Cryptographic device that binds an additional authentication factor to multiple identities

US 8,819,437 B2
Filed: 09/30/2010
Issued: 08/26/2014
Est. Priority Date: 09/30/2010
Status: Active Grant

First Claim

Patent Images

1. In a computing environment, a method of binding a security artifact to a user'"'"'s account at a service provider, the method comprising a computing system performing the following:

accessing a first pseudonym for a security artifact, wherein the security artifact comprises at least one of a cryptographic hardware device or a software module that provides an additional authentication factor that is reusable across accounts from multiple service providers to authenticate to the different service providers either directly or by unlocking security tokens that have already been issued by the service providers, and wherein the security artifact is configured to perform cryptographic operations to prove its presence during authentication, and wherein the first pseudonym is an identifier of the security artifact to a first service provider and wherein the first pseudonym uniquely identifies the particular security artifact to the first service provider over other different security artifacts when the user has other security artifacts to authenticate to the same service provider to access a user account at the first service for the user;

providing the first pseudonym for the security artifact to the first service provider, wherein the first pseudonym for the security artifact is bound with a user account at the first service provider for the user associated with the security artifact;

accessing a second pseudonym, different than the first pseudonym, for the same security artifact, wherein the second pseudonym is an identifier of the security artifact to a second service provider, different than the first service provider, and wherein the second pseudonym uniquely identifies the particular security artifact to the second service provider over other different security artifacts when the user has other security artifacts to authenticate to the same service provider to access a user account at the second service for the user;

providing the second pseudonym for the security artifact to the second service provider, wherein the second pseudonym for the security artifact is bound with a user account at the second service provider for the user associated with the security artifact; and

wherein using the first pseudonym for the first service provider and the second pseudonym for the second service provider prevents activity using the security artifact from being correlated across the first service provider and the second service provider by using the first and second pseudonyms with the first and second service providers respectively when using the security artifact with the first and second service providers.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Binding a security artifact to a service provider. A method includes generating a pseudonym for a security artifact. The pseudonym is an identifier of the security artifact to the service provider that is unique to the service provider in that the pseudonym is not used to identify the security artifact to other service providers. Further, the pseudonym uniquely identifies the particular security artifact to the service provider even when a user has available a number of different security artifacts to authenticate to the same service provider to access a user account for the user. The method further includes providing the pseudonym for the security artifact to the service provider. The pseudonym for the security artifact is bound with a user account at the service provider for a user associated with the security artifact.

29 Citations

View as Search Results

17 Claims

1. In a computing environment, a method of binding a security artifact to a user'"'"'s account at a service provider, the method comprising a computing system performing the following:
- accessing a first pseudonym for a security artifact, wherein the security artifact comprises at least one of a cryptographic hardware device or a software module that provides an additional authentication factor that is reusable across accounts from multiple service providers to authenticate to the different service providers either directly or by unlocking security tokens that have already been issued by the service providers, and wherein the security artifact is configured to perform cryptographic operations to prove its presence during authentication, and wherein the first pseudonym is an identifier of the security artifact to a first service provider and wherein the first pseudonym uniquely identifies the particular security artifact to the first service provider over other different security artifacts when the user has other security artifacts to authenticate to the same service provider to access a user account at the first service for the user;
  
  providing the first pseudonym for the security artifact to the first service provider, wherein the first pseudonym for the security artifact is bound with a user account at the first service provider for the user associated with the security artifact;
  
  accessing a second pseudonym, different than the first pseudonym, for the same security artifact, wherein the second pseudonym is an identifier of the security artifact to a second service provider, different than the first service provider, and wherein the second pseudonym uniquely identifies the particular security artifact to the second service provider over other different security artifacts when the user has other security artifacts to authenticate to the same service provider to access a user account at the second service for the user;
  
  providing the second pseudonym for the security artifact to the second service provider, wherein the second pseudonym for the security artifact is bound with a user account at the second service provider for the user associated with the security artifact; and
  
  wherein using the first pseudonym for the first service provider and the second pseudonym for the second service provider prevents activity using the security artifact from being correlated across the first service provider and the second service provider by using the first and second pseudonyms with the first and second service providers respectively when using the security artifact with the first and second service providers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein accessing a first pseudonym for a security artifact comprises using a service provider identifier to generate the first pseudonym for the security artifact, the service provider identifier uniquely identifying the first service provider, and a security artifact secret, the security artifact secret uniquely identifying the security artifact.
  - 3. The method of claim 1, wherein accessing a first pseudonym for a security artifact comprises the security artifact generating the first pseudonym and wherein providing the first pseudonym for the security artifact to the first service provider comprises the security artifact providing the first pseudonym to the first service provider as part of a binding protocol exchange.
  - 4. The method of claim 1, wherein accessing a first pseudonym for a security artifact comprises randomly generating the first pseudonym whereafter the first pseudonym is associated with both the security artifact and the first service provider.
  - 5. The method of claim 1, wherein the first pseudonym for the security artifact comprises a public key of an asymmetric key set.
  - 6. The method of claim 1, wherein the acts of claim 1 directed to the first service provider are repeated with a different security artifact, but with the same first service provider, resulting in generating a different pseudonym that is used by the different security artifact with the same first service provider, such that the user account at the first service provider is associated with a plurality of different security artifacts, any one or more of which may be used to access the user account at the first service provider.
  - 7. The method of claim 1, wherein the security artifact comprises a portable hardware device including at least one of a USB dongle, smart chip on a card or a SIM card in mobile phone.
  - 8. The method of claim 1, wherein the security artifact includes functionality for accepting second factor authentication including at least one of provisions for biometric validation or pin entry.
  - 9. The method of claim 1, wherein the security artifact comprises a software module implemented on a computer system by storing computer readable instructions in one or more physical computer readable media devices and executing the computer readable instructions using one or more processors.
  - 10. The method of claim 1 further comprising, using the security artifact to authenticate directly to the first service provider upon access.
  - 11. The method of claim 1 further comprising, using the security artifact to protect one or more ephemeral or long-lived security tokens that have been issued for one or multiple uses.

