Method for distributed trust authentication

US 9,641,341 B2
Filed: 03/21/2016
Issued: 05/02/2017
Est. Priority Date: 03/31/2015
Status: Active Grant

First Claim

Patent Images

1. A method for distributed trust authentication of one or more users attempting to access one or more service providers operating on a network, the method comprising:

distributing a first private key share of a first private key to a primary authentication system, a second private key share of the first private key to a secondary authentication system, and a public key to a first service provider, wherein the public key corresponds to a private key used to generate the first and second private key shares;

wherein the secondary authentication system and the first service provider do not have access to the first private key share;

wherein the primary authentication system and the first service provider do not have access to the second private key share, wherein the primary authentication system is an identity provider for the first service provider, and wherein the secondary authentication system is an independent authentication service;

performing, at the primary authentication system, in response to a first attempt of a first user operating a computing device to access the first service provider, primary authentication of the first user using a first authentication factor;

generating, at the primary authentication system, a first authentication response to the primary authentication;

generating, at the primary authentication system, a first partial digital signature for the first authentication response using the first private key share;

performing, at the secondary authentication system, in response to the first attempt of the first user to access the first service provider, secondary authentication of the first user using a second authentication factor;

generating, at the secondary authentication system, a second authentication response to the secondary authentication;

generating, at the secondary authentication system, a second partial digital signature for the second authentication response using the second private key share;

combining the first and the second partial digital signatures, resulting in a first composite digital signature;

transmitting, over the network, the first composite digital signature to the first service provider with the first and the second authentication responses;

validating, at the first service provider, the first composite digital signature using the public key; and

providing the first user with access, via the network, to the first service provider in response to successful validation of the first composite digital signature.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for distributed trust authentication of one or more users attempting to access one or more service providers operating on a network includes performing primary authentication of a user using a first authentication factor, generating a first partial digital signature for a first authentication response to the primary authentication, performing secondary authentication of the user using a second authentication factor, generating a second partial digital signature for the second authentication response to the secondary authentication, combining the first and second partial digital signatures to form a composite digital signature, and validating the composite digital signature.

88 Citations

View as Search Results

28 Claims

1. A method for distributed trust authentication of one or more users attempting to access one or more service providers operating on a network, the method comprising:
- distributing a first private key share of a first private key to a primary authentication system, a second private key share of the first private key to a secondary authentication system, and a public key to a first service provider, wherein the public key corresponds to a private key used to generate the first and second private key shares;
  
  wherein the secondary authentication system and the first service provider do not have access to the first private key share;
  
  wherein the primary authentication system and the first service provider do not have access to the second private key share, wherein the primary authentication system is an identity provider for the first service provider, and wherein the secondary authentication system is an independent authentication service;
  
  performing, at the primary authentication system, in response to a first attempt of a first user operating a computing device to access the first service provider, primary authentication of the first user using a first authentication factor;
  
  generating, at the primary authentication system, a first authentication response to the primary authentication;
  
  generating, at the primary authentication system, a first partial digital signature for the first authentication response using the first private key share;
  
  performing, at the secondary authentication system, in response to the first attempt of the first user to access the first service provider, secondary authentication of the first user using a second authentication factor;
  
  generating, at the secondary authentication system, a second authentication response to the secondary authentication;
  
  generating, at the secondary authentication system, a second partial digital signature for the second authentication response using the second private key share;
  
  combining the first and the second partial digital signatures, resulting in a first composite digital signature;
  
  transmitting, over the network, the first composite digital signature to the first service provider with the first and the second authentication responses;
  
  validating, at the first service provider, the first composite digital signature using the public key; and
  
  providing the first user with access, via the network, to the first service provider in response to successful validation of the first composite digital signature.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1, wherein the second authentication response is identical to the first authentication response.
  - 3. The method of claim 1, further comprising transmitting the first authentication response to the secondary authentication system;
    - wherein generating the second authentication response comprises generating the second authentication response based on the first authentication response.
  - 4. The method of claim 3, wherein generating the second authentication response comprises duplicating the first authentication response.
  - 5. The method of claim 1, wherein the remote authentication service is a two-factor authentication service.
  - 6. The method of claim 5, wherein the identity provider is an Active Directory service.
  - 7. The method of claim 1 further comprising,performing, at the secondary authentication system, in response to a first attempt of the first user to access a second service provider, authentication of the first user using a third authentication factor;
    - generating, at the secondary authentication system, a third authentication response to the authentication of the first user using the third authentication factor;
      
