Universal secure messaging for remote security tokens

US 8,209,753 B2
Filed: 12/22/2003
Issued: 06/26/2012
Est. Priority Date: 06/15/2001
Status: Active Grant

First Claim

Patent Images

1. A method for establishing a secure end-to-end communications connection between a security token enabled computer system and a security token associated with a wireless intelligent remote device comprising the steps of:

a. performing a first security transaction which authenticates said security token to said security token enabled computer system;

b. establishing a secure communications connection between said security token and said security token enabled computer system which incorporates a shared symmetric key set generated during said first security transaction;

c. assigning at least one key from said shared symmetric key set to a dedicated communications channel accessible to said security token; and

d. performing a second security transaction which authenticates a user to said security token, the second security transaction being different from the first security transaction and performed after the first security transaction, and wherein, after successfully completing the first security transaction and then the second security transaction, the secure end-to-end communications connection between the security token enabled computer system and the security token is established.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An anonymous secure messaging method, system and computer program product for implementation over a wireless connection. The invention allows the securely exchange of information between a security token enabled computer system and an intelligent remote device having an operatively coupled security token thereto over the wireless connection. The invention establishes an anonymous secure messaging channel between the security token and the security token enabled computer system, which allows the intelligent remote device to emulate a locally connected security token peripheral device without requiring a physical connection. A dedicated wireless communications channel is incorporated to prevent several concurrent wireless connections from being established with the security token and potentially compromising the security of the information being sent on concurrent wireless connections.

119 Citations

52 Claims

1. A method for establishing a secure end-to-end communications connection between a security token enabled computer system and a security token associated with a wireless intelligent remote device comprising the steps of:
- a. performing a first security transaction which authenticates said security token to said security token enabled computer system;
  
  b. establishing a secure communications connection between said security token and said security token enabled computer system which incorporates a shared symmetric key set generated during said first security transaction;
  
  c. assigning at least one key from said shared symmetric key set to a dedicated communications channel accessible to said security token; and
  
  d. performing a second security transaction which authenticates a user to said security token, the second security transaction being different from the first security transaction and performed after the first security transaction, and wherein, after successfully completing the first security transaction and then the second security transaction, the secure end-to-end communications connection between the security token enabled computer system and the security token is established.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The method according to claim 1 wherein said user is authenticated to said security token by providing a critical security parameter directly or indirectly to said security token via said intelligent remote device.
  - 3. The method according to claim 1 further including the step of setting at least a first security state following the successful completion of said first security transaction.
  - 4. The method according to claim 1 further including the step of setting at least a second security state following the successful completion of said second security transaction.
  - 5. The method according to claim 4 further including the step of enabling the use of said secure communications connection following the setting of said at least a second security state.
  - 6. The method according to claim 1 wherein said secure communications connection is anonymous to but controlled by said security token.
  - 7. The method according to claim 1 wherein said first security transaction comprises a challenge/response protocol which incorporates an asymmetric key pair.
  - 8. The method according to claim 1 further including the step of signaling said security token enabled computer system by said security token if said second security transaction is successful.
  - 9. The method according to claim 1 wherein said secure communications connection is established at least in part over a wireless telecommunications connection.
  - 10. The method according to claim 1 further including the step of allowing said user access to one or more secure resources following successful completion of said second security transaction.
  - 11. The method according to claim 10 wherein said secure communications connection is only available when said security token is in proximity to said security token enabled computer system.
  - 12. The method according to claim 1 wherein step 1.b further includes the steps of;
    - 1.b.1 generating said shared symmetric key set by said security token enabled computer system,1.b.2 encrypting said at least one key with a public key associated with said security token,1.b.3 sending the encrypted said at least one key to said security token, and1.b.4 decrypting the said at least one key with a private key associated with said security token.
  - 13. The method according to claim 1 wherein said dedicated communications channel prevents the number of concurrent wireless secure communications connections with said security token from exceeding a predetermined limit.
  - 14. The method according to claim 13 wherein said predetermined limit is 1.
  - 15. The method according to claim 1, further comprising the step of establishing a wireless communications connection between said intelligent remote device and said security token enabled computer system.
  - 16. The method according to claim 15 further including the step of allowing said user access to one or more secure resources following successful completion of said second security transaction.
  - 17. The method according to claim 15 wherein step 15.d further includes the steps of 15.d.1 prompting said user to provide said critical security parameter, and 15.d.2 signaling an affirmative result to said security token enabled computer system if said second security transaction is successful.
  - 18. The method according to claim 15 wherein step 15.a further includes the step of sending a digital certificate to said security token enabled computer system.
  - 19. The method according to claim 15 wherein step 15.a further includes the step of prompting said user to select either a local or remote authentication transaction.
  - 20. The method according to claim 15 wherein step 15.a further includes the step of providing said user a sensory feedback from at least said security token enabled computer system indicative of a remote authentication transaction in progress.
  - 21. The method according to claim 20 wherein said sensory feedback includes visual, tactile, aural or vibratory feedback.
  - 22. The method according to claim 15 wherein said exclusive wireless secure communications connection is associated with a dedicated communications channel which prevents concurrent wireless secure communications connections from being established with said security token.
  - 23. The method according to claim 15 wherein said exclusive wireless secure communications connection is only available when said security token is in the proximity of said security token enabled computer system.