12. In a computing environment, a method of using a security artifact bound to a user account at a service provider to authenticate the security artifact to the service provider, the method comprising the security artifact performing the following:
- accessing a unique identifier for a service provider;
  
  using the unique identifier from the service provider and a unique secret for a security artifact, generating an asymmetric private key and pseudonym for the security artifact, wherein the pseudonym for the security artifact is an asymmetric public key;
  
  sending the pseudonym for the security artifact to the service providerperforming cryptographic operations to prove the presence of the security artifact during authentication, wherein performing cryptographic operations comprises;
  
  receiving a security artifact challenge from a service provider;
  
  accessing a nonce;
  
  signing the nonce with the asymmetric private key; and
  
  sending the signature on the nonce to the service provider, whereafter the service provider validates the signature on the nonce using the pseudonym of the security artifact to authenticate the security artifact;
  
  accessing the service provider as a result of the service provider authenticating the security artifact; and
  
  repeating the acts above for the same security artifact, but with a different service provider, such that the same security artifact is used with a different service provider using a different pseudonym for the security artifact where the different pseudonym is based on a unique identifier of the different service provider, such that using different pseudonyms for different service providers prevents activity using the security artifact from being correlated across the different service providers by using the different pseudonyms with the different service providers when using the security artifact with the different service providers.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The method of claim 12, wherein sending the signature on the nonce to the service provider comprises sending the signature on the nonce to an application which forwards the signature to the service provider.
  - 14. The method of claim 12, wherein the security artifact challenge is received as a result of an application sending an access request.
  - 15. The method of claim 12, wherein the security artifact comprises a portable hardware device including at least one of a USB dongle, smart chip on a card or a SIM card in mobile phone.
  - 16. The method of claim 12, wherein the security artifact comprises a software module implemented on a computer system by storing computer readable instructions in one or more physical computer readable media devices and executing the computer readable instructions using one or more processors.

17. In a computing environment, a method of validating a user using a security artifact at a service provider, the method comprisingreceiving a request from a security artifact for a site key, wherein the security artifact comprises at least one of a cryptographic hardware device or a software module that provides an additional authentication factor that is reusable across accounts from multiple service providers to authenticate to the different service providers either directly or by unlocking security tokens that have already been issued by the service providers, and wherein the security artifact is configured to perform cryptographic operations to prove its presence during authentication;
- in response to the request from the security artifact for a site key, returning a service provider unique identifier to the security artifact;
  
  receiving from the security artifact a pseudonym for the security artifact, wherein the pseudonym is generated using the service provider unique identifier and a security artifact secret unique to the security artifact to generate a pseudonym for the security artifact, wherein the pseudonym comprises a public key of an asymmetric key pair, and wherein the pseudonym is different than one or more other pseudonyms for the security artifact when the security artifact is used for different service providers than the service provider, which prevents activity using the security artifact from being correlated across different service providers by using different pseudonyms with different service providers when using the security artifact with different service providers;
  
  registering the pseudonym with a user account at a service provider;
  
  receiving a request for access of the user account from an application;
  
  sending a message to the application indicating that authentication is required to service the request;
  
  receiving a request from the application for authentication;
  
  in response to receiving a request from the application for authentication, sending a security artifact challenge to the application, wherein the security artifact challenge comprises the service provider unique identifier and a nonce;
  
  receiving a security artifact response comprising the signature on a nonce generated using a private key generated using the service provider unique identifier and the security artifact secret unique to the security artifact, the nonce being signed by the security artifact to prove the security artifact'"'"'s presence during authentication; and
  
  validating the security artifact response using the pseudonym.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Wittenberg, Craig Henry, Paquin, Christian, Malaviarachchi, Rushmi U.
Primary Examiner(s)
Rahman, Mahfuzur
Assistant Examiner(s)
LANE, GREGORY A

Application Number

US12/894,391
Publication Number

US 20120084565A1
Time in Patent Office

1,426 Days
Field of Search

713/168, 713/169, 713/172, 713/184, 713/185, 726/5
US Class Current

713/172
CPC Class Codes

H04L 2209/42   Anonymization, e.g. involvi...

H04L 9/32   including means for verifyi...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

H04L 9/3271   using challenge-response

Cryptographic device that binds an additional authentication factor to multiple identities

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

29 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Cryptographic device that binds an additional authentication factor to multiple identities

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links