Method for distributed trust authentication

US 9,942,048 B2
Filed: 09/26/2017
Issued: 04/10/2018
Est. Priority Date: 03/31/2015
Status: Active Grant

First Claim

Patent Images

1. A method for distributed trust authentication, the method comprising:

attempting, by a user operating a computing device, to authenticate to a service provider;

in response to the attempt to authenticate, redirecting the authentication to an identity provider and a remote multi-factor authentication service;

performing a primary authentication with the identity provider by receiving, via one or more communication networks, a primary authentication response from the user;

in response to a successful primary authentication, using a first private key share to generate a first digital signature;

performing a secondary authentication with the remote multi-factor authentication service by receiving, via the one or more communication networks, a secondary authentication response from the user;

in response to a successful secondary authentication, using a second private key share to generate a second digital signature, wherein the first private key share and the second private key share are generated using a common private cryptographic key of a public/private cryptographic key pair;

using the first digital signature and the second digital signature to form a combined digital signature;

using a public cryptographic key of the public/private cryptographic key pair to validate the combined digital signature; and

authenticating the user to the service provider based on a validation of the combined digital signature.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for distributed trust authentication of one or more users attempting to access one or more service providers operating on a network includes performing primary authentication of a user using a first authentication factor, generating a first partial digital signature for a first authentication response to the primary authentication, performing secondary authentication of the user using a second authentication factor, generating a second partial digital signature for the second authentication response to the secondary authentication, combining the first and second partial digital signatures to form a composite digital signature, and validating the composite digital signature.

197 Citations

19 Claims

1. A method for distributed trust authentication, the method comprising:
- attempting, by a user operating a computing device, to authenticate to a service provider;
  
  in response to the attempt to authenticate, redirecting the authentication to an identity provider and a remote multi-factor authentication service;
  
  performing a primary authentication with the identity provider by receiving, via one or more communication networks, a primary authentication response from the user;
  
  in response to a successful primary authentication, using a first private key share to generate a first digital signature;
  
  performing a secondary authentication with the remote multi-factor authentication service by receiving, via the one or more communication networks, a secondary authentication response from the user;
  
  in response to a successful secondary authentication, using a second private key share to generate a second digital signature, wherein the first private key share and the second private key share are generated using a common private cryptographic key of a public/private cryptographic key pair;
  
  using the first digital signature and the second digital signature to form a combined digital signature;
  
  using a public cryptographic key of the public/private cryptographic key pair to validate the combined digital signature; and
  
  authenticating the user to the service provider based on a validation of the combined digital signature.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - at the remote multi-factor authentication service;
      
      using the common private cryptographic key of the public/private cryptographic key pair to generate the first private key share and the second private key share;
      
      distributing, via the one or more communications networks, one of the first private key share and the second private key share to the identity provider; and
      
      distributing the public cryptographic key of the public/private cryptographic key pair to the service provider, wherein the service provider performs the validation of the combined digital signature.
  - 3. The method of claim 1, further comprising:
    - at the service provider;
      
      using the common private cryptographic key of the public/private cryptographic key pair to generate the first private key share and the second private key share;
      
      distributing, via the one or more communications networks, each of the first private key share and the second private key share to the identity provider and the remote multi-factor authentication service, respectively; and
      
      distributing the public cryptographic key of the public/private cryptographic key pair to one of the identity provider and the remote multi-factor authentication service, wherein whichever one of the identity provider and the remote multi-factor authentication service that has the public cryptographic key performs the validation of the combined digital signature.
  - 4. The method of claim 1, wherein:
    - the multi-factor authentication service comprises a two-factor authentication service that performs the secondary authentication of the user only after an indication of a successful primary authentication of the user is provided by the identity provider.
  - 5. The method of claim 1, further comprising:
    - transmitting by the identity provider, via the one or more communication networks, the first digital signature to the computing device of the user;
      
      transmitting by the multi-factor authentication service, via the one or more communication networks, the second digital signature to the computing device of the user, wherein combining the first digital signature and the second digital signature into the combined digital signature is performed by the computing device of the user, andtransmitting by the computing device of the user, via the one or more communication networks, the combined digital signature to service provider that performs the validation.
  - 6. The method of claim 1, further comprising:
    - transmitting by the identity provider, via the one or more communication networks, the first digital signature to the service provider;
      
      transmitting by the remote multi-factor authentication service, via the one or more communication networks, the second digital signature to the service provider, wherein combining the first digital signature and the second digital signature into the combined digital signature is performed by the service provider, andwherein the validation of the combined digital signature is performed by the service provider.
  - 7. The method of claim 1, further comprising:
    - transmitting by the identity provider, via the one or more communication networks, the first digital signature to the remote multi-factor authentication service;
      
      combining by the remote multi-factor authentication service the first digital signature and the second digital signature into the combined digital signature; and
      
      transmitting by the remote multi-factor authentication service, via the one or more communication networks, the combined digital signature to the service provider,wherein the validation of the combined digital signature is performed by the service provider.
  - 8. The method of claim 1, wherein:
    - generating the second digital signature by the multi-factor authentication service comprises generating the second digital signature in response to both of the successful primary authentication and the successful secondary authentication of the user.
  - 9. The method of claim 1, wherein:
    - the primary authentication at the identity provider involves an authentication factor requiring authentication credentials from the user, andthe secondary authentication at the multi-factor authentication service involves a disparate authentication factor requiring an authentication response other than authentication credentials, provided via an authentication device of the user, from the user.
  - 10. The method of claim 1, wherein:
    - providing the user with authenticated access to the service provider includes providing a restricted scope of access to the service provider when only one of the first digital signature and the second digital signature of the combined digital signature is successfully validated using the public cryptographic key.
  - 11. The method of claim 1, further comprising:
    - transmitting a secondary authentication request from the identity system to the secondary authentication system in response to successful primary authentication of the user,wherein performing the secondary authentication comprises performing the secondary authentication only after receiving the secondary authentication request.

