U.S. patent application number 09/739114 was filed with the patent office on 2003-06-19 for one time password entry to access multiple network sites.
Invention is credited to deSa, Colin, Ganesan, Karuna, Sandhu, Ravi.
Application Number: 20030115452 (09/739114)
Family ID: 24970879
Filed Date: 2003-06-19
United States Patent Application 20030115452, Kind Code A1
Sandhu, Ravi; et al.
June 19, 2003
One time password entry to access multiple network sites
Abstract
A system for accessing multiple different network stations
without entry of a password includes first, second and third
network stations. The first network station represents a network
entity and transmits a request for authentication of a user seeking
access. The user has an associated password, identifier and
asymmetric crypto-key, including a first private key portion
obtainable with the password, a second private key portion and a
public key portion. A second network station represents the user
and has a user identifier, a combination symmetric crypto-key
corresponding to a first symmetric crypto-key and a second
symmetric crypto-key, and the first private key portion encrypted
with the first symmetric crypto-key stored thereat. In response to
the authentication request, this station (i) transmits the stored
user identifier MAC'd with the stored combination symmetric key,
and (ii) transmits the transmitted authentication request encrypted
with the stored combination symmetric crypto-key. A third network
station represents a sponsor and has the user identifier, the
combination symmetric crypto-key, the first symmetric crypto-key,
and the second private key portion stored thereat. This station (i)
retrieves the stored combination symmetric crypto-key by matching
the transmitted user identifier with the stored user identifier,
(ii) verifies the MAC with the retrieved combination symmetric
crypto-key to verify the identity of the user, (iii) decrypts the
transmitted encrypted authentication request with the retrieved
combination symmetric key to recover the authentication request,
(iv) encrypts the recovered authentication request with the stored
second private key portion and (v) transmits the encrypted
authentication request and the first symmetric crypto-key, both
encrypted with the retrieved combination symmetric crypto-key. The
second network station (i) decrypts the transmitted encrypted
authentication request and first symmetric crypto-key with its
stored combination symmetric crypto-key to recover the encrypted
authentication request and the first symmetric crypto-key, (ii)
decrypts the stored encrypted first private key portion with the
recovered first symmetric crypto-key to recover the first private
key portion, and (iii) transmits the recovered encrypted
authentication request further encrypted with the recovered first
private key portion. The first station decrypts the transmitted
further encrypted authentication request with the user public key
to thereby authenticate the user.
Inventors: Sandhu, Ravi (Fairfax, VA); deSa, Colin (Herndon, VA); Ganesan, Karuna (Norcross, GA)
Correspondence Address: ANTONELLI TERRY STOUT AND KRAUS, SUITE 1800, 1300 NORTH SEVENTEENTH STREET, ARLINGTON, VA 22209
Family ID: 24970879
Appl. No.: 09/739114
Filed: December 19, 2000
Current U.S. Class: 713/155
Current CPC Class: H04L 63/0815 20130101; H04L 9/0844 20130101; H04L 9/3226 20130101; H04L 63/045 20130101; H04L 63/083 20130101
Class at Publication: 713/155
International Class: H04L 009/00
Claims
What is claimed is:
1. A system for accessing multiple different network stations
without entry of a password, comprising: a first network station
representing a network entity and configured to transmit a request
for authentication of a user seeking access, the user having an
associated password, an associated user identifier, and an
associated asymmetric crypto-key, including a first private key
portion obtainable with the password, a second private key portion
and a public key portion; a second network station representing the
user, and having the user identifier, a combination symmetric
crypto-key corresponding to a first symmetric crypto-key and a
second symmetric crypto-key, and the obtained first private key
portion encrypted with the first symmetric crypto-key stored
thereat, and configured to (i) transmit the stored user identifier
MAC'd with the stored combination symmetric crypto-key responsive
to the transmitted authentication request, and (ii) transmit the
transmitted authentication request encrypted with the stored
combination symmetric crypto-key; and a third network station,
representing a sponsor, having the user identifier, the combination
symmetric crypto-key, the first symmetric crypto-key, and the
second private key portion stored thereat, and configured to (i)
retrieve the stored combination symmetric crypto-key by matching
the transmitted user identifier with the stored user identifier,
(ii) verify the MAC with the retrieved combination symmetric
crypto-key to verify identity of the user, (iii) decrypt the
transmitted encrypted authentication request with the retrieved
combination symmetric crypto-key to recover the authentication
request, (iv) encrypt the recovered authentication request with the
stored second private key portion and (v) transmit the encrypted
authentication request and the first symmetric crypto-key, both
encrypted with the retrieved combination symmetric crypto-key;
wherein the second network station is further configured to (i)
decrypt the transmitted encrypted authentication request and first
symmetric crypto-key, with the stored combination symmetric
crypto-key to recover the encrypted authentication request and the
first symmetric crypto-key, (ii) decrypt the stored encrypted first
private key portion with the recovered first symmetric crypto-key
to recover the first private key portion, and (iii) transmit the
recovered encrypted authentication request further encrypted with
the recovered first private key portion; wherein the first station
is further configured to decrypt the transmitted further encrypted
authentication request with the public key to thereby authenticate
the user.
