US2014149742A1PendingUtilityA1

Method and system of providing authentication of user access to a computer resource via a mobile device using multiple separate security factors

43
Assignee: YAU ARNOLDPriority: Nov 28, 2012Filed: Nov 26, 2013Published: May 29, 2014
Est. expiryNov 28, 2032(~6.4 yrs left)· nominal 20-yr term from priority
Inventors:Arnold Yau
H04L 63/0869H04L 9/3226H04L 63/0428H04L 2463/082G06F 21/445H04L 9/0637G06F 21/34H04L 63/18H04L 9/3213H04L 63/083H04L 63/0807H04W 12/069
43
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A method and system of authenticating a computer resource such as an application or data on a mobile device uses a contactless token to provide multi-factor user authentication. User credentials are stored on the token in the form of private keys, and encrypted data and passwords are stored on the device. When application user requires access to the resource an encrypted password is transmitted to and decrypted on the token using a stored private key. An unencrypted data encryption key or password is then transmitted back to the device under the protection of a cryptographic session key which is generated as a result of strong mutual authentication between the device and the token.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method of authenticating access to a computer resource via a mobile device comprising:
 storing an encrypted resource authorization;   transmitting the encrypted authorization to a separate portable security token;   on the token, decrypting the encrypted authorization and generating at least partially therefrom an unlock response;   securely transmitting the unlock response to the mobile device;   requiring a user to authenticate separately on the mobile device;   unlocking the resource if the required unlock response and the separate authentication are both valid.   
     
     
         2 . A method as claimed in  claim 1  in which the unlock response comprises a plain authorization, obtained by decrypting the encrypted authorization, or a function of a plain authorization, obtained by decrypting the encrypted authorization, and additional information. 
     
     
         3 . A method as claimed in  claim 1  in which the authorization comprises a password, a PIN or a cryptographic key. 
     
     
         4 . A method as claimed in  claim 1  in which the unlock response is transmitted to the mobile device under the protection of an encryption key, such as a session key. 
     
     
         5 . A method as claimed in  claim 1  in which the token stores user credentials, the decryption on the token being based on the user credentials. 
     
     
         6 . A method as claimed in  claim 1  in which the encrypted authorization is stored on the mobile device. 
     
     
         7 . A method as claimed in  claim 1  in which the encrypted authorization is stored in the cloud and is retrieved from the cloud to the mobile device. 
     
     
         8 . A method as claimed in  claim 1  which the authentication on the mobile device is validated on the token before the unlock response is sent. 
     
     
         9 . A method as claimed in  claim 1  including running a service on the mobile device which controls device cryptographic functions and access to the resource. 
     
     
         10 . A method as claimed in  claim 1  including running an applet on the token which provides token cryptographic functions. 
     
     
         11 . A method as claimed in  claim 5  in which the user credentials are generated by the token and never leave the token. 
     
     
         12 . A method as claimed in  claim 1 , in which the encrypted authorization can be decrypted solely with the corresponding user credentials stored on the token. 
     
     
         13 . A method as claimed in  claim 1  including verifying integrity on the token by a message authentication code received from the device. 
     
     
         14 . A method as claimed in  claim 1  in which the integrity of the encrypted authorization is verified on the token prior to decryption. 
     
     
         15 . A method as claimed in  claim 1  in which the device and the token perform cryptographic mutual authentication before transmission of the encrypted authorization. 
     
     
         16 . A method as claimed in  claim 1  in which a user secret is passed from the device to the token and is validated by the token before the decryption operation takes place. 
     
     
         17 . A method as claimed in  claim 1  in which the resource comprises an application running or stored on the mobile device, or accessible therefrom, or in which the resource comprises data stored on the mobile device or accessible therefrom. 
     
     
         18 . A system of authenticating access to a computer resource via a mobile device with a portable security token, comprising:
 a mobile device;   a token including a token communications system and a token processor providing cryptographic functions;   and wherein in use an encrypted authorization is transmitted by the device communications system to the token; is decrypted on the token; the token generating at least partially therefrom an unlock response, the unlock response being securely transmitted by the token communications system to the mobile device; requiring a user to authenticate separately on the mobile device; and unlocking the resource if the required unlock response and the separate authentication are both valid.   
     
     
         19 . A system as claimed in  claim 18  in which the authorization comprises an application password, a PIN or a cryptographic key. 
     
     
         20 . A system as claimed in  claim 18  in which the token comprises a token storage for storing private user credentials and wherein the decryption on the token is based on the user credentials. 
     
     
         21 . A system as claimed in  claim 18  including means for retrieving the encrypted authorization from the cloud. 
     
     
         22 . A system as claimed in  claim 18  in which the unlock response is transmitted by the token communications system to the mobile device under the protection of an encryption key such as a session key. 
     
     
         23 . A system as claimed in  claim 18  in which the token is a card. 
     
     
         24 . A system as claimed in  claim 18  in which the device communications system and the token communications system communicate over the air, or communicate when the token is placed in close proximity to or is touched to the device. 
     
     
         25 . A system as claimed in  claim 18  in which the separate authentication on the mobile device is validated on the token before the unlock response is sent. 
     
     
         26 . A system as claimed in  claim 18  in which the device communications system sends a user secret to the token which is validated by the token before the decryption operation takes place. 
     
     
         27 . A system as claimed in  claim 18  in which the device communications system sends a message authentication code (MAC) to the token, which is validated by the token before the decryption operation takes place. 
     
     
         28 . A system as claimed in  claim 18  in which the integrity of the encrypted authorization is verified on the token prior to decryption. 
     
     
         29 . A system as claimed in  claim 18  in which the device and the token are arranged to perform cryptographic mutual authentication before transmission of the encrypted authorization. 
     
     
         30 . A system as claimed in  claim 18  in which the token sends the unlock response only on positive confirmation by the user, for example by pressing a button on the token.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.