Secure authentication in a multi-party system
First Claim
1. A method of authenticating a network user to another network entity, comprising:
- executing, on a first user operated device, a first program to:
  - receive user inputted validation information;
  - store a user credential on the first user operated device;
- executing, on a second user operated device, a second program to:
  - receive information from another network entity via the network;
- further executing the first program to:
  - receive an input transferring, to the first program, the information received by the second program from the other network entity;
  - direct transmission, to an authentication server via the network, of the transferred information;
  - receive, from the authentication server via the network, an identifier of the other network entity, other information, and authentication policy requirements of the other network entity;
  - direct transmission, to the authentication server via the network, of the input validation information corresponding to the received other network entity authentication policy requirements;
  - receive, from the authentication server via the network after directing transmission of the validation information, a request for a user credential;
  - sign a message, including the transferred information and the received other information, with the stored user credential;
  - direct transmission, to the authentication server via the network, of the signed message to authenticate the user; and
  - generate user secret data;
  - divide the generated secret data into multiple portions including a first portion and a second portion;
  - encrypt the user credential with the generated secret data, wherein the stored credential is the encrypted credential;
  - direct transmission, to the authentication server via the network, of the second portion of secret data;
  - receive, from the authentication server via the network after directing transmission of the validation information, the second portion of secret data;
  - combine the stored first portion of secret data with the received second portion of secret data; and
  - decrypt the stored encrypted credential with the combined portions of secret data;
  - wherein the message is signed with the decrypted user credential; and
- further executing the second program to:
  - receive, from at least one of the authentication server and the other network entity via the network, an indication that the user has been successfully authenticated.
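The enrolment and authentication flow claimed above, as an added Python example that is not part of the patent or any product built on it. It assumes a PIN as the validation information, an XOR split of the secret into two portions, a SHA-256 counter keystream as the credential cipher and an HMAC with a credential the server also holds in place of the signature; all four are stand-ins chosen to keep the example self-contained, and the relying entity's message is simulated by the test input.

```python
import hashlib, hmac, os

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key, n):
    # SHA-256 counter keystream as a stand-in cipher (constructed, not the patent's choice)
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
    return out[:n]

class AuthServer:
    # Holds each user's PIN, second secret portion and (symmetric stand-in) credential
    def __init__(self):
        self.pins, self.portions, self.creds, self.nonces = {}, {}, {}, {}
    def enrol(self, user, pin, second_portion, credential):
        self.pins[user], self.portions[user], self.creds[user] = pin, second_portion, credential
    def lookup(self, user, relying_info):
        # Returns the relying entity's identifier, fresh "other information" and its policy
        self.nonces[user] = os.urandom(16)
        return "shop.example", self.nonces[user], {"pin": True}
    def validate(self, user, pin):
        # Only a correct PIN releases the second portion; otherwise nothing leaves the server
        if not hmac.compare_digest(pin, self.pins[user]):
            return None
        return self.portions[user]
    def verify(self, user, relying_info, signed):
        expected = hmac.new(self.creds[user], relying_info + self.nonces[user], "sha256").digest()
        return hmac.compare_digest(signed, expected)

class FirstProgram:
    # The credential-holding device: keeps only one portion plus the encrypted credential
    def __init__(self, credential, pin):
        secret = os.urandom(32)                                # generate user secret data
        self.first_portion = os.urandom(32)                    # random first portion
        self.second_portion = xor(secret, self.first_portion)  # secret = first XOR second
        self.stored = xor(credential, keystream(secret, len(credential)))
        self.pin = pin
    def enrol(self, server, user, credential):
        server.enrol(user, self.pin, self.second_portion, credential)
        self.second_portion = None                             # device no longer holds it
    def authenticate(self, server, user, relying_info):
        entity, other_info, policy = server.lookup(user, relying_info)
        second = server.validate(user, self.pin if policy.get("pin") else b"")
        if second is None:
            return False                                       # wrong PIN: no portion, no key
        secret = xor(self.first_portion, second)
        credential = xor(self.stored, keystream(secret, len(self.stored)))
        signed = hmac.new(credential, relying_info + other_info, "sha256").digest()
        return server.verify(user, relying_info, signed)
```

A stolen copy of the device's storage yields only the first portion and the ciphertext, so the credential cannot be recovered without the server releasing the second portion after a correct PIN.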
Abstract
A network user is authenticated to another network entity by using a first program to receive user input validation information, and store a user credential. A second program receives information, such as a random number, from the other entity. The first program receives an input transferring the information to it, transmits the information to the authentication server, and receives an identifier of the other entity, other information, and authentication policy requirements from the authentication server. It then transmits the input validation information corresponding to the received authentication policy requirements to the authentication server, and in response receives a request for a user credential. It signs a message, including the transferred information and the received other information, with the stored user credential, and transmits the signed message to the authentication server to authenticate the user.
16 Claims
1. A method of authenticating a network user to another network entity, comprising: the steps set out in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. An article of manufacture for authenticating a network user to another network entity, comprising:
- non-transitory storage medium; and
- logic stored on the storage medium, wherein the stored logic is configured to be readable by a processor and thereby cause the processor to operate so as to:
  - receive user inputted validation information;
  - store a user credential;
  - receive an input of information, wherein the information was obtained by the user from another network entity;
  - direct transmission, to an authentication server via the network, of the input information;
  - receive, from the authentication server via the network after directing transmission of the information, an identifier of the other network entity, other information, and authentication policy requirements of the other network entity;
  - direct transmission, to the authentication server via the network, of the input validation information corresponding to the received other network entity authentication policy requirements;
  - receive, from the authentication server via the network after directing transmission of the validation information, a request for a user credential;
  - sign a message, including the information obtained from the other network entity and the other information received from the authentication server, with the stored user credential;
  - direct transmission, to the authentication server via the network, of the signed message to authenticate the user;
  - generate user secret data;
  - divide the generated secret data into multiple portions including a first portion and a second portion;
  - encrypt the user credential with the secret data, wherein the stored user credential is the encrypted credential;
  - direct transmission, to the authentication server via the network, of the second portion of secret data;
  - receive, from the authentication server via the network after directing transmission of the validation information, the second portion of secret data;
  - combine the first portion of secret data with the received second portion of secret data; and
  - decrypt the stored encrypted credential with the combined portions of secret data, wherein the signed message is signed with the decrypted user credential.
Dependent claims: 13, 14, 15, 16.