Identity authentication system and method

US 7,502,933 B2
Filed: 11/26/2003
Issued: 03/10/2009
Est. Priority Date: 11/27/2002
Status: Active Grant

First Claim

Patent Images

1. A method of generating an identity authentication code associated with an authentication device, comprising:

providing event state data that specifies an operating condition of the authentication device, the operating condition specifying information on the likelihood that the authentication device has or will develop an operational problem; and

generating an identity authentication code that depends on (i) the event state data, and (ii) a secret associated with the device;

wherein the operating condition of the authentication device includes information about whether a battery supplying power to the authentication device has fallen below an expected power level.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for generating an authentication code that depends at least in part on a dynamic value that changes over time, an event state associated with the occurrence of an event, and a secret associated with an authentication device. By generating the authentication code responsive to an event state, an identity authentication code can be used to verify identity and to communicate event state information, and to do so in a secure manner.

385 Citations

69 Claims

1. A method of generating an identity authentication code associated with an authentication device, comprising:
- providing event state data that specifies an operating condition of the authentication device, the operating condition specifying information on the likelihood that the authentication device has or will develop an operational problem; and
  
  generating an identity authentication code that depends on (i) the event state data, and (ii) a secret associated with the device;
  
  wherein the operating condition of the authentication device includes information about whether a battery supplying power to the authentication device has fallen below an expected power level.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein the identity authentication code further depends on a dynamic value.
  - 3. The method of claim 2, wherein the dynamic value includes one or more of a time value, a challenge, and a counter.
  - 4. The method of claim 1, further including changing the event state data when the operating condition of the authentication device changes.
  - 5. The method of claim 1, wherein the operating condition of the device is covertly encoded in the identity authentication code.
  - 6. The method of claim 1, wherein the event state data is derived from an associated event secret.
  - 7. The method of claim 6, further including periodically changing the event secret.
  - 8. The method of claim 6, further including changing the event secret each time the dynamic value changes.
  - 9. The method of claim 1, wherein the event state data includes one or more event state bits, a subset of bits being employed in generating identity authentication codes for different time intervals.
  - 10. The method of claim 2, wherein the operational problem is a device reset.
  - 11. The method of claim 2, wherein the identity authentication code further depends on of one or more of a PIN, a password, data derived from a biometric observation, user data, verifier data, and a generation value.
  - 12. The method of claim 2, further including, before generating the authentication code, receiving user input data, wherein the user input data is at least one of a PIN, a password, and biometric data.
  - 13. The method of claim 12, further including, before generating the authentication code, verifying whether the user input data is correct, and providing the identity authentication code only if the user input data is verified to be correct.
  - 14. The method of claim 2, further including transmitting the identity authentication code to a verifier.
  - 15. The method of claim 14, further including receiving, by the verifier, authentication information comprising the identity authentication code;
    - and,determining, by the verifier, the correctness of the identity authentication code and the event state data.
  - 16. The method of claim 14, wherein the verifier includes a representation of the secret associated with the device.
  - 17. The method of claim 15, wherein the authentication information further includes a user identifier.
  - 18. The method of claim 15, wherein the authentication information further includes at least one of a PIN, a password, and biometric data.
  - 19. The method of claim 2, further including the step of displaying the identity authentication code on the device.

20. A method of generating an identity authentication code associated with an authentication device, comprising:
- providing event state data that is a security indicator for an authentication system of which the authentication device is a component; and
  
  ,generating an identity authentication code that depends on (ii the event state data, and (ii) a secret associated with the device;
  
