method according to claim 1, wherein the user device asks at least once the first server whether at least one connection request for connecting to the second server is pending.
  - 8. The method according to claim 1, wherein the first server stores a first list of at least one identifier relating to an authorized second server and/or a second list of at least one identifier relating to a forbidden second server.
  - 9. The method according to claim 1, wherein the first server, the second server, the terminal and the user device use a secure communication protocol for communicating data.

10. A system for accessing a service,wherein the system comprises a first server and at least one second server, at least one user device and at least one user terminal, each of the at least one user device comprising means for storing at least one first key, at least one user terminal comprising means for storing or accessing the at least one first key, the user device comprising or being connected to means for connecting to the first server,wherein the terminal comprises means for sending to one second server a connection request for connecting to the second server;
- wherein the second server comprises;
  
  means for determining a challenge and an associated transaction identifier;
  
  means for sending, to the terminal the transaction identifier and the challenge;
  
  wherein the terminal comprises;
  
  means for determining a first result depending upon the first key and at least one of the challenge and the transaction identifier;
  
  means for sending to the first server at least the first result and a data item relating to the user device;
  
  wherein the first server comprisesmeans for sending, based upon the data item relating to the user device, to the user device, at least the first result;
  
  wherein the user device comprises;
  
  means for determining at least one of the challenge and the transaction identifier based upon the first result and the first key;
  
  means for sending to the second server the transaction identifier and the challenge; and
  
  wherein the second server further comprises;
  
  means for verifying whether the transaction identifier and the challenge received from the user device does or does not match the transaction identifier and the challenge sent to the terminal;
  
  means for authorizing the terminal to connect to the second server only if the transaction identifier and the challenge received from the user device matches the transaction identifier and the challenge sent to the terminal.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gemalto SA (Thales SA)
Original Assignee
Gemalto SA (Thales SA)
Inventors
Chafer, Sylvain, Hecart, Sbastien, Delsuc, Julien
Primary Examiner(s)
BROWN, ANTHONY D

Application Number

US14/647,269
Publication Number

US 20150304318A1
Time in Patent Office

1,021 Days
Field of Search

726/7
US Class Current

1/1
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 63/0853   using an additional device,...

H04L 63/0884   by delegation of authentica...

H04L 63/18   using different networks or...

Method and system for accessing a service

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

6 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for accessing a service

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links