Method for distributed trust authentication

US 9,825,765 B2
Filed: 03/21/2017
Issued: 11/21/2017
Est. Priority Date: 03/31/2015
Status: Active Grant

First Claim

Patent Images

1. A method for distributed authentication of a user attempting to access a service provider operating on a network, the method comprising:

providing, by the service provider, a private/public cryptographic key pair;

generating, by the service provider, using the private key of the private/public cryptographic key pair, a first private key share and a second private key share;

distributing, by the service provider, to different remote locations via the network each of the public key, the first private key share, and the second private key share;

in response to the user attempting to access, via a computing device, the service provider;

performing a first authentication of the user, wherein when the first authentication is successful, generating a first partial signature using the first private key share;

performing a second authentication of the user, wherein when the second authentication is successful, generating a second partial signature using the second private key share; and

generating a composite digital signature using the first partial signature and the second partial signature;

validating the composite digital signature using the public key; and

providing, to the user, access to the service provider based on a successful validation of the composite digital signature.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for distributed trust authentication of one or more users attempting to access one or more service providers operating on a network includes performing primary authentication of a user using a first authentication factor, generating a first partial digital signature for a first authentication response to the primary authentication, performing secondary authentication of the user using a second authentication factor, generating a second partial digital signature for the second authentication response to the secondary authentication, combining the first and second partial digital signatures to form a composite digital signature, and validating the composite digital signature.

Citations

19 Claims

1. A method for distributed authentication of a user attempting to access a service provider operating on a network, the method comprising:
- providing, by the service provider, a private/public cryptographic key pair;
  
  generating, by the service provider, using the private key of the private/public cryptographic key pair, a first private key share and a second private key share;
  
  distributing, by the service provider, to different remote locations via the network each of the public key, the first private key share, and the second private key share;
  
  in response to the user attempting to access, via a computing device, the service provider;
  
  performing a first authentication of the user, wherein when the first authentication is successful, generating a first partial signature using the first private key share;
  
  performing a second authentication of the user, wherein when the second authentication is successful, generating a second partial signature using the second private key share; and
  
  generating a composite digital signature using the first partial signature and the second partial signature;
  
  validating the composite digital signature using the public key; and
  
  providing, to the user, access to the service provider based on a successful validation of the composite digital signature.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the different locations comprise a primary authentication system, a secondary authentication system, and the service provider, wherein the public key is distributed to and stored at the service provider.
  - 3. The method of claim 2, wherein:
    - the first authentication is performed at the primary authentication system; and
      
      the second authentication is performed at the secondary authentication system.
  - 4. The method of claim 3, wherein the secondary authentication system and the first service provider do not have access to the first private key share;
    - wherein the primary authentication system and the first service provider do not have access to the second private key share.
  - 5. The method of claim 3, further comprising:
    - transmitting a secondary authentication request from the primary authentication system to the secondary authentication system in response to successful primary authentication of the user,wherein performing the secondary authentication comprises performing the secondary authentication only after receiving the secondary authentication request.
  - 6. The method of claim 2, wherein the primary authentication system comprises an independent identity provider and the secondary authentication system comprises a two-factor authentication service.
  - 7. The method of claim 1, wherein:
    - in response to performing the first authentication, generating a first authentication response;
      
      transmitting the first authentication response; and
      
      generating a second authentication response based on the first authentication response.
  - 8. The method of claim 1, wherein performing the primary authentication of the user and validating the first composite digital signature are conducted by a same entity comprising an identity provider and the service provider.
  - 9. The method of claim 8, wherein performing the secondary authentication of the user includes performing the primary authentication at a remote authentication service that is a two-factor authentication service.
  - 10. The method of claim 1, further comprising:
    - transmitting the first partial digital signature to the computing device of the user;
      
      transmitting the second partial digital signature to the computing device of the user;
      
      wherein combining the first and the second partial digital signatures comprises combining the first and the second partial digital signatures at the computing device of the user.
  - 11. The method of claim 1, wherein generating the second partial digital signature comprises generating the second partial digital signature in response to both of the successful primary authentication and the successful secondary authentication.
  - 12. The method of claim 1,wherein a first authentication factor used in performing the first authentication comprises a knowledge factor, andwherein the first partial digital signature is generated for a first authentication response to the first authentication using the knowledge factor.
  - 13. The method of claim 12, wherein the knowledge factor is a password to a user account associated with the first service provider.

