US2001034837A1PendingUtilityA1

Method and apparatus for secure distribution of authentication credentials to roaming users

57
Assignee: ARCOT SYSTEMS INCPriority: Dec 23, 1997Filed: Apr 26, 2001Published: Oct 25, 2001
Est. expiryDec 23, 2017(expired)· nominal 20-yr term from priority
G06Q 20/3672H04L 9/0844H04L 9/3271G07F 7/1008G06Q 20/382H04L 9/3218G06Q 20/02G06Q 20/3674H04L 9/3236H04L 2209/56H04L 9/3231G06Q 20/3829G07F 7/1025H04L 63/08G06F 2221/2127G06F 21/6245G06Q 20/367
57
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A roaming user needing an his authentication credential (e.g., private key) to access a computer server to perform an electronic transaction may obtain the authentication credential in an on-demand fashion from a credential server accessible to the user over a computer network. In this way, the user is free to roam on the network without having to physically carry his authentication credential. Access to the credential may be protected by one or more challenge- response protocols involving simple shared secrets, shared secrets with one-to-one hashing, or biometric methods such as fingerprint recognition. If camouflaging is used to protect the authentication credential, decamouflaging may be performed either at the credential server or at the user's computer.

Claims

exact text as granted — not AI-modified
What is claimed is:  
     
         1 . A computer-implemented method for obtaining, in a networked environment, an authentication credential usable to conduct an electronic transaction, comprising: 
 (a) accessing, over a network, a server to request therefrom a predetermined authentication credential, said authentication credential: 
 (i) in existence at said server prior to said request therefor,  
 (ii) uniquely identifying a requester thereof, and  
 (iii) suitable for use in conducting an electronic transaction;  
   (b) receiving, from said server, a challenge soliciting a predetermined response associated with a holder of said authentication credential;    (c) transmitting an answer to said challenge; and    (d) in response to a determination by said server that said answer satisfies said challenge, receiving said authentication credential from said server; said method being operable in a repeatable, on-demand manner by said requester from a plurality of requester locations.    
     
     
         2 . The method of    claim 1    where said authentication credential includes a secret credential of said requestor.  
     
     
         3 . The method of    claim 2    where said secret credential is a private key.  
     
     
         4 . The method of    claim 2    further comprising: 
 (e) using said authentication credential to conduct said electronic transaction; and  
 (f) deleting said credential from said requestor's computing device.  
 
     
     
         5 . The method of    claim 2    where said requestor's computing device includes a web browser, and said network is a distributed computer network.  
     
     
         6 . The method of    claim 2    where said requestor's computing device includes a digital wallet.  
     
     
         7 . The method of    claim 2    where said response includes a shared secret between said server and said requestor.  
     
     
         8 . The method of claim I further comprising: 
 (e) using said authentication credential to conduct said electronic transaction; and    (f) deleting said credential from said requestor's computing device.    
     
     
         9 . The method of    claim 8    where said authentication credential includes a private key of said requester.  
     
     
         10 . The method of    claim 1    where said received authentication credential is in cryptographically camouflaged form.  
     
     
         11 . The method of    claim 10    where said authentication credential is encrypted under an access code, and further comprising: 
 (i) receiving from said requester a candidate access code;  
 (ii) verifying that said candidate access code belongs to a family of pseudo-valid responses; and  
 (iii) using said pseudo-valid candidate access code to decrypt said stored authentication credential.  
 
     
     
         12 . The method of    claim 11    where said pseudo-valid responses have the characteristic of being hashable to the same output as said access code.  
     
     
         13 . The method of    claim 12    where said authentication credential includes a private key of said requester.  
     
     
         14 . The method of    claim 10    where said authentication credential includes a secret credential of said requester.  
     
     
         15 . The method of    claim 10    further comprising the steps of: 
 (e) using said authentication credential to conduct said electronic transaction; and  
 (f) deleting said credential from said requestor's computing device.  
 
     
     
         16 . The method of claim l where said challenge and said response are members of a zero knowledge proof protocol.  
     
     
         17 . The method of    claim 1    where said steps (b) and (c) are part of a cryptographic camouflage challenge-response protocol.  
     
     
         18 . The method of    claim 1    further comprising downloading a digital currency from said server along with said authentication credential.  
     
     
         19 . An apparatus for obtaining, in a networked environment, an authentication credential usable to conduct an electronic transaction, comprising: 
 (a) a network interface configured to: 
 (i) access, over a network, a server to request therefrom a predetermined authentication credential, said authentication credential:  
 (A) in existence at said server prior to said request therefor,  
 (B) uniquely identifying a requestor thereof, and  
 (C) suitable for use in conducting an electronic transaction, and  
 (ii) receive, from the server, a challenge soliciting a predetermined response associated with said requestor of said authentication credential;  
   (b) an user interface configured to receive, from said requestor, an answer to said challenge;    (c) said network interface configured to receive said authentication credential in response to a determination by said server that said answer satisfies said challenge; and    (d) a memory configured to store said authentication credential at said requestor's computing device;    said apparatus being usable by said requestor to obtain repeated, on-demand access from a plurality of requestor locations.    
     
     
         20 . The apparatus of    claim 19    wherein said authentication credential includes a secret credential of said requestor.  
     
     
         21 . The apparatus of    claim 20    wherein said secret credential is a private key.  
     
     
         22 . The apparatus of    claim 19    configured for use as a web browser, and wherein said network is a distributed computer network.  
     