12. A method for distributed authentication, the method comprising:
- severing a private cryptographic key of a public/private cryptographic key pair into a first private key share and a second private key share;
  
  providing, via one or more networks, access to the first private key share to a first authenticator;
  
  providing, via one or more networks, access to the second private key share to a remote second authenticator, wherein the remote second authenticator operates independently and remotely of the first authenticator;
  
  using, by the first authenticator, the first private key share to generate a first derivation of the first private key share based on a successful authentication of a user operating a computing device with the first authenticator;
  
  using, by the remote second authenticator, the second private key share to generate a second derivation of the second private key share based on a successful authentication of the user operating the computing device or a different computing device with the remote second authenticator;
  
  forming, by one of the first authenticator or the second authenticator, a derivations composition using the first derivation and the second derivation; and
  
  enabling the user operating a computing device to authenticate to one or more services of an entity based on a successful validation of the derivations composition using a public cryptographic key of the public/private cryptographic key pair.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The method of claim 12, wherein:
    - at the remote second authenticator;
      
      using the private cryptographic key of the public/private cryptographic key pair to generate the first private key share and the second private key share;
      
      distributing, via the one or more communications networks, one of the first private key share and the second private key share to the first authenticator; and
      
      distributing the public cryptographic key of the public/private cryptographic key pair to the entity, wherein the entity performs the validation of the derivations composition.
  - 14. The method of claim 12, further comprising:
    - at the entity;
      
      using the private cryptographic key of the public/private cryptographic key pair to generate the first private key share and the second private key share;
      
      distributing, via the one or more communications networks, each of the first private key share and the second private key share to the first authenticator and the second authenticator, respectively; and
      
      distributing the public cryptographic key of the public/private cryptographic key pair to one of the first authenticator and the second authenticator, wherein whichever one of the first authenticator and the second authenticator that has the public cryptographic key performs the validation of the derivations composition.
  - 15. The method of claim 12, further comprising:
    - at the entity;
      
      using the private cryptographic key of the public/private cryptographic key pair to generate the first private key share and the second private key share;
      
      distributing, via the one or more communications networks, each of the first private key share and the second private key share to the first authenticator and the second authenticator, respectively; and
      
      retaining the public cryptographic key of the public/private cryptographic key pair, wherein the validation of the derivations composition is performed by the entity.
  - 16. The method of claim 12, wherein:
    - the second authenticator comprises a two-factor authentication service that performs the secondary authentication of the user only after an indication of a successful primary authentication of the user is provided by the first authenticator comprising an identity provider.

17. A method for distributed authentication of a user attempting to access, via a network, a service provider, the method comprising:
- using a private cryptographic key of a private/public cryptographic key pair to generate, at least, a first private key share and a second private key share;
  
  separately storing the first private key share and the second private key share at disparate authenticators, wherein the disparate authenticators include a first authenticator and a second authenticator;
  
  in response to receiving, via one or more networks, a primary authentication request, accessing by the first authenticator the first private key share and using the first private key share to generate a first digital signature;
  
  in response to receiving, via the one or more networks, a second authentication request, accessing by the second authenticator the second private key share and using the second private key share to generate a second digital signature;
  
  generating a composite digital signature; and
  
  validating the composite digital signature using a public cryptographic key of the private/public cryptographic key pair to enable authentication of a user operating a computing device to access a service provider.
- View Dependent Claims (18, 19)
- - 18. The method of claim 17, wherein:
    - the first authenticator comprising an identity provider, andthe second authenticator comprises a remote multi-factor authentication service operating independently of the identity provider.
  - 19. The method of claim 17, wherein:
    - the second authenticator does not have access to the first private key share, andthe first authenticator does not have access to the second private key share.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Duo Security Incorporated (Cisco Systems, Inc.)
Inventors
Oberheide, Jon, Song, Dug, Goodman, Adam
Primary Examiner(s)
Gracia, Gary S

Application Number

US15/715,599
Publication Number

US 20180026796A1
Time in Patent Office

196 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/40   by quorum, i.e. whereby two...

H04L 2463/082   applying multi-factor authe...

H04L 63/0815   providing single-sign-on or...

H04L 63/0838   using one-time-passwords

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 9/085   Secret sharing or secret sp...

H04L 9/0863   involving passwords or one-...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3226   using a predetermined code,...

H04L 9/3247   involving digital signatures

Method for distributed trust authentication

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

197 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method for distributed trust authentication

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

197 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links