Methods and systems for securing proofs of knowledge for privacy

US 9,887,993 B2
Filed: 10/17/2016
Issued: 02/06/2018
Est. Priority Date: 08/11/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a client device, comprising;

one or more first processors; and

first memory containing instructions executable by the one or more first processors whereby the client device is operable to;

receive a first encryption key and user data comprising one or more encrypted tests from a Proof of Knowledge (PoK) server;

receive a second encryption key from a Relying Party (RP) server;

decrypt the one or more encrypted tests by using the first encryption key and the second encryption key;

render one or more decrypted tests;

obtain one or more answers for the one or more decrypted tests;

process the one or more answers obtained by the client device for the one or more encrypted tests;

send a communication to the PoK server, the communication comprising one or more processed answers; and

receive a communication from the RP server that authorizes a user of the client device to access one or more services administered by the RP server; and

the PoK server providing a PoK service, comprising;

one or more second processors; and

second memory containing instructions executable by the one or more second processors whereby the PoK server is operable to;

send a communication to the client device comprising the first encryption key and the user data comprising the one or more encrypted tests, the one or more encrypted tests being indecipherable to the PoK server;

receive the communication from the client device comprising the one or more processed answers, the one or more processed answers being indecipherable to the PoK server;

compare the one or more processed answers to pre-provisioned correct answers for the one or more encrypted tests; and

in response to determining a match between the one or more processed answers and the pre-provisioned correct answers, send a communication to a Relying Party (RP) server indicating that the client device has been authenticated; and

the RP server, comprising;

one or more third processors; and

third memory containing instructions executable by the one or more third processors whereby the RP server is operable to;

send the second encryption key to the client device; and

receive the communication from the PoK server indicating that the client device has been authenticated.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments described herein relate to securing the privacy of knowledge used to authenticate a user (i.e., Proof of Knowledge (PoK) test(s)). In some embodiments, a client device is operable to receive a first encryption key and encrypted test(s) from a PoK server. The client device also receives a second encryption key from a Relying Party (RP) server. The client device can decrypt the encrypted test(s) by using the first encryption key and the second encryption key to thereby render decrypted test(s). The client device is further operable to obtain answer(s) for the decrypted test(s), send a communication to the PoK server based on the answer(s), and receive a communication from the RP server that authorizes a user of the client device to access service(s) administered by the RP server.

109 Citations

21 Claims

1. A system comprising:
- a client device, comprising;
  
  one or more first processors; and
  
  first memory containing instructions executable by the one or more first processors whereby the client device is operable to;
  
  receive a first encryption key and user data comprising one or more encrypted tests from a Proof of Knowledge (PoK) server;
  
  receive a second encryption key from a Relying Party (RP) server;
  
  decrypt the one or more encrypted tests by using the first encryption key and the second encryption key;
  
  render one or more decrypted tests;
  
  obtain one or more answers for the one or more decrypted tests;
  
  process the one or more answers obtained by the client device for the one or more encrypted tests;
  
  send a communication to the PoK server, the communication comprising one or more processed answers; and
  
  receive a communication from the RP server that authorizes a user of the client device to access one or more services administered by the RP server; and
  
  the PoK server providing a PoK service, comprising;
  
  one or more second processors; and
  
  second memory containing instructions executable by the one or more second processors whereby the PoK server is operable to;
  
  send a communication to the client device comprising the first encryption key and the user data comprising the one or more encrypted tests, the one or more encrypted tests being indecipherable to the PoK server;
  
  receive the communication from the client device comprising the one or more processed answers, the one or more processed answers being indecipherable to the PoK server;
  
  compare the one or more processed answers to pre-provisioned correct answers for the one or more encrypted tests; and
  
  in response to determining a match between the one or more processed answers and the pre-provisioned correct answers, send a communication to a Relying Party (RP) server indicating that the client device has been authenticated; and
  
  the RP server, comprising;
  
  one or more third processors; and
  
  third memory containing instructions executable by the one or more third processors whereby the RP server is operable to;
  
