WO2023073050A1 - Recovering access to a user account - Google Patents

Publication number
WO2023073050A1
Authority
WO
WIPO (PCT)
Prior art keywords
recovery
access
secret keys
user account
partial secret
Prior art date
Application number
PCT/EP2022/079993
Other languages
French (fr)
Inventor
Frans Lundberg
Andrzej Bohdan KOSTYK
Original Assignee
Assa Abloy Ab
Priority date
Filing date
Publication date
Application filed by Assa Abloy Ab
Publication of WO2023073050A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Definitions

  • the present disclosure relates to the field of recovering access to a user account and in particular to recovering access to a user account using a threshold cryptography scheme.
  • One object is to provide a more convenient yet secure way to regain access to a user account.
  • a method for recovering access to a user account the method being performed by a recovery control device.
  • the method comprises: triggering generation of a plurality of partial secret keys by respective recovery devices, the plurality of partial secret keys forming part of a threshold cryptography scheme associated with a public key, wherein the threshold cryptography scheme is associated with the user account; providing the public key to an access verification device; and triggering an access recovery, whereby access recovery messages are transmitted to the recovery devices, wherein a threshold number of the plurality of partial secret keys are required to be applied in the threshold cryptography scheme for recovering access to the user account.
  • the threshold number may be less than the plurality of partial secret keys.
  • the threshold number may be equal to or greater than two.
  • the threshold cryptography scheme may be based on an Elliptic Curve Digital Signature Algorithm, ECDSA.
  • a recovery control device for recovering access to a user account.
  • the recovery control device comprises: a processor; and a memory storing instructions that, when executed by the processor, cause the recovery control device to: trigger generation of a plurality of partial secret keys by respective recovery devices, the plurality of partial secret keys forming part of a threshold cryptography scheme associated with a public key, wherein the threshold cryptography scheme is associated with the user account; provide the public key to an access verification device; and trigger an access recovery, whereby access recovery messages are transmitted to the recovery devices, wherein a threshold number of the plurality of partial secret keys are required to be applied in the threshold cryptography scheme for recovering access to the user account.
  • the threshold number may be less than the plurality of partial secret keys.
  • the threshold number may be equal to or greater than two.
  • the threshold cryptography scheme may be based on an Elliptic Curve Digital Signature Algorithm, ECDSA.
  • a computer program for recovering access to a user account comprises computer program code which, when executed on a recovery control device causes the recovery control device to: trigger generation of a plurality of partial secret keys by respective recovery devices, the plurality of partial secret keys forming part of a threshold cryptography scheme associated with a public key, wherein the threshold cryptography scheme is associated with the user account; provide the public key to an access verification device; and trigger an access recovery, whereby access recovery messages are transmitted to the recovery devices, wherein a threshold number of the plurality of partial secret keys are required to be applied in the threshold cryptography scheme for recovering access to the user account.
  • a computer program product comprising a computer program according to the third aspect and a computer readable means comprising non-transitory memory in which the computer program is stored.
  • FIG 1 is a schematic diagram illustrating an environment in which embodiments presented herein can be applied;
  • FIG. 3 is a flow chart illustrating embodiments of methods for recovering access to a user account
  • Figs 4A-D are schematic diagrams illustrating embodiments of where the recovery control device can be implemented
  • Embodiments presented herein allow recovery of a user account based on threshold cryptography.
  • threshold cryptography enables authorisation of an action based on any t number of n partial secret keys being applied.
