WO2016019086A1 - System and method for authenticating a client to a device - Google Patents

System and method for authenticating a client to a device Download PDF

Info

Publication number
WO2016019086A1
WO2016019086A1 PCT/US2015/042783 US2015042783W WO2016019086A1 WO 2016019086 A1 WO2016019086 A1 WO 2016019086A1 US 2015042783 W US2015042783 W US 2015042783W WO 2016019086 A1 WO2016019086 A1 WO 2016019086A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
key
transaction
client
relying party
Prior art date
Application number
PCT/US2015/042783
Other languages
French (fr)
Inventor
Rolf Lindemann
Original Assignee
Nok Nok Labs, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nok Nok Labs, Inc. filed Critical Nok Nok Labs, Inc.
Priority to KR1020177003444A priority Critical patent/KR102358546B1/en
Priority to EP15826364.0A priority patent/EP3175414B1/en
Priority to JP2017505504A priority patent/JP6648110B2/en
Priority to CN201580041803.4A priority patent/CN106575416B/en
Publication of WO2016019086A1 publication Critical patent/WO2016019086A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/32User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/40User authentication by quorum, i.e. whereby two or more security principals are required
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates

Definitions

  • This invention relates generally to the field of data processing systems. More particularly, the invention relates to a system and method for authenticating a client to a device such as an offline device or a device having limited connectivity to a relying party.
  • Figure 1 illustrates an exemplary client 120 with a biometric device 100.
  • a biometric sensor 102 When operated normally, a biometric sensor 102 reads raw biometric data from the user (e.g., capture the user's fingerprint, record the user's voice, snap a photo of the user, etc) and a feature extraction module 103 extracts specified characteristics of the raw biometric data (e.g., focusing on certain regions of the fingerprint, certain facial features, etc).
  • a matcher module 104 compares the extracted features 133 with biometric reference data 1 10 stored in a secure storage on the client 120 and generates a score 153 based on the similarity between the extracted features and the biometric reference data 1 10.
  • the biometric reference data 1 10 is typically the result of an enrollment process in which the user enrolls a fingerprint, voice sample, image or other biometric data with the device 100.
  • An application 105 may then use the score 135 to determine whether the authentication was successful (e.g., if the score is above a certain specified threshold).
  • Patent Application No. 201 1/0082801 (“'801 Application”) describes a framework for user registration and authentication on a network which provides strong authentication (e.g., protection against identity theft and phishing), secure transactions (e.g., protection against "malware in the browser” and “man in the middle” attacks for transactions), and enrollment/management of client authentication tokens (e.g., fingerprint readers, facial recognition devices, smartcards, trusted platform modules, etc).
  • the Co-Pending Applications describe authentication techniques in which a user enrolls with biometric devices of a client to generate biometric template data (e.g., by swiping a finger, snapping a picture, recording a voice, etc); registers the biometric devices with one or more servers over a network (e.g., Websites or other relying parties equipped with secure transaction services as described in the Co- Pending Applications); and subsequently authenticates with those servers using data exchanged during the registration process (e.g., encryption keys provisioned into the biometric devices). Once authenticated, the user is permitted to perform one or more online transactions with a Website or other relying party.
  • biometric template data e.g., by swiping a finger, snapping a picture, recording a voice, etc
  • servers e.g., Websites or other relying parties equipped with secure transaction services as described in the Co- Pending Applications
  • data exchanged during the registration process e.g., encryption keys provisioned into the biometric devices.
  • sensitive information such as fingerprint data and other data which can be used to uniquely identify the user, may be retained locally on the user's client device (e.g., smartphone, notebook computer, etc) to protect a user's privacy.
  • client device e.g., smartphone, notebook computer, etc
  • FIG. 1 illustrates an exemplary client device having biometric
  • FIGS. 2A-B illustrate two different embodiments of a secure authentication system architecture
  • FIG. 2C illustrates a transaction diagram showing how keys may be registered into authentication devices
  • FIGS. 3A-B illustrates embodiments for secure transaction confirmation using a secure display
  • FIG. 4 illustrate one embodiment of the invention for performing authentication for a transaction with a device without established relation
  • FIGS. 5A-B are transaction diagrams showing two different embodiments for performing authentication for a transaction
  • FIG. 6 illustrates additional architectural features employed in one embodiment of the invention
  • FIGS. 7-8 illustrate different embodiments of bearer tokens employed in different embodiments of the invention.
  • FIG. 9 illustrates exemplary "offline” and "semi-offline” authentication scenarios
  • FIG. 10 illustrates an exemplary system architecture for clients and/or servers
  • FIG. 11 illustrates another exemplary system architecture for clients and/or servers.
  • the embodiments of the invention discussed below involve client devices with authentication capabilities such as biometric devices or PIN entry. These devices are sometimes referred to herein as “tokens,” “authentication devices,” or “authenticators.” While certain embodiments focus on facial recognition hardware/software (e.g., a camera and associated software for recognizing a user's face and tracking a user's eye movement), some embodiments may utilize additional biometric devices including, for example, fingerprint sensors, voice recognition hardware/software (e.g., a microphone and associated software for recognizing a user's voice), and optical recognition capabilities (e.g., an optical scanner and associated software for scanning the retina of a user). The authentication capabilities may also include non-biometric devices such as trusted platform modules (TPMs) and smartcards.
  • TPMs trusted platform modules
  • the biometric device may be remote from the relying party.
  • the term "remote" means that the biometric sensor is not part of the security boundary of the computer it is communicatively coupled to (e.g., it is not embedded into the same physical enclosure as the relying party computer).
  • the biometric device may be coupled to the relying party via a network (e.g., the Internet, a wireless network link, etc) or via a peripheral input such as a USB port.
  • the relying party may know if the device is one which is authorized by the relying party (e.g., one which provides an acceptable level of authentication and integrity protection) and/or whether a hacker has compromised the biometric device. Confidence in the biometric device depends on the particular implementation of the device.
  • the authentication techniques employed to authenticate the user may involve non-location components such as communication over a network with remote servers and/or other data processing devices.
  • non-location components such as communication over a network with remote servers and/or other data processing devices.
  • specific embodiments are described herein (such as an ATM and retail location) it should be noted that the underlying principles of the invention may be implemented within the context of any system in which a transaction is initiated locally or remotely by an end user.
  • the term "relying party" is sometimes used herein to refer, not merely to the entity with which a user transaction is attempted (e.g., a Website or online service performing user transactions), but also to the secure transaction servers implemented on behalf of that entity which may performed the underlying authentication techniques described herein.
  • the secure transaction servers which provided remote authentication capabilities may be owned and/or under the control of the relying party or may be under the control of a third party offering secure transaction services to the relying party as part of a business arrangement.
  • server is used herein to refer to software executed on a hardware platform (or across multiple hardware platforms) that receives requests over a network from a client, responsively performs one or more operations, and transmits a response to the client, typically including the results of the operations.
  • the server responds to client requests to provide, or help to provide, a network "service" to the clients.
  • a server is not limited to a single computer (e.g., a single hardware device for executing the server software) and may, in fact, be spread across multiple hardware platforms, potentially at multiple geographical locations.
  • the embodiments of the invention described herein include techniques for authenticating a user for a transaction initiated through a secure transaction device.
  • the transaction may be a withdrawal, transfer, or other user-initiated operation and the transaction device may be an automatic teller machine (ATM), point- of-sale (PoS) transaction device or other device capable of executing transactions on behalf of the user.
  • ATM automatic teller machine
  • PoS point- of-sale
  • the transaction may involve, for example, completing a payment to purchase goods or services at a retail store or other retail location equipped with the device, withdrawing funds via the device, performing maintenance on the device, or any other transaction for which user authentication is required.
  • One embodiment of the invention provides techniques for authenticating the user locally (i.e. verifying the user), even in circumstances where the device is offline (i.e., not connected to a back-end authentication server) or semi-offline (i.e., only periodically connected to a back-end authentication server).
  • the user's client device is provided with the ability to cache authentication requests generated by a back-end authentication server (e.g., operated on behalf of the relying party) and the device is provided with data needed to verify the authentication response transmitted from the user's client device to the device.
  • Figures 2A-B illustrate two embodiments of a system architecture comprising client-side and server-side components for remotely authenticating a user.
  • the embodiment shown in Figure 2A uses a browser plugin-based architecture for communicating with a website while the embodiment shown in Figure 2B does not require a browser.
  • the various authentication techniques and associated applications described herein may be implemented on either of these system architectures.
  • the authentication engines within client devices described herein may be implemented as part of the secure transaction service 201 including interface 202. It should be noted, however, that the embodiments described above may be implemented using logical arrangements of hardware and software other than those shown in
  • the illustrated embodiment includes a client 200 equipped with one or more authentication devices 210-212 for enrolling and
  • the authentication devices 210-212 may include biometric devices such as fingerprint sensors, voice recognition hardware/software (e.g., a microphone and associated software for recognizing a user's voice), facial recognition hardware/software (e.g., a camera and associated software for recognizing a user's face), and optical recognition capabilities (e.g., an optical scanner and associated software for scanning the retina of a user) and non-biometric devices such as a trusted platform modules (TPMs) and smartcards.
  • TPMs trusted platform modules
  • a user may enroll the biometric devices by providing biometric data (e.g., swiping a finger on the fingerprint device) which the secure transaction service 201 may store as biometric template data in secure storage 220 (via interface 202).
  • each authentication device 210-212 may have its own integrated secure storage. Additionally, each authentication device 210-212 may cryptographically protect the biometric reference data records (e.g., wrapping them using a symmetric key to make the storage 220 secure).
  • the authentication devices 210-212 are communicatively coupled to the client through an interface 202 (e.g., an application programming interface or API) exposed by a secure transaction service 201 .
  • the secure transaction service 201 is a secure application for communicating with one or more secure transaction servers 232-233 over a network and for interfacing with a secure transaction plugin 205 executed within the context of a web browser 204.
  • the Interface 202 may also provide secure access to a secure storage device 220 on the client 200 which stores
  • a device identification code such as an Authenticator Attestation ID (AAID)
  • user identification code such as an Authenticator Attestation ID (AAID)
  • user enrollment data e.g., scanned fingerprint or other biometric data
  • keys used to perform the secure authentication techniques described herein For example, as discussed in detail below, a unique key may be stored into each of the authentication devices and subsequently used when communicating to servers 230 over a network such as the Internet.
  • the secure transaction plugin 205 is initiated in response to specific HTML tags inserted into the HTML code of a web page by the web server 231 within the secure enterprise or Web destination 230 (sometimes simply referred to below as "server 230"). In response to detecting such a tag, the secure transaction plugin 205 may forward transactions to the secure transaction service 201 for processing. In addition, for certain types of transactions (e.g., such as secure key exchange) the secure transaction service 201 may open a direct communication channel with the on-premises transaction server 232 (i.e., co-located with the website) or with an off-premises transaction server 233.
  • the on-premises transaction server 232 i.e., co-located with the website
  • an off-premises transaction server 233 i.e., co-located with the website
  • the secure transaction servers 232-233 are coupled to a secure transaction database 240 for storing user data, authentication device data, keys and other secure information needed to support the secure authentication transactions described below. It should be noted, however, that the underlying principles of the invention do not require the separation of logical components within the secure enterprise or web destination 230 shown in Figure 2A.
  • the website 231 and the secure transaction servers 232-233 may be implemented within a single physical server or separate physical servers.
  • the website 231 and transaction servers 232-233 may be implemented within an integrated software module executed on one or more servers for performing the functions described below.
  • Figure 2B illustrates an alternate implementation in which a stand-alone application 254 utilizes the functionality provided by the secure transaction service 201 to authenticate a user over a network.
  • the application 254 is designed to establish communication sessions with one or more network services 251 which rely on the secure transaction servers 232-233 for performing the user/client authentication techniques described in detail below.
  • the secure transaction servers 232-233 may generate the keys which are then securely transmitted to the secure transaction service 201 and stored into the authentication devices within the secure storage 220. Additionally, the secure transaction servers 232-233 manage the secure transaction database 240 on the server side.
  • FIG. 2C illustrates a series of transactions for registering authentication devices.
  • a key is shared between the authentication device and one of the secure transaction servers 232-233.
  • the key is stored within the secure storage 220 of the client 200 and the secure transaction database 220 used by the secure transaction servers 232-233.
  • the key is a symmetric key generated by one of the secure transaction servers 232-233.
  • asymmetric keys may be used.
  • the public key may be stored by the secure transaction servers 232- 233 and a second, related private key may be stored in the secure storage 220 on the client.
  • the key(s) may be generated on the client 200 (e.g., by the authentication device or the authentication device interface rather than the secure transaction servers 232-233).
  • the underlying principles of the invention are not limited to any particular types of keys or manner of generating the keys.
  • a secure key provisioning protocol such as the Dynamic Symmetric Key Provisioning Protocol (DSKPP) may be used to share the key with the client over a secure communication channel (see, e.g., Request for Comments (RFC) 6063).
  • DSKPP Dynamic Symmetric Key Provisioning Protocol
  • the server 230 generates a randomly generated challenge (e.g., a cryptographic nonce) that must be presented by the client during device registration.
  • the random challenge may be valid for a limited period of time.
  • the secure transaction plugin detects the random challenge and forwards it to the secure transaction service 201 .
  • the secure transaction service initiates an out-of-band session with the server 230 (e.g., an out-of-band transaction) and communicates with the server 230 using the key provisioning protocol.
  • the server 230 locates the user with the user name, validates the random challenge, validates the device's attestation code (e.g., AAID) if one was sent, and creates a new entry in the secure transaction database 220 for the user. It may also generate the key or public/private key pair, write the key(s) to the database 220 and send the key(s) back to the secure transaction service 201 using the key provisioning protocol. Once complete, the authentication device and the server 230 share the same key if a symmetric key was used or different keys if asymmetric keys were used.
  • attestation code e.g., AAID
  • Figure 3A illustrates a secure transaction confirmation for a browser-based implementation. While a browser-based implementation is illustrated, the same basic principles may be implemented using a stand-alone application or mobile device app.
  • the secure transaction confirmation is designed to provide stronger security for certain types of transactions (e.g., financial transactions).
  • the user confirms each transaction prior to committing the transaction.
  • the user confirms exactly what he/she wants to commit and commits exactly what he/she sees displayed in a window 301 of the graphical user interface (GUI).
  • GUI graphical user interface
  • this embodiment ensures that the transaction text cannot be modified by a "man in the middle" (MITM) or "man in the browser” (MITB) to commit a transaction which the user did not confirm.
  • the secure transaction plugin 205 displays a window 301 in the browser context to show the transaction details.
  • the secure transaction server 201 periodically (e.g., with a random interval) verifies that the text that is shown in the window is not being tampered by anyone (e.g., by generating a hash/signature over the displayed text).
  • the authentication device has a trusted user interface (e.g. providing an API compliant to GlobalPlatform's TrustedUI).
  • a user chooses items for purchase from a merchant site and selects "check out.”
  • the merchant site sends the transaction to a service provide which has a secure transaction server 232-233 implementing one or more of the embodiments of the invention described herein (e.g., PayPal).
  • the merchant site authenticates the user and completes the transaction.
  • the secure transaction server 232-233 receives the transaction details (TD) and puts a "Secure Transaction" request in an HTML page and sends to client 200.
  • the Secure Transaction request includes the transaction details and a random challenge.