  wherein the security indicator includes information regarding a length of time the authentication device has been inserted into a device reader.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 28, 29, 30, 31, 32, 33, 34, 35, 62, 63)
- - 21. The method of claim 20, wherein the identity authentication code further depends on a dynamic value.
  - 22. The method of claim 21, wherein the dynamic value includes one or more of a time value, a challenge, and a counter.
  - 23. The method of claim 20, wherein the security indicator includes information regarding strength of a biometric match,
  - 24. The method of claim 20, wherein the security indicator includes information regarding accuracy of a PIN entry.
  - 25. The method of claim 20, wherein the security indicator includes information regarding a device type associated with the authentication device.
  - 26. The method of claim 20, wherein the security indicator includes information regarding a device signature or pattern associated with the authentication device.
  - 28. The method of claim 20, wherein the identity authentication code further depends on one or more of a PIN, a password, data derived from a biometric observation, user data, verifier data, and a generation value.
  - 29. The method of claim 20, further including, before generating the authentication code, receiving user input data, wherein the user input data is at least one of a PIN, a password, and biometric data.
  - 30. The method of claim 29, further including, before generating the authentication code, verifying whether the user input data is correct, and providing the identity authentication code only if the user input data is verified to be correct.
  - 31. The method of claim 20, further including transmitting the identity authentication code to a verifier.
  - 32. The method of claim 31, further including receiving, by the verifier, authentication information comprising the identity authentication code;
    - and,determining, by the verifier, the correctness of the identity authentication code and the event state data.
  - 33. The method of claim 31, wherein the verifier includes a representation of the secret associated with the device.
  - 34. The method of claim 32, wherein the authentication information further includes a user identifier.
  - 35. The method of claim 32, wherein the authentication information further includes at least one of a PIN, a password, and biometric data.
  - 62. The method of claim 20 wherein:
    - a first secret and a second secret are stored within the authentication device;
      
      the event state data encodes a first state or a second state, the first state indicating that no tampering has occurred, and the second state indicating that tampering has occurred;
      
      wherein, if the event state data encodes the first state;
      
      the secret associated with the device is the first secret; and
      
      generating an identity authentication code includes cryptographically combining the first secret with a dynamic value; and
      
      wherein, if the event state data encodes the second state;
      
      the secret associated with the device is the second secret; and
      
      generating an identity authentication code includes cryptographically combining the second secret with a dynamic value.
  - 63. The method of claim 24, wherein the method further includes:
    - if the security indicator indicates that the PIN of a user using the authentication device has been entered incorrectly more than a specified number of times, then restricting access of the user by eliminating the user'"'"'s access to highly confidential information, while permitting access to non-confidential information.

27. A method of generating an identity authentication code associated with an authentication device, comprising:
- providing event state data that is a security indicator for an authentication system of which the authentication device is a component; and
  
  ,generating an identity authentication code that depends on (i) the event state data, and (ii) a secret associated with the device;
  
  wherein the security indicator includes information regarding a protection level of the secret associated with the device.

36. A method of generating an identity authentication code associated with an authentication device, comprising:
- providing event state data that specifies information about environmental conditions associated with the authentication device; and
  
  ,generating an identity authentication code that depends on (i) the event state data, and (ii) a secret associated with the device;
  
  wherein the information includes temperature characteristics associated with the authentication device
- View Dependent Claims (37, 38, 39, 40, 43, 44, 45, 46, 47, 48, 49, 50)
- - 37. The method of claim 36, wherein the identity code further depends on a dynamic value.
  - 38. The method of claim 37, wherein the dynamic value includes one or more of a time value, a challenge, and a counter.
  - 39. The method of claim 36 wherein the temperature characteristics include an ambient temperature to which the authentication device is exposed.
  - 40. The method of claim 36 wherein the temperature characteristics include a temperature of a component of the authentication device.
  - 43. The method of claim 36, wherein the identity authentication code further depends on one or more of a PIN, a password, data derived from a biometric observation, user data, verifier data, and a generation value.
  - 44. The method of claim 36, further including, before generating the authentication code, receiving user input data, wherein the user input data is at least one of a PIN, a password, and biometric data.
  - 45. The method of claim 44, further comprising, before generating the authentication code, verifying whether the user input data is correct, and providing the identity authentication code only if the user input data is verified to be correct.
  - 46. The method of claim 36, further including transmitting the identity authentication code to a verifier.
  - 47. The method of claim 46, further including receiving, by the verifier, authentication information comprising the identity authentication code;
    - and,determining, by the verifier, the correctness of the identity authentication code and the event state data.
  - 48. The method of claim 46, wherein the verifier includes a representation of the secret associated with the device.
  - 49. The method of claim 47, wherein the authentication information further includes a user identifier.
  - 50. The method of claim 47, wherein the authentication information further includes at least one of a PIN, a password, and biometric data.

41. A method of generating an identity authentication code associated with an authentication device. comprising:
- providing event state data that specifies information about environmental conditions associated with the authentication device; and
  
  ,generating an identity authentication code that depends on (i) the event state data, and (ii) a secret associated with the device;
  
  wherein the information includes radiation levels to which the authentication device has been exposed.