  • To set this up (prior to the credentials for the user account being lost), n trusted recovery devices generate their respective partial secret keys.
  • any t out of the n trusted recovery devices need to apply their partial signature.
  • 3 out of 5 trusted recovery devices can apply their signature for recovery of a user account e.g. for accessing a smartphone when the passcode has been lost.
  • the trusted recovery devices can e.g. be other devices of the user and/or devices of family members or trusted friends.
  • the user device 2 is connected to a communication network 7, such as the Internet.
  • the recovery devices 4a-g can be under control of the user 5 and/or can be devices of friends or family of the user 5.
  • the recovery devices 4a-g can be any type of electronic device, e.g. smartphones, computers, wearable devices, IoT (Internet of Things) devices, such as home speakers, light bulbs, sensors, fridge, etc.
  • a recovery control device 1 is used to allow the user 5 to regain access to a user account, e.g. for accessing the user device 2 or a service provided by a server 3 (e.g. as a web service or an app-based service).
  • a key pair consisting of a public key and a secret key.
  • the public key is associated with an entity or user and is shared publicly.
  • the secret key is coupled to the public key, but the secret key is kept secret.
  • a user device can perform a cryptographic operation, e.g. cryptographic signing or decryption, which can be used to gain access to a user account.
  • A development in asymmetric cryptography, from its original key pair of a secret key and a public key, is threshold cryptography.
  • In threshold cryptography, there is still a single public key 12, but cryptographic operations are achieved by a threshold number of associated partial secret keys 10a-g for respective entities. Jointly, the group of entities computes and communicates to generate the set of partial secret keys and the associated public key.
  • Each entity its partial secret key. It is to be noted that each partial secret key is secret and is only known to the entity itself. There is no need for this partial secret key to be exposed to any other entity, not even in the key creation phase. Hence, there is no need for a central authority that distributes these partial secret keys.
  • the partial secret keys can be refreshed. This can be done to limit the lifetime of the partial secret keys (which makes it even harder for an attacker who needs to compromise at least t parties within a time window defined by the lifetime).
  • the refresh can also be performed to consolidate the partial secret keys. For instance, if an entity holding a partial secret key is lost, it makes sense to regenerate the partial secret keys, now for the remaining entities of the group. It is to be noted that the refresh does not affect the public key - the same public key that was used prior to the refresh can be used after the refresh. Again, the refresh is performed without sharing any of the partial secret keys while doing the collaborative refresh computation, e.g. based on multi-party computation, known in the art per se, see the Wikipedia article https://en.wikipedia.org/wiki/Secure_multi-party_computation available at the time that this patent application is filed.
  • Threshold cryptography can e.g. be implemented using an Elliptic Curve Digital Signature Algorithm (ECDSA).
  • An example implementation is the Binance implementation, available at https://github.com/binance-chain/tss-lib at the time of filing of this patent application.
  • Fig 3 is a flow chart illustrating embodiments of methods for recovering access to a user account. The method is performed by a recovery control device 1.
  • the recovery control device 1 triggers generation of a plurality of partial secret keys 10a-g by respective recovery devices 4a-g.
  • the plurality of partial secret keys form part of a threshold cryptography scheme 11 associated with a public key 12.
  • the coordination does not require any hierarchical relationship; the coordination can imply that the recovery control device participates in the generation of the partial secret keys along with the recovery device 4a-g.
  • the threshold cryptography scheme 11, and thus also the public key 12, are both associated with the user account.
  • the recovery devices 4a-g can be devices of the user (of the user account) and/or devices belonging to family or trusted friends.
  • the threshold cryptography scheme 11 can e.g. be based on an Elliptic Curve Digital Signature Algorithm (ECDSA).