  • the secure transaction plugin 205 detects the request for transaction confirmation message and forwards all data to the secure transaction service 201 .
  • the information may be sent directly from the secure transaction servers to the secure transaction service on the client 200.
  • the secure transaction plugin 205 displays a window 301 with transaction details to the user (e.g. in a browser context) and asks the user to provide authentication to confirm the transaction.
  • the secure transaction plugin 205 displays a window 301 with transaction details to the user (e.g. in a browser context) and asks the user to provide authentication to confirm the transaction.
  • the secure transaction service 201 may display the window 301 .
  • the secure transaction service 201 starts a timer and verifies the content of the window 301 being displayed to the user. The period of verification may be randomly chosen.
  • the secure transaction service 201 ensures that user sees the valid transaction details in the window 301 (e.g., generating a hash on the details and verifying that the contents are accurate by comparing against a hash of the correct contents). If it detects that the content has been tampered with it prevents the confirmation token/signature from being generated.
  • the authentication device verifies the user and generates a cryptographic signature (sometimes referred to as a "token") with the transaction details and the random challenge (i.e., the signature is calculated over the transaction details and the nonce).
  • a cryptographic signature sometimes referred to as a "token”
  • the secure transaction service 201 sends the generated signature and username to the secure transaction plugin 205 which forwards the signature to the secure transaction server 232-233.
  • the secure transaction server 232-233 identifies the user with the username and verifies the signature. If verification succeeds, a confirmation message is sent to the client and the transaction is processed.
  • One embodiment of the invention implements a query policy in which a secure transaction server transmits a server policy to the client indicating the
  • the client then analyzes the server policy to identify a subset of authentication capabilities which it supports and/or which the user has indicated a desire to use. The client then registers and/or authenticates the user using the subset of authentication tokens matching the provided policy.
  • the client may include numerous user verification capabilities such as a fingerprint sensor, voice recognition capabilities, facial recognition capabilities, eye/optical recognition capabilities, PIN verification, to name a few.
  • the secure transaction server may transmit a server policy to the client indicating that it supports, for example, fingerprint, optical, or smartcard authentication. The client may then compare the server policy against its own authentication capabilities and choose one or more of the available authentication options.
  • One embodiment of the invention employs transaction signing on the secure transaction server so that no transaction state needs to be maintained on the server to maintain sessions with clients.
  • transaction details such as transaction text displayed within the window 301 may be sent to the client signed by the server.
  • the server may then verify that the signed transaction responses received by the client are valid by verifying the signature.
  • the server does not need to persistently store the transaction content, which would consume a significant amount of storage space for a large number of clients and would open possibility for denial of service type attacks on server.
  • Figure 3B shows a website or other network service 31 1 initiating a transaction with a client 200.
  • the user may have selected items for purchase on the website and may be ready to check out and pay.
  • the website or service 31 1 hands off the transaction to a secure transaction server 312 which includes signature processing logic 313 for generating and verifying signatures (as described herein) and authentication logic for performing client authentication 314 (e.g., using the
  • the authentication request sent from the secure transaction server 312 to the client 200 includes the random challenge such as a cryptographic nonce (as described above), the transaction details (e.g., the specific text presented to complete the transaction), and a signature generated by the signature processing logic 313 over the random challenge and the transaction details using a private key (known only by the secure transaction server).
  • the random challenge such as a cryptographic nonce (as described above)
  • the transaction details e.g., the specific text presented to complete the transaction
  • a signature generated by the signature processing logic 313 over the random challenge and the transaction details using a private key (known only by the secure transaction server).
  • the user may receive an indication that user verification is required to complete the transaction.
  • the user may, for example, swipe a finger across a fingerprint scanner, snap a picture, speak into a microphone, or perform any other type of authentication permitted for the given transaction.
  • the client transmits the following back to the server: (1 ) the random challenge and transaction text (both previously provided to the client by the server), (2) authentication data proving that the user successfully completed
  • the authentication module 314 on the secure transaction server 312 may then confirm that the user has correctly authenticated and the signature processing logic 313 re-generates the signature over the random challenge and the transaction text using the private key. If the signature matches the one sent by the client, then the server can verify that the transaction text is the same as it was when initially received from the website or service 31 1 . Storage and processing resources are conserved because the secure transaction server 312 is not required to persistently store the transaction text (or other transaction data) within the secure transaction database 120.
  • one embodiment of the invention includes techniques for authenticating the user locally (i.e. verifying the user), even in circumstances where the user device and device are offline (i.e., not connected to a back-end authentication server of a relying party) or semi-offline (i.e., where the user device is not connected to the relying party, but the device is).
  • Figure 4 illustrates one such arrangement in which a client 400 with authentication devices previously registered with a relying party 451 establishes a secure channel with a transaction device 450 to complete a transaction.
  • the transaction device may be an ATM, point-of- sale (PoS) transaction device at a retail location, Internet of Things (loT) device, or any other device capable of establishing a channel with the client 400 and allowing the user to perform a transaction.
  • the channel may be implemented using any wireless communication protocol including, by way of example and not limitation, near field communications (NFC) and Bluetooth (e.g., Bluetooth Low Energy (BTLE) as set forth in the Bluetooth Core Specification Version 4.0).
  • NFC near field communications
  • Bluetooth e.g., Bluetooth Low Energy (BTLE) as set forth in the Bluetooth Core Specification Version 4.0
  • BTLE Bluetooth Low Energy
  • connection between the client 400 and the relying party 451 and/or the connection between the transaction device 450 and the relying party 451 may be sporadic or non-existent.
  • Real world applications in the area of payments often rely on such "off-line" use-cases.
  • a user with a client 400 e.g., a Smartphone
  • the client 400 and/or transaction device 450 do exchange some information with the relying party 451 (although not necessarily during the authentication or transaction confirmation process described herein).
  • PIN personal identification number
  • the device e.g. the PoS transaction device or ATM
  • the device would then create an online connection to the relying party in order to verify the secret or would ask the user's authenticator (e.g., EMV banking card) for verifying the PIN.
  • EMV banking card electronic medical record
  • the authentication techniques described herein provide significantly more flexibility in terms of user verification methods and security as they allow the user to rely on his/her own client's authentication capabilities.
  • a mobile application on the user's client caches authentication requests provided by the relying party during a time when the client is connected to the relying party.
  • the authentication requests may include the same (or similar) information as the
  • the mobile application may cache multiple such connection requests (e.g., one for each transaction device or transaction device type).
  • the cached authentication requests may then be used for transactions with the transaction device, in circumstances where the client/mobile app is incapable of connecting with the relying party.
  • the mobile app triggers the creation of the authentication response based on the cached authentication request containing the serverData and additional data received from the transaction device.
  • the authentication response is then transmitted to the transaction device which then verifies the authentication response using a verification key provided from the relying party (e.g., during a time when the transaction device is connected with the relying party).
  • the transaction device may use the key provided by the relying party to verify the signature over the serverData included in the authentication response.
  • the signature is generated by the relying party using a private relying party verification key and the transaction device verifies the signature using a corresponding public relying party verification key (provided to the transaction device by the relying party).
  • the transaction device verifies the serverData extracted from the authentication response, it may then use the public key extracted from the
  • authentication request (e.g., Uauth.pub) to verify the authentication response generated by the client/mobile app (e.g., in the same or a similar manner to the verifications by the relying party described above, when the client is authenticating directly to the relying party).
  • the relying party provides the authentication request directly to the transaction device (rather than through the mobile app on the client device).
  • the transaction device may ask for the authentication request from the relying party upon receiving a request to complete a transaction from the mobile app on the client.
  • it may validate the request and the authentication response as described above (e.g., by generating a signature and comparing it to the existing signature).
  • Figure 5A is a transaction diagram showing interactions between the client 400, transaction device 450 and relying party in an embodiment in which the client 400 caches the authentication request.
  • This embodiment is sometimes referred to as the "full-offline" embodiment because it does not require the transaction device 450 to have an existing connection with the relying party.
  • the client requests a cacheable authentication request from the relying party.
  • the relying party generates the cacheable authentication request
  • the authentication request is sent to the client, and at 504 the client caches the authentication request.
  • the authentication request includes the public key associated with the authenticator to be used for authentication (Uauth.pub) and a signature generated using the relying party verification key (RPVerifyKey) over the public key and a random nonce. If asymmetric keys are used, then RPVerifyKey used by the relying party to generate the signature is a private key having a
  • the authentication request also includes timing information indicating the length of time for which the authentication request will be valid (e.g., MaxCacheTime).
  • authentication request may be generated over the combination of the public
  • the authentication response includes more than one authentication key (e.g., one for each authenticator capable of authenticating the user) and the signature may be generated over all of these keys (e.g., along with the nonce and the MaxCacheTime).
  • the public RPVerifyKey needs to be known the transaction device 450, or any device intended to perform offline verification of the authentication requests/responses. This extension is required because the transaction device does not have any knowledge about the authentication keys registered at the relying party (i.e.
  • the relying party must communicate to the transaction device (or other device), in a secure manner, which key(s) are to be used for authentication response verification.
  • the transaction device will verify the MaxCacheTime to determine whether the cached authentication request is still valid (to comply with the relying party's policy on how long the cached authentication request may be used).
  • the client establishes a secure connection to the transaction device and initiates a transaction.
  • the transaction device is a PoS transaction device
  • the transaction may involve a debit or credit transaction.
  • the transaction device is an ATM
  • the transaction may involve a cash withdrawal or a maintenance task.
  • the client may transmit the cached authentication request to the transaction device.
  • the transaction device may transmit device identity information (e.g., a transaction device identification code), a random challenge (nonce) and optionally transaction text in a defined syntax to complete the transaction.
  • device identity information e.g., a transaction device identification code
  • a random challenge e.g., a random challenge
  • optionally transaction text e.g., a transaction device identification code
  • the random challenge/nonce will then be cryptograph ically bound to the authentication response. This mechanism allows the device to verify that the user verification is fresh and hasn't been cached / reused.
  • the transaction device may be required to create a standardized, and human readable representation of the transaction.
  • Standardized as used herein means a format that can be parsed by the relying party (e.g. for final verification as indicated in operation 51 1 below) and/or the transaction device. It needs to be human readable because transaction confirmations require the authenticator to display it on the secure display of the client 400.
  • An example of such an encoding could be XML where XSLT is used for visualization.
  • an authentication user interface is displayed directing the user to perform authentication on the client using a particular authenticator (e.g., to swipe a finger on a fingerprint sensor, enter a PIN code, speak into a microphone, etc).
  • a particular authenticator e.g., to swipe a finger on a fingerprint sensor, enter a PIN code, speak into a microphone, etc.
  • the authentication engine on the client verifies the identity of the user (e.g., comparing the authentication data collected from the user with the user verification reference data stored in the secure storage of the authenticator) and uses the private key associated with the authentication device to encrypt and/or generate a signature over the random challenge (and also potentially the transaction device ID and/or the transaction text).
  • the authentication response is then transmitted to the transaction device at 508.
  • the transaction device uses the public RPVerifyKey to verify the signature on the serverData (received at 505) if it has not done so already.
  • the serverData knows the public key associated with the authenticator used to perform the authentication (Uauth.pub). It uses this key to verify the authentication response. For example, it may use the public authentication key to decrypt or verify the signature generated over the nonce and any other related information (e.g., the transaction text, the transaction device ID, etc).
  • transaction confirmation is performed by the transaction device, then it may verify the transaction text displayed on the client by validating the signature generated over the transaction text and included in the authentication response at 508.
  • the transaction device could also verify unsigned serverData using an online connection to the relying party - if this is available (semi-offline case).
  • a success or failure indication is sent to the client depending on whether authentication was successful or unsuccessful, respectively. If successful, the transaction device will permit the transaction (e.g., debiting/crediting an account to complete a purchase, dispensing cash, performing administrative task, etc). If not, it will disallow the transaction and/or request additional authentication.
  • the transaction device will permit the transaction (e.g., debiting/crediting an account to complete a purchase, dispensing cash, performing administrative task, etc). If not, it will disallow the transaction and/or request additional authentication.
  • the transaction device may transmit the authentication response to the relying party and/or the transaction text (assuming that the relying party is the entity responsible for verifying the transaction text).
  • a record of the transaction may be recorded at the relying party and/or the relying party may verify the transaction text and confirm the transaction (not shown).
  • FIG. 5B is a transaction diagram showing interactions between the client 400, transaction device 450 and relying party in an embodiment in which the transaction device has a connection with and receives the authentication request from the relying party.
  • This embodiment is sometimes referred to as the "semi-offline" embodiment because although the client does not have a connection to the relying party, the transaction device 450 does.
  • the client initiates a transaction, establishing a secure connection with the transaction device (e.g., NFC, Bluetooth, etc).
  • the transaction device responsively asks for an authentication request from the relying party.
  • the relying party generates the authentication request and at 524 the authentication request is sent to the transaction device.
  • the authentication request may include the public key associated with the authenticator on the client to be used for authentication (Uauth.pub) and a signature generated using the relying party verification key (RPVe fyKey) over the public key and a random nonce. If asymmetric keys are used, then RPVenfyKey used by the relying party to generate the signature is a private key having a corresponding public RPVenfyKey which the relying party provides to the transaction device (potentially far in advance of processing the user authentication request).
  • the transaction device may also verify unsigned serverData using an online connection to the relying party - if this is available (semi-offline case).
  • the serverData also includes timing information indicating the length of time for which the authentication request will be valid (e.g.,
  • the authentication response includes more than one authentication key (e.g., one for each authenticator) and the signature may be generated over all of these keys (e.g., along with the nonce and the MaxCacheTime).
  • the remainder of the transaction diagram in Figure 5B operates substantially as shown in Figure 5A.
  • the transaction device may transmit identity information (e.g., a transaction device identification code), a random challenge (nonce) and optionally transaction text in a defined syntax to complete the transaction.
  • identity information e.g., a transaction device identification code
  • a random challenge once
  • optionally transaction text in a defined syntax to complete the transaction.
  • the random challenge/nonce will then be cryptographically bound to the authentication response. This mechanism allows the device to verify that the user verification is fresh and hasn't been cached.
  • the transaction device may be required to create a standardized, and human readable representation of the transaction.