24. A system for establishing a secure end-to-end communications connection between a security token enabled computer system and a security token associated with a wireless intelligent remote device comprising:
- said security token enabled computer system including;
  
  a first security transaction section for at least authenticating said security token to said security token enabled computer system in a first security transaction;
  
  a first secure communications connection section for at least establishing a cryptographically encoded link between said security token enabled computer system and said security token, wherein said first secure communications connection section includes a symmetric key set generation section and a secure symmetric key exchange section;
  
  said intelligent remote device including;
  
  a security token interface section for at least operatively coupling said security token to said intelligent remote device;
  
  a user interface section for at least receiving and routing a critical security parameter provided by said user to said security token interface section;
  
  said security token including;
  
  a second secure communications connection section for at least establishing said cryptographically encoded link in conjunction with said first secure communications connection section;
  
  a dedicated communications channel section for preventing a concurrent cryptographically encoded link from being established with said security token; and
  
  a second security transaction section for at least authenticating said user to said security token using at least said critical security parameter in a second security transaction, the second security transaction being different from the first security transaction and performed after the first security transaction, and wherein, after successfully completing the first security transaction and then the second security transaction, the secure end-to-end communications connection between the security token enabled computer system and the security token is established.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 25. The system according to claim 24 wherein said user interface section includes conditional section for conditionally receiving said critical security parameter.
  - 26. The system according to claim 25 wherein said conditional section limits or prevents receiving said critical security parameter until said cryptographically encoded link is established.
  - 27. The system according to claim 24 wherein said security token enabled computer system is in wireless communications with said intelligent remote device and said operatively coupled security token.
  - 28. The system according to claim 24 wherein said first security transaction section includes a challenge/response protocol section and an asymmetric cryptography section.
  - 29. The system according to claim 24 wherein said security token interface section includes security token communications section and electromagnetic power transfer section.
  - 30. The system according to claim 24 wherein said dedicated communications channel section includes a unique channel identifier section which is accessible by said security token enabled computer system.
  - 31. The system according to claim 24 wherein successful execution of said first security transaction section sets a first computer system security state associated with said security token enabled client.
  - 32. The system according to claim 24 wherein establishment of said cryptographically encoded link sets a first token security state associated with said security token.
  - 33. The system according to claim 24 wherein successful execution of said second security transaction section sets a second token security state associated with said security token.
  - 34. The system according to claim 24 wherein said security token enabled computer system further includes proximity sensing section.

35. A system for establishing a secure end-to-end communications connection between a security token enabled computer system and a security token associated with a wireless intelligent remote device comprising:
- said security token enabled computer system including;
  
  a first processor;
  
  a first memory coupled to said first processor;
  
  at least one remote authentication application operatively stored in a first portion of said first memory having logical instructions executable by said first processor to;
  
  authenticate said security token to the security token enabled computer system in a first security transaction;
  
  establish a secure end-to-end communications connection with said security token;
  
  said intelligent remote device including;
  
  a second processor;
  
  a second memory coupled to said second processor;
  
  a security token interface coupled to said second processor;
  
  a user interface coupled to said second processor; and
  
  ,at least one remote device interface application operatively stored in a portion of said second memory having logical instructions executable by said second processor to;
  
  emulate a security token device interface locally coupled to at least said security token enabled computer system; and
  
  ,conditionally receive and route a critical security parameter provided by said user via said user interface to said security token; and
  
  said security token including;
  
  at least a third processor;
  
  a third memory coupled to said at least a third processor;
  
  a communications and electromagnetic power interface coupled to said at least a third processor and said security token interface;
  
  at least one token remote authentication application operatively stored in a second portion of said third memory having logical instructions executable by said at least a third processor to;
  
  establish said secure end-to-end communications connection in conjunction with said security token enabled computer system;
  
  restrict said secure end-to-end communications connection to a single wireless communications channel; and
  