  • the recovery control device 1 provides the public key 12 to an access verification device 1, 2, 3.
  • the access verification device can be the device that verifies access normally, and can be e.g. the user device 2, an application server 3 or it could also be combined with the role of the recovery control device 1.
  • step 42 the next step can occur much later, at a point in time when access to the user account is to be recovered.
  • In a trigger access recovery step 44, the recovery control device 1 triggers an access recovery. This can be based on the user requesting the recovery, in a similar way to a ‘lost password’ action.
  • access recovery messages are transmitted (e.g. by the recovery control device 1 or by another entity by request from the recovery control device 1) to the recovery devices 4a-g.
  • the threshold number of the plurality of partial secret keys 10a-g are required to be applied in the threshold cryptography scheme 11.
  • Each recovery device 4a-g can prompt the user of that device whether to apply its partial secret key 10a-g, which the user can then approve, optionally after a separate authentication of the user of the respective device 4a-g.
  • the threshold number can be less than the plurality of partial secret keys 10a-g, whereby not all of the recovery devices 4a-g need to apply their respective partial secret keys 10a-g, as this might not be possible (e.g. if somebody has lost or lost access to their recovery device 4a-g or that person is not available at the time).
  • the threshold number is equal to or greater than two. This ensures that no single recovery device can be used to recover the user account, which could otherwise pose a security risk.
  • the device verifying the user access checks against the public key and approves access to the user account. It is to be noted that the public key verification can be performed identically to traditional (non-threshold) asymmetric cryptography.
  • Figs 4A-D are schematic diagrams illustrating embodiments of where the recovery control device 1 can be implemented.
  • In Fig 4A, the recovery control device 1 is shown as implemented in the user device 2.
  • the user device 2 is thus the host device for the recovery control device 1 in this implementation.
  • In Fig 4B, the recovery control device 1 is shown as implemented in a server 3, such as an application server for providing a web service or supporting an app.
  • the server 3 is thus the host device for the recovery control device 1 in this implementation.
  • In Fig 4C, the recovery control device 1 is shown as implemented in a recovery device 4, e.g. one of the recovery devices illustrated in Fig 1.
  • the recovery device 4 is thus the host device for the recovery control device 1 in this implementation.
  • Fig 5 is a schematic diagram illustrating components of the recovery control device 1 of Fig 1 and Figs 4A-D. It is to be noted that when the recovery control device 1 is implemented in a host device, one or more of the mentioned components can be shared with the host device.
  • a processor 60 is provided using any combination of one or more of a suitable central processing unit (CPU), graphics processing unit (GPU), multiprocessor, microcontroller, digital signal processor (DSP), etc., capable of executing software instructions 67 stored in a memory 64, which can thus be a computer program product.
  • the processor 60 could alternatively be implemented using an application specific integrated circuit (ASIC), field programmable gate array (FPGA), etc.
  • the processor 60 can be configured to execute the method described with reference to Fig 4 above.
  • Fig 6 shows one example of a computer program product 90 comprising computer readable means.
  • a computer program 91 can be stored, which computer program can cause a processor to execute a method according to embodiments described herein.
  • the computer program product is in the form of a removable solid-state memory, e.g. a Universal Serial Bus (USB) drive.
  • the computer program product could also be embodied in a memory of a device, such as the computer program product 64 of Fig 5.
  • While the computer program 91 is here schematically shown as a section of the removable solid-state memory, the computer program can be stored in any way which is suitable for the computer program product, such as another type of removable solid-state memory, or an optical disc, such as a CD (compact disc), a DVD (digital versatile disc) or a Blu-Ray disc.

