ABDS system and verification status for authenticating entity access

US 6,938,156 B2
Filed: 01/31/2003
Issued: 08/30/2005
Est. Priority Date: 08/04/2000
Status: Expired due to Term

First Claim

Patent Images

1. A system for authenticating a requesting entity for access to a controlled resource, comprising:

(a) a device possessed by the requesting entity, the device maintaining securely therein pre-stored verification data of the requesting entity, the device configured to generate, upon receipt of suspect verification data input into the device, a verification status indicator based on a comparison of the suspect verification data with the pre-stored verification data of the requesting entity, the device also maintaining securely therein a private key of a public-private key pair and adapted to generate a digital signature of a message using the private key, the digitally-signed message comprising;

(i) a unique identifier, (ii) a request by the requesting entity for access to the controlled resource, and (iii) the verification status indicator generated by the device;

(b) an access authentication component having authority to allow or deny the request for access to the controlled resource, the access authentication component separate from the device but in electronic communication over a communications medium with the device for receipt of the digitally-signed message; and

(c) a database accessible by the access authentication component, the database containing predetermined authorization rights of the requesting entity and the public key of the public-private key pair but not containing the private key or the verification data of the requesting entity, wherein the unique identifier is associated with the public key in the database prior to receipt of the digitally-signed message and wherein the public key is accessible from the database based on the unique identifier;

wherein, in response to receipt of the digitally-signed message, the access authentication component verifies that the message was digitally-signed using the private key maintained within the device by decrypting the digital signature using the public key obtained from the database, and if the digitally-signed message verifies, the access authentication component authenticates the requesting entity for access to the controlled resource as a function of (i) the verification status indicator obtained from the digitally-signed message and (ii) the predetermined authorization rights of the requesting entity.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system in which a requesting entity seeking access to a controlled resource is authenticated by an access authentication component includes the requesting entity initially opening a security account with the access authentication component, the access authentication component establishing and maintaining a record including information pertaining to the account and being retrievable based on a unique identifier for the requesting entity, and associating a public key of a public-private key pair with record; the requesting entity originating an electronic message and generating a digital signature using a provide key of the key pair, and sending the digitally signed electronic message to the access authentication component with the unique identifier; authenticating the electronic message using the public key associated with the record identified by the unique identifier; and upon successful authentication, authenticating access to the controlled resource. A digitally signed verification status is included with the electronic message.

303 Citations

40 Claims

1. A system for authenticating a requesting entity for access to a controlled resource, comprising:
- (a) a device possessed by the requesting entity, the device maintaining securely therein pre-stored verification data of the requesting entity, the device configured to generate, upon receipt of suspect verification data input into the device, a verification status indicator based on a comparison of the suspect verification data with the pre-stored verification data of the requesting entity, the device also maintaining securely therein a private key of a public-private key pair and adapted to generate a digital signature of a message using the private key, the digitally-signed message comprising;
  
  (i) a unique identifier, (ii) a request by the requesting entity for access to the controlled resource, and (iii) the verification status indicator generated by the device;
  
  (b) an access authentication component having authority to allow or deny the request for access to the controlled resource, the access authentication component separate from the device but in electronic communication over a communications medium with the device for receipt of the digitally-signed message; and
  
  (c) a database accessible by the access authentication component, the database containing predetermined authorization rights of the requesting entity and the public key of the public-private key pair but not containing the private key or the verification data of the requesting entity, wherein the unique identifier is associated with the public key in the database prior to receipt of the digitally-signed message and wherein the public key is accessible from the database based on the unique identifier;
  
  wherein, in response to receipt of the digitally-signed message, the access authentication component verifies that the message was digitally-signed using the private key maintained within the device by decrypting the digital signature using the public key obtained from the database, and if the digitally-signed message verifies, the access authentication component authenticates the requesting entity for access to the controlled resource as a function of (i) the verification status indicator obtained from the digitally-signed message and (ii) the predetermined authorization rights of the requesting entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The system of claim 1 wherein the message is originated by the device.
  - 3. The system of claim 1 wherein the message is input into the device by a message generating component.
  - 4. The system of claim 1 wherein the message and digital signature of the message are communicated by the device to the authentication component.
  - 5. The system of claim 1 wherein the message and digital signature of the message are communicated from the device to the access authentication component by an electronic communication component.
  - 6. The system of claim 1 wherein the request for access is inferred from the message.
  - 7. The system of claim 1 wherein the request for access is explicitly stated as part of the message.
  - 8. The system of claim 1 wherein the verification status indicator indicates that no suspect verification data has been input into the device within a predetermined period of time.
  - 9. The system of claim 1 wherein the verification status indicator indicates that there was a successful comparison of the suspect verification data with the verification data of the requesting entity previously stored in the device.
  - 10. The system of claim 1 wherein the verification status indicator indicates that said indicator was included in a previously digitally-signed message generated by the device.
  - 11. The system of claim 1 wherein the verification status indicator indicates that there was an unsuccessful comparison of the suspect verification data with the verification data of the requesting entity previously stored in the device.
  - 12. The system of claim 1 wherein the verification status indicator indicates the degree of comparison of the suspect verification data with the verification data of the requesting entity previously stored in the device.
  - 13. The system of claim 1 wherein the suspect verification data is input into the device by the requesting entity.
  - 14. The system of claim 1 wherein the verification data is a secret, PIN, or password.
  - 15. The system of claim 1 wherein the verification data is biometric data of the requesting entity.
  - 16. The system of claim 1 wherein the verification data of the requesting entity is not determinable from the verification status indicator.
  - 17. The system of claim 1 wherein the type of suspect verification data input into the device is determinable from the verification status indicator.

