Method and system for smartcard emulation

US 9,787,672 B1
Filed: 06/14/2013
Issued: 10/10/2017
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a security agent on a client device, a one-time password and a container PIN for a container, wherein the one-time password is generated at a device registered with the client device and entered into the security agent on the client device;

validating, by the security agent on the client device, the container PIN;

sending, by the security agent on the client device upon validation of the container PIN, a request to validate the one-time password to an authentication server, wherein the request comprises the one-time password, a credential ID associated with the registered device, a key ID associated with a private key, and a user ID associated with a user;

receiving, by the security agent on the client device upon validation of the one-time password by the authentication server, a response from the authentication server, the response comprising a cloud portion of the private key identified via the key ID and an authorization to access a container portion of the private key stored locally in the container;

combining the cloud portion of the private key with the container portion of the private key to construct the private key;

sending, by the security agent on the client device to the authentication server, a request to validate a second one-time password, wherein validation of the second one-time password by the authentication server authorizes exportation of the container portion of the private key from the container to a second device;

receiving, by the security agent on the client device, a response from the authentication server indicating that the second one-time password is valid, wherein exportation of the container portion of the private key to the second device is permitted upon receipt of the response; and

exporting, from the security agent on the client device to the second device, the container portion of the private key.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for emulating a smartcard which includes receiving a one time password and a container PIN for a container, validating the container PIN, upon validating the container PIN, and sending a request to validate the one time password to an authentication server based on a credential ID and a user ID, wherein the request includes the credential ID, the user ID, and the one time password. Upon validation of the one time password by the authentication server, a response is received from the authentication server, and the response includes at least one of: at least a portion of a private key or an authorization to access a at least a portion of the private key stored locally.

Citations

15 Claims

1. A method comprising:
- receiving, by a security agent on a client device, a one-time password and a container PIN for a container, wherein the one-time password is generated at a device registered with the client device and entered into the security agent on the client device;
  
  validating, by the security agent on the client device, the container PIN;
  
  sending, by the security agent on the client device upon validation of the container PIN, a request to validate the one-time password to an authentication server, wherein the request comprises the one-time password, a credential ID associated with the registered device, a key ID associated with a private key, and a user ID associated with a user;
  
  receiving, by the security agent on the client device upon validation of the one-time password by the authentication server, a response from the authentication server, the response comprising a cloud portion of the private key identified via the key ID and an authorization to access a container portion of the private key stored locally in the container;
  
  combining the cloud portion of the private key with the container portion of the private key to construct the private key;
  
  sending, by the security agent on the client device to the authentication server, a request to validate a second one-time password, wherein validation of the second one-time password by the authentication server authorizes exportation of the container portion of the private key from the container to a second device;
  
  receiving, by the security agent on the client device, a response from the authentication server indicating that the second one-time password is valid, wherein exportation of the container portion of the private key to the second device is permitted upon receipt of the response; and
  
  exporting, from the security agent on the client device to the second device, the container portion of the private key.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 further comprising:
    - executing an initial key generation function; and
      
      sending the cloud portion of the private key to the authentication server.
  - 3. The method of claim 1, further comprising:
    - sending a request to the authentication server to validate a third one-time password for importation of the container portion of the private key from a device into the container; and
      
      receiving a response from the authentication server indicating that the third one-time password for importation of the container portion of the private key is valid, wherein importation of the container portion of the private key from the device is permitted upon receipt of the response.
  - 4. The method of claim 1, wherein the key ID is one of a plurality of key IDs associated with the user ID.
  - 5. The method of claim 1, wherein a pin policy defining requirements for the pin is exported with the container portion of the private key.