Abstract

It is provided a method for recovering access to a user account, the method being performed by a recovery control device (1). The method comprises: triggering (40) generation of a plurality of partial secret keys (10a-g) by respective recovery devices (4a-g), the plurality of partial secret keys forming part of a threshold cryptography scheme (11) associated with a public key (12), wherein the threshold cryptography scheme (11) is associated with the user account; providing (42) the public key (12) to an access verification device (2, 3); and triggering (44) an access recovery, whereby access recovery messages are transmitted to the recovery devices (4a-g), wherein a threshold number of the plurality of partial secret keys (10a-g) are required to be applied in the threshold cryptography scheme (11) for recovering access to the user account.

Description

RECOVERING ACCESS TO A USER ACCOUNT
TECHNICAL FIELD
[0001] The present disclosure relates to the field of recovering access to a user account and in particular to recovering access to a user account using a threshold cryptography scheme.
BACKGROUND
[0002] Almost every person today has access to electronic devices with login accounts. Sometimes, the passcode or password for a device is lost or forgotten. To regain access, reset links can often be sent to a pre-registered e-mail address. But the user may have lost access also to the pre-registered e-mail address. Services often then apply the use of previously answered personal questions, such as “what was your mother’s maiden name?”, “who was your favourite teacher in primary school?” or “what was the name of your first pet?”. This poses another problem, since there are often multiple questions to answer, and while your mother’s maiden name may be remembered, the favourite teacher might not be so conclusively remembered, or you may not remember if you originally counted your goldfish as a five-year-old as your first pet or the dog that your family got when you were eight years old. These problems are only aggravated by the fact that often years have passed since the account was opened and these validation questions were first answered.
[0003] Recovering access to a user account without having access to a specific e-mail address or needing to remember the answers to detailed questions is thus a real problem.
SUMMARY
[0004] One object is to provide a more convenient yet secure way to regain access to a user account.
[0005] According to a first aspect, it is provided a method for recovering access to a user account, the method being performed by a recovery control device. The method comprises: triggering generation of a plurality of partial secret keys by respective recovery devices, the plurality of partial secret keys forming part of a threshold cryptography scheme associated with a public key, wherein the threshold cryptography scheme is associated with the user account; providing the public key to an access verification device; and triggering an access recovery, whereby access recovery messages are transmitted to the recovery devices, wherein a threshold number of the plurality of partial secret keys are required to be applied in the threshold cryptography scheme for recovering access to the user account.
[0006] The threshold number may be less than the plurality of partial secret keys.
[0007] The threshold number may be equal to or greater than two.
[0008] The threshold cryptography scheme may be based on an Elliptic Curve Digital Signature Algorithm, ECDSA.
[0009] According to a second aspect, it is provided a recovery control device for recovering access to a user account. The recovery control device comprises: a processor; and a memory storing instructions that, when executed by the processor, cause the recovery control device to: trigger generation of a plurality of partial secret keys by respective recovery devices, the plurality of partial secret keys forming part of a threshold cryptography scheme associated with a public key, wherein the threshold cryptography scheme is associated with the user account; provide the public key to an access verification device; and trigger an access recovery, whereby access recovery messages are transmitted to the recovery devices, wherein a threshold number of the plurality of partial secret keys are required to be applied in the threshold cryptography scheme for recovering access to the user account.
[0010] The threshold number may be less than the plurality of partial secret keys.
[0011] The threshold number may be equal to or greater than two.
[0012] The threshold cryptography scheme may be based on an Elliptic Curve Digital Signature Algorithm, ECDSA.
[0013] According to a third aspect, it is provided a computer program for recovering access to a user account. The computer program comprises computer program code which, when executed on a recovery control device causes the recovery control device to: trigger generation of a plurality of partial secret keys by respective recovery devices, the plurality of partial secret keys forming part of a threshold cryptography scheme associated with a public key, wherein the threshold cryptography scheme is associated with the user account; provide the public key to an access verification device; and trigger an access recovery, whereby access recovery messages are transmitted to the recovery devices, wherein a threshold number of the plurality of partial secret keys are required to be applied in the threshold cryptography scheme for recovering access to the user account.