      generating, at the secondary authentication system, a third partial digital signature for the third authentication response using the second private key share;
      
      combining the third partial digital signature with an additional partial digital signature, resulting in a second composite digital signature;
      
      transmitting the second composite digital signature to the second service provider;
      
      validating, at the second service provider, the second composite digital signature; and
      
      providing the first user with access to the second service provider in response to successful validation of the second composite digital signature.
  - 8. The method of claim 7, wherein the second service provider is the first service provider.
  - 9. The method of claim 7, wherein the additional partial digital signature is the first partial digital signature or the second partial digital signature.
  - 10. The method of claim 1, further comprising:
    - distributing a first replacement private key share of a second private key to the primary authentication system, a second replacement private key share of the second private key to the secondary authentication system, and a replacement public key paired with the second private key to the first service provider;
      
      performing, at the primary authentication system, in response to a second attempt of the first user to access the first service provider, primary authentication of the first user using the first authentication factor;
      
      generating, at the primary authentication system, a third authentication response to the primary authentication performed in response to the second attempt;
      
      generating, at the primary authentication system, a third partial digital signature for the third authentication response using the first replacement private key share;
      
      performing, at the secondary authentication system, in response to the second attempt of the first user to access the first service provider, secondary authentication of the first user using the second authentication factor;
      
      generating, at the secondary authentication system, a fourth authentication response to the secondary authentication performed in response to the second attempt;
      
      generating, at the secondary authentication system, a fourth partial digital signature for the fourth authentication response using the second replacement private key share;
      
      combining the third and the fourth partial digital signatures, resulting in a second composite digital signature;
      
      transmitting the second composite digital signature to the first service provider with at least one of the third and the fourth authentication responses;
      
      validating, at the first service provider, the second composite digital signature using the replacement public key; and
      
      providing the first user with access to the first service provider in response to successful validation of the second composite digital signature.
  - 11. The method of claim 10, further comprising preventing access to the first service provider using the first and second private key shares after distributing the first and the second replacement private key shares.
  - 12. The method of claim 1, further comprising:
    - performing, at the primary authentication system, in response to a second attempt of the first user to access the first service provider, primary authentication of the first user using a third authentication factor;
      
      generating, at the primary authentication system, a third authentication response to the primary authentication performed in response to the second attempt;
      
      generating, at the primary authentication system, a third partial digital signature for the third authentication response using the first private key share;
      
      performing, at the secondary authentication system, in response to a second attempt of the first user to access the first service provider, secondary authentication of the first user using a fourth authentication factor;
      
      generating, at the secondary authentication system, a fourth authentication response to the secondary authentication performed in response to the second attempt;
      
      generating, at the secondary authentication system, a fourth partial digital signature for the fourth authentication response using the second private key share;
      
      combining the third and the fourth partial digital signatures, resulting in a second composite digital signature;
      
      transmitting the second composite digital signature to the first service provider with at least one of the third and the fourth authentication responses;
      
      validating, at the first service provider, the second composite digital signature using the public key; and
      
      providing the first user with access to the first service provider in response to successful validation of the second composite digital signature.
  - 13. The method of claim 12, further comprising, at the primary authentication system, refusing to perform primary authentication of the first user using the first authentication factor.
  - 14. The method of claim 1, further comprising:
    - performing, at the primary authentication system, in response to an attempt of a second user to access the first service provider, primary authentication of the second user using a second user authentication factor;
      
      generating, at the primary authentication system, a third authentication response to the primary authentication of the second user;
      
      generating, at the primary authentication system, a third partial digital signature for the third authentication response using the first private key share;
      
      performing, at the secondary authentication system, in response to the attempt of the second user to access the first service provider, secondary authentication of the second user using an additional second user authentication factor;
      
      generating, at the secondary authentication system, a fourth authentication response to the secondary authentication of the second user;
      
      generating, at the secondary authentication system, a fourth partial digital signature for the fourth authentication response using the second private key share;
      
      combining the third and the fourth partial digital signatures, resulting in a second composite digital signature;
      
      transmitting the second composite digital signature to the first service provider with at least one of the third and the fourth authentication responses; and
      
