Method for distributed trust authentication
First Claim
1. A method for distributed authentication of a user attempting to access a service provider operating on a network, the method comprising:
providing, by the service provider, a private/public cryptographic key pair;
generating, by the service provider, using the private key of the private/public cryptographic key pair, a first private key share and a second private key share;
distributing, by the service provider, to different remote locations via the network each of the public key, the first private key share, and the second private key share;
in response to the user attempting to access, via a computing device, the service provider;
performing a first authentication of the user, wherein when the first authentication is successful, generating a first partial signature using the first private key share;
performing a second authentication of the user, wherein when the second authentication is successful, generating a second partial signature using the second private key share; and
generating a composite digital signature using the first partial signature and the second partial signature;
validating the composite digital signature using the public key; and
providing, to the user, access to the service provider based on a successful validation of the composite digital signature.
Abstract
A method for distributed trust authentication of one or more users attempting to access one or more service providers operating on a network includes performing primary authentication of a user using a first authentication factor, generating a first partial digital signature for a first authentication response to the primary authentication, performing secondary authentication of the user using a second authentication factor, generating a second partial digital signature for the second authentication response to the secondary authentication, combining the first and second partial digital signatures to form a composite digital signature, and validating the composite digital signature.
19 Claims
1. Claim 1 is reproduced in full under First Claim above. Dependent claims: 2 to 13.
14. A system for distributed authentication of a user attempting to access a service provider operating on a network, the system comprising:
a primary authentication system authenticates the user over the network via a computing device;
a secondary authentication system authenticates the user over the network via the computing device, subsequent to the primary authentication system;
a service provider provides the user with one or more services;
wherein:
a first private key is distributed to the primary authentication system, a second private key is distributed to the secondary authentication system, a public key is distributed to the service provider, the public key is a part of a private/public key pair, and the first private key and the second private key are generated using the private key of the private/public key pair;
at the primary authentication system:
in response to the user attempting to access, via the computing device, the service provider, performing a first authentication of the user, wherein when the first authentication is successful, generating a first partial signature using the first private key;
at the secondary authentication system:
performing a second authentication of the user, wherein when the second authentication is successful, generating a second partial signature using the second private key; and
at one of the primary authentication system, the secondary authentication system, and the computing device:
generating a composite digital signature using the first partial signature and the second partial signature;
at the service provider:
validating the composite digital signature using the public key; and
providing, to the user, access to the one or more services of the service provider based on a successful validation of the composite digital signature.
Dependent claim: 15.
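The two-share flow of claims 1 and 14 (the abstract describes the same flow in general terms) is easiest to see with a concrete signature scheme. The patent names none, so the following is an added example, not code from the patent or from any product it covers: it uses textbook RSA with an additive split of the private exponent, d = d1 + d2 (mod phi(N)), under which each authentication system's partial signature is m^d_i mod N and the composite signature is simply their product. The toy primes, the SHA-256 hashing of the authentication response, the sample password and one-time code, the nonce, and every name (Authenticator, distributed_login, build_demo_authenticators) are assumptions made for this example.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Toy RSA parameters, constructed for illustration only. Two well-known
# primes give a ~60-bit modulus; a real deployment generates a key of at
# least 2048 bits. The private exponent D belongs to the service provider.
P = 1_000_000_007
Q = 998_244_353
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)

# Constructed demo factors (assumptions for the example, not real credentials).
DEMO_PASSWORD = b"constructed-demo-password"
DEMO_OTP = b"123456"


def split_private_key(d: int, phi: int) -> Tuple[int, int]:
    """Service provider step of claim 1: derive two additive shares of d.

    d1 is uniform in [0, phi) and d2 = d - d1 (mod phi), so one share on its
    own carries no information about d. Each share goes to a different
    authentication system; the service provider keeps only the public key.
    """
    d1 = secrets.randbelow(phi)
    d2 = (d - d1) % phi
    return d1, d2


def response_to_int(auth_response: bytes) -> int:
    """Map an authentication response to the integer that is signed."""
    digest = hashlib.sha256(auth_response).digest()
    return int.from_bytes(digest, "big") % N


class Authenticator:
    """One authentication system holding exactly one private key share.

    It releases a partial signature only after its own factor check passes,
    which is the 'wherein when the authentication is successful' gate of the
    claims. It never sees the other system's share or the full key.
    """

    def __init__(self, name: str, key_share: int, expected_factor: bytes):
        self.name = name
        self._key_share = key_share
        self._expected_factor = expected_factor

    def authenticate_and_sign(self, presented: bytes, auth_response: bytes) -> Optional[int]:
        if not secrets.compare_digest(presented, self._expected_factor):
            return None                        # failed factor: no partial signature
        m = response_to_int(auth_response)
        return pow(m, self._key_share, N)      # partial signature m^d_i mod N


def combine_partial_signatures(s1: int, s2: int) -> int:
    """m^d1 * m^d2 = m^(d1 + d2) = m^d (mod N). Needs no secret, so any party
    named in claim 14 (either authenticator or the user's device) can do it."""
    return (s1 * s2) % N


def verify_composite(signature: int, auth_response: bytes) -> bool:
    """Service provider step: validate with the public key (E, N) alone."""
    return pow(signature, E, N) == response_to_int(auth_response)


def build_demo_authenticators() -> Tuple[Authenticator, Authenticator]:
    """Key distribution: share 1 to the primary system, share 2 to the secondary."""
    d1, d2 = split_private_key(D, PHI)
    primary = Authenticator("primary (password)", d1, DEMO_PASSWORD)
    secondary = Authenticator("secondary (one-time code)", d2, DEMO_OTP)
    return primary, secondary


def distributed_login(password: bytes, otp: bytes,
                      primary: Authenticator, secondary: Authenticator) -> bool:
    """The access attempt of claims 1 and 14, end to end."""
    # Constructed authentication response; a nonce binds it to this attempt.
    auth_response = b"user=alice;sp=example-sp;nonce=constructed-nonce-0001"
    s1 = primary.authenticate_and_sign(password, auth_response)
    if s1 is None:
        return False
    s2 = secondary.authenticate_and_sign(otp, auth_response)
    if s2 is None:
        return False
    composite = combine_partial_signatures(s1, s2)
    return verify_composite(composite, auth_response)


if __name__ == "__main__":
    prim, sec = build_demo_authenticators()
    print("both factors ok:", distributed_login(DEMO_PASSWORD, DEMO_OTP, prim, sec))
    print("wrong second factor:", distributed_login(DEMO_PASSWORD, b"000000", prim, sec))
```

The security property worth noticing is where the secrets sit: the service provider holds only (E, N), each authentication system holds one share, and the combining step is public arithmetic. A system that fails its factor check simply withholds its partial signature, and no valid composite can exist without both partials. The three-share, two-service-provider arrangement of claim 16 is not modelled here; with RSA each service provider would have its own modulus, so a share cannot be reused across the two key pairs the way that claim describes.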
16. A method for distributed trust authentication of a user attempting to access a service provider operating on a network, the method comprising:
distributing, by the service provider, a first private key share, a second private key share, and a third private key share to a first authentication system, a second authentication system, and a third authentication system over the network, respectively, wherein the first authentication system is an identity provider for a first service provider and the second authentication system is an independent authentication service;
distributing, to the first service provider, a first public key paired with a first private key comprising the first private key share and the second private key share, wherein the first public key corresponds to the first private key used to generate the first and second private key shares;
distributing, to a second service provider, a second public key paired with a second private key comprising the second private key share and the third private key share, wherein the second public key corresponds to the second private key used to generate the third private key share, wherein the first and the second public keys are non-identical;
performing, in response to an attempt of a user operating a computing device to access the first and the second service providers, a primary authentication of the user using a first authentication factor;
generating a first authentication response to the primary authentication;
generating a first partial digital signature for the first authentication response using the first private key share;
performing a second and a third authentication process;
wherein the second authentication process comprises:
performing, in response to the attempt of the user to access the first service provider, secondary authentication of the user using a second authentication factor;
generating a second authentication response to the secondary authentication of the user using the second authentication factor;
generating a second partial digital signature for the second authentication response using the second private key share;
combining the first and second partial digital signatures, resulting in a first composite digital signature;
transmitting the first composite digital signature to the first service provider with the first and second authentication responses;
validating, at the first service provider, the first composite digital signature using the first public key; and
providing the user with access to the first service provider in response to successful validation of the first composite digital signature;
wherein the third authentication process comprises:
performing, in response to the attempt of the user to access the second service provider, secondary authentication of the user using a third authentication factor;
generating a third authentication response to the secondary authentication of the user using the third authentication factor;
generating a third partial digital signature for the third authentication response using the third private key share;
combining the first and third partial digital signatures, resulting in a second composite digital signature;
transmitting the second composite digital signature to the second service provider with the first and third authentication responses;
validating, at the second service provider, the second composite digital signature using the second public key; and
providing the user with access to the second service provider in response to successful validation of the second composite digital signature.
Dependent claims: 17, 18, 19.