  • Standardized as used herein means a format that can be parsed by the relying party (e.g. for final verification as indicated in operation 51 1 below) and/or the transaction device. It needs to be human readable because transaction confirmations require the authenticator to display it on the secure display of the client 400.
  • An example of such an encoding could be XML where XSLT is used for visualization.
  • an authentication user interface is displayed directing the user to perform authentication on the client using a particular authenticator (e.g., to swipe a finger on a fingerprint sensor, enter a PIN code, speak into a microphone, etc).
  • a particular authenticator e.g., to swipe a finger on a fingerprint sensor, enter a PIN code, speak into a microphone, etc.
  • authentication engine on the client verifies the identity of the user (e.g., comparing the authentication data collected from the user with the user verification reference data stored in the secure storage of the authenticator) and uses the private key associated with the authentication device to encrypt and/or generate a signature over the random challenge (and also potentially the transaction device ID and/or the transaction text).
  • the authentication response is then transmitted to the transaction device at 527.
  • the transaction device uses the public RPVerifyKey to verify the signature on the serverData (received at 524) if it has not done so already.
  • the serverData knows the public key associated with the authenticator used to perform the authentication (Uauth.pub). It uses this key to verify the authentication response. For example, it may use the public authentication key to decrypt or verify the signature generated over the nonce and any other related information (e.g., the transaction text, the transaction device ID, etc).
  • transaction confirmation is performed by the transaction device, then it may verify the transaction text displayed on the client by validating the signature generated over the transaction text and included in the authentication response at 528.
  • the transaction device could also verify unsigned serverData using an online connection to the relying party - if this is available (semi-offline case).
  • a success or failure indication is sent to the client depending on whether authentication was successful or unsuccessful, respectively. If successful, the transaction device will permit the transaction (e.g., debiting/crediting an account to complete a purchase, dispensing cash, performing administrative task, etc). If not, it will disallow the transaction and/or request additional authentication.
  • the transaction device will permit the transaction (e.g., debiting/crediting an account to complete a purchase, dispensing cash, performing administrative task, etc). If not, it will disallow the transaction and/or request additional authentication.
  • the transaction device may transmit the authentication response to the relying party and/or the transaction text (assuming that the relying party is the entity responsible for verifying the transaction text).
  • a record of the transaction may be recorded at the relying party and/or the relying party may verify the transaction text and confirm the transaction (not shown).
  • a mobile app 601 is executed on the client to perform the operations described herein in combination with an authentication client 602 (which may be the secure transaction service 201 and interface 202 shown in Figure 2B).
  • the mobile app 601 may open a secure channel to a web app 61 1 executed on the transaction device 450 using transport layer security (TLS) or other secure communication protocol.
  • TLS transport layer security
  • a web server 612 on the transaction device may also open a secure channel to communicate with the relying party 451 (e.g., to retrieve authentication requests and/or to provide updates to the relying party 451 as discussed above).
  • the authentication client 602 may communicate directly with the relying party 451 to, for example, retrieve cacheable authentication requests (as discussed in detail above).
  • the authentication client 602 may identify the relying party and any authorized Mobile Apps 601 with an "AppID" which is a unique code associated with each application made available by a relying party.
  • AppID an authorized Mobile Apps 601 with an "AppID" which is a unique code associated with each application made available by a relying party.
  • a relying party offers multiple online services
  • a user may have multiple ApplDs with a single relying party (one for each service offered by the relying party).
  • any application identified by an AppID may have multiple "facets" which identify the allowable mechanisms and/or application types for connecting with the relying party.
  • a particular relying party may allow access via a Web service and via different platform-specific mobile apps (e.g., an Android App, an iOS App, etc). Each of these may be identified using a different "FacetID" which may be provided by the relying party to the authentication engine as illustrated.
  • the calling mobile app 601 passes its AppID to the API exposed by the authentication client 602. On each platform, the authentication client 602 identifies the calling app 601 , and determines its FacetID. It then resolves the AppID and checks whether the FacetID is included in a TrustedApps list provided by the relying party 451 .
  • the cacheable authentication requests discussed above may be implemented using bearer tokens such as illustrated in Figures 7 and 8.
  • the token recipient the transaction device 450
  • the token recipient needs to be able to verify the token, the authentication response and the binding of the token to the authentication response without requiring another "online" connection to the token issuer (the relying party).
  • Two classes of bearer tokens should be distinguished: [0084] 1 . Tokens which can only be verified by the recipient (e.g., the transaction device 450) using a different channel to the issuer (e.g., the relying party 451 ), that must exist between the token issuance and the token verification. This class of tokens is referred to herein as "unsigned tokens.”
  • Tokens which can be verified by the recipient due to their cryptographic structure e.g., because they contain a digital signature which can be verified using data received from the token issuer, potentially way before the specific token was issued.
  • This class of tokens is referred to herein as "signed tokens”.
  • signed token structure Is used herein to refer to both the signed token including the Uauth.pub key and the signed structure containing the token.
  • the token issuer (e.g., the relying party 451 ): (a) adds the Authentication public key (Uauth.pub) 702 to the to-be-signed portion 701 of the (to-be-) signed token; and (b) includes that signed token in the to-be-signed portion of the authentication response.
  • the token recipient e.g., the transaction device 450
  • the token recipient can verify the token by validating the signature 703 (e.g., the public RPVerifyKey discussed above). If the verification succeeds, it can extract the public key (Uauth.pub) and use it to verify the authentication response, as previously discussed.
  • the token issuer e.g., the relying party 451
  • the signed structure can be verified by validating the signature 803 using the public key related to the private signing key (e.g., the RPVerifyKey pair discussed above).
  • This public signing key needs to be shared with the token recipient (e.g., the transaction device 450). Sharing can be done once after generation of the signing key pair, potentially way before the first signed structure was generated.
  • the techniques described herein support both the "full-offline” implementation (i.e., the transaction device 450 has no connection to the relying party 451 at the time of the transaction) as well as the "semi-offline” implementation (i.e., the transaction device has a connection to the relying party 451 at the time of the transaction, but the client does not. [0090] Even in the full-offline case, the transaction device 450 is still expected to be connected via a host from time to time to the relying party 451 .
  • the host may collect all responses stored in the transaction device 450 in order to send them to the relying party and may also update (if required) the list of revoked Uauth keys (e.g., the public authentication keys which have been revoked since the last connection).
  • the list of revoked Uauth keys e.g., the public authentication keys which have been revoked since the last connection.
  • Some embodiments also support pure (session) authentication as well as transaction confirmation. Even in the case of transaction confirmation, the relying party 451 can verify the transaction, if the transaction device 450 submits the transaction text along with the authentication response to the relying party 451 .
  • [0093] 1 Payment.
  • a user has registered his authenticator (e.g. a smartphone) with a payment service provider (PSP).
  • PSP payment service provider
  • the user wants to authenticate a payment at some merchant using a Point-of-Sale device (PoS) authorized by the PSP, but the PoS doesn't have a reliable and permanent online connection to the PSP (e.g. located in a Bus).
  • PoS Point-of-Sale device
  • the PoS may be implemented as the transaction device 450 and the PSP may be implemented as the relying party 451 described above to allow the transaction notwithstanding the lack of a reliable and permanent connection.
  • the company can inject a trust anchor (e.g., the public RPVerifyKey) into all devices once (e.g., at installation time).
  • a trust anchor e.g., the public RPVerifyKey
  • Each technician registers with the contracted party (e.g., the relying party 451 which may be the technician's employer).
  • the technician will be able to authenticate to each device.
  • the embodiments of the invention described above may be implemented in any system in which a client with authentication capabilities is registered with a relying party and the authentication operation is performed between this client and a device (a) acting on behalf of the relying party and (b) being offline (i.e.
  • the client receives a cacheable authentication request from the original server and caches it. Once it is required, the client computes the authentication response and sends it to the device.
  • the client adds channel binding data (received in the authentication request) to the response in a cryptographically secure way.
  • the relying party's original server can verify that the request was received by a legitimate client (and not some man-in-the-middle).
  • the relying party adds additional authenticated data to the response such as the Uauth.pub key which allows the device to verify the authentication or transaction confirmation response, without having to contact the relying party server for retrieving the approved Uauth.pub key.
  • the relying party requires the user of the client to perform a successful authentication before issuing the "cacheable" authentication requests (in order to prevent denial of service attacks).
  • the relying party requires the client to indicate whether a request needs to be cacheable or not. If cacheable, the relying party may require additional authentication data in the response (e.g., the MaxCacheTime discussed above).
  • a device such as the transaction device 450 does not have a direct network connection to the relying party and is "synchronized" to the relying party using a separate computer (sometimes referred to herein as the "host").
  • This host retrieves all collected authentication responses from the device and transfers them to the relying party. Additionally the host may also copy a list of revoked Uauth keys to the device to ensure that one of the revoked keys is not used in an authentication response.
  • a device such as the transaction device 450 sends a random value (e.g., nonce) to the client and the client cryptographically adds this random value as an extension to the authentication response before signing it.
  • This signed random value serves as a freshness proof to the device.
  • the client's authenticator adds the current time Ta as an extension to the authentication response before signing it.
  • the device/transaction device may compare that time to the current time Td and only accept the response if the difference between Ta and Td is acceptable (e.g., if the difference is less than two minutes (abs(Td-Ta) ⁇ 2 min)).
  • the relying party adds an authenticated (i.e., signed) expiration time to the cacheable request.
  • an authenticated (i.e., signed) expiration time As discussed above, the device/transaction device will only accept the response as valid if it is received before the expiration time.
  • the relying party adds an authenticated (i.e., signed) data block (e.g., the "signed token structure" mentioned above) including additional information such as (but not limited to) public key, expiration time, maximum transaction value (e.g., Security Assertion Markup Language (SAML) assertions, OAuth tokens, JSON Web Signature (JWS) objects, etc) to the cacheable request.
  • SAML Security Assertion Markup Language
  • JWS JSON Web Signature
  • the device/transaction device may only accept the response as valid if the signed data block can be positively verified and the contents are acceptable.
  • the relying party only adds the unsigned token to the cacheable authentication request, but the transaction device has an online connection to the relying party at the time of transaction.
  • the transaction device verifies the authenticity of the unsigned token using the online connection to the relying party at the time of transaction.
  • FIG. 9 illustrates exemplary "offline” and "semi-offline” authentication scenarios in accordance with one embodiment of the invention.
  • the user with a computing device 910 has an established relation to the relying party 930 and could authenticate to the relying party.
  • the user wants to perform a transaction e.g., an authentication of a transaction confirmation
  • a device 970 which has an established relation to the relying party 930 but not necessarily one to the user's computing device 910.
  • the transaction is referred to as “full offline” if the connection 920 and connection 921 do not exist or are not stable at the relevant time (e.g., the time of authentication of the user's computing device 910 to the device 970 or of the transaction between the user's computing device 910 and the device 970).
  • the transaction is "semi-offline” if the connection 920 between the user's computing device 910 and the relying party 930 is not stable, but the connection 921 between the device 970 and the relying party 930 is stable. Note that in this embodiment, connection 922 between the user's computing device 910 and device 970 is required to be stable at the relevant time.
  • connection 922 could be implemented using any type of communication channels/protocols including, but not limited to, Bluetooth, Bluetooth low energy (BTLE), near field communication (NFC), Wifi, Global System for Mobile
  • GSM Global System for Mobile communications
  • UTMS Universal Mobile Telecommunications System
  • LTE Long- Term Evolution
  • 4G LTE Long- Term Evolution
  • TCP/IP TCP/IP
  • Figure 10 is a block diagram illustrating an exemplary clients and servers which may be used in some embodiments of the invention. It should be understood that while Figure 10 illustrates various components of a computer system, it is not intended to represent any particular architecture or manner of interconnecting the components as such details are not germane to the present invention. It will be appreciated that other computer systems that have fewer components or more components may also be used with the present invention.
  • the computer system 1000 which is a form of a data processing system, includes the bus(es) 1050 which is coupled with the processing system 1020, power supply 1025, memory 1030, and the nonvolatile memory 1040 (e.g., a hard drive, flash memory, Phase-Change Memory (PCM), etc.).
  • the bus(es) 1050 may be connected to each other through various bridges, controllers, and/or adapters as is well known in the art.
  • the processing system 1020 may retrieve instruction(s) from the memory 1030 and/or the nonvolatile memory 1040, and execute the instructions to perform operations as described above.
  • the bus 1050 interconnects the above components together and also interconnects those components to the optional dock 1060, the display controller & display device 1070, Input/Output devices 1080 (e.g., NIC (Network Interface Card), a cursor control (e.g., mouse, touchscreen, touchpad, etc.), a keyboard, etc.), and the optional wireless transceiver(s) 1090 (e.g., Bluetooth, WiFi, Infrared, etc.).
  • NIC Network Interface Card
  • FIG 11 is a block diagram illustrating an exemplary data processing system which may be used in some embodiments of the invention.
  • the data processing system 190 may be a handheld computer, a personal digital assistant (PDA), a mobile telephone, a portable gaming system, a portable media player, a tablet or a handheld computing device which may include a mobile telephone, a media player, and/or a gaming system.
  • the data processing system 1 100 may be a network computer or an embedded processing device within another device.
  • the exemplary architecture of the data processing system 1 100 may be used for the mobile devices described above.
  • the data processing system 1 100 includes the processing system 1 120, which may include one or more microprocessors and/or a system on an integrated circuit.
  • the processing system 1 120 is coupled with a memory 1 1 10, a power supply 1 125 (which includes one or more batteries) an audio input/output 1 140, a display controller and display device 1 160, optional input/output 1 150, input device(s) 1 170, and wireless transceiver(s) 1 130.
  • a power supply 1 125 which includes one or more batteries
  • an audio input/output 1 140 which includes one or more batteries
  • a display controller and display device 1 160 optional input/output 1 150
  • input device(s) 1 170 input device(s) 1 170
  • wireless transceiver(s) 1 130 wireless transceiver
  • the memory 1 1 10 may store data and/or programs for execution by the data processing system 1 100.
  • the audio input/output 1 140 may include a microphone and/or a speaker to, for example, play music and/or provide telephony functionality through the speaker and microphone.
  • the display controller and display device 1 160 may include a graphical user interface (GUI).
  • the wireless (e.g., RF) transceivers 1 130 e.g., a WiFi transceiver, an infrared transceiver, a Bluetooth transceiver, a wireless cellular telephony transceiver, etc.
  • the one or more input devices 1 170 allow a user to provide input to the system. These input devices may be a keypad, keyboard, touch panel, multi touch panel, etc.
  • the optional other input/output 1 150 may be a connector for a dock.
  • Embodiments of the invention may include various steps as set forth above.
  • the steps may be embodied in machine-executable instructions which cause a general- purpose or special-purpose processor to perform certain steps.
  • these steps may be performed by specific hardware components that contain hardwired logic for performing the steps, or by any combination of programmed computer components and custom hardware components.
  • Elements of the present invention may also be provided as a machine- readable medium for storing the machine-executable program code.
  • the machine- readable medium may include, but is not limited to, floppy diskettes, optical disks, CD- ROMs, and magneto-optical disks, ROMs, RAMs, EPROMs, EEPROMs, magnetic or optical cards, or other type of media/machine-readable medium suitable for storing electronic program code.
  • Embodiments of the invention may include various steps as set forth above.
  • the steps may be embodied in machine-executable instructions which cause a general- purpose or special-purpose processor to perform certain steps.
  • these steps may be performed by specific hardware components that contain hardwired logic for performing the steps, or by any combination of programmed computer components and custom hardware components.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