2. A system according to claim 1, wherein the authentication
request is a hash message.
3. A system according to claim 1, wherein the second network
station is further configured to receive the password as a user
input and obtain the first private key portion with the input
password, prior to transmission of the authentication request by the
first station.
4. A system according to claim 1, wherein the combination symmetric
crypto-key corresponds to the first symmetric crypto-key XOR'd with
the second symmetric crypto-key.
5. A system according to claim 1, wherein the second network
station is further configured to automatically respond to the
authentication request without the user inputting the password.
6. A system according to claim 1, wherein the first symmetric
crypto-key is a first random number having a length of 192 bits and
the second symmetric crypto-key is a second random number,
different than the first random number, having a length of 192
bits.
7. A system according to claim 1, wherein the third station has a
time value, representing a time period for authenticating the user,
stored thereat, and is further configured to retrieve the stored
time value prior to encrypting the recovered authentication request
and to only encrypt the recovered authentication request if the
present time is within the time period represented by the time
value.
8. A system according to claim 1, wherein the second network
station is further configured to generate the first symmetric
crypto-key, and transmit the first symmetric crypto-key encrypted
with the obtained first private key portion to the third network
station; the third station is further configured to decrypt the
transmitted encrypted first symmetric crypto-key with the second
private key portion to recover the first symmetric crypto-key and
thereby authenticate the user, to store the decrypted first
symmetric crypto-key, to generate the second symmetric crypto-key,
to combine the first and the second symmetric crypto-key to form
the combination symmetric crypto-key, to store the combination
symmetric crypto-key, to transmit the second symmetric crypto-key
encrypted with the first symmetric crypto-key to the second network
station, and to destroy the second symmetric crypto-key; and the
second network station is further configured to decrypt the
transmitted encrypted second symmetric crypto-key with the first
symmetric crypto-key to recover the second symmetric crypto-key and
thereby authenticate the sponsor, to combine the recovered second
symmetric crypto-key with the first symmetric crypto-key to form
the combination symmetric crypto-key, to store the combination
symmetric crypto-key, to encrypt the first private key portion with
the first symmetric crypto-key, to store the encrypted first
private key portion, and to destroy the first symmetric crypto-key
and the unencrypted first private key portion.
9. A system for accessing multiple different network stations,
comprising: a first station representing a user having a password,
an identifier, and an asymmetric crypto-key, including a first
private key portion, a second private key portion and a public key
portion, and configured to transmit a log-in request including the
user identifier; and a second station representing a sponsor and
configured to transmit a challenge responsive to the transmitted
log-in request; wherein the first station is further configured (i)
to process the user password to obtain the first private key
portion, (ii) to encrypt a first symmetric crypto-key and the
transmitted challenge with the obtained first private key portion
to form a first encrypted message, and (iii) to transmit the first
encrypted message; wherein the second station is further configured
(i) to decrypt the transmitted first encrypted message with the
second private key portion to recover the challenge and the first
symmetric crypto-key, thereby authenticating the user, (ii) to
combine the recovered first symmetric crypto-key with a second
symmetric crypto-key to form a combined symmetric crypto-key, (iii)
to store the combined symmetric crypto-key, (iv) to encrypt the
second symmetric crypto-key and a time value with the first
symmetric crypto-key to form a second encrypted message, and (v) to
transmit the second encrypted message; wherein the first station is
further configured (i) to decrypt the transmitted second encrypted
message with the first symmetric crypto-key to recover the second
symmetric crypto-key and the time value, thereby authenticating the
sponsor, (ii) to combine the recovered second symmetric crypto-key
with the first symmetric crypto-key to form the combined symmetric
crypto-key, (iii) to encrypt the first private key portion with the
first symmetric crypto-key, (iv) to destroy the first symmetric
crypto-key and the obtained first private key portion, (v) to
encrypt a request for user authentication from another network
entity with the combined symmetric crypto-key to form a third