18. A system for providing a requesting entity with access to a controlled resource, comprising:
- (a) a device possessed by the requesting entity, the device maintaining securely therein pre-stored verification data of the requesting entity, the device configured to generate a verification status indicator based on a comparison of the suspect verification data input into the device with the pre-stored verification data of the requesting entity, the device also maintaining securely therein a private key of a public-private key pair and adapted to generate digital signatures of a message using the private key, the digitally-signed message comprising;
  
  (i) a unique identifier, (ii) a request by the requesting entity for access to the controlled resource, and (iii) the verification status indicator generated by the device;
  
  (b) an access authentication component having authority to allow or deny the request for access to the controlled resource, the access authentication component maintaining in a database a security account of the requesting entity, the security account including information accessible by the access authentication component based on the unique identifier, the information including the public key of the public-private key pair and predetermined authorization of the requesting entity to access the controlled resource; and
  
  (c) a transmitter component in electronic communication of a communication medium with the device and with the access authentication component, the transmitter component configured to transmit the digitally-signed message from the device to the access authentication component;
  
  wherein, in response to receipt of the digitally-signed message, the access authentication component verifies that the message was digitally-signed using the private key by decrypting the digital signature using the public key obtained from the database, such verification not requiring a digital certificate and, upon successful verification of the message, the access authentication component grants the requesting entity with access to the controlled resource as a function of the verification status indicator obtained from the digitally-signed message and the predetermined authorization of the requesting entity.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26)
- - 19. The system of claim 18 wherein the transmitter component provides the message to the device.
  - 20. The system of claim 18 wherein the access authentication component does not reside in and is not part of the device.
  - 21. The system of claim 18 wherein the requesting entity is required to input further suspect verification data into the device to generate a new verification status indicator required before the requesting entity is granted access to the controlled resource.
  - 22. The system of claim 18 wherein the requesting entity already has access to the controlled resources and wherein the requesting entity is required to input further suspect verification data into the device to generate a new verification status indicator required for the requesting entity to have continued access to the controlled resource.
  - 23. The system of claim 18 wherein the controlled resource is a computer system.
  - 24. The system of claim 18 wherein the controlled resource is a physical space.
  - 25. The system of claim 18 wherein the controlled resource is a data record.
  - 26. The system of claim 18 wherein the suspect verification data is input into the device by the requesting entity.

27. A system for authenticating a requesting entity for access to a controlled resource, wherein, prior to a request for access to the controlled resource, the requesting entity is provided with a secure device, verification data of the requesting entity is input into and stored securely within the secure device, a private key of a public-private key pair is stored securely within the secure device, the public key of the public-private key is stored in a database of an access authentication component having authority to allow or deny the request for access to the controlled resource, a unique identifier is associated with the public key such that the public key is retrievable from the database by the access authentication component based on the unique identifier, and authorization rights of the requesting entity to access the controlled resource are assigned to the requesting entity, the system further comprising:
- (a) the secure device which receives suspect verification data, generates a verification status indicator based on a comparison of the suspect verification data with the pre-stored verification data of the requesting entity, and digitally signs a message that includes;
  
  (i) the unique identifier, (ii) the request by the requesting entity for access to the controlled resource, and (iii) the verification status indicator;
  
  (b) a data transmission component in electronic communication with the secure device and in electronic communication over a communications medium with the access authentication component, the data transmission component receives the digital signature of the message from the device and transmits the message and digital signature of the message to the access authentication component;
  
  (c) upon receipt of the message and digital signature of the message, the access authentication component retrieves the public key from the database based on the unique identifier obtained from the message and verifies that the message was digitally-signed using the private key maintained within the device by decrypting the digital signature with the public key; and
  
  (d) upon successful verification of the message and without need of a digital certificate to attest to the validity of the private key or to attest to the integrity of the secure device, the access authentication component grants the requesting entity with access to the controlled resource solely as a function of the verification status indicator obtained from the digitally-signed message and the pre-assigned authorization rights of the requesting entity.

