- Patent Number:
7,599,493
- Appl. No:
11/056114
- Application Filed:
February 14, 2005
- Abstract:
Techniques for providing different levels of access based upon a same authentication factor are provided. A first message is received that is transformed with a first portion of a split private key, the first portion based upon a user password and another factor, and the split private key associated with an asymmetric key pair having a public key and the split private key. The user is authenticated for a first level of network access based upon the received first message being transformed with the first portion. A second message is received that is transformed with a second portion of the split private key, the second portion based upon the password only and not combinable with the first portion to complete the split private key. The user is authenticated for a second level of network access different than the first level based upon the received second message being transformed with the second portion.
- Inventors:
Sandhu, Ravinderpal Singh (Oak Hill, VA, US); Schoppert, Brett Jason (Leesburg, VA, US); Ganesan, Ravi (Half Moon Bay, CA, US); Bellare, Mihir (San Diego, CA, US); deSa, Colin Joseph (Herndon, VA, US)
- Assignees:
TriCipher Inc. (San Mateo, CA, US)
- Claim:
1. An article of manufacture for providing different levels of access based upon a same authentication factor, comprising: computer readable storage media; and computer programming stored on the storage media, wherein the stored computer programming is configured to be readable by one or more computers and thereby cause the one or more computers to operate so as to: receive a first message transformed with a first portion of a split private key, the first portion based upon a user password and another factor, different than the user password, with both factors being under the control of the user, and the split private key associated with an asymmetric key pair having a public key and the split private key; authenticate the user for a first level of network access based upon the received first message being transformed with the first portion; receive a second message transformed with a second portion of the split private key, the second portion based upon the user password only and not combinable with the first portion to complete the split private key; and authenticate the user for a second level of network access different than the first level based upon the received second message being transformed with the second portion.
- Claim:
2. The article of manufacture of claim 1, wherein: if authenticated for the first level of access, first information is available to the user; and if authenticated for the second level of access, second information is available to the user.
- Claim:
3. The article of manufacture of claim 2, wherein the second information is only a portion of the first information.
- Claim:
4. The article of manufacture of claim 1, wherein: the first message is received from a first network station; the other factor is stored at the first network station; and the second message is received from a second network station at which the other factor is not stored.
- Claim:
5. The article of manufacture of claim 1, wherein the stored computer programming is further configured to thereby cause the one or more computers to operate so as to: generate an asymmetric key pair having a private key and a public key; and split the private key, based upon the password only, into a second set of multiple private portions including the second private portion.
- Claim:
6. The article of manufacture of claim 1, wherein the stored computer programming is further configured to thereby cause the one or more computers to operate so as to: transform the received first message with a third portion of the split private key, the public key of the asymmetric key pair, and at least one other public key to determine that the received first message is transformed with the first portion; and transform the received second message with only a fourth portion of the split private key and the public key of the asymmetric key pair to determine that the received second message is transformed with the second portion.
- Claim:
7. The article of manufacture of claim 1, wherein the first portion is generated by cryptographically combining the user password and the other factor.
- Claim:
8. The article of manufacture of claim 1, wherein: the asymmetric key pair is a first asymmetric key pair; the first portion is based upon three factors; a first factor is the user password; a second factor is a private key of a second asymmetric key pair; and a third factor is a private key of a third asymmetric key pair.
- Claim:
9. The article of manufacture of claim 8, wherein: the password is not stored in a persistent state; the private key of the second asymmetric key pair is stored in a first location; and the private key of the third asymmetric key pair is stored in a second location different than the first location.
- Claim:
10. A system for providing different levels of access based upon a same authentication factor, comprising: a communications interface configured to receive i) a first message transformed with a first portion of a split private key, the first portion based upon a user password and another factor, different than the user password, with both factors being under the control of the user, and the split private key associated with an asymmetric key pair having a public key and the split private key, and ii) a second message transformed with a second portion of the split private key, the second portion based upon the user password only and not combinable with the first portion to complete the split private key; and a processor configured to i) authenticate the user for a first level of network access based upon the received first message being transformed with the first portion, and ii) authenticate the user for a second level of network access different than the first level based upon the received second message being transformed with the second portion.
- Claim:
11. The system of claim 10, wherein: if authenticated for the first level of access, first information is available to the user; and if authenticated for the second level of access, second information is available to the user.
- Claim:
12. The system of claim 11, wherein the second information is only a portion of the first information.
- Claim:
13. The system of claim 10, wherein: the first message is received from a first network station; the other factor is stored at the first network station; and the second message is received from a second network station at which the other factor is not stored.
- Claim:
14. The system of claim 11, wherein the processor is a first processor, and further comprising: a second processor configured to i) generate an asymmetric key pair having a private key and a public key, ii) split the private key, based upon the password and the other factor, into a first set of multiple private portions including the first private portion, and iii) split the private key, based upon the password only, into a second set of multiple private portions including the second private portion.
- Claim:
15. The system of claim 10, wherein the processor is further configured to i) transform the received first message with a third portion of the split private key, the public key of the asymmetric key pair, and at least one other public key to determine that the received first message is transformed with the first portion, and ii) transform the received second message with only a fourth portion of the split private key and the public key of the asymmetric key pair to determine that the received second message is transformed with the second portion.
- Claim:
16. The system of claim 10, wherein the first portion is generated by cryptographically combining the user password and the other factor.
- Claim:
17. The system of claim 10, wherein: the asymmetric key pair is a first asymmetric key pair; the first portion is based upon three factors; a first factor is the user password; a second factor is a private key of a second asymmetric key pair; and a third factor is a private key of a third asymmetric key pair.
- Claim:
18. The system of claim 17, wherein: the password is not stored in a persistent state; the private key of the second asymmetric key pair is stored in a first location; and the private key of the third asymmetric key pair is stored in a second location different than the first location.
- Current U.S. Class:
380/44
- Patent References Cited:
5623546 April 1997 Hardy et al.
5768388 June 1998 Goldwasser et al.
5953422 September 1999 Angelo et al.
6026163 February 2000 Micali
6072876 June 2000 Obata et al.
6542608 April 2003 Scheidt et al.
6662299 December 2003 Price, III
6845160 January 2005 Aoki
7095851 August 2006 Scheidt
7260552 August 2007 Riera Jorba et al.
2002/0078345 June 2002 Sandhu et al.
2003/0147536 August 2003 Andivahis et al.
2003/0172298 September 2003 Gunter et al.
2005/0002532 January 2005 Zhou et al.
- Other References:
RSA Laboratories, "PKCS #5 v2.0: Password-Based Cryptography Standard", Dec. 10, 1998, pp. 1-25 (cited by other).
- Assistant Examiner:
Schmidt, Kari L
- Primary Examiner:
Simitoski, Michael J
- Attorney, Agent or Firm:
Antonelli, Terry, Stout & Kraus, LLP.
- Record Identifier:
edspgr.07599493