Protecting passwords and biometrics against back-end security breaches

US 9,887,989 B2
Filed: 04/22/2016
Issued: 02/06/2018
Est. Priority Date: 06/23/2012
Status: Active Grant

First Claim

Patent Images

1. A multifactor authentication method for authenticating a user of an application while mitigating back-end security breaches, the application comprising an application front-end running on a computing device and an application back-end running on a server, the server being part of a back-end subsystem, the back-end subsystem comprising a back-end storage medium, the method comprising:

during a registration phase, the application front-end sending to the application back-end one or more registration-phase bearer tokens;

during the registration phase, the application back-end computing a registration-phase tag derived from a registration-phase joint hash of a public key and the one or more registration-phase bearer tokens, the public key being a component of a key pair pertaining to an asymmetric cryptosystem, the public key being treated by the application as a secret shared between the application front-end and the application back-end, wherein the public key is never communicated by the application front-end or the application back-end to any third party;

during the registration phase, the application back-end storing the registration-phase tag in the back-end storage medium;

during the registration phase, the application back-end deleting the public key and the one or more registration-phase bearer tokens from the back-end subsystem after computing the registration-phase tag;

during an authentication phase, the application front-end sending to the application back-end the public key and one or more authentication-phase bearer tokens;

during the authentication phase, the application front-end proving to the application back-end knowledge of a private key associated with the public key, the private key being a component of the key pair;

during the authentication phase, the application back-end computing an authentication-phase tag derived from an authentication-phase joint hash of the public key and the one or more authentication-phase bearer tokens;

during the authentication phase, the application back-end deleting the public key and the one or more authentication-phase bearer tokens from the back-end subsystem after computing the authentication-phase tag; and

during the authentication phase, the application back-end verifying that the authentication-phase tag is equal to the registration-phase tag.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system are provided for authenticating a user to an application back-end using a key pair and one or more bearer tokens such as a password, a biometric code, or a biometric key, while protecting the bearer tokens against back-end security breaches. In one embodiment, an application front-end authenticates the user by sending the bearer tokens and a public key to the application back-end, and demonstrating knowledge of a private key. The application back-end compares an authentication-phase tag derived from a joint hash of the public key and the bearer tokens against a registration-phase tag stored in a device record within a back-end database. The public key is not stored in the database, thereby depriving an adversary who breaches back-end security of information needed to test guesses of the bearer tokens.

Citations

18 Claims

1. A multifactor authentication method for authenticating a user of an application while mitigating back-end security breaches, the application comprising an application front-end running on a computing device and an application back-end running on a server, the server being part of a back-end subsystem, the back-end subsystem comprising a back-end storage medium, the method comprising:
- during a registration phase, the application front-end sending to the application back-end one or more registration-phase bearer tokens;
  
  during the registration phase, the application back-end computing a registration-phase tag derived from a registration-phase joint hash of a public key and the one or more registration-phase bearer tokens, the public key being a component of a key pair pertaining to an asymmetric cryptosystem, the public key being treated by the application as a secret shared between the application front-end and the application back-end, wherein the public key is never communicated by the application front-end or the application back-end to any third party;
  
  during the registration phase, the application back-end storing the registration-phase tag in the back-end storage medium;
  
  during the registration phase, the application back-end deleting the public key and the one or more registration-phase bearer tokens from the back-end subsystem after computing the registration-phase tag;
  
  during an authentication phase, the application front-end sending to the application back-end the public key and one or more authentication-phase bearer tokens;
  
  during the authentication phase, the application front-end proving to the application back-end knowledge of a private key associated with the public key, the private key being a component of the key pair;
  
  during the authentication phase, the application back-end computing an authentication-phase tag derived from an authentication-phase joint hash of the public key and the one or more authentication-phase bearer tokens;
  
  during the authentication phase, the application back-end deleting the public key and the one or more authentication-phase bearer tokens from the back-end subsystem after computing the authentication-phase tag; and
  