A system, apparatus, method, and machine readable medium are described for authenticating a client to a device. For example, one embodiment of a method comprises: registering an authenticator of a client with a relying party, the registration allowing a user of the client to remotely authenticate the user to the relying party over a network; generating a first authentication structure using at least a first authentication key associated with the authenticator and a signature generated with a first verification key; caching the first authentication structure on the client; providing a second verification key corresponding to the first verification key to a transaction device; performing an authentication transaction between the client and the transaction device in which the client generates a second authentication structure using a second authentication key associated with the first authentication key, the transaction device uses the second verification key to validate the signature on the first authentication structure and uses the first authentication key to validate the second authentication structure.

Description

SYSTEM AND METHOD FOR AUTHENTICATING A CLIENT TO A DEVICE
BACKGROUND
Field of the Invention
[0001] This invention relates generally to the field of data processing systems. More particularly, the invention relates to a system and method for authenticating a client to a device such as an offline device or a device having limited connectivity to a relying party.
Description of Related Art
[0002] Figure 1 illustrates an exemplary client 120 with a biometric device 100.
When operated normally, a biometric sensor 102 reads raw biometric data from the user (e.g., capture the user's fingerprint, record the user's voice, snap a photo of the user, etc) and a feature extraction module 103 extracts specified characteristics of the raw biometric data (e.g., focusing on certain regions of the fingerprint, certain facial features, etc). A matcher module 104 compares the extracted features 133 with biometric reference data 1 10 stored in a secure storage on the client 120 and generates a score 153 based on the similarity between the extracted features and the biometric reference data 1 10. The biometric reference data 1 10 is typically the result of an enrollment process in which the user enrolls a fingerprint, voice sample, image or other biometric data with the device 100. An application 105 may then use the score 135 to determine whether the authentication was successful (e.g., if the score is above a certain specified threshold).
[0003] Systems have also been designed for providing secure user
authentication over a network using biometric sensors. In such systems, the score 135 generated by the application 105, and/or other authentication data, may be sent over a network to authenticate the user with a remote server. For example, Patent Application No. 201 1/0082801 ("'801 Application") describes a framework for user registration and authentication on a network which provides strong authentication (e.g., protection against identity theft and phishing), secure transactions (e.g., protection against "malware in the browser" and "man in the middle" attacks for transactions), and enrollment/management of client authentication tokens (e.g., fingerprint readers, facial recognition devices, smartcards, trusted platform modules, etc).
[0004] The assignee of the present application has developed a variety of improvements to the authentication framework described in the '801 application. Some of these improvements are described in the following set of US Patent Applications ("Co-pending Applications"), all filed December 29, 1012, which are assigned to the present assignee: Serial No. 13/730,761 , Query System and Method to Determine Authentication Capabilities; Serial No. 13/730,776, System and Method for Efficiently Enrolling, Registering, and Authenticating With Multiple Authentication Devices;
13/730,780, System and Method for Processing Random Challenges Within an
Authentication Framework; Serial No. 13/730,791 , System and Method for
Implementing Privacy Classes Within an Authentication Framework; Serial No.
13/730,795, System and Method for Implementing Transaction Signaling Within an Authentication Framework.
[0005] Briefly, the Co-Pending Applications describe authentication techniques in which a user enrolls with biometric devices of a client to generate biometric template data (e.g., by swiping a finger, snapping a picture, recording a voice, etc); registers the biometric devices with one or more servers over a network (e.g., Websites or other relying parties equipped with secure transaction services as described in the Co- Pending Applications); and subsequently authenticates with those servers using data exchanged during the registration process (e.g., encryption keys provisioned into the biometric devices). Once authenticated, the user is permitted to perform one or more online transactions with a Website or other relying party. In the framework described in the Co-Pending Applications, sensitive information such as fingerprint data and other data which can be used to uniquely identify the user, may be retained locally on the user's client device (e.g., smartphone, notebook computer, etc) to protect a user's privacy.
BRIEF DESCRIPTION OF THE DRAWINGS
[0006] A better understanding of the present invention can be obtained from the following detailed description in conjunction with the following drawings, in which:
[0007] FIG. 1 illustrates an exemplary client device having biometric
authentication capabilities;
[0008] FIGS. 2A-B illustrate two different embodiments of a secure authentication system architecture;
[0009] FIG. 2C illustrates a transaction diagram showing how keys may be registered into authentication devices;
[0010] FIGS. 3A-B illustrates embodiments for secure transaction confirmation using a secure display;
[0011] FIG. 4 illustrate one embodiment of the invention for performing authentication for a transaction with a device without established relation; [0012] FIGS. 5A-B are transaction diagrams showing two different embodiments for performing authentication for a transaction;
[0013] FIG. 6 illustrates additional architectural features employed in one embodiment of the invention;
[0014] FIGS. 7-8 illustrate different embodiments of bearer tokens employed in different embodiments of the invention;
[0015] FIG. 9 illustrates exemplary "offline" and "semi-offline" authentication scenarios;
[0016] FIG. 10 illustrates an exemplary system architecture for clients and/or servers; and
[0017] FIG. 11 illustrates another exemplary system architecture for clients and/or servers.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
[0018] Described below are embodiments of an apparatus, method, and machine- readable medium for implementing advanced authentication techniques and associated applications. Throughout the description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without some of these specific details. In other instances, well-known structures and devices are not shown or are shown in a block diagram form to avoid obscuring the underlying principles of the present invention.
[0019] The embodiments of the invention discussed below involve client devices with authentication capabilities such as biometric devices or PIN entry. These devices are sometimes referred to herein as "tokens," "authentication devices," or "authenticators." While certain embodiments focus on facial recognition hardware/software (e.g., a camera and associated software for recognizing a user's face and tracking a user's eye movement), some embodiments may utilize additional biometric devices including, for example, fingerprint sensors, voice recognition hardware/software (e.g., a microphone and associated software for recognizing a user's voice), and optical recognition capabilities (e.g., an optical scanner and associated software for scanning the retina of a user). The authentication capabilities may also include non-biometric devices such as trusted platform modules (TPMs) and smartcards.
[0020] In a mobile biometric implementation, the biometric device may be remote from the relying party. As used herein, the term "remote" means that the biometric sensor is not part of the security boundary of the computer it is communicatively coupled to (e.g., it is not embedded into the same physical enclosure as the relying party computer). By way of example, the biometric device may be coupled to the relying party via a network (e.g., the Internet, a wireless network link, etc) or via a peripheral input such as a USB port. Under these conditions, there may be no way for the relying party to know if the device is one which is authorized by the relying party (e.g., one which provides an acceptable level of authentication and integrity protection) and/or whether a hacker has compromised the biometric device. Confidence in the biometric device depends on the particular implementation of the device.
[0021] However, as discussed below, the authentication techniques employed to authenticate the user may involve non-location components such as communication over a network with remote servers and/or other data processing devices. Moreover, while specific embodiments are described herein (such as an ATM and retail location) it should be noted that the underlying principles of the invention may be implemented within the context of any system in which a transaction is initiated locally or remotely by an end user.
[0022] The term "relying party" is sometimes used herein to refer, not merely to the entity with which a user transaction is attempted (e.g., a Website or online service performing user transactions), but also to the secure transaction servers implemented on behalf of that entity which may performed the underlying authentication techniques described herein. The secure transaction servers which provided remote authentication capabilities may be owned and/or under the control of the relying party or may be under the control of a third party offering secure transaction services to the relying party as part of a business arrangement.
[0023] The term "server" is used herein to refer to software executed on a hardware platform (or across multiple hardware platforms) that receives requests over a network from a client, responsively performs one or more operations, and transmits a response to the client, typically including the results of the operations. The server responds to client requests to provide, or help to provide, a network "service" to the clients.
Significantly, a server is not limited to a single computer (e.g., a single hardware device for executing the server software) and may, in fact, be spread across multiple hardware platforms, potentially at multiple geographical locations.
[0024] The embodiments of the invention described herein include techniques for authenticating a user for a transaction initiated through a secure transaction device. By way of example, the transaction may be a withdrawal, transfer, or other user-initiated operation and the transaction device may be an automatic teller machine (ATM), point- of-sale (PoS) transaction device or other device capable of executing transactions on behalf of the user. The transaction may involve, for example, completing a payment to purchase goods or services at a retail store or other retail location equipped with the device, withdrawing funds via the device, performing maintenance on the device, or any other transaction for which user authentication is required.
[0025] One embodiment of the invention provides techniques for authenticating the user locally (i.e. verifying the user), even in circumstances where the device is offline (i.e., not connected to a back-end authentication server) or semi-offline (i.e., only periodically connected to a back-end authentication server). In one embodiment, the user's client device is provided with the ability to cache authentication requests generated by a back-end authentication server (e.g., operated on behalf of the relying party) and the device is provided with data needed to verify the authentication response transmitted from the user's client device to the device.
[0026] Prior to discussing the details of these embodiments of the invention, an overview of remote user authentication techniques will be provided. These and other remote user authentication techniques are described in the co-pending applications, which are assigned to the assignee of the present application and incorporated herein by reference.
REMOTE USER AUTHENTICATION TECHNIQUES
[0027] Figures 2A-B illustrate two embodiments of a system architecture comprising client-side and server-side components for remotely authenticating a user. The embodiment shown in Figure 2A uses a browser plugin-based architecture for communicating with a website while the embodiment shown in Figure 2B does not require a browser. The various authentication techniques and associated applications described herein may be implemented on either of these system architectures. For example, the authentication engines within client devices described herein may be implemented as part of the secure transaction service 201 including interface 202. It should be noted, however, that the embodiments described above may be implemented using logical arrangements of hardware and software other than those shown in
Figures 2A-B.
[0028] Turning to Figure 2A, the illustrated embodiment includes a client 200 equipped with one or more authentication devices 210-212 for enrolling and
authenticating an end user. As mentioned above, the authentication devices 210-212 may include biometric devices such as fingerprint sensors, voice recognition hardware/software (e.g., a microphone and associated software for recognizing a user's voice), facial recognition hardware/software (e.g., a camera and associated software for recognizing a user's face), and optical recognition capabilities (e.g., an optical scanner and associated software for scanning the retina of a user) and non-biometric devices such as a trusted platform modules (TPMs) and smartcards. A user may enroll the biometric devices by providing biometric data (e.g., swiping a finger on the fingerprint device) which the secure transaction service 201 may store as biometric template data in secure storage 220 (via interface 202).
[0029] While the secure storage 220 is illustrated outside of the secure perimeter of the authentication device(s) 210-212, in one embodiment, each authentication device 210-212 may have its own integrated secure storage. Additionally, each authentication device 210-212 may cryptographically protect the biometric reference data records (e.g., wrapping them using a symmetric key to make the storage 220 secure).
[0030] The authentication devices 210-212 are communicatively coupled to the client through an interface 202 (e.g., an application programming interface or API) exposed by a secure transaction service 201 . The secure transaction service 201 is a secure application for communicating with one or more secure transaction servers 232-233 over a network and for interfacing with a secure transaction plugin 205 executed within the context of a web browser 204. As illustrated, the Interface 202 may also provide secure access to a secure storage device 220 on the client 200 which stores
information related to each of the authentication devices 210-212 such as a device identification code (such as an Authenticator Attestation ID (AAID)), user identification code, user enrollment data (e.g., scanned fingerprint or other biometric data), and keys used to perform the secure authentication techniques described herein. For example, as discussed in detail below, a unique key may be stored into each of the authentication devices and subsequently used when communicating to servers 230 over a network such as the Internet.
[0031] As discussed below, certain types of network transactions are supported by the secure transaction plugin 205 such as HTTP or HTTPS transactions with websites 231 or other servers. In one embodiment, the secure transaction plugin is initiated in response to specific HTML tags inserted into the HTML code of a web page by the web server 231 within the secure enterprise or Web destination 230 (sometimes simply referred to below as "server 230"). In response to detecting such a tag, the secure transaction plugin 205 may forward transactions to the secure transaction service 201 for processing. In addition, for certain types of transactions (e.g., such as secure key exchange) the secure transaction service 201 may open a direct communication channel with the on-premises transaction server 232 (i.e., co-located with the website) or with an off-premises transaction server 233.
[0032] The secure transaction servers 232-233 are coupled to a secure transaction database 240 for storing user data, authentication device data, keys and other secure information needed to support the secure authentication transactions described below. It should be noted, however, that the underlying principles of the invention do not require the separation of logical components within the secure enterprise or web destination 230 shown in Figure 2A. For example, the website 231 and the secure transaction servers 232-233 may be implemented within a single physical server or separate physical servers. Moreover, the website 231 and transaction servers 232-233 may be implemented within an integrated software module executed on one or more servers for performing the functions described below.
[0033] As mentioned above, the underlying principles of the invention are not limited to a browser-based architecture shown in Figure 2A. Figure 2B illustrates an alternate implementation in which a stand-alone application 254 utilizes the functionality provided by the secure transaction service 201 to authenticate a user over a network. In one embodiment, the application 254 is designed to establish communication sessions with one or more network services 251 which rely on the secure transaction servers 232-233 for performing the user/client authentication techniques described in detail below.
[0034] In either of the embodiments shown in Figures 2A-B, the secure transaction servers 232-233 may generate the keys which are then securely transmitted to the secure transaction service 201 and stored into the authentication devices within the secure storage 220. Additionally, the secure transaction servers 232-233 manage the secure transaction database 240 on the server side.
[0035] Figure 2C illustrates a series of transactions for registering authentication devices. As mentioned above, during registration, a key is shared between the authentication device and one of the secure transaction servers 232-233. The key is stored within the secure storage 220 of the client 200 and the secure transaction database 220 used by the secure transaction servers 232-233. In one embodiment, the key is a symmetric key generated by one of the secure transaction servers 232-233. However, in another embodiment discussed below, asymmetric keys may be used. In this embodiment, the public key may be stored by the secure transaction servers 232- 233 and a second, related private key may be stored in the secure storage 220 on the client. Moreover, in another embodiment, the key(s) may be generated on the client 200 (e.g., by the authentication device or the authentication device interface rather than the secure transaction servers 232-233). The underlying principles of the invention are not limited to any particular types of keys or manner of generating the keys.
[0036] A secure key provisioning protocol such as the Dynamic Symmetric Key Provisioning Protocol (DSKPP) may be used to share the key with the client over a secure communication channel (see, e.g., Request for Comments (RFC) 6063).
However, the underlying principles of the invention are not limited to any particular key provisioning protocol.
[0037] Turning to the specific details shown in Figure 2C, once the user enrollment or user verification is complete, the server 230 generates a randomly generated challenge (e.g., a cryptographic nonce) that must be presented by the client during device registration. The random challenge may be valid for a limited period of time. The secure transaction plugin detects the random challenge and forwards it to the secure transaction service 201 . In response, the secure transaction service initiates an out-of-band session with the server 230 (e.g., an out-of-band transaction) and communicates with the server 230 using the key provisioning protocol. The server 230 locates the user with the user name, validates the random challenge, validates the device's attestation code (e.g., AAID) if one was sent, and creates a new entry in the secure transaction database 220 for the user. It may also generate the key or public/private key pair, write the key(s) to the database 220 and send the key(s) back to the secure transaction service 201 using the key provisioning protocol. Once complete, the authentication device and the server 230 share the same key if a symmetric key was used or different keys if asymmetric keys were used.
[0038] Figure 3A illustrates a secure transaction confirmation for a browser-based implementation. While a browser-based implementation is illustrated, the same basic principles may be implemented using a stand-alone application or mobile device app.
[0039] The secure transaction confirmation is designed to provide stronger security for certain types of transactions (e.g., financial transactions). In the illustrated embodiment, the user confirms each transaction prior to committing the transaction. Using the illustrated techniques, the user confirms exactly what he/she wants to commit and commits exactly what he/she sees displayed in a window 301 of the graphical user interface (GUI). In other words, this embodiment ensures that the transaction text cannot be modified by a "man in the middle" (MITM) or "man in the browser" (MITB) to commit a transaction which the user did not confirm. [0040] In one embodiment, the secure transaction plugin 205 displays a window 301 in the browser context to show the transaction details. The secure transaction server 201 periodically (e.g., with a random interval) verifies that the text that is shown in the window is not being tampered by anyone (e.g., by generating a hash/signature over the displayed text). In a different embodiment, the authentication device has a trusted user interface (e.g. providing an API compliant to GlobalPlatform's TrustedUI).
[0041] The following example will help to highlight the operation of this embodiment. A user chooses items for purchase from a merchant site and selects "check out." The merchant site sends the transaction to a service provide which has a secure transaction server 232-233 implementing one or more of the embodiments of the invention described herein (e.g., PayPal). The merchant site authenticates the user and completes the transaction.
[0042] The secure transaction server 232-233 receives the transaction details (TD) and puts a "Secure Transaction" request in an HTML page and sends to client 200. The Secure Transaction request includes the transaction details and a random challenge. The secure transaction plugin 205 detects the request for transaction confirmation message and forwards all data to the secure transaction service 201 . In an