encrypted message and (vi) to transmit the user identifier, MAC'd
with the combined symmetric crypto-key, and the third encrypted
message; wherein the second station is further configured (i) to
match the transmitted user identifier with the previously
transmitted user identifier to retrieve the combined symmetric
crypto-key, (ii) verify the MAC with the retrieved combined
symmetric crypto-key to verify identity of the user, (iii) to
decrypt the third encrypted message with the combined symmetric
crypto-key to recover the request for user authentication, (iv) to
encrypt the request for user authentication with the second private
key portion to form a fourth encrypted message, (v) to encrypt the
first symmetric crypto-key and the fourth encrypted message with
the combined symmetric crypto-key to form a fifth encrypted message
and (vi) to transmit the fifth encrypted message; wherein the first
network station is further configured (i) to decrypt the
transmitted fifth encrypted message with the combined symmetric
crypto-key to recover the transmitted first symmetric crypto-key
and the transmitted fourth encrypted message, and thereby verify an
identity of the sponsor, (ii) to decrypt the encrypted first
private key portion with the recovered first symmetric crypto-key,
(iii) to further encrypt the recovered fourth encrypted message
with the decrypted first private key portion to form an
authentication message, (iv) to transmit the authentication message
to the other network entity to authenticate the user.
10. A method for accessing multiple different network stations
without entry of a password associated with a user also having an
associated identifier and an associated asymmetric crypto-key,
including a first private key portion obtainable with the password,
a second private key portion and a public key portion, comprising:
receiving a request for authentication of the user; retrieving from
a first memory, without entry of the user password, the user
identifier, a combination symmetric crypto-key corresponding to a
first symmetric crypto-key and a second symmetric crypto-key, and
the first private key portion encrypted with the first symmetric
crypto-key; encrypting the transmitted authentication request with
the retrieved combination symmetric crypto-key; transmitting the
retrieved user identifier MAC'd with the retrieved combination
symmetric crypto-key, and the received authentication request
encrypted with the retrieved combination symmetric crypto-key;
matching the transmitted user identifier with a user identifier
stored in a second memory, different than the first memory, to
retrieve the combination symmetric crypto-key from the second
memory; verifying the MAC with the retrieved combination symmetric
crypto-key to verify identity of the user; decrypting the
transmitted encrypted authentication request with the combination
symmetric crypto-key to recover the authentication request;
retrieving the second private key portion and the first symmetric
crypto-key from the second memory; encrypting the recovered
authentication request with the retrieved second private key portion
to form an authentication message; transmitting the authentication
message and the retrieved first symmetric crypto-key, both
encrypted with the combination symmetric crypto-key; decrypting the
transmitted encrypted authentication message and first symmetric
crypto-key, with the combination symmetric crypto-key retrieved
from the first memory to recover the authentication message and the
first symmetric crypto-key; decrypting the retrieved encrypted
first private key portion with the recovered first symmetric
crypto-key; encrypting the recovered authentication message with
the decrypted first private key portion to complete the
authentication message; transmitting the completed authentication
message; and decrypting the transmitted completed authentication
message with the user public key to thereby authenticate the
user.
11. A method according to claim 10, wherein the authentication
request is a hash message.
12. A method according to claim 10, further comprising: processing
the user password to obtain the first private key portion, prior to
receipt of the authentication request.
13. A method according to claim 10, further comprising: XOR'ing the
first symmetric crypto-key with the second symmetric crypto-key to
generate the combination symmetric crypto-key.
A method according to claim 10, wherein the first symmetric
crypto-key is a first random number having a length of 192 bits and
the second symmetric crypto-key is a second random number, different
than the first random number, having a length of 192 bits.
14. A method according to claim 10, further comprising: retrieving
a time value, representing a time period for authenticating the
user, from the second memory; and only encrypting the recovered
authentication request if the present time is within the time
period represented by the retrieved time value.
