Method for distributed trust authentication
First Claim
1. A method for distributed trust authentication of one or more users attempting to access one or more service providers operating on a network, the method comprising:
distributing a first private key share of a first private key to a primary authentication system, a second private key share of the first private key to a secondary authentication system, and a public key to a first service provider, wherein the public key corresponds to a private key used to generate the first and second private key shares;
wherein the secondary authentication system and the first service provider do not have access to the first private key share;
wherein the primary authentication system and the first service provider do not have access to the second private key share, wherein the primary authentication system is an identity provider for the first service provider, and wherein the secondary authentication system is an independent authentication service;
performing, at the primary authentication system, in response to a first attempt of a first user operating a computing device to access the first service provider, primary authentication of the first user using a first authentication factor;
generating, at the primary authentication system, a first authentication response to the primary authentication;
generating, at the primary authentication system, a first partial digital signature for the first authentication response using the first private key share;
performing, at the secondary authentication system, in response to the first attempt of the first user to access the first service provider, secondary authentication of the first user using a second authentication factor;
generating, at the secondary authentication system, a second authentication response to the secondary authentication;
generating, at the secondary authentication system, a second partial digital signature for the second authentication response using the second private key share;
combining the first and the second partial digital signatures, resulting in a first composite digital signature;
transmitting, over the network, the first composite digital signature to the first service provider with the first and the second authentication responses;
validating, at the first service provider, the first composite digital signature using the public key; and
providing the first user with access, via the network, to the first service provider in response to successful validation of the first composite digital signature.
Abstract
A method for distributed trust authentication of one or more users attempting to access one or more service providers operating on a network includes performing primary authentication of a user using a first authentication factor, generating a first partial digital signature for a first authentication response to the primary authentication, performing secondary authentication of the user using a second authentication factor, generating a second partial digital signature for the second authentication response to the secondary authentication, combining the first and second partial digital signatures to form a composite digital signature, and validating the composite digital signature.
28 Claims
1. Independent claim, reproduced above under First Claim. Dependent claims: 2–21.
22. A method for distributed trust authentication of one or more users attempting to access one or more service providers operating on a network, the method comprising:
distributing a first private key share of a private key to a first authentication system, a second private key share of the private key to a second authentication system, a third private key share of the private key to a third authentication system, and a public key to a service provider, wherein the public key corresponds to a private key used to generate the first, second, and third private key shares, wherein the second private key share is non-identical to the third private key share, wherein the primary authentication system is an identity provider for the first service provider, and wherein the secondary authentication system is an independent authentication service;
wherein the second authentication system, the third authentication system, and the service provider do not have access to the first private key share, wherein the first authentication system, the third authentication system, and the service provider do not have access to the second private key share, and wherein the first authentication system, the second authentication system, and the service provider do not have access to the third private key share;
performing, at the first authentication system, in response to an attempt of a user operating a computing device to access the service provider, primary authentication of the user using a first authentication factor;
generating, at the first authentication system, a first authentication response to the primary authentication;
generating, at the first authentication system, a first partial digital signature for the first authentication response using the first private key share;
performing a second and a third authentication process;
wherein the second authentication process comprises:
performing, at the second authentication system, in response to the attempt of the user to access the service provider, secondary authentication of the user using a second authentication factor;
generating, at the second authentication system, a second authentication response to the secondary authentication of the user using the second authentication factor;
generating, at the second authentication system, a second partial digital signature for the second authentication response using the second private key share;
combining the first and second partial digital signatures, resulting in a first composite digital signature; and
transmitting the first composite digital signature to the service provider with the first and second authentication responses;
wherein the third authentication process comprises:
performing, at the third authentication system, in response to the attempt of the user to access the service provider, secondary authentication of the user using a third authentication factor;
generating, at the third authentication system, a third authentication response to the secondary authentication of the user using the third authentication factor;
generating, at the third authentication system, a third partial digital signature for the third authentication response using the third private key share;
combining the first and third partial digital signatures, resulting in a second composite digital signature; and
transmitting, over the network, the second composite digital signature to the service provider with the first and third authentication responses;
validating, at the service provider, the first and second composite digital signatures using the public key;
wherein the public key used for validating the first composite digital signature is identical to the public key used for validating the second composite digital signature; and
providing, via the network, the user with access to the service provider in response to successful validation.
Dependent claims: 23.
24. A method for distributed trust authentication of one or more users attempting to access one or more service providers operating on a network, the method comprising:
distributing a first private key share, a second private key share, and a third private key share to a first authentication system, a second authentication system, and a third authentication system, respectively, wherein the second and the third private key shares are non-identical, wherein the first authentication system is an identity provider for a first service provider and the second authentication system is an independent authentication service;
distributing, to the first service provider, a first public key paired with a first private key comprising the first private key share and the second private key share, wherein the public key corresponds to the first private key used to generate the first and second private key shares;
distributing, to a second service provider, a second public key paired with a second private key comprising the second private key share and the third private key share, wherein the second public key corresponds to the second private key used to generate the third private key share, wherein the first and the second public keys are non-identical, wherein the second and the third authentication systems, and the first and the second service providers, do not have access to the first private key share, wherein the first and the third authentication systems, and the first and the second service providers, do not have access to the second private key share, wherein the first and the second authentication systems, and the first and the second service providers, do not have access to the third private key share;
performing, at the first authentication system, in response to an attempt of a user operating a computing device to access the first and the second service providers, primary authentication of the user using a first authentication factor;
generating, at the first authentication system, a first authentication response to the primary authentication;
generating, at the first authentication system, a first partial digital signature for the first authentication response using the first private key share;
performing a second and a third authentication process;
wherein the second authentication process comprises:
performing, at the second authentication system, in response to the attempt of the user to access the first service provider, secondary authentication of the user using a second authentication factor;
generating, at the second authentication system, a second authentication response to the secondary authentication of the user using the second authentication factor;
generating, at the second authentication system, a second partial digital signature for the second authentication response using the second private key share;
combining the first and second partial digital signatures, resulting in a first composite digital signature;
transmitting, over the network, the first composite digital signature to the first service provider with the first and second authentication responses;
validating, at the first service provider, the first composite digital signature using the first public key; and
providing, via the network, the user with access to the first service provider in response to successful validation of the first composite digital signature;
wherein the third authentication process comprises:
performing, at the third authentication system, in response to the attempt of the user to access the second service provider, secondary authentication of the user using a third authentication factor;
generating, at the third authentication system, a third authentication response to the secondary authentication of the user using the third authentication factor;
generating, at the third authentication system, a third partial digital signature for the third authentication response using the third private key share;
combining the first and third partial digital signatures, resulting in a second composite digital signature;
transmitting, over the network, the second composite digital signature to the second service provider with the first and third authentication responses;
validating, at the second service provider, the second composite digital signature using the second public key; and
providing, via the network, the user with access to the second service provider in response to successful validation of the second composite digital signature.
Dependent claims: 25–28.
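The claims above describe the mechanism (private key split into shares, one partial signature per authentication system, partials combined into a composite the service provider checks with a single public key) without naming a signature scheme. The following is an added worked example, not the patent's own code or any particular implementation, of the two-party case of claim 1 using RSA with additive shares of the private exponent; claims 22 and 24 extend the same arithmetic to a third share. Everything in it is an assumption for illustration: the RSA choice, the transcript layout both systems sign, the user and service-provider names, and the demo-sized key. It also exercises the two failure modes the security of the scheme rests on: a single share cannot produce a valid composite, and altering an authentication response after signing breaks validation.

```python
"""Two-party RSA partial signatures, modelled on the claims above (added example).

The primary authentication system holds share d1, the secondary holds d2, and the
service provider holds only the public key (n, e). Shares are additive,
d1 + d2 = d (mod phi(n)), so the partials h^d1 and h^d2 (mod n) multiply into the
full signature h^d (mod n), verifiable with the one public key; neither share alone
suffices. Demo-only key size; no padding scheme (a deployment would use RSASSA-PSS).
"""
import hashlib
import secrets
from dataclasses import dataclass

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    """Random odd prime with the top bit set."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int

@dataclass(frozen=True)
class KeyShare:
    n: int
    d_share: int  # one additive share of the private exponent d

def distribute_keys(bits: int = 512):
    """Generate an RSA key and split d into two additive shares.
    Returns (public key for the service provider, primary's share, secondary's share)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this guarantees gcd(e, phi) == 1
            break
    n = p * q
    d = pow(e, -1, phi)
    d1 = secrets.randbelow(phi - 1) + 1  # primary's share, uniform in [1, phi)
    d2 = (d - d1) % phi                  # secondary's share, the complement
    return PublicKey(n, e), KeyShare(n, d1), KeyShare(n, d2)

def build_transcript(user: str, sp: str, primary_resp: str, secondary_resp: str) -> bytes:
    """Both partials must cover the same bytes, so each system signs the whole
    transcript (an assumption here; the claims leave the message layout open)."""
    return "|".join((user, sp, primary_resp, secondary_resp)).encode()

def digest_to_int(transcript: bytes) -> int:
    return int.from_bytes(hashlib.sha256(transcript).digest(), "big")

def partial_sign(share: KeyShare, transcript: bytes) -> int:
    return pow(digest_to_int(transcript), share.d_share, share.n)

def combine_partials(s1: int, s2: int, n: int) -> int:
    """h^d1 * h^d2 = h^(d1 + d2) = h^d (mod n): the composite signature."""
    return (s1 * s2) % n

def verify(pk: PublicKey, transcript: bytes, sig: int) -> bool:
    return pow(sig, pk.e, pk.n) == digest_to_int(transcript) % pk.n

def run_demo() -> dict:
    # Constructed sample: user "alice" logging in to "sp.example" with two factors.
    pk, primary_share, secondary_share = distribute_keys()
    t = build_transcript("alice", "sp.example", "password:ok", "otp:ok")
    s1 = partial_sign(primary_share, t)
    s2 = partial_sign(secondary_share, t)
    composite = combine_partials(s1, s2, pk.n)
    altered = build_transcript("alice", "sp.example", "password:ok", "otp:FAILED")
    return {
        "composite_valid": verify(pk, t, composite),
        "primary_alone_valid": verify(pk, t, s1),   # one share is not enough
        "secondary_alone_valid": verify(pk, t, s2),
        "altered_response_valid": verify(pk, altered, composite),
    }
```

Calling `run_demo()` returns `composite_valid` true and the other three false. The service provider never learns a share, and an attacker who compromises one authentication system gets only a partial signature, which the public key rejects; that is the separation the claims' "do not have access to" clauses are buying. Combining the partials is a single modular multiplication, so any party (including the service provider) can do it from the two partials without holding key material.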
Specification