embodiment which does not use a browser or plugin, the information may be sent directly from the secure transaction servers to the secure transaction service on the client 200.
[0043] For a browser-based implementation, the secure transaction plugin 205 displays a window 301 with transaction details to the user (e.g. in a browser context) and asks the user to provide authentication to confirm the transaction. In an
embodiment which does not use a browser or plugin, the secure transaction service 201 , the application 254 (Figure 2B), or the authentication device 210 may display the window 301 . The secure transaction service 201 starts a timer and verifies the content of the window 301 being displayed to the user. The period of verification may be randomly chosen. The secure transaction service 201 ensures that user sees the valid transaction details in the window 301 (e.g., generating a hash on the details and verifying that the contents are accurate by comparing against a hash of the correct contents). If it detects that the content has been tampered with it prevents the confirmation token/signature from being generated.
[0044] After the user provides valid verification data (e.g. by, swiping a finger on the fingerprint sensor), the authentication device verifies the user and generates a cryptographic signature (sometimes referred to as a "token") with the transaction details and the random challenge (i.e., the signature is calculated over the transaction details and the nonce). This allows the secure transaction server 232-233 to ensure that the transaction details have not been modified between the server and the client. The secure transaction service 201 sends the generated signature and username to the secure transaction plugin 205 which forwards the signature to the secure transaction server 232-233. The secure transaction server 232-233 identifies the user with the username and verifies the signature. If verification succeeds, a confirmation message is sent to the client and the transaction is processed.
[0045] One embodiment of the invention implements a query policy in which a secure transaction server transmits a server policy to the client indicating the
authentication capabilities accepted by the server. The client then analyzes the server policy to identify a subset of authentication capabilities which it supports and/or which the user has indicated a desire to use. The client then registers and/or authenticates the user using the subset of authentication tokens matching the provided policy.
Consequently, there is a lower impact to the client's privacy because the client is not required to transmit exhaustive information about its authentication capabilities (e.g., all of its authentication devices) or other information which might be used to uniquely identify the client.
[0046] By way of example, and not limitation, the client may include numerous user verification capabilities such as a fingerprint sensor, voice recognition capabilities, facial recognition capabilities, eye/optical recognition capabilities, PIN verification, to name a few. However, for privacy reasons, the user may not wish to divulge the details for all of its capabilities to a requesting server. Thus, using the techniques described herein, the secure transaction server may transmit a server policy to the client indicating that it supports, for example, fingerprint, optical, or smartcard authentication. The client may then compare the server policy against its own authentication capabilities and choose one or more of the available authentication options.
[0047] One embodiment of the invention employs transaction signing on the secure transaction server so that no transaction state needs to be maintained on the server to maintain sessions with clients. In particular, transaction details such as transaction text displayed within the window 301 may be sent to the client signed by the server. The server may then verify that the signed transaction responses received by the client are valid by verifying the signature. The server does not need to persistently store the transaction content, which would consume a significant amount of storage space for a large number of clients and would open possibility for denial of service type attacks on server.
[0048] One embodiment of the invention is illustrated in Figure 3B which shows a website or other network service 31 1 initiating a transaction with a client 200. For example, the user may have selected items for purchase on the website and may be ready to check out and pay. In the illustrated example, the website or service 31 1 hands off the transaction to a secure transaction server 312 which includes signature processing logic 313 for generating and verifying signatures (as described herein) and authentication logic for performing client authentication 314 (e.g., using the
authentication techniques previously described).
[0049] In one embodiment, the authentication request sent from the secure transaction server 312 to the client 200 includes the random challenge such as a cryptographic nonce (as described above), the transaction details (e.g., the specific text presented to complete the transaction), and a signature generated by the signature processing logic 313 over the random challenge and the transaction details using a private key (known only by the secure transaction server).
[0050] Once the above information is received by the client, the user may receive an indication that user verification is required to complete the transaction. In response, the user may, for example, swipe a finger across a fingerprint scanner, snap a picture, speak into a microphone, or perform any other type of authentication permitted for the given transaction. In one embodiment, once the user has been successfully verified by the authentication device 210, the client transmits the following back to the server: (1 ) the random challenge and transaction text (both previously provided to the client by the server), (2) authentication data proving that the user successfully completed
authentication, and (3) the signature.
[0051] The authentication module 314 on the secure transaction server 312 may then confirm that the user has correctly authenticated and the signature processing logic 313 re-generates the signature over the random challenge and the transaction text using the private key. If the signature matches the one sent by the client, then the server can verify that the transaction text is the same as it was when initially received from the website or service 31 1 . Storage and processing resources are conserved because the secure transaction server 312 is not required to persistently store the transaction text (or other transaction data) within the secure transaction database 120. SYSTEM AND METHOD FOR AUTHENTICATING A CLIENT TO AN OFFLINE DEVICE OR A DEVICE HAVING LIMITED CONNECTIVITY
[0052] As mentioned, one embodiment of the invention includes techniques for authenticating the user locally (i.e. verifying the user), even in circumstances where the user device and device are offline (i.e., not connected to a back-end authentication server of a relying party) or semi-offline (i.e., where the user device is not connected to the relying party, but the device is). Figure 4 illustrates one such arrangement in which a client 400 with authentication devices previously registered with a relying party 451 establishes a secure channel with a transaction device 450 to complete a transaction. By way of example, and not limitation, the transaction device may be an ATM, point-of- sale (PoS) transaction device at a retail location, Internet of Things (loT) device, or any other device capable of establishing a channel with the client 400 and allowing the user to perform a transaction. The channel may be implemented using any wireless communication protocol including, by way of example and not limitation, near field communications (NFC) and Bluetooth (e.g., Bluetooth Low Energy (BTLE) as set forth in the Bluetooth Core Specification Version 4.0). Of course, the underlying principles of the invention are not limited to any particular communication standard.
[0053] As indicated by the dotted arrows, the connection between the client 400 and the relying party 451 and/or the connection between the transaction device 450 and the relying party 451 may be sporadic or non-existent. Real world applications in the area of payments often rely on such "off-line" use-cases. For example, a user with a client 400 (e.g., a Smartphone) may not have connectivity to the relying party 451 at the time of the transaction but may want to authorize a transaction (e.g. a payment) by authenticating to the transaction device 450. However, in some embodiments of the invention, the client 400 and/or transaction device 450 do exchange some information with the relying party 451 (although not necessarily during the authentication or transaction confirmation process described herein).
[0054] Traditionally, user verification has been implemented using a secret such as a personal identification number (PIN) to be captured by the device (e.g. the PoS transaction device or ATM). The device would then create an online connection to the relying party in order to verify the secret or would ask the user's authenticator (e.g., EMV banking card) for verifying the PIN. Such implementation has several
disadvantages. It might require an online connection - which might be available sometimes, but not always. It also requires the user to enter a long-term valid secret into potentially untrusted devices, which are subject to shoulder-surfing and other attacks. Additionally it is inherently tied to the specific user verification method (e.g. PIN in this case). Finally, it requires the user to remember a secret such as a PIN, which may be inconvenient to the user.
[0055] The authentication techniques described herein provide significantly more flexibility in terms of user verification methods and security as they allow the user to rely on his/her own client's authentication capabilities. In particular, in one embodiment, a mobile application on the user's client caches authentication requests provided by the relying party during a time when the client is connected to the relying party. The authentication requests may include the same (or similar) information as the
authentication requests described above (e.g., a nonce and a public key associated with an authenticator) as well as additional information including a signature over (at least parts of) the authentication request generated by a relying party, the verification key and potentially timing data indicating the time period within which the authentication request will remain valid (or conversely, the time after which the authentication request will expire). In one embodiment, the mobile application may cache multiple such connection requests (e.g., one for each transaction device or transaction device type).
[0056] In one embodiment, the cached authentication requests may then be used for transactions with the transaction device, in circumstances where the client/mobile app is incapable of connecting with the relying party. In one embodiment, the mobile app triggers the creation of the authentication response based on the cached authentication request containing the serverData and additional data received from the transaction device. The authentication response is then transmitted to the transaction device which then verifies the authentication response using a verification key provided from the relying party (e.g., during a time when the transaction device is connected with the relying party). In particular, the transaction device may use the key provided by the relying party to verify the signature over the serverData included in the authentication response. In one embodiment, the signature is generated by the relying party using a private relying party verification key and the transaction device verifies the signature using a corresponding public relying party verification key (provided to the transaction device by the relying party).
[0057] Once the transaction device verifies the serverData extracted from the authentication response, it may then use the public key extracted from the
authentication request (e.g., Uauth.pub) to verify the authentication response generated by the client/mobile app (e.g., in the same or a similar manner to the verifications by the relying party described above, when the client is authenticating directly to the relying party).
[0058] In an alternate embodiment described below, the relying party provides the authentication request directly to the transaction device (rather than through the mobile app on the client device). In this embodiment, the transaction device may ask for the authentication request from the relying party upon receiving a request to complete a transaction from the mobile app on the client. Once it has the authentication request, it may validate the request and the authentication response as described above (e.g., by generating a signature and comparing it to the existing signature).
[0059] Figure 5A is a transaction diagram showing interactions between the client 400, transaction device 450 and relying party in an embodiment in which the client 400 caches the authentication request. This embodiment is sometimes referred to as the "full-offline" embodiment because it does not require the transaction device 450 to have an existing connection with the relying party.
[0060] At 501 , the client requests a cacheable authentication request from the relying party. At 502, the relying party generates the cacheable authentication request, at 503 the authentication request is sent to the client, and at 504 the client caches the authentication request. In one embodiment, the authentication request includes the public key associated with the authenticator to be used for authentication (Uauth.pub) and a signature generated using the relying party verification key (RPVerifyKey) over the public key and a random nonce. If asymmetric keys are used, then RPVerifyKey used by the relying party to generate the signature is a private key having a
corresponding public RPVerifyKey which the relying party has provided to the transaction device (potentially far in advance of processing the user authentication request).
[0061] In one embodiment, the authentication request also includes timing information indicating the length of time for which the authentication request will be valid (e.g., MaxCacheTime). In this embodiment, the signature for the cacheable
authentication request may be generated over the combination of the public
authentication key, the nonce, and the MaxCacheTime (e.g., ServerData = Uauth.pub | MaxCacheTime | serverNonce | Sign (RPVerifyKey, Uauth.pub | MaxCacheTime | serverNonce)). In one embodiment, the authentication response includes more than one authentication key (e.g., one for each authenticator capable of authenticating the user) and the signature may be generated over all of these keys (e.g., along with the nonce and the MaxCacheTime). [0062] As mentioned, the public RPVerifyKey needs to be known the transaction device 450, or any device intended to perform offline verification of the authentication requests/responses. This extension is required because the transaction device does not have any knowledge about the authentication keys registered at the relying party (i.e. no established relation exists between user device and the transaction device). Consequently, the relying party must communicate to the transaction device (or other device), in a secure manner, which key(s) are to be used for authentication response verification. The transaction device will verify the MaxCacheTime to determine whether the cached authentication request is still valid (to comply with the relying party's policy on how long the cached authentication request may be used).
[0063] At 505, the client establishes a secure connection to the transaction device and initiates a transaction. For example, if the transaction device is a PoS transaction device, the transaction may involve a debit or credit transaction. If the transaction device is an ATM, the transaction may involve a cash withdrawal or a maintenance task. The underlying principles of the invention are not limited to any particular type of transaction device or secure connection. In addition, at 505, the client may transmit the cached authentication request to the transaction device.
[0064] In response, at 506 the transaction device may transmit device identity information (e.g., a transaction device identification code), a random challenge (nonce) and optionally transaction text in a defined syntax to complete the transaction. The random challenge/nonce will then be cryptograph ically bound to the authentication response. This mechanism allows the device to verify that the user verification is fresh and hasn't been cached / reused.
[0065] In order to support transaction confirmations such as described above (see, e.g., Figures 3A-B and associated text), the transaction device may be required to create a standardized, and human readable representation of the transaction.
"Standardized" as used herein means a format that can be parsed by the relying party (e.g. for final verification as indicated in operation 51 1 below) and/or the transaction device. It needs to be human readable because transaction confirmations require the authenticator to display it on the secure display of the client 400. An example of such an encoding could be XML where XSLT is used for visualization.
[0066] At 507, to generate the authentication response, an authentication user interface is displayed directing the user to perform authentication on the client using a particular authenticator (e.g., to swipe a finger on a fingerprint sensor, enter a PIN code, speak into a microphone, etc). Once the user provides authentication, the authentication engine on the client verifies the identity of the user (e.g., comparing the authentication data collected from the user with the user verification reference data stored in the secure storage of the authenticator) and uses the private key associated with the authentication device to encrypt and/or generate a signature over the random challenge (and also potentially the transaction device ID and/or the transaction text). The authentication response is then transmitted to the transaction device at 508.
[0067] At 509, the transaction device uses the public RPVerifyKey to verify the signature on the serverData (received at 505) if it has not done so already. Once the serverData is verified, it knows the public key associated with the authenticator used to perform the authentication (Uauth.pub). It uses this key to verify the authentication response. For example, it may use the public authentication key to decrypt or verify the signature generated over the nonce and any other related information (e.g., the transaction text, the transaction device ID, etc). If transaction confirmation is performed by the transaction device, then it may verify the transaction text displayed on the client by validating the signature generated over the transaction text and included in the authentication response at 508. Instead of having a cryptographically secured serverData structure, the transaction device could also verify unsigned serverData using an online connection to the relying party - if this is available (semi-offline case).
[0068] At 510, a success or failure indication is sent to the client depending on whether authentication was successful or unsuccessful, respectively. If successful, the transaction device will permit the transaction (e.g., debiting/crediting an account to complete a purchase, dispensing cash, performing administrative task, etc). If not, it will disallow the transaction and/or request additional authentication.
[0069] If a connection to the relying party is present, then at 51 1 the transaction device may transmit the authentication response to the relying party and/or the transaction text (assuming that the relying party is the entity responsible for verifying the transaction text). A record of the transaction may be recorded at the relying party and/or the relying party may verify the transaction text and confirm the transaction (not shown).
[0070] Figure 5B is a transaction diagram showing interactions between the client 400, transaction device 450 and relying party in an embodiment in which the transaction device has a connection with and receives the authentication request from the relying party. This embodiment is sometimes referred to as the "semi-offline" embodiment because although the client does not have a connection to the relying party, the transaction device 450 does. [0071] At 521 , the client initiates a transaction, establishing a secure connection with the transaction device (e.g., NFC, Bluetooth, etc). At 522, the transaction device responsively asks for an authentication request from the relying party. At 523, the relying party generates the authentication request and at 524 the authentication request is sent to the transaction device. As in the embodiment shown in Figure 5A, the authentication request may include the public key associated with the authenticator on the client to be used for authentication (Uauth.pub) and a signature generated using the relying party verification key (RPVe fyKey) over the public key and a random nonce. If asymmetric keys are used, then RPVenfyKey used by the relying party to generate the signature is a private key having a corresponding public RPVenfyKey which the relying party provides to the transaction device (potentially far in advance of processing the user authentication request). Instead of having a cryptographically secured serverData structure, the transaction device may also verify unsigned serverData using an online connection to the relying party - if this is available (semi-offline case).
[0072] In one embodiment, the serverData also includes timing information indicating the length of time for which the authentication request will be valid (e.g.,
MaxCacheTime). In this embodiment, the signature for the serverData may be generated over the combination of the public authentication key, the nonce, and the MaxCacheTime (e.g., ServerData = Uauth.pub | MaxCacheTime | serverNonce | Sign (RPVenfyKey, Uauth.pub | MaxCacheTime | serverNonce)). In one embodiment, the authentication response includes more than one authentication key (e.g., one for each authenticator) and the signature may be generated over all of these keys (e.g., along with the nonce and the MaxCacheTime).
[0073] In one embodiment, the remainder of the transaction diagram in Figure 5B operates substantially as shown in Figure 5A. At 525 the transaction device may transmit identity information (e.g., a transaction device identification code), a random challenge (nonce) and optionally transaction text in a defined syntax to complete the transaction. The random challenge/nonce will then be cryptographically bound to the authentication response. This mechanism allows the device to verify that the user verification is fresh and hasn't been cached.
