Systems and methods to secure user identification

US 9,912,483 B2
Filed: 07/13/2016
Issued: 03/06/2018
Est. Priority Date: 09/21/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, with a server from a user device, a communication including;

a digital signature;

user information of a user of the user device; and

a first user identifier configured to identify the user of the user device among a plurality of first users of the server, wherein the first user identifier is generated by a computing device, separate from the server and the user device, based on a combination of;

the user information of the user that is received in the computing device from the user device before the communication is received in the server; and

a second user identifier of the user configured to identify the user of the user device among a plurality of second users of the computing device;

extracting the second user identifier from the first user identifier; and

validating an integrity of the communication based on the first user identifier, the second user identifier extracted from the first user identifier, and the user information of the user received in the communication, wherein validating the integrity of the communication comprises;

combining, with the server, the second user identifier extracted from the first user identifier and the user information of the user received in the communication with a secret shared between the server and the computing device,generating, with the server, a combined dataset based on combining the second user identifier and the user information of the user with the secret,applying, with the server, a hash function to the combined dataset,generating, with the server, a hash result based on applying the hash function to the combined dataset, andcomparing, with the server, the hash result to the digital signature, anddetermining, with the server, whether the hash result matches the digital signature based on comparing the hash result to the digital signature; and

determining to grant access to a service associated with the server based on validating the integrity of the communication.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing apparatus configured to verify a digital signature applied on a set of data received from a user device, including an user ID assigned by a partner system to uniquely identify a user of the user device among customers of the partner system, and a user device identifier identifying the user device. The digital signature is generated via applying a cryptographic one-way hash function on a combination of the set of data and a secret, shared between the computing apparatus and the partner system via a secure communication channel separate from a channel used to receive the set of data.

Citations

17 Claims

1. A method, comprising:
- receiving, with a server from a user device, a communication including;
  
  a digital signature;
  
  user information of a user of the user device; and
  
  a first user identifier configured to identify the user of the user device among a plurality of first users of the server, wherein the first user identifier is generated by a computing device, separate from the server and the user device, based on a combination of;
  
  the user information of the user that is received in the computing device from the user device before the communication is received in the server; and
  
  a second user identifier of the user configured to identify the user of the user device among a plurality of second users of the computing device;
  
  extracting the second user identifier from the first user identifier; and
  
  validating an integrity of the communication based on the first user identifier, the second user identifier extracted from the first user identifier, and the user information of the user received in the communication, wherein validating the integrity of the communication comprises;
  
  combining, with the server, the second user identifier extracted from the first user identifier and the user information of the user received in the communication with a secret shared between the server and the computing device,generating, with the server, a combined dataset based on combining the second user identifier and the user information of the user with the secret,applying, with the server, a hash function to the combined dataset,generating, with the server, a hash result based on applying the hash function to the combined dataset, andcomparing, with the server, the hash result to the digital signature, anddetermining, with the server, whether the hash result matches the digital signature based on comparing the hash result to the digital signature; and
  
  determining to grant access to a service associated with the server based on validating the integrity of the communication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the secret is not communicated between the computing device and the server through the user device.
  - 3. The method of claim 1, wherein the receiving of the communication is in response to the user device transmitting a query to the server.
  - 4. The method of claim 3, wherein the communication is received via parameters embedded via a query string submitted from the user device.
  - 5. The method of claim 4, further comprising:
    - pre-filling, by the server, a plurality of fields in an enrollment form using the user information of the user received in the communication; and
      
      transmitting, from the server to the user device, the enrollment form pre-filled using the user information received in the communication.
  - 6. The method of claim 1, wherein applying the hash function to the combined dataset includes applying a cryptographic one-way hash function to the combined dataset.
  - 7. The method of claim 6, wherein the dataset further includes a secret that is shared between the server and the computing device and not communicated via the user device.
  - 8. The method of claim 7, wherein the secret represents the computing device in a digital signature applied on the dataset.

