Patents

We currently own the following patent families. Please contact us if you are interested in licensing any of them.

Scheme for frictionless cardholder authentication

US patents 10,825,025 and 11,263,638. These patents describe a cardholder authentication method where the merchant redirects the cardholder’s browser to the card issuer’s web site, but a Service Worker registered with the browser by the issuer intercepts the redirected request and authenticates the user by proof of possession of a private key, which is used to sign a description of the transaction and thus provide a defense against transaction repudiation to the merchant. The private key is associated with a credit card certificate that contains the corresponding public key and a cryptographic hash of the data printed on the credit card. The card data is not included in the certificate to avoid exposing it to an attacker who uses malware or physical capture of the cardholder’s device to obtain the certificate. When the merchant’s site or native app receives the certificate along with signature, it verifies the hash against the printed card data entered by the cardholder.

For more information see the Cardholder Authentication page.

Operation of a certificate authority on a distributed ledger

US patent 10,764,067. An on-ledger certificate authority operates a node of a distributed ledger that controls a certificate issuance store and a certificate revocation store. When the certificate authority issues a certificate, the node issues a ledger transaction with an instruction to store a validation hash of the certificate in the issuance store, and when a certificate is revoked, a ledger transaction with an instruction to store the serial number of the certificate in the revocation store. As such transactions propagate throughout the ledger, the instructions are executed by on-ledger verifiers in their local replicas of the stores. An onledger verifier validates a certificate by verifying that its serial number is not in the revocation store while its validation hash is in the verifier’s replica of the issuance store.

For more information see the blog post Pomcor Granted Patent on How to Implement a PKI on a Blockchain.

Multifactor privacy-enhanced remote identification using a rich credential

US patents 10,567,377 and 11,329,981. These patents describe a method and a system for multifactor identification of a subject over a network using a rich credential, with selective disclosure of attributes and selective presentation of verification factors. A credential presentation application negotiates with a verifying server to agree on attributes to be disclosed and verification factors to be presented, and removes unneeded attributes and verification data from the rich credential by pruning subtrees from a typed hash tree without invalidating a signature that covers the root label of the tree. The credential presentation application proves knowledge of a private key, and as agreed upon may prove knowledge of a password and may arrange for biometric presentation applications to present one or more biometric samples to the verifier, which performs presentation attack detection and verifies the samples against verification data in the rich credential.

For more information see the blog posts Pomcor Granted Patent on Rich Credentials and A New Tool Against the Surge of Application Fraud.

Protecting passwords and biometrics against back-end security breaches

US Patent 9,887,989. This patent describes a multifactor authentication technique that uses a cryptographic key pair in conjunction with a password and/or a biometric key while protecting the password and biometric data against back-end security breaches. In a two-factor embodiment with a key pair and a password, the user of a web application registers the password and the public key component of the key pair with the back-end of the application. Instead of storing the public key and a salted hash of the password, the back-end stores a joint hash of the public key and the password, then deletes the public key and the password. An attacker who breaches the back-end database and obtains the joint hash cannot mount a brute-force or dictionary attack against the password without knowing the public key, which is unconventionally treated as a joint secret between the browser and the back-end. The password may also be protected against exploits of other back-end vulnerabilities besides database breaches, and against phishing attacks and reuse at malicious or insecure sites, by hashing it at the browser with a secret salt before submitting it to the back-end. Other embodiments are described in this blog post.

Cryptographic authentication techniques for mobile devices

US patent 9,185,111. This patent describes a method of authenticating a computing device to a back-end subsystem. In one embodiment a prover black-box in the computing device regenerates a credential containing a key pair from a PIN and a protocredential, and authenticates cryptographically to a verifier black-box in the back-end subsystem; then the verifier black-box sends an authentication token to the prover black-box as verifiable confirmation of the cryptographic authentication, the prover black-box sends the authentication token to an application front-end in the computing device, the application front-end sends the authentication token to an application back-end in the back-end subsystem, and the application back-end verifies the authentication token.