Secure authentication in a multi-party system

US 9,641,520 B2
Filed: 03/28/2013
Issued: 05/02/2017
Est. Priority Date: 04/01/2012
Status: Active Grant

First Claim

Patent Images

1. A method of authenticating a network user to another network entity, comprising:

executing, on a first user operated device, a first program to;

receive user inputted validation information;

store a user credential on the first user operated device;

executing, on a second user operated device, a second program to;

receive information from another network entity via the network;

further executing the first program to;

receive an input transferring, to the first program, the information received by the second program from the other network entity;

direct transmission, to an authentication server via the network, of the transferred information;

receive, from the authentication server via the network, an identifier of the other network entity, other information, and authentication policy requirements of the other network entity;

direct transmission, to the authentication server via the network, of the input validation information corresponding to the received other network entity authentication policy requirements;

receive, from the authentication server via the network after directing transmission of the validation information, a request for a user credential;

sign a message, including the transferred information and the received other information, with the stored user credential;

direct transmission, to the authentication server via the network, of the signed message to authenticate the user; and

generate user secret data;

divide the generated secret data into multiple portions including a first portion and a second portion;

encrypt the user credential with the generated secret data, wherein the stored credential is the encrypted credential;

direct transmission, to the authentication server via the network, of the second portion of secret data;

receive, from the authentication server via the network after directing transmission of the validation information, the second portion of secret data;

combine the stored first portion of secret data with the received second portion of secret data; and

decrypt the stored encrypted credential with the combined portions of secret data;

wherein the message is signed with the decrypted user credential; and

further executing the second program to;

receive, from at least one of the authentication server and the other network entity via the network, an indication that the user has been successfully authenticated.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network user is authenticated to another network entity by using a first program to receive user input validation information, and store a user credential. A second program receives information, such as a random number, from the other entity. The first program receives an input transferring the information to it, transmits the information to the authentication server, and receives an identifier of the other entity, other information, and authentication policy requirements from the authentication server. It then transmits the input validation information corresponding to the received authentication policy requirements to the authentication server, and in response receives a request for a user credential. It signs a message, including the transferred information and the received other information, with the stored user credential, and transmits the signed message to the authentication server to authenticate the user.

Citations

16 Claims

1. A method of authenticating a network user to another network entity, comprising:
- executing, on a first user operated device, a first program to;
  
  receive user inputted validation information;
  
  store a user credential on the first user operated device;
  
  executing, on a second user operated device, a second program to;
  
  receive information from another network entity via the network;
  
  further executing the first program to;
  
  receive an input transferring, to the first program, the information received by the second program from the other network entity;
  
  direct transmission, to an authentication server via the network, of the transferred information;
  
  receive, from the authentication server via the network, an identifier of the other network entity, other information, and authentication policy requirements of the other network entity;
  
  direct transmission, to the authentication server via the network, of the input validation information corresponding to the received other network entity authentication policy requirements;
  
  receive, from the authentication server via the network after directing transmission of the validation information, a request for a user credential;
  
  sign a message, including the transferred information and the received other information, with the stored user credential;
  
  direct transmission, to the authentication server via the network, of the signed message to authenticate the user; and
  
  generate user secret data;
  
  divide the generated secret data into multiple portions including a first portion and a second portion;
  
  encrypt the user credential with the generated secret data, wherein the stored credential is the encrypted credential;
  
  direct transmission, to the authentication server via the network, of the second portion of secret data;
  
  receive, from the authentication server via the network after directing transmission of the validation information, the second portion of secret data;
  
  combine the stored first portion of secret data with the received second portion of secret data; and
  
  decrypt the stored encrypted credential with the combined portions of secret data;
  
  wherein the message is signed with the decrypted user credential; and
  
  further executing the second program to;
  
  receive, from at least one of the authentication server and the other network entity via the network, an indication that the user has been successfully authenticated.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein:
    - the first user operated device and the second user operated device are the same device;
      
      the information is a random number that serves as a session identifier; and
      
      the other information is another random number.
  - 3. The method of claim 1, further comprising further executing the first program to:
    - generate a private/public key pair for the user, wherein the stored user credential is the private key of the generated user private/public key pair; and
      
      direct transmission, to the authentication server via the network, of the public key of the generated user private/public key pair.
  - 4. The method of claim 1, further comprising further executing the first program to:
    - receive user inputted user authentication policy requirements;
      
      direct transmission of the received user authentication policy requirements to the authentication server;
      
      receive from the authentication server with the authentication policy requirements of the other network entity, any additional authentication policy requirements based on any differences between the user authentication policy requirements and the other network entity authentication policy requirements; and
      
      direct transmission, to the authentication server via the network, of the received validation information corresponding to any received additional authentication policy requirements.
  - 5. The method of claim 1, wherein the information is first information and the other information is first other information, and further comprising, after the authentication server has been notified that the first user operated device is no longer in use or has been lost or stolen or the user credential has otherwise been compromised:
    - further executing the second program to;
      
      receive, from the other network entity via the network, second information;
      
      executing, on the first or a third user operated device, the first program to;
      
      receive an input transferring, to the first program, the second information received by the second program from the other network entity;
      
      direct transmission, to the authentication server via the network, of the transferred second information;
      
      receive, from the authentication server via the network, an identifier of the other network entity, second other information, and authentication policy requirements of the other network entity;
      
      direct transmission, to the authentication server via the network, of the input validation information corresponding to the received other network entity authentication policy requirements; and
      
      receive, from the authentication server via the network in response to the transmitted validation information, a notification that the user has been validated but cannot be authenticated because the user credential has been invalidated.
  - 6. The method of claim 5, further comprising further executing the second program to receive, from the authentication server via the network, a redirection instruction, redirecting the user to the other network entity'"'"'s reenrollment website on the network.
  - 7. The method of claim 5, further comprising further executing the first program to:
    - receive a request for a replacement credential from the authentication server via the network; and
      
