Method for producing a soft token, computer program product and service computer system
First Claim
1. A method for generating a soft token, the method comprising:
providing a secure element, wherein, in a protected storage area of the secure element, a secret key of a first asymmetric cryptographic key pair is stored and wherein the secure element is associated with a user; setting up a first cryptographically secured connection between an electronic device of the user and a service computer system;
transmitting a request for the generation of the soft token from the electronic device to the service computer system via the first connection;
generating, by the service computer system, a one-time password on the basis of a reception of the request by the service computer system, where the one-time password is generated without knowledge of the secret key of the first asymmetric cryptographic key pair;
registering the one-time password as an identifier of the first connection by the service computer system;
transmitting the one-time password from the service computer system to the electronic device via the first connection;
issuing the one-time password via a user interface of the electronic device;
setting up a second cryptographically secured connection between a user computer system and the service computer system;
entering the one-time password into the user computer system;
transmitting the entered one-time password from the user computer system to the service computer system via the second connection;
verifying, by means of the service computer system, whether the registered one-time password is in agreement with the one-time password received via the second connection, and if successfully verified, reading at least one attribute stored in an ID token; and
generating the soft token by signing the at least one attribute and a public key of the first cryptographic key pair, transmitting the soft token via the first connection to the electronic device and/or transmitting the soft token via the second connection to the user computer system, wherein a local connection is set up between the user computer system and the secure element, wherein the local connection is a bidirectional ad hoc connection.
Abstract
The invention relates to a method for generating a soft token, having the following: providing a secure element, wherein, in a protected storage area of the secure element, a secret key of a first asymmetric cryptographic key pair is stored; setting up a first cryptographically secured connection between an electronic device and a service computer system; transmitting a request for the generation of the soft token from the electronic device to the service computer system via the first connection; generating a one-time password on the basis of the reception of the request by the service computer system; registering the one-time password as an identifier of the first connection by the service computer system; transmitting the one-time password from the service computer system to the electronic device via the first connection; issuing the one-time password via a user interface of the electronic device; setting up a second cryptographically secured connection between a user computer system and the service computer system; entering the one-time password into the user computer system; transmitting the entered one-time password from the user computer system to the service computer system via the second connection; verifying, by means of the service computer system, whether the registered one-time password is in agreement with the one-time password received via the second connection, and only if this is the case, reading at least one attribute stored in an ID token; generating the soft token by signing the at least one attribute and the public key of the first cryptographic key pair; and transmitting the soft token via the first connection to the electronic device and/or via the second connection to the user computer system.
24 Claims
1. A method for generating a soft token (independent claim 1, reproduced in full above under First Claim). - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
19. A service computer system for generating a soft token linked to a secure element associated with a user, comprising:
means for setting up a first cryptographically secured connection to an electronic device associated with the user;
means for receiving a request for the generation of the soft token from the electronic device via the first connection;
means for generating a one-time password on the basis of the receipt of the request;
means for transmitting the one-time password to the electronic device via the first connection;
means for setting up a second cryptographically secured connection to a user computer system, wherein the user computer system is physically distinct from the electronic device associated with the user;
means for receiving the one-time password from the user computer system via the second connection;
means for verifying whether the generated one-time password is in agreement with the received one-time password;
means for generating the soft token by signing at least one attribute, which has been read out of an ID token, and a public key assigned to the secure element, and for transmitting the soft token to the electronic device via the first connection and/or to the user computer system via the second connection under the condition that the verification has confirmed that there is agreement between the generated one-time password and the received one-time password; and
having the secure element, wherein the secure element and the user computer system are designed to set up a local connection between the user computer system and the secure element, wherein the local connection is a bidirectional ad hoc connection. - View Dependent Claims (20, 21)
22. A service computer system for generating a soft token linked to a secure element associated with a user, having:
- a hardware processor, a first program component and a network interface in cooperative arrangement configured to set up a first cryptographically secured connection to an electronic device associated with the user by which a request for generation of the soft token is received from the electronic device, wherein a one-time password is generated by the hardware processor and the first program component upon receipt of the request by the first connection and wherein the hardware processor, the first program component and the network interface are configured in cooperative arrangement to transmit the one-time password to the electronic device via the first connection;
a network interface and a second program component in cooperative arrangement with the hardware processor to set up a second cryptographically secured connection to a user computer system and to receive the one-time password from the user computer system via the second connection, wherein the hardware processor and the second program component are operable to verify whether the generated one-time password is in agreement with the received one-time password, and wherein the user computer system is physically distinct from the electronic device associated with the user;
one or more of the first program component and the second program component further operable in cooperation with the hardware processor to generate the soft token by signing at least one attribute, which has been read out of an ID token, and a public key assigned to the secure element, and to transmit the soft token to the electronic device via the first connection and/or to the user computer system via the second connection under the condition that the verification has confirmed that there is agreement between the generated one-time password and the received one-time password; and
the secure element, wherein the secure element and the user computer system are configured to set up a local connection between the user computer system and the secure element, wherein the local connection is a bidirectional ad hoc connection. - View Dependent Claims (23, 24)
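The two-channel binding that claim 1, the abstract and the apparatus claims 19 and 22 describe, as an added example in Python. This is not code from the patent, its assignee or any product; it models only the service computer system. The secure element, the local ad hoc connection and the ID token read-out are reduced to constructed stand-ins (a fixed public-key byte string and a callback returning a sample attribute dict), and the soft-token signature uses HMAC-SHA256 under a service key in place of the asymmetric signature a real issuer would use. The class and method names (ServiceComputerSystem, request_soft_token, submit_otp, verify_soft_token) are this example's own. The security-relevant points it makes concrete: the OTP is pure service-side randomness registered against the first connection, it is matched in constant time, it is single-use and time-limited, and the ID token attribute is read and the soft token signed only after the OTP from the second connection has been verified.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample data (not from the patent): the secure element's public key
# as an opaque byte string, and the attributes an ID token would yield.
SECURE_ELEMENT_PUBLIC_KEY = bytes.fromhex("04" + "ab" * 64)
ID_TOKEN_ATTRIBUTES = {"given_name": "Erika", "family_name": "Mustermann",
                       "date_of_birth": "1964-08-12"}
OTP_TTL_SECONDS = 120


class ServiceComputerSystem:
    """Service side of claim 1: two independent secured channels (first: the
    electronic device, second: the user computer system) are bound by an OTP
    handed out on the first channel and expected back on the second."""

    def __init__(self, signing_key: bytes, now=time.time):
        # Assumption: HMAC stands in for the service's soft-token signature.
        self._signing_key = signing_key
        self._now = now
        self._connections = {}   # conn_id -> {"kind": "first"|"second", "peer": str}
        self._pending_otps = {}  # otp -> {"first_conn", "public_key", "expires"}
        self._outbox = {}        # conn_id -> messages delivered on that connection

    def _new_connection(self, kind, peer):
        conn_id = secrets.token_hex(8)
        self._connections[conn_id] = {"kind": kind, "peer": peer}
        self._outbox[conn_id] = []
        return conn_id

    def setup_first_connection(self, electronic_device_id):
        return self._new_connection("first", electronic_device_id)

    def setup_second_connection(self, user_computer_id):
        return self._new_connection("second", user_computer_id)

    def request_soft_token(self, first_conn, public_key):
        conn = self._connections.get(first_conn)
        if conn is None or conn["kind"] != "first":
            raise ValueError("requests are only accepted on a first connection")
        # OTP generated without any knowledge of the secure element's secret key:
        # service-side randomness, registered as the identifier of this connection.
        otp = "".join(secrets.choice("0123456789") for _ in range(8))
        self._pending_otps[otp] = {"first_conn": first_conn, "public_key": public_key,
                                   "expires": self._now() + OTP_TTL_SECONDS}
        self._outbox[first_conn].append({"type": "otp", "otp": otp})
        return otp

    def submit_otp(self, second_conn, entered_otp, read_id_token_attributes):
        conn = self._connections.get(second_conn)
        if conn is None or conn["kind"] != "second":
            raise ValueError("the OTP must arrive over a second connection")
        # Constant-time comparison against every registered OTP, so a wrong
        # guess does not leak through timing how many digits matched.
        match = None
        for otp in list(self._pending_otps):
            if hmac.compare_digest(otp.encode(), entered_otp.encode()):
                match = otp
        if match is None:
            return None
        entry = self._pending_otps.pop(match)  # single use: consumed on first acceptance
        if self._now() > entry["expires"]:
            return None
        # Only after successful verification: read the attribute from the ID token
        # (constructed callback here) and sign it together with the public key.
        token = self._sign_soft_token(read_id_token_attributes(), entry["public_key"])
        self._outbox[entry["first_conn"]].append({"type": "soft_token", "token": token})
        self._outbox[second_conn].append({"type": "soft_token", "token": token})
        return token

    @staticmethod
    def _canonical(body):
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def _sign_soft_token(self, attributes, public_key):
        body = {"attributes": attributes, "public_key": public_key.hex()}
        sig = hmac.new(self._signing_key, self._canonical(body), hashlib.sha256).hexdigest()
        return {"body": body, "signature": sig}

    def verify_soft_token(self, token):
        expected = hmac.new(self._signing_key, self._canonical(token["body"]),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, token["signature"])

    def messages_on(self, conn_id):
        return list(self._outbox[conn_id])


def run_protocol():
    """One complete pass through claim 1, including one wrong OTP entry."""
    service = ServiceComputerSystem(signing_key=b"constructed-service-signing-key")
    first = service.setup_first_connection("electronic-device")
    otp = service.request_soft_token(first, SECURE_ELEMENT_PUBLIC_KEY)
    # The device shows the OTP on its UI; the user types it into the user
    # computer system, which forwards it over the second connection.
    second = service.setup_second_connection("user-computer-system")
    assert service.submit_otp(second, "not-the-code", lambda: ID_TOKEN_ATTRIBUTES) is None
    token = service.submit_otp(second, otp, lambda: dict(ID_TOKEN_ATTRIBUTES))
    return {"service": service, "first": first, "second": second, "otp": otp, "token": token}


if __name__ == "__main__":
    print(json.dumps(run_protocol()["token"], indent=2))
```

The OTP here is the only thing linking the two channels, so its entropy, single use and short lifetime are what stop an attacker who has opened their own second connection from having a token issued against a victim's first connection; a production service would additionally rate-limit submissions per second connection and log each consumed OTP against both connection identifiers.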
Specification