      providing the second user with access to the first service provider in response to successful validation of the second composite digital signature.
  - 15. The method of claim 1, further comprising:
    - at a first user device, attempting to access the first service provider;
      
      transmitting the first partial digital signature from the primary authentication system to the first user device;
      
      transmitting the second partial digital signature from the secondary authentication system to the first user device;
      
      wherein combining the first and the second partial digital signatures comprises combining the first and the second partial digital signatures at the first user device.
  - 16. The method of claim 1, wherein generating the first partial digital signature comprises generating the first partial digital signature in response to successful primary authentication of the first user, and wherein generating the second partial digital signature comprises generating the second partial digital signature in response to successful secondary authentication of the first user.
  - 17. The method of claim 16, wherein generating the second partial digital signature comprises generating the second partial digital signature in response to both of the successful primary authentication and the successful secondary authentication.
  - 18. The method of claim 16, further comprising:
    - transmitting a secondary authentication request from the primary authentication system to the secondary authentication system in response to successful primary authentication of the first user,wherein performing the secondary authentication comprises performing the secondary authentication only after receiving the secondary authentication request.
  - 19. The method of claim 1,wherein the first authentication factor comprises a knowledge factor, andwherein the first partial digital signature is generated for the first authentication response to the primary authentication using the knowledge factor.
  - 20. The method of claim 19, wherein the knowledge factor is a password to a user account associated with the first service provider.
  - 21. The method of claim 19,wherein the second authentication factor comprises a possession factor,wherein the second partial digital signature is generated for the second authentication response to the secondary authentication using the possession factor.

22. A method for distributed trust authentication of one or more users attempting to access one or more service providers operating on a network, the method comprising:
- distributing a first private key share of a private key to a first authentication system, a second private key share of the private key to a second authentication system, a third private key share of the private key to a third authentication system, and a public key to a service provider, wherein the public key corresponds to a private key used to generate the first, second, and third private key shares, wherein the second private key share is non-identical to the third private key share, wherein the primary authentication system is an identity provider for the first service provider, and wherein the secondary authentication system is an independent authentication service;
  
  wherein the second authentication system, the third authentication system, and the service provider do not have access to the first private key share,wherein the first authentication system, the third authentication system, and the service provider do not have access to the second private key share, andwherein the first authentication system, the second authentication system, and the service provider do not have access to the third private key share;
  
  performing, at the first authentication system, in response to an attempt of a user operating a computing device to access the service provider, primary authentication of the user using a first authentication factor;
  
  generating, at the first authentication system, a first authentication response to the primary authentication;
  
  generating, at the first authentication system, a first partial digital signature for the first authentication response using the first private key share;
  
  performing a second and a third authentication process;
  
  wherein the second authentication process comprises;
  
  performing, at the second authentication system, in response to the attempt of the user to access the service provider, secondary authentication of the user using a second authentication factor;
  
  generating, at the second authentication system, a second authentication response to the secondary authentication of the user using the second authentication factor;
  
  generating, at the second authentication system, a second partial digital signature for the second authentication response using the second private key share;
  
  combining the first and second partial digital signatures, resulting in a first composite digital signature; and
  
  transmitting the first composite digital signature to the service provider with the first and second authentication responses;
  
  wherein the third authentication process comprises;
  
  performing, at the third authentication system, in response to the attempt of the user to access the service provider, secondary authentication of the user using a third authentication factor;
  
  generating, at the third authentication system, a third authentication response to the secondary authentication of the user using the third authentication factor;
  
  generating, at the third authentication system, a third partial digital signature for the third authentication response using the third private key share;
  
  combining the first and third partial digital signatures, resulting in a second composite digital signature; and
  
  transmitting, over the network, the second composite digital signature to the service provider with the first and third authentication responses;
  
  validating, at the service provider, the first and second composite digital signatures using the public key;
  
  wherein the public key used for validating the first composite digital signature is identical to the public key used for validating the second composite digital signature; and
  
  providing, via the network, the user with access to the service provider in response to successful validation.
- View Dependent Claims (23)
- - 23. The method of claim 22, wherein the second and the third authentication factors are distinct possession factors.