[0014] According to a fourth aspect, it is provided a computer program product comprising a computer program according to the third aspect and a computer readable means comprising non-transitory memory in which the computer program is stored.
[0015] Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein. All references to "a/an/the element, apparatus, component, means, step, etc." are to be interpreted openly as referring to at least one instance of the element, apparatus, component, means, step, etc., unless explicitly stated otherwise. The steps of any method disclosed herein do not have to be performed in the exact order disclosed, unless explicitly stated.
BRIEF DESCRIPTION OF THE DRAWINGS
[0016] Aspects and embodiments are now described, by way of example, with reference to the accompanying drawings, in which:
[0017] Fig 1 is a schematic diagram illustrating an environment in which embodiments presented herein can be applied;
[0018] Fig 2 is a schematic diagram illustrating the concept of threshold cryptography;
[0019] Fig 3 is a flow chart illustrating embodiments of methods for recovering access to a user account;
[0020] Figs 4A-D are schematic diagrams illustrating embodiments of where the recovery control device can be implemented;
[0021] Fig 5 is a schematic diagram illustrating components of the recovery control device 1 of Fig 1 and Figs 4A-D; and
[0022] Fig 6 shows one example of a computer program product comprising computer readable means.
DETAILED DESCRIPTION
[0023] The aspects of the present disclosure will now be described more fully hereinafter with reference to the accompanying drawings, in which certain embodiments of the invention are shown. These aspects may, however, be embodied in many different forms and should not be construed as limiting; rather, these embodiments are provided by way of example so that this disclosure will be thorough and complete, and to fully convey the scope of all aspects of invention to those skilled in the art. Like numbers refer to like elements throughout the description.
[0024] Embodiments presented herein allow recovery of a user account based on threshold cryptography. As explained in more detail below, the use of threshold cryptography enables authorisation of an action based on any t number of n partial secret keys being applied. To set this up (prior to the credentials for the user account being lost), n trusted recovery devices generate their respective partial secret keys. For recovery of the credentials, any t out of the n trusted recovery devices need to apply their partial signature. For instance, 3 out of 5 trusted recovery devices can apply their signature for recovery of a user account e.g. for accessing a smartphone when the passcode has been lost. The trusted recovery devices can e.g. be other devices of the user and/or devices of family members or trusted friends.
[0025] Fig 1 is a schematic diagram illustrating an environment in which embodiments presented herein can be applied. A user device 2 of a user 5 can be any suitable electronic device, e.g. a smartphone, mobile phone, wearable device, tablet computer, laptop computer, desktop computer, etc.
[0026] The user device 2 is connected to a communication network 7, such as the Internet. There are also a number of at least partly trusted recovery devices 4a-g. The recovery devices can be under control of the user 5 and/or can be devices of friends or family of the user 5. The recovery devices 4a-g can be any type of electronic device, e.g. smartphones, computers, wearable devices, IoT (Internet of Things) devices, such as home speakers, light bulbs, sensors, fridge, etc.
[0027] A recovery control device 1 is used to allow the user 5 to regain access to a user account, e.g. for accessing the user device 2 or a service provided by a server 3 (e.g. as a web service or an app-based service). The access to the user account could have been lost e.g. if a credential, such as a passcode or password, is lost by the user or if the user 5 passes away and surviving family members need access to the user account. Prior to the credential being lost, the user 5 initiates the recovery possibility, which causes a recovery threshold cryptography scheme to be set up and the partial secret keys 10a-g to be generated, respectively, by each one of the recovery devices 4a-g. A public key 12 of the threshold cryptography scheme is provided to the recovery control device 1. The recovery control device 1 can also be a recovery device itself.
[0028] As explained in more detail below, if the user 5 subsequently loses access to the user account (e.g. by losing the passcode for accessing the user device 2), access can be recovered if a predetermined number of the recovery devices 4a-g apply their respective partial secret keys, which can be verified against the public key 12 in the recovery control device 1, resulting in access being granted to the user account. At that point, a new everyday authentication can be selected, e.g. based on biometrics or passcode / password.
[0029] Fig 2 is a schematic diagram illustrating the concept of threshold cryptography, which is employed by embodiments presented herein.
[0030] Starting with a summary of traditional asymmetric cryptography, there is a key pair consisting of a public key and a secret key. The public key is associated with an entity or user and is shared publicly. The secret key is coupled to the public key, but the secret key is kept secret. Using the secret key, a user device can perform a cryptographic operation, e.g. cryptographic signing or decryption, which can be used to gain access to a user account.