[0074] In order to support transaction confirmations such as described above (see, e.g., Figures 3A-B and associated text), the transaction device may be required to create a standardized, and human readable representation of the transaction.
"Standardized" as used herein means a format that can be parsed by the relying party (e.g. for final verification as indicated in operation 51 1 below) and/or the transaction device. It needs to be human readable because transaction confirmations require the authenticator to display it on the secure display of the client 400. An example of such an encoding could be XML where XSLT is used for visualization.
[0075] At 526, to generate the authentication response, an authentication user interface is displayed directing the user to perform authentication on the client using a particular authenticator (e.g., to swipe a finger on a fingerprint sensor, enter a PIN code, speak into a microphone, etc). Once the user provides authentication, the
authentication engine on the client verifies the identity of the user (e.g., comparing the authentication data collected from the user with the user verification reference data stored in the secure storage of the authenticator) and uses the private key associated with the authentication device to encrypt and/or generate a signature over the random challenge (and also potentially the transaction device ID and/or the transaction text). The authentication response is then transmitted to the transaction device at 527.
[0076] At 528, the transaction device uses the public RPVerifyKey to verify the signature on the serverData (received at 524) if it has not done so already. Once the serverData is verified, it knows the public key associated with the authenticator used to perform the authentication (Uauth.pub). It uses this key to verify the authentication response. For example, it may use the public authentication key to decrypt or verify the signature generated over the nonce and any other related information (e.g., the transaction text, the transaction device ID, etc). If transaction confirmation is performed by the transaction device, then it may verify the transaction text displayed on the client by validating the signature generated over the transaction text and included in the authentication response at 528. Instead of having a cryptographically secured serverData structure, the transaction device could also verify unsigned serverData using an online connection to the relying party - if this is available (semi-offline case).
[0077] At 529, a success or failure indication is sent to the client depending on whether authentication was successful or unsuccessful, respectively. If successful, the transaction device will permit the transaction (e.g., debiting/crediting an account to complete a purchase, dispensing cash, performing administrative task, etc). If not, it will disallow the transaction and/or request additional authentication.
[0078] At 530 the transaction device may transmit the authentication response to the relying party and/or the transaction text (assuming that the relying party is the entity responsible for verifying the transaction text). A record of the transaction may be recorded at the relying party and/or the relying party may verify the transaction text and confirm the transaction (not shown). [0079] As illustrated in Figure 6, in one embodiment, a mobile app 601 is executed on the client to perform the operations described herein in combination with an authentication client 602 (which may be the secure transaction service 201 and interface 202 shown in Figure 2B). In particular, the mobile app 601 may open a secure channel to a web app 61 1 executed on the transaction device 450 using transport layer security (TLS) or other secure communication protocol. A web server 612 on the transaction device may also open a secure channel to communicate with the relying party 451 (e.g., to retrieve authentication requests and/or to provide updates to the relying party 451 as discussed above). The authentication client 602 may communicate directly with the relying party 451 to, for example, retrieve cacheable authentication requests (as discussed in detail above).
In one embodiment, the authentication client 602 may identify the relying party and any authorized Mobile Apps 601 with an "AppID" which is a unique code associated with each application made available by a relying party. In some embodiments, where a relying party offers multiple online services, a user may have multiple ApplDs with a single relying party (one for each service offered by the relying party).
[0080] In one embodiment, any application identified by an AppID may have multiple "facets" which identify the allowable mechanisms and/or application types for connecting with the relying party. For example, a particular relying party may allow access via a Web service and via different platform-specific mobile apps (e.g., an Android App, an iOS App, etc). Each of these may be identified using a different "FacetID" which may be provided by the relying party to the authentication engine as illustrated.
[0081] In one embodiment, the calling mobile app 601 passes its AppID to the API exposed by the authentication client 602. On each platform, the authentication client 602 identifies the calling app 601 , and determines its FacetID. It then resolves the AppID and checks whether the FacetID is included in a TrustedApps list provided by the relying party 451 .
[0082] In one embodiment, the cacheable authentication requests discussed above may be implemented using bearer tokens such as illustrated in Figures 7 and 8. In the embodiments of the invention described herein, the token recipient (the transaction device 450), needs to be able to verify the token, the authentication response and the binding of the token to the authentication response without requiring another "online" connection to the token issuer (the relying party).
[0083] Two classes of bearer tokens should be distinguished: [0084] 1 . Tokens which can only be verified by the recipient (e.g., the transaction device 450) using a different channel to the issuer (e.g., the relying party 451 ), that must exist between the token issuance and the token verification. This class of tokens is referred to herein as "unsigned tokens."
[0085] 2. Tokens which can be verified by the recipient due to their cryptographic structure, e.g., because they contain a digital signature which can be verified using data received from the token issuer, potentially way before the specific token was issued. This class of tokens is referred to herein as "signed tokens".
[0086] The term "signed token structure" Is used herein to refer to both the signed token including the Uauth.pub key and the signed structure containing the token.
Binding Signed Tokens to Authentication Keys
[0087] As illustrated in Figure 7, in one embodiment, in order to bind signed tokens to the Authentication Key, the token issuer (e.g., the relying party 451 ): (a) adds the Authentication public key (Uauth.pub) 702 to the to-be-signed portion 701 of the (to-be-) signed token; and (b) includes that signed token in the to-be-signed portion of the authentication response. By doing this, the token recipient (e.g., the transaction device 450) can verify the token by validating the signature 703 (e.g., the public RPVerifyKey discussed above). If the verification succeeds, it can extract the public key (Uauth.pub) and use it to verify the authentication response, as previously discussed.
Binding Unsigned Tokens to Authentication Keys
[0088] As illustrated in Figure 8, in order to bind unsigned tokens 802 to the
Authentication Key, in one embodiment, the token issuer (e.g., the relying party 451 ) creates a signed structure covering (at least) the original token 802 and to-be-signed data 801 which includes the authentication public key (Uauth.pub). The signed structure can be verified by validating the signature 803 using the public key related to the private signing key (e.g., the RPVerifyKey pair discussed above). This public signing key needs to be shared with the token recipient (e.g., the transaction device 450). Sharing can be done once after generation of the signing key pair, potentially way before the first signed structure was generated.
[0089] The techniques described herein support both the "full-offline" implementation (i.e., the transaction device 450 has no connection to the relying party 451 at the time of the transaction) as well as the "semi-offline" implementation (i.e., the transaction device has a connection to the relying party 451 at the time of the transaction, but the client does not. [0090] Even in the full-offline case, the transaction device 450 is still expected to be connected via a host from time to time to the relying party 451 . For example, the host may collect all responses stored in the transaction device 450 in order to send them to the relying party and may also update (if required) the list of revoked Uauth keys (e.g., the public authentication keys which have been revoked since the last connection).
[0091] Some embodiments also support pure (session) authentication as well as transaction confirmation. Even in the case of transaction confirmation, the relying party 451 can verify the transaction, if the transaction device 450 submits the transaction text along with the authentication response to the relying party 451 .
[0092] There several different use cases / applications for the techniques described herein. For example:
[0093] 1 . Payment. A user has registered his authenticator (e.g. a smartphone) with a payment service provider (PSP). The user wants to authenticate a payment at some merchant using a Point-of-Sale device (PoS) authorized by the PSP, but the PoS doesn't have a reliable and permanent online connection to the PSP (e.g. located in a Bus). In this example, the PoS may be implemented as the transaction device 450 and the PSP may be implemented as the relying party 451 described above to allow the transaction notwithstanding the lack of a reliable and permanent connection.
[0094] 2. Internet-of-Thinqs. A company has installed several embedded devices (e.g. in a factory, building, etc.). Maintenance of such devices is performed by a technicians employed by a contracted party. For performing the maintenance the technician has to authenticate to the device in order to prove his eligibility for the task. The following assumptions are made (based on realistic frame conditions):
[0095] a. The technician cannot perform registration with each of such devices (as there are too many of them).
[0096] b. There are too many technicians and too much fluctuation of such technicians in order to keep the list of eligible technicians up-to-date on each of the devices.
[0097] c. Neither the device nor the technician's computer has a reliable network connection at the time of maintenance.
[0098] Using the techniques described above, the company can inject a trust anchor (e.g., the public RPVerifyKey) into all devices once (e.g., at installation time). Each technician then registers with the contracted party (e.g., the relying party 451 which may be the technician's employer). Using the above techniques, the technician will be able to authenticate to each device. [0099] The embodiments of the invention described above may be implemented in any system in which a client with authentication capabilities is registered with a relying party and the authentication operation is performed between this client and a device (a) acting on behalf of the relying party and (b) being offline (i.e. not having a reliable network connection to the relying party's original server the client has been registered with) at the time of transaction. In such a case, the client receives a cacheable authentication request from the original server and caches it. Once it is required, the client computes the authentication response and sends it to the device.
[00100] In another embodiment, the client adds channel binding data (received in the authentication request) to the response in a cryptographically secure way. By doing this, the relying party's original server can verify that the request was received by a legitimate client (and not some man-in-the-middle).
[00101] In one embodiment, the relying party adds additional authenticated data to the response such as the Uauth.pub key which allows the device to verify the authentication or transaction confirmation response, without having to contact the relying party server for retrieving the approved Uauth.pub key. In another embodiment, the relying party requires the user of the client to perform a successful authentication before issuing the "cacheable" authentication requests (in order to prevent denial of service attacks). In one embodiment, the relying party requires the client to indicate whether a request needs to be cacheable or not. If cacheable, the relying party may require additional authentication data in the response (e.g., the MaxCacheTime discussed above).
[00102] In one embodiment, a device such as the transaction device 450 does not have a direct network connection to the relying party and is "synchronized" to the relying party using a separate computer (sometimes referred to herein as the "host"). This host retrieves all collected authentication responses from the device and transfers them to the relying party. Additionally the host may also copy a list of revoked Uauth keys to the device to ensure that one of the revoked keys is not used in an authentication response.
[00103] In one embodiment, a device such as the transaction device 450 sends a random value (e.g., nonce) to the client and the client cryptographically adds this random value as an extension to the authentication response before signing it. This signed random value serves as a freshness proof to the device.
[00104] In one embodiment, the client's authenticator adds the current time Ta as an extension to the authentication response before signing it. The device/transaction device may compare that time to the current time Td and only accept the response if the difference between Ta and Td is acceptable (e.g., if the difference is less than two minutes (abs(Td-Ta)<2 min)).
[00105] In one embodiment, the relying party adds an authenticated (i.e., signed) expiration time to the cacheable request. As discussed above, the device/transaction device will only accept the response as valid if it is received before the expiration time.
[00106] In one embodiment, the relying party adds an authenticated (i.e., signed) data block (e.g., the "signed token structure" mentioned above) including additional information such as (but not limited to) public key, expiration time, maximum transaction value (e.g., Security Assertion Markup Language (SAML) assertions, OAuth tokens, JSON Web Signature (JWS) objects, etc) to the cacheable request. The
device/transaction device may only accept the response as valid if the signed data block can be positively verified and the contents are acceptable.
[00107] In one embodiment, the relying party only adds the unsigned token to the cacheable authentication request, but the transaction device has an online connection to the relying party at the time of transaction. The transaction device verifies the authenticity of the unsigned token using the online connection to the relying party at the time of transaction.
[00108] FIG. 9 illustrates exemplary "offline" and "semi-offline" authentication scenarios in accordance with one embodiment of the invention. In this embodiment, the user with a computing device 910 has an established relation to the relying party 930 and could authenticate to the relying party. However, in some circumstances, the user wants to perform a transaction (e.g., an authentication of a transaction confirmation) with a device 970 which has an established relation to the relying party 930 but not necessarily one to the user's computing device 910. With respect to this embodiment, the transaction is referred to as "full offline" if the connection 920 and connection 921 do not exist or are not stable at the relevant time (e.g., the time of authentication of the user's computing device 910 to the device 970 or of the transaction between the user's computing device 910 and the device 970). With respect to this embodiment, the transaction is "semi-offline" if the connection 920 between the user's computing device 910 and the relying party 930 is not stable, but the connection 921 between the device 970 and the relying party 930 is stable. Note that in this embodiment, connection 922 between the user's computing device 910 and device 970 is required to be stable at the relevant time. It is also expected that the Authenticator to be connected to the user's computing device 910. The connection 922 could be implemented using any type of communication channels/protocols including, but not limited to, Bluetooth, Bluetooth low energy (BTLE), near field communication (NFC), Wifi, Global System for Mobile
Communications (GSM), Universal Mobile Telecommunications System (UTMS), Long- Term Evolution (LTE) (e.g., 4G LTE), and TCP/IP.
Exemplary Data Processing Devices
[00109] Figure 10 is a block diagram illustrating an exemplary clients and servers which may be used in some embodiments of the invention. It should be understood that while Figure 10 illustrates various components of a computer system, it is not intended to represent any particular architecture or manner of interconnecting the components as such details are not germane to the present invention. It will be appreciated that other computer systems that have fewer components or more components may also be used with the present invention.
[00110] As illustrated in Figure 10, the computer system 1000, which is a form of a data processing system, includes the bus(es) 1050 which is coupled with the processing system 1020, power supply 1025, memory 1030, and the nonvolatile memory 1040 (e.g., a hard drive, flash memory, Phase-Change Memory (PCM), etc.). The bus(es) 1050 may be connected to each other through various bridges, controllers, and/or adapters as is well known in the art. The processing system 1020 may retrieve instruction(s) from the memory 1030 and/or the nonvolatile memory 1040, and execute the instructions to perform operations as described above. The bus 1050 interconnects the above components together and also interconnects those components to the optional dock 1060, the display controller & display device 1070, Input/Output devices 1080 (e.g., NIC (Network Interface Card), a cursor control (e.g., mouse, touchscreen, touchpad, etc.), a keyboard, etc.), and the optional wireless transceiver(s) 1090 (e.g., Bluetooth, WiFi, Infrared, etc.).
[00111] Figure 11 is a block diagram illustrating an exemplary data processing system which may be used in some embodiments of the invention. For example, the data processing system 190 may be a handheld computer, a personal digital assistant (PDA), a mobile telephone, a portable gaming system, a portable media player, a tablet or a handheld computing device which may include a mobile telephone, a media player, and/or a gaming system. As another example, the data processing system 1 100 may be a network computer or an embedded processing device within another device.
[00112] According to one embodiment of the invention, the exemplary architecture of the data processing system 1 100 may be used for the mobile devices described above. The data processing system 1 100 includes the processing system 1 120, which may include one or more microprocessors and/or a system on an integrated circuit. The processing system 1 120 is coupled with a memory 1 1 10, a power supply 1 125 (which includes one or more batteries) an audio input/output 1 140, a display controller and display device 1 160, optional input/output 1 150, input device(s) 1 170, and wireless transceiver(s) 1 130. It will be appreciated that additional components, not shown in Figure 11 , may also be a part of the data processing system 1 100 in certain
embodiments of the invention, and in certain embodiments of the invention fewer components than shown in Figure 11 may be used. In addition, it will be appreciated that one or more buses, not shown in Figure 11 , may be used to interconnect the various components as is well known in the art.
[00113] The memory 1 1 10 may store data and/or programs for execution by the data processing system 1 100. The audio input/output 1 140 may include a microphone and/or a speaker to, for example, play music and/or provide telephony functionality through the speaker and microphone. The display controller and display device 1 160 may include a graphical user interface (GUI). The wireless (e.g., RF) transceivers 1 130 (e.g., a WiFi transceiver, an infrared transceiver, a Bluetooth transceiver, a wireless cellular telephony transceiver, etc.) may be used to communicate with other data processing systems. The one or more input devices 1 170 allow a user to provide input to the system. These input devices may be a keypad, keyboard, touch panel, multi touch panel, etc. The optional other input/output 1 150 may be a connector for a dock.
[00114] Embodiments of the invention may include various steps as set forth above. The steps may be embodied in machine-executable instructions which cause a general- purpose or special-purpose processor to perform certain steps. Alternatively, these steps may be performed by specific hardware components that contain hardwired logic for performing the steps, or by any combination of programmed computer components and custom hardware components.
[00115] Elements of the present invention may also be provided as a machine- readable medium for storing the machine-executable program code. The machine- readable medium may include, but is not limited to, floppy diskettes, optical disks, CD- ROMs, and magneto-optical disks, ROMs, RAMs, EPROMs, EEPROMs, magnetic or optical cards, or other type of media/machine-readable medium suitable for storing electronic program code.
[00116] Throughout the foregoing description, for the purposes of explanation, numerous specific details were set forth in order to provide a thorough understanding of the invention. It will be apparent, however, to one skilled in the art that the invention may be practiced without some of these specific details. For example, it will be readily apparent to those of skill in the art that the functional modules and methods described herein may be implemented as software, hardware or any combination thereof.
Moreover, although some embodiments of the invention are described herein within the context of a mobile computing environment, the underlying principles of the invention are not limited to a mobile computing implementation. Virtually any type of client or peer data processing devices may be used in some embodiments including, for example, desktop or workstation computers. Accordingly, the scope and spirit of the invention should be judged in terms of the claims which follow.
[00117] Embodiments of the invention may include various steps as set forth above. The steps may be embodied in machine-executable instructions which cause a general- purpose or special-purpose processor to perform certain steps. Alternatively, these steps may be performed by specific hardware components that contain hardwired logic for performing the steps, or by any combination of programmed computer components and custom hardware components.