     
         23 . The apparatus of    claim 19    configured for use as a digital wallet.  
     
     
         24 . The apparatus of    claim 19    wherein said server is configured to store said authentication credential in cryptographically camouflaged form.  
     
     
         25 . The apparatus of    claim 24    wherein: 
 (i) said authentication credential is encrypted under an access code;  
 (ii) said user interface is configured to receive, from said requestor, a candidate access code; and  
 (iii) further comprising cryptographic logic configured to:  
 (iv) verify that said candidate access code belongs to a family of pseudo-valid responses; and  
 (v) use said pseudo-valid candidate access code to decrypt said stored authentication credential.  
 
     
     
         26 . The apparatus of    claim 25    wherein said pseudo-valid responses have the characteristic of being hashable to the same output as said access code.  
     
     
         27 . The apparatus of    claim 26    wherein said authentication credential includes a private key of said requestor.  
     
     
         28 . The apparatus of    claim 19    wherein said challenge and said predetermined response are part of a cryptographic camouflage challenge-response protocol.  
     
     
         29 . The apparatus of    claim 24    wherein said authentication credential includes a secret credential of said requestor.  
     
     
         30 . A computer-implemented method for providing, in a networked environment, an authentication credential usable to conduct an electronic transaction, comprising: 
 (a) receiving from a requester, over a network, a request for a predetermined authentication credential, said authentication credential: 
 (i) in existence at said server prior to said request therefor,  
 (ii) uniquely identifying a requester thereof, and  
 (iii) suitable for use in conducting an electronic transaction;  
   (b) transmitting, to said requestor, a challenge soliciting a predetermined response associated with said requestor;    (c) receiving an answer to said challenge;    (d) determining that said answer satisfies said challenge; and    (e) transmitting said authentication credential for said requestor;    said method being operable to process repeated, on-demand authentication credential requests by said requestor at a plurality of requestor locations.    
     
     
         31 . The method of    claim 30    where said authentication credential includes a secret credential of said requestor.  
     
     
         32 . The method of    claim 31    where said secret credential is a private key.  
     
     
         33 . The method of    claim 31    where said requestor is at a web browser, and said network is a distributed computer network.  
     
     
         34 . The method of    claim 31    where said transmitting is to a digital wallet of said requester.  
     
     
         35 . The method of    claim 31    where said response includes a shared secret between said server and said requestor.  
     
     
         36 . The method of    claim 30    where said server is configured to store said authentication credential in cryptographically camouflaged form.  
     
     
         37 . The method of    claim 36    where said authentication credential is encrypted under an access code, and where said determining that said answer satisfies said challenge includes: 
 (i) verifying that said answer belongs to a family of pseudo-valid responses; and  
 (ii) using said response to decrypt said stored authentication credential.  
 
     
     
         38 . The method of    claim 37    where said pseudo-valid responses have the characteristic of being hashable to the same output as said access code.  
     
     
         39 . The method of    claim 38    where said authentication credential includes a private key of said requestor.  
     
     
         40 . The method of    claim 36    where said authentication credential includes a secret credential of said requestor.  
     
     
         41 . The method of    claim 36    where said step (e) includes transmitting said authentication credential to said requestor in cryptographically camouflaged form for cryptographic decamouflaging by said requestor.  
     
     
         42 . The method of    claim 30    further comprising sending a digital currency to said requestor along with said authentication credential.  
     
     
         43 . An apparatus for providing, in a networked environment, an authentication credential usable to conduct an electronic transaction, comprising: 
 (a) a network interface configured to: 
 (i) receive from a requestor, over a network, a request for a predetermined authentication credential, said authentication credential: 
 (A) in existence at said apparatus prior to said request therefor;  
 (B) uniquely identifying a requestor thereof; and  
 (C) suitable for use in conducting an electronic transaction,  
 
 (ii) transmit a challenge soliciting a predetermined response associated with said requester, and  
 (iii) receive, from said holder, an answer to said challenge;  
   (b) logic configured to determine whether said answer satisfies said challenge; and    (c) a memory configured to store said authentication credential to be released for said requestor;    said apparatus being operable to process repeated, on-demand authentication credential requests by said requestor at a plurality of requester locations.    
     
     
         44 . The apparatus of    claim 43    wherein said authentication credential includes a secret credential of said requestor.  
     
     
         45 . The apparatus of    claim 44    wherein said secret credential is a private key.  
     
     
         46 . The apparatus of    claim 44    wherein said response includes a shared secret between said server and said requestor.  
     
     
         47 . The apparatus of    claim 43    wherein said server is configured to store said authentication credential in cryptographically camouflaged form.  
     
     
         48 . The apparatus of    claim 47    wherein said authentication credential is encrypted under an access code, and where said logic to determine whether said answer satisfies said challenge includes: 
 (i) cryptographic logic for verifying that said answer belongs to a family of pseudo-valid responses; and  
 (ii) cryptographic logic for using said answer to decrypt said stored authentication credential.  
 
     
     
         49 . The apparatus of    claim 48    where said pseudo-valid responses have the characteristic of being hashable to the same output as said access code.  
     
     
         50 . The apparatus of    claim 49    where said authentication credential includes a private key of said requestor.  
     
     
         51 . The apparatus of    claim 47    wherein said network interface is configured to release said authentication credential to said requestor in cryptographically camouflaged form for cryptographic decamouflaging by said requester.  
     
     
         52 . The apparatus of    claim 47    wherein said authentication credential includes a secret. credential of said user.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.