Apparatus and method for implementing composite authenticators

US 9,887,983 B2
Filed: 10/29/2013
Issued: 02/06/2018
Est. Priority Date: 10/29/2013
Status: Active Grant

First Claim

Patent Images

1. A client device comprising:

one or more authenticators for authenticating a user of the client device with a relying party, each authenticator comprising a plurality of authentication components, each of the authentication components within the client device performing a different function within the context of the authenticator within which it is used; and

component authentication logic on the client device to attest to a model or integrity of at least one of the plurality of authentication components to one or more of the other authentication components prior to allowing the authentication components to be combined on the client device to form the authenticator,wherein authenticating the user with the relying party comprises;

reading biometric authentication data from a user and determining whether to successfully authenticate the user based on a comparison with biometric reference data;

establishing communication with a remote relying party;

performing an attestation transaction with the relying party to attest to the model and/or integrity of a biometric device to the relying party by receiving a challenge from the relying party, signing the challenge using an attestation key to generate a signature, and sending the signature to the relying party, wherein the relying party verifies that the signature is valid using a key of the relying party.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, apparatus, method, and machine readable medium are described for implementing a composite authenticator. For example, an apparatus in accordance with one embodiment comprises: an authenticator for authenticating a user of the apparatus with a relying party, the authenticator comprising a plurality of authentication components; and component authentication logic to attest to the model and/or integrity of at least one authentication component to one or more of the other authentication components prior to allowing the authentication components to form the authenticator.

316 Citations

19 Claims

1. A client device comprising:
- one or more authenticators for authenticating a user of the client device with a relying party, each authenticator comprising a plurality of authentication components, each of the authentication components within the client device performing a different function within the context of the authenticator within which it is used; and
  
  component authentication logic on the client device to attest to a model or integrity of at least one of the plurality of authentication components to one or more of the other authentication components prior to allowing the authentication components to be combined on the client device to form the authenticator,wherein authenticating the user with the relying party comprises;
  
  reading biometric authentication data from a user and determining whether to successfully authenticate the user based on a comparison with biometric reference data;
  
  establishing communication with a remote relying party;
  
  performing an attestation transaction with the relying party to attest to the model and/or integrity of a biometric device to the relying party by receiving a challenge from the relying party, signing the challenge using an attestation key to generate a signature, and sending the signature to the relying party, wherein the relying party verifies that the signature is valid using a key of the relying party.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The client device as in claim 1 wherein the authentication components include a user verification component to authenticate a user and an authentication kernel component to establish secure communication with the relying party.
  - 3. The client device as in claim 1 wherein the authentication components include a display component to securely display information for the user and an authentication kernel component to establish secure communication with the relying party.
  - 4. The client device as in claim 1 wherein one of the authentication components comprises a first authentication component and a second authentication component and wherein attesting to the model and/or integrity of the first authentication component to the second authentication component comprises the operations of:
    - receiving a challenge from the second authentication component;
      
      generating a signature or message authentication code (MAC) over the challenge using a key of the first authentication component; and
      
      verifying the signature or MAC by the second authentication component.
  - 5. The client device as in claim 4 wherein the key comprises a private key and wherein the second component uses a corresponding public key and the challenge to verify the signature.
  - 6. The client device as in claim 1 wherein the challenge comprises a randomly generated nonce.
  - 7. The client device as in claim 1 wherein the at least one authentication component includes a component authentication key (CAK) pair managed by the component authentication logic, the CAK pair usable to attest to the model and/or integrity of the at least one authentication component.
  - 8. The client device as in claim 7 wherein each authentication component of the plurality of authentication components includes a CAK pair managed by the component authentication logic, the CAK pair of each authentication component usable to attest to the model and/or integrity of each of the other authentication components.
  - 9. The client device as in claim 1 wherein the authenticator comprises a first authenticator, the client device further comprising a second authenticator sharing at least one of the plurality of authentication components with the first authenticator.
  - 10. The client device as in claim 9 wherein the authentication components include a user verification component to authenticate a user, a display component to securely display information for the user and an authentication kernel component to establish secure communication with the relying party, wherein at least the authentication kernel component is shared between the first and second authenticators.
  - 11. The client device as in claim 1 wherein at least one of the components is implemented as a trusted application executed within a trusted execution environment (TEE) on the client device.
  - 12. The client device as in claim 11 wherein at least one of the components is implemented as a Secure Element (SE) defined within the client device.
  - 13. The client device as in claim 12 wherein at least one of the components is implemented using a Trusted User Interface.
  - 14. The client device as in claim 1 wherein attesting to the model and/or integrity of the at least one authentication component is performed using a direct anonymous attestation (DAA) scheme.
  - 15. The client device as in claim 1 wherein the operation of attesting to the model and/or integrity of the at least one authentication component further comprises:
    - checking a revocation status of a certificate containing at least one component'"'"'s public keys.
  - 16. The client device as in claim 1 wherein different combinations of components are combined to form different authenticators, wherein at least some of the components are shared between authenticators and wherein each of the different authenticators are identified by the relying party using a unique authenticator attestation ID (AAID) code.
  - 17. The client device as in claim 1 wherein different authentication components are combined to form different authenticators, wherein at least some of the different authentication components are shared between authenticators and wherein each of the different authentication components are uniquely identified by the relying party using a unique component ID code.
  - 18. The client device as in claim 1 wherein the relying party comprises a cloud service.
  - 19. The client device as in claim 1 further comprising:
    - a client application and/or browser to establish remote communication with the relying party, wherein the authenticator authenticates the user of the client device with the relying party using the remote communication established via the client application and/or browser.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nok Nok Labs Incorporated
Original Assignee
Nok Nok Labs Incorporated
Inventors
Lindemann, Rolf, Baghdasaryan, Davit
Primary Examiner(s)
Chang, Kenneth
Assistant Examiner(s)
LANE, GREGORY A

Application Number

US14/066,384
Publication Number

US 20150121068A1
Time in Patent Office

1,561 Days
Field of Search

713158, 726 6
US Class Current
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 63/0823   using certificates cryptogr...

H04L 63/0861   using biometrical features,...

H04L 63/123   received data contents, e.g...

H04L 9/006   involving public key infras...

H04L 9/3265   using certificate chains, t...

Apparatus and method for implementing composite authenticators

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

316 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for implementing composite authenticators

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

316 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links