Claims

CLAIMS We claim :
1 . A method comprising:
registering an authenticator of a client with a relying party, the registration allowing a user of the client to remotely authenticate the user to the relying party over a network;
generating a first authentication structure using at least a first authentication key associated with the authenticator and a signature generated with a first verification key; caching the first authentication structure on the client;
providing a second verification key corresponding to the first verification key to a transaction device;
performing an authentication transaction between the client and the transaction device in which the client generates a second authentication structure using a second authentication key associated with the first authentication key, the transaction device uses the second verification key to validate the signature on the first authentication structure and uses the first authentication key to validate the second authentication structure.
2. The method as in claim 1 wherein the first verification key is a private key used to generate the signature and the second verification key provided to the transaction device is a corresponding public verification key capable of validating the signature.
3. The method as in claim 1 wherein the second authentication key comprises a private authentication key associated with the authenticator and the first authentication key is a corresponding public authentication key.
4. The method as in claim 1 wherein the first and second verification keys are the same keys and/or wherein the first and second authentication keys are the same keys.
5. The method as in claim 1 wherein the operation of generating the first authentication structure is performed at the relying party.
6. The method as in claim 5 wherein the first authentication key comprises a public key associated with the authenticator (Uauth.pub) and the signature is generated over at least the public key using the first verification key.
7. The method as in claim 6 wherein the first authentication structure comprises a combination of a nonce generated by the relying party, the public key and the signature generated over the combination of the nonce and the public key.
8. The method as in claim 6 wherein the first authentication structure comprises a combination of a nonce generated by the relying party, cache timing data indicating an amount of time the first authentication structure can be cached on the client, the public key and the signature generated over the combination of the nonce, the cache timing data, and the public key.
9. The method as in claim 6 wherein the second authentication structure comprises the nonce or a value provided by the transaction device and a signature generated by applying the second authentication key over at least the nonce and/or the value provided by the transaction device.
10. The method as in claim 6 wherein the second authentication structure comprises a signature generated by applying the second authentication key over transaction text securely displayed on the client during a transaction with the transaction device.
1 1 . The method as in claim 10 wherein the signature is verified by the transaction device and/or the relying party using the first authentication key.
12. A method comprising:
registering an authenticator of a client with a relying party, the registration allowing a user of the client to remotely authenticate the user to the relying party over a network;
generating a first authentication structure using at least a first authentication key associated with the authenticator and a signature generated with a first verification key; storing the first authentication structure on a transaction device responsive to a user request to initiate a transaction through the transaction device; providing a second verification key corresponding to the first verification key to the transaction device;
performing an authentication transaction between the client and the transaction device in which the client generates a second authentication structure using a second authentication key associated with the first authentication key, the transaction device uses the second verification key to validate the signature on the first authentication structure and uses the first authentication key to validate the second authentication structure.
13. The method as in claim 12 wherein the first verification key is a private key used to generate the signature and the second verification key provided to the transaction device is a corresponding public verification key capable of validating the signature.
14. The method as in claim 12 wherein the second authentication key comprises a private authentication key associated with the authenticator and the first authentication key is a corresponding public authentication key.
15. The method as in claim 12 wherein the first and second verification keys are the same keys and/or wherein the first and second authentication keys are the same keys.
16. The method as in claim 12 wherein the operation of generating the first authentication structure is performed at the relying party.
17. The method as in claim 16 wherein the first authentication key comprises a public key associated with the authenticator (Uauth.pub) and the signature is generated over at least the public key using the first verification key.
18. The method as in claim 17 wherein the first authentication structure comprises a combination of a nonce generated by the relying party, the public key and the signature generated over the combination of the nonce and the public key.
19. The method as in claim 17 wherein the first authentication structure comprises a combination of a nonce generated by the relying party, cache timing data indicating an amount of time the first authentication structure can be cached on the client, the public key and the signature generated over the combination of the nonce, the cache timing data, and the public key.
20. The method as in claim 17 wherein the second authentication structure comprises the nonce or a value provided by the transaction device and a signature generated by applying the second authentication key over at least the nonce and/or the value provided by the transaction device.
21 . The method as in claim 17 wherein the second authentication structure comprises a signature generated by applying the second authentication key over transaction text securely displayed on the client during a transaction with the transaction device.
22. The method as in claim 21 wherein the signature is verified by the transaction device and/or the relying party using the first authentication key.
23. A method comprising:
registering an authenticator of a client with a relying party, the registration allowing a user of the client to remotely authenticate the user to the relying party over a network;
generating a first authentication structure using at least a first authentication key associated with the authenticator
caching the first authentication structure on the client;
performing an authentication transaction between the client and the transaction device in which the client generates a second authentication structure using a second authentication key associated with the first authentication key, the transaction device uses an online or out-of-band connection to the relying party to validate the first authentication structure and uses the first authentication key to validate the second authentication structure.
24. The method as in claim 23 wherein the second authentication key comprises a private authentication key associated with the authenticator and the first authentication key is a corresponding public authentication key.
25. The method as in claim 23 wherein the operation of generating the first authentication structure is performed at the relying party.
26. The method as in claim 25 wherein the first authentication key comprises a public key associated with the authenticator (Uauth.pub).
27. The method as in claim 26 wherein the first authentication structure comprises a combination of a nonce generated by the relying party, the public key and the signature generated over the combination of the nonce and the public key.
28. The method as in claim 26 wherein the first authentication structure comprises a combination of a nonce generated by the relying party, cache timing data indicating an amount of time the first authentication structure can be cached on the client, the public key and the signature generated over the combination of the nonce, the cache timing data, and the public key.
29. The method as in claim 26 wherein the second authentication structure comprises the nonce or a value provided by the transaction device and a signature generated by applying the second authentication key over at least the nonce and/or the value provided by the transaction device.
30. The method as in claim 26 wherein the second authentication structure comprises a signature generated by applying the second authentication key over transaction text securely displayed on the client during a transaction with the transaction device.
31 . The method as in claim 30 wherein the signature is verified by the transaction device and/or the relying party using the first authentication key.
PCT/US2015/042783 2014-07-31 2015-07-30 System and method for authenticating a client to a device WO2016019086A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
KR1020177003444A KR102358546B1 (en) 2014-07-31 2015-07-30 System and method for authenticating a client to a device
EP15826364.0A EP3175414B1 (en) 2014-07-31 2015-07-30 System and method for authenticating a client to a device
JP2017505504A JP6648110B2 (en) 2014-07-31 2015-07-30 System and method for authenticating a client to a device
CN201580041803.4A CN106575416B (en) 2014-07-31 2015-07-30 System and method for authenticating a client to a device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US14/448,641 US9450760B2 (en) 2014-07-31 2014-07-31 System and method for authenticating a client to a device
US14/448,641 2014-07-31

Publications (1)

Publication Number Publication Date
WO2016019086A1 true WO2016019086A1 (en) 2016-02-04

Family

ID=55218297

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2015/042783 WO2016019086A1 (en) 2014-07-31 2015-07-30 System and method for authenticating a client to a device

