
User authentication over networks

  • US 9,674,158 B2
  • Filed: 07/28/2015
  • Issued: 06/06/2017
  • Est. Priority Date: 07/28/2015
  • Status: Active Grant
First Claim

1. A method for authenticating user authentication data, associated with a user ID, at an authentication system comprising an authentication server connected to a network and a secure cryptoprocessor operatively coupled to the authentication server, the method comprising:

    providing, in a data storage device operatively coupled to the authentication server, a first token for said user ID, the first token being produced by the secure cryptoprocessor by encoding the user authentication data associated with the user ID via a deterministic function using a secret key of the secure cryptoprocessor to produce a preliminary token, and encrypting the preliminary token under a public key of a first public-private key pair to produce the first token;

    at the authentication server, receiving an authentication request for the user ID from a remote computer via the network, the authentication request comprising a ciphertext encrypting user authentication data under the public key of the first public-private key pair the private key of which is secret to the secure cryptoprocessor, and supplying the ciphertext to the secure cryptoprocessor;

    at the secure cryptoprocessor, decrypting the ciphertext using said private key to obtain plaintext user authentication data;

    at the authentication server, retrieving said first token for the user ID from said data storage device;

    in the authentication system, checking for equality of said plaintext user authentication data and the user authentication data encoded in the first token via a cryptographic processing operation in which the authentication data is not exposed outside the secure cryptoprocessor; and

    at the authentication server, in response to said equality, sending an authentication confirmation message to the remote computer via the network, wherein the method includes:

    at the authentication server, supplying the first token to the secure cryptoprocessor;

    at the secure cryptoprocessor, decrypting the first token using said private key to obtain the preliminary token, encoding said plaintext user authentication data via said deterministic function using said secret key to produce a second token, and comparing the second token and the preliminary token to check for said equality; and

    the method further comprising:

    including, in a registration operation for said user ID:

    receiving, at the authentication server, a registration request for the user ID from the remote computer via the network, the registration request comprising a ciphertext encrypting the user authentication data associated with the user ID, and a registration nonce, under said public key, and supplying the ciphertext to the secure cryptoprocessor;

    decrypting, at the secure cryptoprocessor, the ciphertext using said private key to obtain the user authentication data associated with the user ID and the registration nonce, encoding the user authentication data associated with the user ID via said deterministic function using said secret key to produce said preliminary token, encrypting the preliminary token and the registration nonce under said public key to produce the first token, and supplying the first token to the authentication server; and

    storing, at the authentication server, the first token for the user ID in said data storage device.
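The registration and authentication flows that claim 1 describes, as an added worked example; this is not code from the patent or its assignee. The claim names no particular primitives, so HMAC-SHA256 stands in for the "deterministic function using a secret key", RSA-OAEP for encryption under the first public-private key pair, and a 16-byte registration nonce appended after the authentication data is the assumed plaintext layout. The user ID "alice" and the passwords are constructed sample data. Only the Cryptoprocessor type holds the private key and the secret key; the server-side code in RunDemo handles nothing but ciphertexts and stored first tokens.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// nonceLen is the registration nonce length: a constructed choice, the claim fixes none.
const nonceLen = 16

// Cryptoprocessor models the secure cryptoprocessor; priv and secret never leave it.
type Cryptoprocessor struct {
	priv   *rsa.PrivateKey // private key of the first public-private key pair
	secret []byte          // secret key of the deterministic function
}

func NewCryptoprocessor() (*Cryptoprocessor, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	secret := make([]byte, 32)
	_, err = rand.Read(secret)
	return &Cryptoprocessor{priv: priv, secret: secret}, err
}

func encryptOAEP(pub *rsa.PublicKey, pt []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, pt, nil)
}

// encode is the claim's "deterministic function using a secret key"; HMAC-SHA256 is
// an assumption here, the claim names no particular function.
func (c *Cryptoprocessor) encode(authData []byte) []byte {
	m := hmac.New(sha256.New, c.secret)
	m.Write(authData)
	return m.Sum(nil)
}

// Register turns Enc_pub(authData || nonce) into the first token Enc_pub(prelim || nonce).
func (c *Cryptoprocessor) Register(ct []byte) ([]byte, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.priv, ct, nil)
	if err != nil || len(pt) < nonceLen {
		return nil, errors.New("bad registration ciphertext")
	}
	authData, nonce := pt[:len(pt)-nonceLen], pt[len(pt)-nonceLen:]
	return encryptOAEP(&c.priv.PublicKey, append(c.encode(authData), nonce...))
}

// Verify decrypts the request ciphertext and the stored first token, recomputes the token
// and compares in constant time; the plaintext authentication data is never returned.
func (c *Cryptoprocessor) Verify(ct, firstToken []byte) (bool, error) {
	pt, errReq := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.priv, ct, nil)
	tok, errTok := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.priv, firstToken, nil)
	if errReq != nil || errTok != nil || len(tok) != sha256.Size+nonceLen {
		return false, errors.New("bad request ciphertext or first token")
	}
	return hmac.Equal(c.encode(pt), tok[:sha256.Size]), nil
}

// RunDemo registers one constructed user, then authenticates once with the right
// password and once with a wrong one; returns (correctAccepted, wrongAccepted, err).
func RunDemo() (bool, bool, error) {
	hsm, err := NewCryptoprocessor()
	if err != nil {
		return false, false, err
	}
	pub := &hsm.priv.PublicKey                         // all the remote computer needs
	store := map[string][]byte{}                       // the server's data storage device
	password := []byte("correct horse battery staple") // constructed sample
	nonce := make([]byte, nonceLen)                    // registration nonce from the client
	if _, err := rand.Read(nonce); err != nil {
		return false, false, err
	}
	// Remote computer: registration request Enc_pub(password || nonce).
	reg, err := encryptOAEP(pub, append(append([]byte{}, password...), nonce...))
	if err == nil { // server hands the ciphertext to the cryptoprocessor, stores the token
		store["alice"], err = hsm.Register(reg)
	}
	if err != nil {
		return false, false, err
	}
	// Remote computer: Enc_pub(guess); server supplies it with the stored first token.
	var results []bool
	for _, guess := range [][]byte{password, []byte("correct horse battery stapler")} {
		req, err := encryptOAEP(pub, guess)
		if err != nil {
			return false, false, err
		}
		ok, err := hsm.Verify(req, store["alice"])
		if err != nil {
			return false, false, err
		}
		results = append(results, ok)
	}
	return results[0], results[1], nil
}
```

Two points worth noticing when reading this against the claim. First, the stored first token is an OAEP ciphertext, so a dump of the server's data storage device yields nothing without the cryptoprocessor's private key, and even with it only HMAC outputs under a key that also never leaves the cryptoprocessor; the scheme's resistance to offline guessing therefore rests on key confinement, not on the cost of the deterministic function, which is the opposite of a password-hashing KDF such as scrypt or Argon2. Second, nothing in claim 1 as written, and nothing in the example, binds an authentication ciphertext to a session, so replay of a captured request has to be prevented by the transport or an additional challenge.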