28. A system for authenticating a requesting entity for continued access to a controlled resource, wherein the requesting entity already has been granted access to and is currently accessing the controlled resource, wherein an access authentication component has authority to allow or deny the continued access to the controlled resource, wherein the access authentication component has access to a database in which, prior to an original grant of access to the controlled resource for the requesting entity, a unique identifier has been associated with a public key of a public-private key pair and wherein the public key is accessible from the database based on the unique identifier, comprising:
- (a) the access authentication component maintains business rules regarding continued access to the controlled resource, and wherein the access authentication component sends a confirmation request to the requesting entity in accordance with the business rules;
  
  (b) a device possessed by the requesting entity and maintaining securely therein pre-stored verification data of the requesting entity, the device configured to generate a verification status indicator based on a comparison of suspect verification data input into the device with the pre-stored verification data of the requesting entity, the device also maintaining securely therein the private key of the public-private key pair and adapted to generate digital signatures using the private key, wherein, in response to the confirmation request, the requesting entity inputs suspect verification data into the device and wherein, in response to the input of suspect verification data, the device (i) generates the verification status indicator, (ii) includes the verification status indicator in a message, and (iii) digitally-signs the message using the private key; and
  
  wherein the digitally-signed message is provided to the access authentication component;
  
  (c) in response to receipt of the digitally-signed message, the access authentication component verifies that the message was digitally-signed using the private key maintained within the device by decrypting the digital signature using the public key obtained from the database; and
  
  (d) if the digitally-signed message verifies, the access authentication component authenticates the requesting entity for continued access to the controlled resource as a function of the verification status indicator obtained from the digitally-signed message.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 29. The system of claim 28 wherein the message includes the confirmation request.
  - 30. The system of claim 29 wherein the confirmation request is provided to the device by an electronic communication component.
  - 31. The system of claim 28 wherein the access authentication component does not reside in and is not part of the device.
  - 32. The system of claim 28 wherein the digitally-signed message is communicated by the device to the authentication component.
  - 33. The system of claim 28 wherein the digitally-signed message is communicated from the device to the access authentication component by an electronic communication component.
  - 34. The system of claim 28 wherein the verification status indicator indicates that no suspect verification data has been input into the device within a predetermined period of time.
  - 35. The system of claim 28 wherein the verification status indicator indicates that there was a successful comparison of the suspect verification data with the verification data of the requesting entity previously stored in the device.
  - 36. The system of claim 28 wherein the verification status indicator indicates that said indicator was included in a previous digitally-signed message generated by the device.
  - 37. The system of claim 28 wherein the verification status indicator indicates that there was an unsuccessful comparison of the suspect verification data with the verification data of the requesting entity previously stored in the device.
  - 38. The system of claim 28 wherein the verification status indicator indicates the degree of comparison of the suspect verification data with the verification data of the requesting entity previously stored in the device.
  - 39. The system of claim 28 wherein the verification data is a secret, PIN, or password.
  - 40. The system of claim 28 wherein the verification data is biometric data of the requesting entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
First Data Corporation (Fiserv Incorporated)
Original Assignee
First Data Corporation (Fiserv Incorporated)
Inventors
Wheeler, Anne M., Wheeler, Henry Lynn
Primary Examiner(s)
Barron, Gilberto
Assistant Examiner(s)
Zand, Kambiz

Application Number

US10/248,605
Publication Number

US 20030126438A1
Time in Patent Office

942 Days
Field of Search

713/168, 713/170, 713/172, 713/176, 713/182, 713/183, 713/186, 713/202, 713/155, 713/16, 713/200, 380/282, 380/285, 705/53, 705/54, 705/57, 705/58, 705/74
US Class Current

713/170
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 2221/2113   Multi-level security, e.g. ...

G06Q 20/00   Payment architectures, sche...

G06Q 20/02   involving a neutral party, ...

G06Q 20/04   Payment circuits

G06Q 20/0855   involving a third party

G06Q 20/12   specially adapted for elect...

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/3558   Preliminary personalisation...

G06Q 20/3674   involving authentication

G06Q 20/3676   Balancing accounts

G06Q 20/382   insuring higher security of...

G06Q 20/3821   Electronic credentials

G06Q 20/3823   combining multiple encrypti...

G06Q 20/3825   Use of electronic signatures

G06Q 20/3829   involving key management

G06Q 20/385   using an alias or single-us...

G06Q 20/388   using mutual authentication...

G06Q 20/4014   Identity check for transact...

G06Q 20/40145   Biometric identity checks

G06Q 20/403 : Solvency checks

G06Q 20/40975 : using encryption therefor

G06Q 50/188 : Electronic negotiation

G07F 7/0886 : the card reader being porta...

G07F 7/1008 : Active credit-cards provide...

G07F 7/1016 : Devices or methods for secu...

H04L 2209/42 : Anonymization, e.g. involvi...

H04L 2209/56 : Financial cryptography, e.g...

H04L 63/0428 : wherein the data content is...

H04L 63/0442 : wherein the sending and rec...

H04L 63/062 : for key distribution, e.g. ...

H04L 63/0823 : using certificates cryptogr...

H04L 63/083 : using passwords cryptograph...

H04L 63/12 : Applying verification of th...

H04L 9/321 : involving a third party or ...

H04L 9/3247 : involving digital signatures

View All

ABDS system and verification status for authenticating entity access

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

303 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

ABDS system and verification status for authenticating entity access

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

303 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links