42. method of generating an identity authentication code associated with an authentication device. comprising:
- providing event state data that specifies information about environmental conditions associated with the authentication device; and
  
  ,generating an identity authentication code that depends on (i) the event state data, and (ii) a secret associated with the device;
  
  wherein the information indicates whether static discharge to the device has occurred.

51. A method for verifying the correctness of an identity authentication code, comprising:
- receiving authentication information including the identity authentication code generated by an authentication device that depends on (i) a secret associated with the device, and (ii) event state data that specifies an operating condition of the authentication device, the operating condition specifying information on the likelihood that the authentication device has or will develop an operational problem; and
  
  verifying the correctness of the identity authentication code, and determining the condition of the authentication device in response to the received identity authentication code;
  
  wherein the operating condition of the authentication device includes information about whether a battery supplying power to the authentication device has fallen below an expected power level.
- View Dependent Claims (52, 53, 54, 55, 56, 57, 58, 59)
- - 52. The method of claim 51, further including taking an action in response to the event state.
  - 53. The method of claim 51, further including determining whether an event occurred in response to the determined event state.
  - 54. The method of claim 51 wherein the condition of the device is covertly encoded in the authentication code.
  - 55. The method of claim 51, wherein the authentication information further includes a user identifier.
  - 56. The method of claim 55, wherein the authentication information further includes at least one of a PIN, a password, and biometric data.
  - 57. The method of claim 51, wherein the verifying the correctness of the identity authentication code further includes generating an expected identity authentication code that depends an expected event state data.
  - 58. The method of claim 51, wherein the verifying the correctness of the identity authentication code further includes recovering the event state data from the identity authentication code.
  - 59. The method of claim 57, wherein the event state data includes one or more event state bits, a subset of bits being employed in generating identity authentication codes for different time interval.

60. A method for verifying the correctness of an identity authentication code, comprising:
- receiving authentication information including the identity authentication code generated by an authentication device that depends on (i) a secret associated with the device, and (ii) event state data that is a security indicator for an authentication system of which the authentication device is a component andverifying the correctness of the identity authentication code, and determining the event state data in response to the received identity authentication code;
  
  wherein the security indicator includes information about whether the device has been subjected to tampering; and
  
  wherein the event state data was generated using a funkspiel scheme.
- View Dependent Claims (64, 65)
- - 64. The method of claim 60 wherein the security indicator further includes information regarding a length of time the authentication device has been inserted into a device reader.
  - 65. The method of claim 60 wherein the security indicator further includes information regarding a protection level of the secret associated with the device.

61. A method for verifying the correctness of an identity authentication code, comprising:
- receiving authentication information including an identity authentication code generated by an authentication device that depends on (i) a secret associated with the device, and (ii) event state data that specifies information about environmental conditions associated with the authentication device; and
  
  verifying the correctness of an identity authentication code, and determining the event state data in response to the received identity authentication codes;
  
  wherein the information includes temperature characteristics associated with the authentication device.
- View Dependent Claims (66, 67, 68, 69)
- - 66. The method of claim 61 wherein the temperature characteristics include an ambient temperature to which the authentication device is exposed.
  - 67. The method of claim 61 wherein the temperature characteristics include a temperature of a component of the authentication device.
  - 68. The method of claim 61 wherein the information further includes radiation levels to which the authentication device has been exposed.
  - 69. The method of claim 61 wherein the information indicates whether static discharge to the device has occurred.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
RSA Security Incorporated (Symphony Technology Group LLC)
Inventors
Jakobsson, Markus, Juels, Ari, Kaliski, Burton S. Jr.
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
Lemma; Samson B

Application Number

US10/724,034
Publication Number

US 20040172535A1
Time in Patent Office

1,931 Days
Field of Search

713/168, 713/170, 173/170, 726/3
US Class Current

713/172
CPC Class Codes

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/40975   using encryption therefor

G07F 7/1008   Active credit-cards provide...

H04L 2209/60   Digital content management,...

H04L 2209/80   Wireless network architectu...

H04L 9/3226   using a predetermined code,...

Identity authentication system and method

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

385 Citations

69 Claims

Specification

Solutions

Use Cases

Quick Links

Identity authentication system and method

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

385 Citations

69 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links