9. A non-transitory computer storage medium storing instructions configured to instruct a server to perform a method, the method comprising:
- receiving, with the server from a user device, a communication including;
  
  a digital signature;
  
  user information of a user of the user device; and
  
  a first user identifier configured to identify the user of the user device among a plurality of first users of the server, wherein the first user identifier is generated by a computing device, separate from the server and the user device, based on a combination of;
  
  the user information of the user that is received in the computing device from the user device before the communication is received in the server; and
  
  a second user identifier of the user among a plurality of second users of the computing device;
  
  extracting the second user identifier from the first user identifier; and
  
  validating an integrity of the communication based on the first user identifier, the second user identifier extracted from the first user identifier, and the user information of the user received in the communication, wherein validating the integrity of the communication comprises;
  
  combining, with the server, the second user identifier extracted from the first user identifier and the user information of the user received in the communication with a secret shared between the server and the computing device,generating, with the server, a combined dataset based on combining the second user identifier and the user information of the user with the secret,applying, with the server, a hash function to the combined dataset,generating, with the server, a hash result based on applying the hash function to the combined dataset, andcomparing, with the server, the hash result to the digital signature, anddetermining, with the server, whether the hash result matches the digital signature based on comparing the hash result to the digital signature; and
  
  determining to grant access to a service associated with the server based on validating the integrity of the communication.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The non-transitory computer storage medium of claim 9, wherein the secret is not communicated between the computing device and the server through the user device.
  - 11. The non-transitory computer storage medium of claim 9, wherein the receiving of the communication is in response to the user device transmitting a query to the server.
  - 12. The non-transitory computer storage medium of claim 11, wherein the communication is received in the server via parameters embedded via a query string submitted from the user device.
  - 13. The non-transitory computer storage medium of claim 12, wherein the method further comprises:
    - pre-filling, by the server, a plurality of fields in an enrollment form using the user information of the user received in the communication; and
      
      transmitting, from the server to the user device, the enrollment form pre-filled using the user information received in the communication.

14. A server, comprising:
- at least one microprocessor; and
  
  a memory storing instructions configured to instruct the at least one microprocessor to;
  
  receive, with the server from a user device, a communication including;
  
  a digital signature;
  
  user information of a user of the user device; and
  
  a first user identifier configured to identify the user of the user device among a plurality of first users of the server, wherein the first user identifier is generated by a computing device, separate from the server and the user device, based on a combination of;
  
  the user information of the user that is received in the computing device from the user device before the communication is received in the server; and
  
  a second user identifier of the user among a plurality of second users of the computing device;
  
  extract the second user identifier from the first user identifier; and
  
  validate an integrity of the communication based on the first user identifier, the second user identifier extracted from the first user identifier, and the user information of the user received in the communication, wherein the instructions that are configured to instruct the at least one microprocessor to validate the integrity of the communication, are to instruct the at least one microprocessor to;
  
  combine the second user identifier extracted from the first user identifier and the user information of the user received in the communication with a secret shared between the server and the computing device,generate a combined dataset based on combining the second user identifier and the user information of the user with the secret,apply a hash function to the combined dataset,generate a hash result based on applying the hash function to the combined dataset, andcompare the hash result to the digital signature, anddetermine whether the hash result matches the digital signature based on comparing the hash result to the digital signature; and
  
  determine to grant access to a service associated with the server based on validating the integrity of the communication.
- View Dependent Claims (15, 16, 17)
- - 15. The server of claim 14, wherein the secret is shared between the server and the computing device and not communicated via the user device.
  - 16. The server of claim 15, wherein the secret represents the computing device in the digital signature.
  - 17. The server of claim 16, wherein the hash function is a cryptographic one-way hash function based on SHA-256 designed by the National Security Agency (NSA) and published in 2001 by the National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa International Service Association (Visa, Inc.)
Original Assignee
Visa International Service Association (Visa, Inc.)
Inventors
Carlson, Mark, Bankston, Michael Steven, Jogi, Kalpana, Gallagher, Timothy, Panagiotides, Alesia
Primary Examiner(s)
Leung, Robert
Assistant Examiner(s)
Alata, Ayoub

Application Number

US15/209,631
Publication Number

US 20160323259A1
Time in Patent Office

601 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/9535   Search customisation based ...

G06Q 20/325   using wireless networks

G06Q 20/3825   Use of electronic signatures

G06Q 20/387   Payment using discounts or ...

G06Q 20/389   Keeping log of transactions...

G06Q 20/4014   Identity check for transact...

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 63/12   Applying verification of th...

H04L 63/123   received data contents, e.g...

H04L 67/10   in which an application is ...

H04L 9/3215   using a plurality of channe...

H04L 9/3242   involving keyed hash functi...

H04L 9/3247   involving digital signatures

Systems and methods to secure user identification

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods to secure user identification

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links