  authenticate said user to the security token based at least in part on said critical security parameter in a second security transaction, the second security transaction being different from the first security transaction and performed after the first security transaction, and wherein, after successfully completing the first security transaction and then the second security transaction, the secure end-to-end communications connection between the security token enabled computer system and the security token is established.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47)
- - 36. The system according to claim 35 further including a first wireless transceiver functionally coupled to said first processor in processing communications with a second wireless transceiver functionally coupled to said second processor.
  - 37. The system according to claim 35 further including a public key associated with said security token retrievably stored in a second portion of said first memory and a private key retrievably stored in a second portion of said third memory, wherein said private key is a counterpart to said public key
  - 38. The system according to claim 37 wherein said public and private keys are incorporated into a challenge/response protocol used to authenticate said security token to said security token enabled computer system.
  - 39. The system according to claim 38 wherein said at least one remote authentication application further includes logical instructions executable by said first processor to generate a symmetric key set and perform a secure key exchange with said security token.
  - 40. The system according to claim 39 wherein said secure key exchange is performed using said public and private keys.
  - 41. The system according to claim 40 wherein said dedicated communications channel includes a unique identifier available by said security token enabled computer system.
  - 42. The system according to claim 39 wherein said symmetric key set is incorporated into said secure end-to-end communications connection.
  - 43. The system according to claim 35 further including a reference critical security parameter retrievably stored in a third portion of said third memory.
  - 44. The system according to claim 43 wherein said user is authenticated by said at least one token remote authentication application by comparing said provided critical security parameter to said reference critical security parameter.
  - 45. The system according to claim 35 wherein said at least one token remote authentication application restricts usage of said secure end-to-end communications connection until said user is authenticated.
  - 46. The system according to claim 35 wherein said secure end-to-end communications connection is restricted to a single wireless connection with said security token using a dedicated communications channel controlled by said at least one token remote authentication application.
  - 47. The system according to claim 35 wherein said communications and electromagnetic power interface includes inductive means, capacitive means or electric contact means.

48. A non-transitory computer readable medium storing computer software for establishing a secure end-to-end communications connection between a security token enabled computer system and a security token associated with a wireless intelligent remote device, said computer software comprising:
- executable instructions for causing said security token processor to;
  
  utilize one or more security token emulation services provided by an intelligent remote device processor;
  
  establish a secure end-to-end communications connection in conjunction with a security token enabled computer system processor;
  
  restrict said secure end-to-end communications connection to a single wireless secure communications channel, andauthenticate a user;
  
  executable instructions for causing said intelligent remote device processor to;
  
  provide said one or more security token emulation services to said security token processor; and
  
  receive and route a critical security parameter provided by said user via said user interface to said security token to authenticate the user to the security token in a first security transaction; and
  
  executable instructions for causing said security token enabled computer system processor to;
  
  authenticate said security token to the security token enabled computer system processor in a second security transaction, wherein the second security transaction is performed after the first security transaction, and wherein after successful completion of the first security transaction and then the second security transaction, the secure end-to-end communications connection between the security token enabled computer system and the security token is established.
- View Dependent Claims (49, 50, 51)
- - 49. The non-transitory computer readable medium according to claim 48, wherein the computer software further comprises:
    - executable instructions stored thereon for causing said security token enabled computer system processor to allow said user access to one or more secure resources following authentication of said user in the second security transaction.
  - 50. The non-transitory computer readable medium according to claim 48, wherein the non-transitory computer readable medium includes magnetic media, optical media or logical media.
  - 51. The non-transitory computer readable medium according to claim 48, wherein said executable instructions are stored in a code format comprising byte code, compiled, interpreted, compliable and interpretable.

52. A method for establishing a secure end-to-end communications connection between a security token enabled computer system and a security token associated with a wireless intelligent remote device, the method comprising:
- performing a first security transaction which authenticates said security token to said security token enabled computer system;
  
  establishing a secure communications connection between said security token and said security token enabled computer system according to a result of the first security transaction; and
  
  performing a second security transaction which authenticates a user to said security token, the second security transaction being different from the first security transaction, wherein the second security transaction is performed after successfully completing the first security transaction and includes authenticating the user to said security token using a critical security parameter received from the user via said intelligent remote device, and wherein, after successfully completing the first security transaction and then the second security transaction, the secure end-to-end communications connection between the security token enabled computer system and the security token is established.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Assa Abloy AB
Original Assignee
ActivCard, Inc.
Inventors
Wen, Wu, Le Saint, Eric F., Becquart, Jerome Antoine Marie
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US10/740,920
Publication Number

US 20040143730A1
Time in Patent Office

3,109 Days
Field of Search

713/159, 713/169, 713/172, 380/259, 726/20, 705/65, 705/67
US Class Current

726/20
CPC Class Codes

G06Q 20/3674   involving authentication

H04L 2209/42   Anonymization, e.g. involvi...

H04L 2209/80   Wireless network architectu...

H04L 63/0421   Anonymous communication, i....

H04L 63/0442   wherein the sending and rec...

H04L 63/045   wherein the sending and rec...

H04L 63/0853   using an additional device,...

H04L 63/0861   using biometrical features,...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/3234   involving additional secure...

H04L 9/3271   using challenge-response

H04W 12/06   Authentication

Universal secure messaging for remote security tokens

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

119 Citations

52 Claims

Specification

Use Cases

Quick Links

Others

Universal secure messaging for remote security tokens

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

52 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others