6. A system comprising:
- a hardware memory; and
  
  a security agent on a client device coupled to or containing the hardware memory, the security agent configured to;
  
  receive, by the security agent on the client device, a one-time password and a container PIN for a container, wherein the one-time password is generated at a device registered with the client device and entered into the security agent on the client device;
  
  validate, by the security agent on the client device, the container PIN;
  
  send, by the security agent on the client device upon validation of the container PIN, a request to validate the one-time password to an authentication server, wherein the request comprises the one-time password, a credential ID associated with the registered device, a key ID associated with a private key, and a user ID associated with a user;
  
  receive, by the security agent on the client device upon validation of the one-time password by the authentication server, a response from the authentication server, the response comprising a cloud portion of the private key identified via the key ID and an authorization to access a container portion of the private key stored locally in the container;
  
  combine the cloud portion of the private key with the container portion of the private key to construct the private key;
  
  send, by the security agent on the client device to the authentication server, a request to validate a second one-time password, wherein validation of the second one-time password by the authentication server authorizes exportation of the container portion of the private key from the container to a second device;
  
  receive, by the security agent on the client device, a response from the authentication server indicating that the second one-time password is valid, wherein exportation of the container portion of the private key to the second device is permitted upon receipt of the response; and
  
  export, from the security agent on the client device to the second device, the container portion of the private key.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6, wherein the security agent is further configured to:
    - execute an initial key generation function; and
      
      send the cloud portion of the private key to the authentication server.
  - 8. The system of claim 6, wherein the processing device security agent is further configured to:
    - send a request to the authentication server to validate a third one-time password for importation of the container portion of the private key from a device into the container; and
      
      receive a response from the authentication server indicating that the third one-time password for importation of the container portion of the private key is valid, wherein importation of the container portion of the private key from the device is permitted upon receipt of the response.
  - 9. The system of claim 6, wherein the key ID is one of a plurality of key IDs associated with the user ID.
  - 10. The system of claim 6, wherein a pin policy defining requirements for the pin is exported with the container portion of the private key.

11. A non-transitory computer readable storage medium comprising instructions that, when executed by a security agent on a client device, cause the security agent to perform a set of operations comprising:
- receiving, by the security agent on the client device, a one-time password and a container PIN for a container, wherein the one-time password is generated at a device registered with the client device and entered into the security agent on the client device;
  
  validating, by the security agent on the client device, the container PIN;
  
  sending, by the security agent on the client device upon validation of the container PIN, a request to validate the one-time password to an authentication server, wherein the request comprises the one-time password, a credential ID associated with the registered device, a key ID associated with a private key, and a user ID associated with a user;
  
  receiving, by the security agent on the client device upon validation of the one-time password by the authentication server, a response from the authentication server, the response comprising a cloud portion of the private key identified via the key ID and an authorization to access a container portion of the private key stored locally in the container;
  
  combining the cloud portion of the private key with the container portion of the private key to construct the private key;
  
  sending, by the security agent on the client device to the authentication server, a request to validate a second one-time password, wherein validation of the second one-time password by the authentication server authorizes exportation of the container portion of the private key from the container to a second device;
  
  receiving, by the security agent on the client device, a response from the authentication server indicating that the second one-time password is valid, wherein exportation of the container portion of the private key to the second device is permitted upon receipt of the response; and
  
  exporting, from the security agent on the client device to the second device, the container portion of the private key.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The non-transitory computer readable storage medium of claim 11, wherein the set of operations further comprises:
    - executing an initial key generation function; and
      
      sending the cloud portion of the private key to the authentication server.
  - 13. The non-transitory computer readable storage medium of claim 11:
    - sending a request from to the authentication server to validate a third one-time password for importation of the container portion of the private key from a device into the container; and
      
      receiving a response from the authentication server indicating that third the one-time password for importation of the container portion of the private key is valid, wherein importation of the container portion of the private key from the device is permitted upon receipt of the response.
  - 14. The non-transitory computer readable storage medium of claim 11, wherein the key ID is one of a plurality of key IDs associated with the user ID.
  - 15. The non-transitory computer readable storage medium of claim 11, wherein a pin policy defining requirements for the pin is exported with the container portion of the private key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Dundas, Alan, Herskedal, Eirik
Primary Examiner(s)
Lagor, Alexander
Assistant Examiner(s)
Bechtel, Kevin

Application Number

US13/918,326
Time in Patent Office

1,579 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/0838   using one-time-passwords

H04L 9/006   involving public key infras...

H04L 9/08   Key distribution or managem...

H04L 9/0897   involving additional device...

H04L 9/321   involving a third party or ...

H04L 9/3228   One-time or temporary data,...

H04L 9/3247   involving digital signatures

Method and system for smartcard emulation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for smartcard emulation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links