  send the second encryption key to the client device; and
  
  receive the communication from the PoK server indicating that the client device has been authenticated.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The system of claim 1 wherein the PoK server is further operable to:
    - send a communication comprising one or more instructions to the RP server that control access by the user of the client device to one or more services administered by the RP server.
  - 3. The system of claim 1 wherein the user data is formed as an encrypted Binary Large Object (BLOB), the encrypted BLOB comprising the one or more encrypted tests and one or more multimedia objects for the one or more encrypted tests.
  - 4. The system of claim 3 wherein the one or more multimedia objects comprise an image for a picture password PoK test.
  - 5. The system of claim 3 wherein the one or more encrypted tests comprise one or more cognitive tests, the one or more cognitive tests comprising the one or more multimedia objects.
  - 6. The system of claim 1 wherein the RP server is further operable to:
    - receive a communication from the PoK server, the communication comprising one or more instructions for access control by the client device to the one or more services administered by the RP server; and
      
      grant the client device access to the one or more services administered by the RP server in accordance with the one or more instructions provided by the PoK server.
  - 7. The system of claim 1, wherein the client device is further operable to:
    - generate a third encryption key from the first encryption key and the second encryption key.
  - 8. The system of claim 7, wherein the decrypting the one or more encrypted tests by using the first encryption key and the second encryption key comprises decrypting the one or more encrypted tests by using the third encryption key.
  - 9. The system of claim 7, wherein processing the one or more answers obtained by the client device for the one or more encrypted tests comprises encrypting the one or more answers by using the third encryption key.
  - 10. The system of claim 9, wherein processing the one or more answers obtained by the client device for the one or more encrypted tests comprises creating a cryptographic hash for the one or more answers, the cryptographic hash based on the third encryption key.
  - 11. The system of claim 9, wherein the pre-provisioned correct answers for the one or more encrypted tests have been encrypted using the third encryption key.
  - 12. The system of claim 10, wherein the pre-provisioned correct answers for the one or more encrypted tests have been hashed using a cryptographic hash, the cryptographic hash based on the third encryption key.
  - 13. The system of claim 7, wherein, in order to generate the third encryption key, the client device is further operable to:
    - generate the third encryption key by performing one or more logical operations on the first encryption key and the second encryption key.
  - 14. The system of claim 13 wherein the one or more logical operations are selected from the group consisting of:
    - AND, OR, Exclusive OR (XOR), NOT, Not AND (NAND), Not OR (NOR), and Exclusive NOR (XNOR).
  - 15. The system of claim 7 wherein, in order to generate the third encryption key, the client device is further operable to:
    - generate the third encryption key by taking a split of the first encryption key and the second encryption key.
  - 16. The system of claim 15 wherein taking the split of the first encryption key and the second encryption key comprises performing an Exclusive OR (XOR) logical operation of the first encryption key and the second encryption key.
  - 17. The system of claim 1, wherein processing the one or more answers obtained by the client device for the one or more encrypted tests comprises creating a cryptographic hash for the one or more answers.
  - 18. The system of claim 17, wherein the pre-provisioned correct answers for the one or more encrypted tests have been hashed using a cryptographic hash, the cryptographic hash based on a third encryption key.
  - 19. The system of claim 1, wherein the first encryption key is unknown to the RP server and the second encryption key is unknown to the PoK server.
  - 20. The system of claim 1, wherein the first encryption key is unique to each client device seeking to access secured services administered by the particular RP server.
  - 21. The system of claim 1, wherein the second encryption key is unique to each client device seeking to access secured services administered by the particular RP server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Antique Books, Inc
Original Assignee
Antique Books, Inc
Inventors
Thibadeau, Sr., Robert H., Donnell, Justin D.
Primary Examiner(s)
LEWIS, LISA C

Application Number

US15/295,701
Publication Number

US 20170041313A1
Time in Patent Office

477 Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 21/31   User authentication

G06F 2212/1052   Security improvement

G06F 2221/2103   Challenge-response

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/0861   using biometrical features,...

H04L 9/3242   involving keyed hash functi...

H04L 9/3271   using challenge-response

Methods and systems for securing proofs of knowledge for privacy

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

109 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for securing proofs of knowledge for privacy

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links