[0031] A development in asymmetric cryptography, from its original key pair of a secret key and a public key, is threshold cryptography. In threshold cryptography, there is still a single public key 12, but cryptographic operations are achieved by a threshold number of associated partial secret keys 10a-g for respective entities. Jointly, the group of entities computes and communicates to generate the set of partial secret keys and the associated public key. Each entity its partial secret key. It is to be noted that each partial secret key is secret and is only known to the entity itself. There is no need for this partial secret key to be exposed to any other entity, not even in the key creation phase. Hence, there is no need for a central authority that distributes these partial secret keys.
[0032] The threshold condition can be expressed as (t, n), where n denotes the number of available partial secret keys and t denotes the number of partial secret keys that are needed to perform a cryptographic operation (e.g. signing or decryption) corresponding to the (single) public key. For instance, in correspondence with the example of Fig 2, a (3, 7) threshold cryptography scheme requires that at least 3 out of 7 associated partial secret keys 10a-g are applied to perform the cryptographic operation. When at least the threshold number of partial secret keys are applied, this cryptographic operation, that is secured by the threshold cryptography scheme 11, is performed. It does not matter which ones of the partial secret keys are applied, as long as at least the threshold number of partial secret keys are applied. The threshold cryptography scheme is defined when the partial secret keys are generated.
[0033] Optionally, the partial secret keys can be refreshed. This can be done to limit the lifetime of the partial secret keys (which makes it even harder for an attacker who needs to compromise at least t parties within a time window defined by the lifetime). The refresh can also be performed to consolidate the partial secret keys. For instance, if an entity holding a partial secret key is lost, it makes sense to regenerate the partial secret keys, now for the remaining entities of the group. It is to be noted that the refresh does not affect the public key - the same public key that was used prior to the refresh can be used after the refresh. Again, the refresh is performed without sharing any of the partial secret keys while doing the collaborative refresh computation, e.g. based on multi-party computation, known in the art per se, see the Wikipedia article https://en.wikipedia.org/wiki/Secure_multi-party_computation available at the time that this patent application is filed.
[0034] Using threshold cryptography, a compromise of a single device never leads to a compromise of the whole threshold cryptography scheme, significantly increasing security.
[0035] Threshold cryptography can e.g. be implemented using an Elliptic Curve Digital Signature Algorithm (ECDSA). An example implementation is the Binance implementation, available at https://github.com/binance-chain/tss-lib at the time of filing of this patent application.
[0036] Fig 3 is a flow chart illustrating embodiments of methods for recovering access to a user account. The method is performed by a recovery control device 1.
[0037] In a trigger generation of partial secret keys step 40, the recovery control device 1 triggers generation of a plurality of partial secret keys 10a-g by respective recovery devices 4a-g. In other words, there is no central generation of the partial secret keys - such generation only occurs in each one of the recovery devices 4a-g. In this way, no single entity ever needs to be in possession of any more than a single partial secret key, significantly reducing vulnerability of any single entity. The plurality of partial secret keys form part of a threshold cryptography scheme 11 associated with a public key 12. It is to be noted that the coordination does not require any hierarchical relationship; the coordination can imply that the recovery control device participates in the generation of the partial secret keys along with the recovery devices 4a-g. The threshold cryptography scheme 11, and thus also the public key 12, are both associated with the user account. As explained above, the recovery devices 4a-g can be devices of the user (of the user account) and/or devices belonging to family or trusted friends.
[0038] As explained above, the threshold cryptography scheme 11 can e.g. be based on an Elliptic Curve Digital Signature Algorithm (ECDSA).
[0039] In a provide public key step 42, the recovery control device 1 provides the public key 12 to an access verification device 1, 2, 3. The access verification device can be the device that verifies access normally, and can be e.g. the user device 2, an application server 3 or it could also be combined with the role of the recovery control device 1.
[0040] After step 42, the next step can occur much later, at a point in time when access to the user account is to be recovered.
[0041] In a trigger access recovery step 44, the recovery control device 1 triggers an access recovery. This can be based on the user requesting the recovery, in a similar way to a ‘lost password’ action. When the access recovery is triggered, access recovery messages are transmitted (e.g. by the recovery control device 1 or by another entity by request from the recovery control device 1) to the recovery devices 4a-g. In order to recover access to the user account, the threshold number of the plurality of partial secret keys 10a-g are required to be applied in the threshold cryptography scheme 11. Each recovery device 4a-g can prompt the user of that device whether to apply its partial secret key 10a-g, which the user can then approve, optionally after a separate authentication of the user of the respective device 4a-g.