Country Status (6)

Country Link
US (1) US9450760B2 (en)
EP (1) EP3175414B1 (en)
JP (1) JP6648110B2 (en)
KR (1) KR102358546B1 (en)
CN (1) CN106575416B (en)
WO (1) WO2016019086A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107566335A (en) * 2017-07-21 2018-01-09 北京海泰方圆科技股份有限公司 The treating method and apparatus of message
WO2018011267A1 (en) * 2016-07-13 2018-01-18 Luxtrust S.A. Method for providing secure digital signatures
EP3422798A1 (en) * 2017-06-28 2019-01-02 Guangdong OPPO Mobile Telecommunications Corp., Ltd. Communication method and device
US10230756B2 (en) 2015-11-25 2019-03-12 International Business Machines Corporation Resisting replay attacks efficiently in a permissioned and privacy-preserving blockchain network
US20200012772A1 (en) * 2018-07-03 2020-01-09 Tinoq Inc. Systems and methods for matching identity and readily accessible personal identifier information based on transaction timestamp

Families Citing this family (41)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8412947B2 (en) * 2006-10-05 2013-04-02 Ceelox Patents, LLC System and method of secure encryption for electronic data transfer
JP6354407B2 (en) * 2014-07-11 2018-07-11 株式会社リコー Authentication system, authentication method, program, and communication system
US10032011B2 (en) * 2014-08-12 2018-07-24 At&T Intellectual Property I, L.P. Method and device for managing authentication using an identity avatar
US10275962B2 (en) * 2015-12-14 2019-04-30 Afero, Inc. Apparatus and method for internet of things (IOT) security lock and notification device
US9917824B2 (en) * 2015-12-14 2018-03-13 Afero, Inc. Apparatus and method for Internet of Things (IoT) authentication for a mass storage device
US20170180360A1 (en) * 2015-12-22 2017-06-22 Centre For Development Of Advanced Computing (Cdac) System for securing user identity information and a device thereof
US11170094B2 (en) * 2016-01-27 2021-11-09 Secret Double Octopus Ltd. System and method for securing a communication channel
US10790978B2 (en) 2016-05-25 2020-09-29 Intel Corporation Technologies for collective authorization with hierarchical group keys
US11086842B1 (en) * 2016-06-30 2021-08-10 EMC IP Holding Company LLC Highly scalable and consistent pluggable messaging system
US10650621B1 (en) 2016-09-13 2020-05-12 Iocurrents, Inc. Interfacing with a vehicular controller area network
US10440014B1 (en) * 2016-09-30 2019-10-08 Assa Abloy Ab Portable secure access module
US20180095500A1 (en) * 2016-09-30 2018-04-05 Intel Corporation Tap-to-dock
US11093207B1 (en) 2016-10-28 2021-08-17 Assa Abloy Ab Visual verification of virtual credentials and licenses
US10567539B2 (en) 2016-11-23 2020-02-18 Cisco Technology, Inc. Managing metadata in cloud driven, thin client video applications
US11928201B2 (en) 2016-12-22 2024-03-12 Hid Global Cid Sas Mobile credential with online/offline delivery
US10757103B2 (en) * 2017-04-11 2020-08-25 Xage Security, Inc. Single authentication portal for diverse industrial network protocols across multiple OSI layers
KR102071984B1 (en) * 2017-07-19 2020-02-03 라온시큐어(주) Method and device for providing authentication service using mobile terminal
US11868995B2 (en) * 2017-11-27 2024-01-09 Nok Nok Labs, Inc. Extending a secure key storage for transaction confirmation and cryptocurrency
WO2020005948A1 (en) * 2018-06-25 2020-01-02 Jpmorgan Chase Bank, N.A. Systems and methods for using an oauth client secret to encrypt data sent to browser
JP6937280B2 (en) * 2018-09-13 2021-09-22 株式会社東芝 Information processing device, resource providing device, information processing method, information processing program, resource providing method, resource providing program
CN111125675B (en) * 2018-10-30 2023-04-25 阿里巴巴集团控股有限公司 Method and system for controlling debug port and test method
US10326802B1 (en) * 2018-12-04 2019-06-18 Xage Security, Inc. Centrally managing data for orchestrating and managing user accounts and access control and security policies remotely across multiple devices
DE112019006051T5 (en) * 2019-01-09 2021-09-30 Mitsubishi Electric Corporation SECURE COMPUTING SETUP AND CLIENT SETUP
US12041039B2 (en) 2019-02-28 2024-07-16 Nok Nok Labs, Inc. System and method for endorsing a new authenticator
US11792024B2 (en) * 2019-03-29 2023-10-17 Nok Nok Labs, Inc. System and method for efficient challenge-response authentication
KR102248270B1 (en) * 2019-05-23 2021-05-03 김성완 Node device constituting a block-chain network and an operation method of the node device
JP6896813B2 (en) * 2019-08-30 2021-06-30 株式会社日立製作所 Transaction execution method and system
CN110601847B (en) * 2019-09-05 2021-03-05 北京海益同展信息科技有限公司 Accident processing method, device and system
WO2021212009A1 (en) * 2020-04-16 2021-10-21 Mastercard International Incorporated Systems, methods, and non-transitory computer-readable media for secure biometrically-enhanced data exchanges and data storage
DE102020125570A1 (en) 2020-09-30 2022-03-31 Novar Gmbh METHOD, SYSTEM AND COMPUTER PROGRAM FOR AUTHENTICATION OF FIRE CONTROL SYSTEMS
CN115080949A (en) * 2021-03-12 2022-09-20 华为技术有限公司 Electronic equipment unlocking method and related equipment
US20220329577A1 (en) * 2021-04-13 2022-10-13 Biosense Webster (Israel) Ltd. Two-Factor Authentication to Authenticate Users in Unconnected Devices
US11671260B2 (en) * 2021-05-12 2023-06-06 Mozarc Medical Us Llc Expiring software key for unlocking a mode on a device
US11665141B1 (en) 2022-03-04 2023-05-30 Oversec, Uab Virtual private network connection status detection
US12113774B2 (en) 2022-03-04 2024-10-08 Oversec, Uab Virtual private network resource management
US11647084B1 (en) 2022-03-04 2023-05-09 Oversec, Uab Virtual private network connection management with echo packets
US11627191B1 (en) 2022-03-04 2023-04-11 Oversec, Uab Network connection management
US12021933B2 (en) 2022-03-04 2024-06-25 Oversec, Uab Network connection status detection
US12015672B2 (en) 2022-03-04 2024-06-18 Oversec, Uab Network reconnection request handling
US12015674B2 (en) * 2022-03-04 2024-06-18 Oversec, Uab Virtual private network connection status detection
WO2024206861A1 (en) * 2023-03-29 2024-10-03 Visa International Service Association Enterprise controlled authentication

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060282670A1 (en) * 2005-06-08 2006-12-14 International Business Machines Corporation Relying party trust anchor based public key technology framework
US20110082801A1 (en) * 2009-10-06 2011-04-07 Validity Sensors, Inc. Secure Transaction Systems and Methods
US20110307949A1 (en) * 2009-02-19 2011-12-15 Troy Jacob Ronda System and methods for online authentication
US20140189791A1 (en) * 2012-12-28 2014-07-03 Rolf Lindemann System and method for implementing privacy classes within an authentication framework
US20140189350A1 (en) * 2012-12-28 2014-07-03 Davit Baghdasaryan System and method for efficiently enrolling, registering, and authenticating with multiple authentication devices

Family Cites Families (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5588061A (en) * 1994-07-20 1996-12-24 Bell Atlantic Network Services, Inc. System and method for identity verification, forming joint signatures and session key agreement in an RSA public cryptosystem
WO2001044968A2 (en) * 1999-12-02 2001-06-21 Oakington Technologies Limited Transaction system and method
US7233926B2 (en) * 2000-03-07 2007-06-19 Thomson Licensing Electronic wallet system with secure inter-purses operations
KR100954640B1 (en) 2002-02-05 2010-04-27 파나소닉 주식회사 Personal authentication method and device
CN1882963A (en) * 2003-06-30 2006-12-20 塞尔维纳坦·纳拉因萨米 Transaction verification system
EP1811421A1 (en) * 2005-12-29 2007-07-25 AXSionics AG Security token and method for authentication of a user with the security token
US7512567B2 (en) 2006-06-29 2009-03-31 Yt Acquisition Corporation Method and system for providing biometric authentication at a point-of-sale via a mobile device
CN101101687B (en) * 2006-07-05 2010-09-01 山谷科技有限责任公司 Method, apparatus, server and system using biological character for identity authentication
US8818904B2 (en) * 2007-01-17 2014-08-26 The Western Union Company Generation systems and methods for transaction identifiers having biometric keys associated therewith
CN101276448A (en) * 2007-03-29 2008-10-01 阿里巴巴集团控股有限公司 Payment system and method performing trading with identification card including IC card
CN101051908B (en) * 2007-05-21 2011-05-18 北京飞天诚信科技有限公司 Dynamic cipher certifying system and method
US8134449B2 (en) * 2007-10-23 2012-03-13 Minebea Co., Ltd Method and system for biometric keyboard
US8220032B2 (en) 2008-01-29 2012-07-10 International Business Machines Corporation Methods, devices, and computer program products for discovering authentication servers and establishing trust relationships therewith
US8555078B2 (en) * 2008-02-29 2013-10-08 Adobe Systems Incorporated Relying party specifiable format for assertion provider token
JP2009223452A (en) * 2008-03-14 2009-10-01 Hitachi Ltd Authentication system, and authentication server device and user device and application server device
US20090307140A1 (en) 2008-06-06 2009-12-10 Upendra Mardikar Mobile device over-the-air (ota) registration and point-of-sale (pos) payment
US20100299738A1 (en) * 2009-05-19 2010-11-25 Microsoft Corporation Claims-based authorization at an identity provider
US8584224B1 (en) * 2011-04-13 2013-11-12 Symantec Corporation Ticket based strong authentication with web service
US8953789B2 (en) * 2011-06-01 2015-02-10 International Business Machines Corporation Combining key control information in common cryptographic architecture services
CN102255917B (en) * 2011-08-15 2014-09-03 北京宏基恒信科技有限责任公司 Method, system and device for updating and synchronizing keys of dynamic token
TW201345217A (en) * 2012-01-20 2013-11-01 Interdigital Patent Holdings Identity management with local functionality
EP3916593B1 (en) * 2012-12-28 2023-09-13 Nok Nok Labs, Inc. System and method for efficiently enrolling, registering, and authenticating with multiple authentication devices
CN103220145B (en) * 2013-04-03 2015-06-17 天地融科技股份有限公司 Method and system for electronic signature token to respond to operation request, and electronic signature token
CN103475666B (en) * 2013-09-23 2017-01-04 中国科学院声学研究所 A kind of digital signature authentication method of Internet of Things resource

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060282670A1 (en) * 2005-06-08 2006-12-14 International Business Machines Corporation Relying party trust anchor based public key technology framework
US20110307949A1 (en) * 2009-02-19 2011-12-15 Troy Jacob Ronda System and methods for online authentication
US20110082801A1 (en) * 2009-10-06 2011-04-07 Validity Sensors, Inc. Secure Transaction Systems and Methods
US20110083016A1 (en) * 2009-10-06 2011-04-07 Validity Sensors, Inc. Secure User Authentication Using Biometric Information
US20140189791A1 (en) * 2012-12-28 2014-07-03 Rolf Lindemann System and method for implementing privacy classes within an authentication framework
US20140189350A1 (en) * 2012-12-28 2014-07-03 Davit Baghdasaryan System and method for efficiently enrolling, registering, and authenticating with multiple authentication devices

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
BARKER ET AL.: "Recommendation for key management part 3: Application-specific key management guidance.", NIST SPECIAL PUBLICATION 800-57., December 2009 (2009-12-01), XP055390228, Retrieved from the Internet <URL:http://www.immagic.com/eLibrary/ARCHIVES/TECH/US_DOC/N091200B.pdf> *
See also references of EP3175414A4 *

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10230756B2 (en) 2015-11-25 2019-03-12 International Business Machines Corporation Resisting replay attacks efficiently in a permissioned and privacy-preserving blockchain network
WO2018011267A1 (en) * 2016-07-13 2018-01-18 Luxtrust S.A. Method for providing secure digital signatures
LU93150B1 (en) * 2016-07-13 2018-03-05 Luxtrust S A Method for providing secure digital signatures
US11082236B2 (en) 2016-07-13 2021-08-03 Luxtrust S.A. Method for providing secure digital signatures
EP3422798A1 (en) * 2017-06-28 2019-01-02 Guangdong OPPO Mobile Telecommunications Corp., Ltd. Communication method and device
US10938806B2 (en) 2017-06-28 2021-03-02 Guangdong Oppo Mobile Telecommunications Corp., Ltd. Communication method and device
CN107566335A (en) * 2017-07-21 2018-01-09 北京海泰方圆科技股份有限公司 The treating method and apparatus of message
CN107566335B (en) * 2017-07-21 2019-04-02 北京海泰方圆科技股份有限公司 The treating method and apparatus of message
US20200012772A1 (en) * 2018-07-03 2020-01-09 Tinoq Inc. Systems and methods for matching identity and readily accessible personal identifier information based on transaction timestamp

Also Published As

Publication number Publication date
US20160241403A1 (en) 2016-08-18
EP3175414B1 (en) 2020-07-29
CN106575416A (en) 2017-04-19
US9450760B2 (en) 2016-09-20
EP3175414A4 (en) 2018-03-21
KR102358546B1 (en) 2022-02-03
CN106575416B (en) 2020-12-04
KR20170039672A (en) 2017-04-11
JP6648110B2 (en) 2020-02-14
JP2017530586A (en) 2017-10-12
EP3175414A1 (en) 2017-06-07

Similar Documents

Publication Publication Date Title
EP3175414B1 (en) System and method for authenticating a client to a device
CN106664208B (en) System and method for establishing trust using secure transport protocol
US11792024B2 (en) System and method for efficient challenge-response authentication
EP3195108B1 (en) System and method for integrating an authentication service within a network architecture
EP3138265B1 (en) Enhanced security for registration of authentication devices
KR102439782B1 (en) System and method for implementing a hosted authentication service
US12126647B2 (en) System and method for protection against malicious program code injection
US20210194919A1 (en) System and method for protection against malicious program code injection

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15826364

Country of ref document: EP

Kind code of ref document: A1

REEP Request for entry into the european phase

Ref document number: 2015826364

Country of ref document: EP

ENP Entry into the national phase

Ref document number: 2017505504

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 20177003444

Country of ref document: KR

Kind code of ref document: A