      in response to the received request for replacement credential, generate a replacement credential, store the generated replacement credential, and direct transmission of the generated replacement credential to the authentication server via the network.
  - 8. The method of claim 5, further comprising, after directing transmission of the generated replacement credential to the authentication server, further executing the first program to:
    - direct transmission, to the authentication server via the network, of another message, including the second information and the second other information, signed with the replacement credential to authenticate the user.
  - 9. The method of claim 1, further comprising further executing the second program to:
    - direct a presentation, on a display screen, of the received information;
      
      wherein the received information is in the form of an optical code; and
      
      wherein the input transferring the received information to the first program, is a digital photograph of the presented optical code.
  - 10. The method of claim 1, further comprising further executing the second program to:
    - direct printing of the received information;
      
      wherein the input transferring the received information to the first program is a digital photograph of the printed optical code.
  - 11. The method of claim 1, wherein the first user operated device and the second user operated device are different devices operated by the network user.

12. An article of manufacture for authenticating a network user to another network entity, comprising:
- non-transitory storage medium; and
  
  logic stored on the storage medium, wherein the stored logic is configured to be readable by a processor and thereby cause the processor to operate so as to;
  
  receive user inputted validation information;
  
  store a user credential;
  
  receive an input of information, wherein the information was obtained by the user from another network entity;
  
  direct transmission, to an authentication server via the network, of the input information;
  
  receive, from the authentication server via the network after directing transmission of the information, an identifier of the other network entity, other information, and authentication policy requirements of the other network entity;
  
  direct transmission, to the authentication server via the network, of the input validation information corresponding to the received other network entity authentication policy requirements;
  
  receive, from the authentication server via the network after directing transmission of the validation information, a request for a user credential;
  
  sign a message, including the information obtained from the other network entity and the other information received from the authentication server, with the stored user credential;
  
  direct transmission, to the authentication server via the network, of the signed message to authenticate the usergenerate user secret data;
  
  divide the generated secret data into multiple portions including a first portion and a second portion;
  
  encrypt the user credential with the secret data, wherein the stored user credential is the encrypted credential;
  
  direct transmission, to the authentication server via the network, of the second portion of secret data;
  
  receive, from the authentication server via the network after directing transmission of the validation information, the second portion of secret data;
  
  combine the first portion of secret data with the received second portion of secret data; and
  
  decrypt the stored encrypted credential with the combined portions of secret data, wherein the signed message is signed with the decrypted user credential.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The article of manufacture of claim 12, wherein the stored logic is further configured to cause the processor to operate so as to:
    - generate a private/public key pair for the user, wherein the stored user credential is the private key of the generated user private/public key pair; and
      
      direct transmission, to the authentication server via the network, of the public key of the generated user private/public key pair.
  - 14. The article of manufacture of claim 12, wherein the stored logic is further configured to cause the processor to operate so as to:
    - receive user inputted user authentication policy requirements;
      
      direct transmission of the received user authentication policy requirements to the authentication server via the network;
      
      receive, from the authentication server via the network with the authentication policy requirements of the other network entity, any additional authentication policy requirements based on any differences between the user authentication policy requirements and the other network entity authentication policy requirements; and
      
      direct transmission, to the authentication server via the network, of the input validation information corresponding to any received additional authentication policy requirements.
  - 15. The article of manufacture of claim 12, wherein, the information is first information and the other information is first other information and, after the authentication server has been notified that the user credential has been compromised, the stored logic is further configured to cause the processor to operate so as to:
    - receive an input second information, wherein the second information was obtained by the user from the other network entity;
      
      direct transmission, to the authentication server via the network, of the input second information;
      
      receive, from the authentication server via the network after directing transmission of the second information, an identifier of the other network entity, second other information, and authentication policy requirements of the other network entity;
      
      direct transmission, to the authentication server via the network, of input validation information corresponding to the received other network entity authentication policy requirements; and
      
      receive, from the authentication server via the network after directing transmission of the validation information, a notification that the user has been validated but cannot be authenticated because the user credential has been invalidated.
  - 16. The article of manufacture of claim 15, wherein the stored logic is further configured to cause the processor to operate so as to:
    - receive a request for a replacement credential from the authentication server via the network;
      
      in response to the received request for the replacement credential, generate a replacement credential, store the generated replacement credential, and direct transmission of the generated replacement credential to the authentication server via the network; and
      
      direct transmission, to the authentication server via the network, of another message, including the input second information from the other network entity and the second other information from the authentication server, signed with the replacement credential to authenticate the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Payfone Incorporated
Original Assignee
Early Warning Services, LLC (Bank of America Corp.)
Inventors
Neuman, Michael, Neuman, Diana
Primary Examiner(s)
Gergiso, Techane

Application Number

US13/852,012
Publication Number

US 20130262857A1
Time in Patent Office

1,496 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

G06F 21/35   communicating wirelessly

G06Q 20/322   Aspects of commerce using m...

G06Q 20/385   using an alias or single-us...

G06Q 20/401   Transaction verification

H04L 2463/082   applying multi-factor authe...

H04L 63/045   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/0876   based on the identity of th...

H04L 63/0884   by delegation of authentica...

H04L 63/0892   by using authentication-aut...

H04L 63/18   using different networks or...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04L 67/02   based on web technology, e....

H04L 9/30   Public key, i.e. encryption...

H04L 9/321   involving a third party or ...

H04L 9/3234 : involving additional secure...

H04L 9/3247 : involving digital signatures

H04W 12/06 : Authentication

H04W 12/77 : Graphical identity

View All

Secure authentication in a multi-party system

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Secure authentication in a multi-party system

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links