  during the authentication phase, the application back-end verifying that the authentication-phase tag is equal to the registration-phase tag.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the public key and the associated private key pertain to an asymmetric digital signature cryptosystem and the application front-end proves knowledge of the private key to the application back-end by using the private key to compute a signature, the signature being verified by the application back-end.
  - 3. The method of claim 1, wherein the public key and the associated private key pertain to an asymmetric key-exchange cryptosystem and the application front-end proves knowledge of the private key to the application back-end by using the private key to perform a key exchange with the application back-end.
  - 4. The method of claim 1, wherein the public key and the associated private key pertain to an asymmetric encryption cryptosystem and the application front-end proves knowledge of the private key to the application back-end by using the private key to decrypt a nonce encrypted by the application back-end.
  - 5. The method of claim 1, wherein one of the one or more registration-phase bearer tokens is a registration-phase password, and one of the one or more authentication-phase bearer tokens is an authentication-phase password.
  - 6. The method of claim 1, wherein the application front-end is part of a front-end subsystem that comprises a front-end storage medium, and one of the one or more authentication-phase bearer tokens sent by the application front-end to the application back-end is derived from a joint hash of a salt stored in the storage medium and an authentication-phase password.
  - 7. The method of claim 1, wherein one of the one or more authentication-phase bearer tokens is an authentication-phase biometric key.
  - 8. The method of claim 1, wherein the application front-end is part of a front-end subsystem that comprises a front-end storage medium, and one of the one or more authentication-phase bearer tokens sent by the application front-end to the application back-end is derived from a joint hash of a salt stored in the front-end storage medium and an authentication-phase biometric key.
  - 9. The method of claim 1, wherein one of the one or more authentication-phase bearer tokens is an authentication-phase biometric code and computing the authentication-phase tag comprises computing an authentication phase biometric key derived from the authentication-phase biometric code.

10. A system for authenticating a user while mitigating back-end security breaches, comprising:
- a computing device;
  
  a network;
  
  a server connected to the computing device by the network, the server being part of a back-end subsystem, the back-end subsystem comprising a back-end storage; and
  
  an application comprising an application front-end running on the computing device and an application back-end running on the server,wherein the application front-end and the application back-end jointly perform a method of authenticating a user of the application, the method comprising;
  
  during a registration phase, the application front-end sending to the application back-end one or more registration-phase bearer tokens;
  
  during the registration phase, the application back-end computing a registration-phase tag derived from a registration-phase joint hash of a public key and the one or more registration-phase bearer tokens, the public key being a component of a key pair pertaining to an asymmetric cryptosystem, the public key being treated by the application as a secret shared between the application front-end and the application back-end, wherein the public key is never communicated by the application front-end or the application back-end to any third party;
  
  during the registration phase, the application back-end storing the registration-phase tag in the back-end storage medium;
  
  during the registration phase, the application back-end deleting the public key and the one or more registration-phase bearer tokens from the back-end subsystem after computing the registration-phase tag;
  
  during an authentication phase, the application front-end sending to the application back-end the public key and one or more authentication-phase bearer tokens;
  
  during the authentication phase, the application front-end proving to the application back-end knowledge of a private key associated with the public key, the private key being a component of the key pair;
  
  during the authentication phase, the application back-end computing an authentication-phase tag derived from an authentication-phase joint hash of the public key and the one or more authentication-phase bearer tokens;
  
  during the authentication phase, the application back-end deleting the public key and the one or more authentication-phase bearer tokens from the back-end subsystem after computing the authentication-phase tag; and
  
  during the authentication phase, the application back-end verifying that the authentication-phase tag is equal to the registration-phase tag.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein one of the one or more registration-phase bearer tokens is a registration-phase password, and one of the one or more authentication-phase bearer tokens is an authentication-phase password.
  - 12. The system of claim 10, wherein the application front-end is part of a front-end subsystem that comprises a front-end storage medium, and one of the one or more authentication-phase bearer tokens sent by the application front-end to the application back-end is derived from a joint hash of a salt stored in the storage medium and an authentication-phase password.
  - 13. The system of claim 10, wherein one of the one or more authentication-phase bearer tokens is an authentication-phase biometric key.
  - 14. The system of claim 13, wherein the authentication-phase biometric key is a randomized biometric key derived from an authentication-phase biometric code and biometric helper data.
  - 15. The system of claim 10, wherein the application front-end is part of a front-end subsystem that comprises a front-end storage medium, and one of the one or more authentication-phase bearer tokens sent by the application front-end to the application back-end is derived from a joint hash of a salt stored in the front-end storage medium and an authentication-phase biometric key.
  - 16. The system of claim 15, wherein the authentication-phase biometric key is a randomized biometric key derived from an authentication-phase biometric code and biometric helper data.
  - 17. The system of claim 10, wherein one of the one or more authentication-phase bearer tokens is an authentication-phase biometric code and computing the authentication-phase tag comprises computing an authentication phase biometric key derived from the authentication-phase biometric code.
  - 18. The system of claim 17, wherein the authentication-phase biometric key is a randomized biometric key that is further derived from biometric helper data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pomian & Corella LLC
Original Assignee
Pomian & Corella LLC
Inventors
Corella, Francisco, Lewison, Karen Pomian
Primary Examiner(s)
King, John B

Application Number

US15/136,834
Publication Number

US 20160269393A1
Time in Patent Office

655 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/33   using certificates

G06F 21/41   where a single sign-on prov...

G06F 21/45   Structures or tools for the...

H04L 63/045   wherein the sending and rec...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

H04L 9/0866   involving user or device id...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3226   using a predetermined code,...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3247   involving digital signatures

Protecting passwords and biometrics against back-end security breaches

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting passwords and biometrics against back-end security breaches

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links