14. A system for distributed authentication of a user attempting to access a service provider operating on a network, the system comprising:
- a primary authentication system authenticates the user over the network via a computing device;
  
  a secondary authentication system authenticates the user over the network via the computing device, subsequent to the primary authentication system;
  
  a service provider provides the user with one or more services;
  
  wherein;
  
  a first private key is distributed to the primary authentication system,a second private key is distributed to the secondary authentication system,a public key is distributed to the service provider,the public key is a part of a private/public key pair, and the first private key and the second private key are generated using the private key of the private/public key pair;
  
  at the primary authentication system;
  
  in response to the user attempting to access, via the computing device, the service provider performing a first authentication of the user, wherein when the first authentication is successful, generating a first partial signature using the first private key;
  
  at the secondary authentication system;
  
  performing a second authentication of the user, wherein when the second authentication is successful, generating a second partial signature using the second private key; and
  
  at one of the primary authentication system, the secondary authentication system, and the computing device;
  
  generating a composite digital signature using the first partial signature and the second partial signature;
  
  at the service provider;
  
  validating the composite digital signature using the public key; and
  
  providing, to the user, access to the one or more services of service provider based on a successful validation of the composite digital signature.
- View Dependent Claims (15)
- - 15. The system of claim 14, wherein:
    - the primary authentication system comprises an identity provider; and
      
      the second authentication system comprises a two-factor authentication service.

16. A method for distributed trust authentication of a user attempting to access a service provider operating on a network, the method comprising:
- distributing, by the service provider, a first private key share, a second private key share, and a third private key share to a first authentication system, a second authentication system, and a third authentication system over the network, respectively, wherein the first authentication system is an identity provider for a first service provider the second authentication system is an independent authentication service;
  
  distributing, to the first service provider, a first public key paired with a first private key comprising the first private key share and the second private key share, wherein the first public key corresponds to the first private key used to generate the first and second private key shares;
  
  distributing, to a second service provider, a second public key paired with a second private key comprising the second private key share and the third private key share, wherein the second public key corresponds to the second private key used to generate the third private key share, wherein the first and the second public keys are non-identical,performing, in response to an attempt of a user operating a computing device to access the first and the second service providers, a primary authentication of the user using a first authentication factor;
  
  generating a first authentication response to the primary authentication;
  
  generating a first partial digital signature for the first authentication response using the first private key share;
  
  performing a second and a third authentication process;
  
  wherein the second authentication process comprises;
  
  performing in response to the attempt of the user to access the first service provider, secondary authentication of the user using a second authentication factor;
  
  generating a second authentication response to the secondary authentication of the user using the second authentication factor;
  
  generating a second partial digital signature for the second authentication response using the second private key share;
  
  combining the first and second partial digital signatures, resulting in a first composite digital signature;
  
  transmitting the first composite digital signature to the first service provider with the first and second authentication responses;
  
  validating, at the first service provider, the first composite digital signature using the first public key; and
  
  providing the user with access to the first service provider in response to successful validation of the first composite digital signature;
  
  wherein the third authentication process comprises;
  
  performing in response to the attempt of the user to access the second service provider, secondary authentication of the user using a third authentication factor;
  
  generating a third authentication response to the secondary authentication of the user using the third authentication factor;
  
  generating a third partial digital signature for the third authentication response using the third private key share;
  
  combining the first and third partial digital signatures, resulting in a second composite digital signature;
  
  transmitting the second composite digital signature to the second service provider with the first and third authentication responses;
  
  validating, at the second service provider, the second composite digital signature using the second public key; and
  
  providing the user with access to the second service provider in response to successful validation of the second composite digital signature.
- View Dependent Claims (17, 18, 19)
- - 17. The method of claim 16, wherein the first and the second service provider are a same service provider and the first and the second public keys are stored at a same service provider.
  - 18. The method of claim 17, wherein validating the first composite digital signature using the first public key comprises attempting to validate the first composite digital signature using both of the first public key and the second public key;
    - wherein validating the second composite digital signature using the second public key comprises attempting to validate the second composite digital signature using both of the first public key and the second public key;
      
      the method further comprising providing the user with access to the same service provider in response to successful validation using either of the first public key or the second public key.
  - 19. The method of claim18, wherein providing the user with access comprises providing a different scope of access if the first composite digital signature is successfully validated than if the second composite digital signature is successfully validated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Duo Security Incorporated (Cisco Systems, Inc.)
Inventors
Oberheide, Jon, Song, Dug, Goodman, Adam
Primary Examiner(s)
GRACIA, GARY S

Application Number

US15/465,467
Publication Number

US 20170195123A1
Time in Patent Office

245 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/40   by quorum, i.e. whereby two...

H04L 2463/082   applying multi-factor authe...

H04L 63/0815   providing single-sign-on or...

H04L 63/0838   using one-time-passwords

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 9/085   Secret sharing or secret sp...

H04L 9/0863   involving passwords or one-...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3226   using a predetermined code,...

H04L 9/3247   involving digital signatures

Method for distributed trust authentication

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method for distributed trust authentication

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links