24. A method for distributed trust authentication of one or more users attempting to access one or more service providers operating on a network, the method comprising:
- distributing a first private key share, a second private key share, and a third private key share to a first authentication system, a second authentication system, and a third authentication system, respectively, wherein the second and the third private key shares are non-identical, wherein the first authentication system is an identity provider for a first service provider the second authentication system is an independent authentication service;
  
  distributing, to the first service provider, a first public key paired with a first private key comprising the first private key share and the second private key share wherein the public key corresponds to the first private key used to generate the first and second private key shares;
  
  distributing, to a second service provider, a second public key paired with a second private key comprising the second private key share and the third private key share, wherein the second public key corresponds to the second private key used to generate the third private key share, wherein the first and the second public keys are non-identical,wherein the second and the third authentication systems, and the first and the second service providers, do not have access to the first private key share,wherein the first and the third authentication systems, and the first and the second service providers, do not have access to the second private key share,wherein the first and the second authentication systems, and the first and the second service providers, do not have access to the third private key share;
  
  performing, at the first authentication system, in response to an attempt of a user operating a computing device to access the first and the second service providers, primary authentication of the user using a first authentication factor;
  
  generating, at the first authentication system, a first authentication response to the primary authentication;
  
  generating, at the first authentication system, a first partial digital signature for the first authentication response using the first private key share;
  
  performing a second and a third authentication process;
  
  wherein the second authentication process comprises;
  
  performing, at the second authentication system, in response to the attempt of the user to access the first service provider, secondary authentication of the user using a second authentication factor;
  
  generating, at the second authentication system, a second authentication response to the secondary authentication of the user using the second authentication factor;
  
  generating, at the second authentication system, a second partial digital signature for the second authentication response using the second private key share;
  
  combining the first and second partial digital signatures, resulting in a first composite digital signature;
  
  transmitting, over the network, the first composite digital signature to the first service provider with the first and second authentication responses;
  
  validating, at the first service provider, the first composite digital signature using the first public key; and
  
  providing, via the network, the user with access to the first service provider in response to successful validation of the first composite digital signature;
  
  wherein the third authentication process comprises;
  
  performing, at the third authentication system, in response to the attempt of the user to access the second service provider, secondary authentication of the user using a third authentication factor;
  
  generating, at the third authentication system, a third authentication response to the secondary authentication of the user using the third authentication factor;
  
  generating, at the third authentication system, a third partial digital signature for the third authentication response using the third private key share;
  
  combining the first and third partial digital signatures, resulting in a second composite digital signature;
  
  transmitting, over the network, the second composite digital signature to the second service provider with the first and third authentication responses;
  
  validating, at the second service provider, the second composite digital signature using the second public key; and
  
  providing, via the network, the user with access to the second service provider in response to successful validation of the second composite digital signature.
- View Dependent Claims (25, 26, 27, 28)
- - 25. The method of claim 24, wherein the first and the second service provider are a same service provider and the first and the second public keys are stored at the same service provider.
  - 26. The method of claim 25, wherein validating the first composite digital signature using the first public key comprises attempting to validate the first composite digital signature using both of the first public key and the second public key;
    - wherein validating the second composite digital signature using the second public key comprises attempting to validate the second composite digital signature using both of the first public key and the second public key;
      
      the method further comprising providing the user with access to the same service provider in response to successful validation using either of the first public key or the second public key.
  - 27. The method of claim 26, wherein providing the user with access comprises providing a different scope of access if the first composite digital signature is successfully validated than if the second composite digital signature is successfully validated.
  - 28. The method of claim 24, wherein the second and the third authentication system are a same authentication system, such that the second and the third private key shares are stored at the same authentication system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Duo Security Incorporated (Cisco Systems, Inc.)
Inventors
Oberheide, Jon, Song, Dug, Goodman, Adam
Primary Examiner(s)
GRACIA, GARY S

Application Number

US15/075,826
Publication Number

US 20160294562A1
Time in Patent Office

407 Days
Field of Search

713155, 713175
US Class Current
CPC Class Codes

G06F 21/40   by quorum, i.e. whereby two...

H04L 2463/082   applying multi-factor authe...

H04L 63/0815   providing single-sign-on or...

H04L 63/0838   using one-time-passwords

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 9/085   Secret sharing or secret sp...

H04L 9/0863   involving passwords or one-...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3226   using a predetermined code,...

H04L 9/3247   involving digital signatures

Method for distributed trust authentication

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

88 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Method for distributed trust authentication

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

88 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links