[0042] The threshold number can be less than the plurality of partial secret keys 10a-g, whereby not all of the recovery devices 4a-g need to apply their respective partial secret keys 10a-g, as this might not be possible (e.g. if somebody has lost or lost access to their recovery device 4a-g or that person is not available at the time). The threshold number is equal to or greater than two. This ensures that no single recovery device can be used to recover the user account, which could otherwise pose a security risk.
[0043] When the threshold number of the plurality of partial secret keys 10a-g have been applied, the device verifying the user access checks against the public key and approves access to the user account. It is to be noted that the public key verification can be performed identically to traditional (non-threshold) asymmetric cryptography.
[0044] Using the embodiments presented herein a convenient and secure solution is provided for recovering access to a user account, e.g. if the user loses the credential to the device or the user passes away.
[0045] A secure way to recover an account is thus provided where no details need to be remembered by the user other than what devices, or what family members or friends, have been given the partial secret keys.
[0046] Figs 4A-D are schematic diagrams illustrating embodiments of where the recovery control device 1 can be implemented.
[0047] In Fig 4A, the recovery control device 1 is shown as implemented in the user device 2. The user device 2 is thus the host device for the recovery control device 1 in this implementation.
[0048] In Fig 4B, the recovery control device 1 is shown as implemented in a server 3, such as an application server for providing a web service or supporting an app. The server 3 is thus the host device for the recovery control device 1 in this implementation.
[0049] In Fig 4C, the recovery control device 1 is shown as implemented in a recovery device 4, e.g. one of the recovery devices illustrated in Fig 1. The recovery device 4 is thus the host device for the recovery control device 1 in this implementation.
[0050] In Fig 4D, the recovery control device 1 is shown as implemented as a standalone device. The recovery control device 1 thus does not have a host device in this implementation.
[0051] Fig 5 is a schematic diagram illustrating components of the recovery control device 1 of Fig 1 and Figs 4A-D. It is to be noted that when the recovery control device 1 is implemented in a host device, one or more of the mentioned components can be shared with the host device. A processor 60 is provided using any combination of one or more of a suitable central processing unit (CPU), graphics processing unit (GPU), multiprocessor, microcontroller, digital signal processor (DSP), etc., capable of executing software instructions 67 stored in a memory 64, which can thus be a computer program product. The processor 60 could alternatively be implemented using an application specific integrated circuit (ASIC), field programmable gate array (FPGA), etc. The processor 60 can be configured to execute the method described with reference to Fig 4 above.
[0052] The memory 64 can be any combination of random-access memory (RAM) and/or read-only memory (ROM). The memory 64 also comprises non-transitory persistent storage, which, for example, can be any single one or combination of magnetic memory, optical memory, solid-state memory or even remotely mounted memory.
[0053] A data memory 66 is also provided for reading and/or storing data during execution of software instructions in the processor 60. The data memory 66 can be any combination of RAM and/or ROM.
[0054] The recovery control device 1 further comprises an I/O interface 62 for communicating with external and/or internal entities.
[0055] Other components of the recovery control device 1 are omitted in order not to obscure the concepts presented herein.
[0056] Fig 6 shows one example of a computer program product 90 comprising computer readable means. On this computer readable means, a computer program 91 can be stored, which computer program can cause a processor to execute a method according to embodiments described herein. In this example, the computer program product is in the form of a removable solid-state memory, e.g. a Universal Serial Bus (USB) drive. As explained above, the computer program product could also be embodied in a memory of a device, such as the computer program product 64 of Fig 5. While the computer program 91 is here schematically shown as a section of the removable solid-state memory, the computer program can be stored in any way which is suitable for the computer program product, such as another type of removable solid-state memory, or an optical disc, such as a CD (compact disc), a DVD (digital versatile disc) or a Blu-Ray disc.
[0057] The aspects of the present disclosure have mainly been described above with reference to a few embodiments. However, as is readily appreciated by a person skilled in the art, other embodiments than the ones disclosed above are equally possible within the scope of the invention, as defined by the appended patent claims. Thus, while various aspects and embodiments have been disclosed herein, other aspects and embodiments will be apparent to those skilled in the art. The various aspects and embodiments disclosed herein are for purposes of illustration and are not intended to be limiting, with the true scope and spirit being indicated by the following claims.

Claims

1. A method for recovering access to a user account, the method being performed by a recovery control device (1), the method comprising: triggering (40) generation of a plurality of partial secret keys (10a-g) by respective recovery devices (4a-g), the plurality of partial secret keys forming part of a threshold cryptography scheme (11) associated with a public key (12), wherein the threshold cryptography scheme (11) is associated with the user account; providing (42) the public key (12) to an access verification device (2, 3); and triggering (44) an access recovery, whereby access recovery messages are transmitted to the recovery devices (4a-g), wherein a threshold number of the plurality of partial secret keys (10a-g) are required to be applied in the threshold cryptography scheme (11) for recovering access to the user account.
2. The method according to claim 1, wherein the threshold number is less than the plurality of partial secret keys (10a-g).
3. The method according to claim 1 or 2, wherein the threshold number is equal to or greater than two.
4. The method according to any one of the preceding claims, wherein the threshold cryptography scheme (11) is based on an Elliptic Curve Digital Signature Algorithm, ECDSA.
5. A recovery control device (1) for recovering access to a user account, the recovery control device (1) comprising: a processor (60); and a memory (64) storing instructions (67) that, when executed by the processor, cause the recovery control device (1) to: trigger generation of a plurality of partial secret keys (10a-g) by respective recovery devices (4a-g), the plurality of partial secret keys forming part of a threshold cryptography scheme (11) associated with a public key (12), wherein the threshold cryptography scheme (11) is associated with the user account; provide the public key (12) to an access verification device (2, 3); and trigger an access recovery, whereby access recovery messages are transmitted to the recovery devices (4a-g), wherein a threshold number of the plurality of partial secret keys (10a-g) are required to be applied in the threshold cryptography scheme (11) for recovering access to the user account.
6. The recovery control device (1) according to claim 5, wherein the threshold number is less than the plurality of partial secret keys (10a-g).
7. The recovery control device (1) according to claim 5 or 6, wherein the threshold number is equal to or greater than two.
8. The recovery control device (1) according to any one of claims 5 to 7, wherein the threshold cryptography scheme (11) is based on an Elliptic Curve Digital Signature Algorithm, ECDSA.
9. A computer program (67, 91) for recovering access to a user account, the computer program comprising computer program code which, when executed on a recovery control device (1) causes the recovery control device (1) to: trigger generation of a plurality of partial secret keys (10a-g) by respective recovery devices (4a-g), the plurality of partial secret keys forming part of a threshold cryptography scheme (11) associated with a public key (12), wherein the threshold cryptography scheme (11) is associated with the user account; provide the public key (12) to an access verification device (2, 3); and trigger an access recovery, whereby access recovery messages are transmitted to the recovery devices (4a-g), wherein a threshold number of the plurality of partial secret keys (10a-g) are required to be applied in the threshold cryptography scheme (11) for recovering access to the user account.
10. A computer program product (64, 90) comprising a computer program according to claim 9 and a computer readable means comprising non-transitory memory in which the computer program is stored.
PCT/EP2022/079993 2021-10-26 2022-10-26 Recovering access to a user account WO2023073050A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SE2151305-6 2021-10-26
SE2151305A SE2151305A1 (en) 2021-10-26 2021-10-26 Recovering access to a user account

Publications (1)

Publication Number Publication Date
WO2023073050A1 true WO2023073050A1 (en) 2023-05-04

Family

ID=84359578

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2022/079993 WO2023073050A1 (en) 2021-10-26 2022-10-26 Recovering access to a user account

Country Status (2)

Country Link
SE (1) SE2151305A1 (en)
WO (1) WO2023073050A1 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11057210B1 (en) * 2015-09-30 2021-07-06 Apple Inc. Distribution and recovery of a user secret

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6829356B1 (en) * 1999-06-29 2004-12-07 Verisign, Inc. Server-assisted regeneration of a strong secret from a weak secret
US7359507B2 (en) * 2000-03-10 2008-04-15 Rsa Security Inc. Server-assisted regeneration of a strong secret from a weak secret
US9455968B1 (en) * 2014-12-19 2016-09-27 Emc Corporation Protection of a secret on a mobile device using a secret-splitting technique with a fixed user share
GB201709367D0 (en) * 2017-06-13 2017-07-26 Nchain Holdings Ltd Computer-implemented system and method
US11316668B2 (en) * 2018-11-16 2022-04-26 Safetech Bv Methods and systems for cryptographic private key management for secure multiparty storage and transfer of information
CN112054898B (en) * 2020-08-27 2022-10-25 中信银行股份有限公司 User private key backup and recovery method and device and electronic equipment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
GENNARO ROSARIO ROSARIO@CS CCNY CUNY EDU ET AL: "Fast Multiparty Threshold ECDSA with Fast Trustless Setup", PROCEEDINGS OF THE 2018 IEEE/ACM INTERNATIONAL CONFERENCE ON CONNECTED HEALTH: APPLICATIONS, SYSTEMS AND ENGINEERING TECHNOLOGIES, ACMPUB27, NEW YORK, NY, USA, 15 October 2018 (2018-10-15), pages 1179 - 1194, XP058701173, ISBN: 978-1-4503-6120-0, DOI: 10.1145/3243734.3243859 *
TILLEM G ET AL: "Threshold Signatures using Secure Multiparty Computation", 11 December 2020 (2020-12-11), pages 1 - 10, XP055866119, Retrieved from the Internet <URL:https://www.ingwb.com/binaries/content/assets/insights/themes/distributed-ledger-technology/ing-releases-multiparty-threshold-signing-library-to-improve-customer-security/threshold-signatures-using-secure-multiparty-computation.pdf> [retrieved on 20211125] *

Also Published As

Publication number Publication date
SE2151305A1 (en) 2023-04-27

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22805900

Country of ref document: EP

Kind code of ref document: A1