16. A method according to claim 10, further comprising: generating
the first symmetric crypto-key; transmitting the first symmetric
crypto-key encrypted with the obtained first private key portion;
decrypting the transmitted encrypted first symmetric crypto-key
with the second private key portion to recover the first symmetric
crypto-key and thereby authenticate the user; storing the decrypted
first symmetric crypto-key in the second memory; generating the
second symmetric crypto-key; combining the first and the second
symmetric crypto-keys to form the combination symmetric crypto-key;
storing the combination symmetric crypto-key in the second memory;
transmitting the second symmetric crypto-key encrypted with the
first symmetric crypto-key; destroying the second symmetric
crypto-key; decrypting the transmitted encrypted second symmetric
crypto-key with the first symmetric crypto-key to recover the
second symmetric crypto-key and thereby authenticate the sponsor;
combining the recovered second symmetric crypto-key with the first
symmetric crypto-key to form the combination symmetric crypto-key;
storing the combination symmetric crypto-key in the first memory;
encrypting the first private key portion with the first symmetric
crypto-key; storing the encrypted first private key portion in the
first memory; and destroying the first symmetric crypto-key used to
encrypt the first private key portion and the unencrypted first
private key portion.
17. A method for accessing multiple different network stations by a
user having a user identifier, a user password and an asymmetric
crypto-key, including a first private key portion, a second private
key portion and a public key portion; transmitting a log-in request
including the user identifier; transmitting a challenge of a
sponsor responsive to the transmitted log-in request; processing
the user password to obtain the first private key portion;
encrypting a first symmetric crypto-key and the transmitted
challenge with the obtained first private key portion to form a
first encrypted message; transmitting the first encrypted message;
decrypting the transmitted first encrypted message with the second
private key portion to recover the challenge and the first
symmetric crypto-key, and thereby authenticate the user to the
sponsor; combining the recovered first symmetric crypto-key with a
second symmetric crypto-key to form a combined symmetric
crypto-key; storing the combined symmetric crypto-key in a first
memory; encrypting the second symmetric crypto-key with the first
symmetric crypto-key to form a second encrypted message;
transmitting the second encrypted message; decrypting the
transmitted second encrypted message with the first symmetric
crypto-key to recover the second symmetric crypto-key, and thereby
authenticate the sponsor to the user; combining the recovered
second symmetric crypto-key with the first symmetric crypto-key to
form the combined symmetric crypto-key; storing the combined
symmetric crypto-key in a second memory, different than the first
memory; encrypting the first private key portion with the first
symmetric crypto-key; destroying the first symmetric crypto-key
used to encrypt the first private key portion and the obtained
first private key portion; encrypting a request for authentication
of the user with the combined symmetric crypto-key to form a third
encrypted message; transmitting the user identifier, MAC'd with the
combined symmetric crypto-key, and the third encrypted message;
matching the transmitted user identifier with the previously
transmitted user identifier to retrieve the combined symmetric
crypto-key from the second memory; verifying the transmitted MAC
with the retrieved combined symmetric crypto-key to verify an
identity of the user; decrypting the third encrypted message with
the combined symmetric crypto-key to recover the request for user
authentication; encrypting the request for user authentication with
the second private key portion to form a fourth encrypted message;
encrypting the first symmetric crypto-key and the fourth encrypted
message with the combined symmetric crypto-key stored in the first
memory to form a fifth encrypted message; transmitting the fifth
encrypted message; decrypting the transmitted fifth encrypted
message with the combined symmetric crypto-key stored in the second
memory to recover the transmitted first symmetric crypto-key and
the transmitted fourth encrypted message, and thereby verify an
identity of the sponsor; decrypting the encrypted first private key
portion with the recovered first symmetric crypto-key; further
encrypting the recovered fourth encrypted message with the
decrypted first private key portion to form an authentication
message; transmitting the authentication message to the other
network entity to authenticate the user.
18. A method for accessing multiple different network stations
without entry of a password associated with a user having an
associated first symmetric crypto-key, an associated second
symmetric crypto-key and an associated asymmetric crypto-key,
including a first private key portion, a second private key portion
and a public key portion, comprising: encrypting the first private
key portion with the first symmetric crypto-key; transmitting a
request, of a network station, for authentication of the user,
encrypted with the second symmetric crypto-key to a sponsor;
decrypting the transmitted encrypted authentication request with
the second symmetric crypto-key to recover the authentication
request; encrypting the recovered authentication request with the
second private key portion to form an authentication message;
transmitting the authentication message and the first symmetric
crypto-key, both encrypted with the second symmetric crypto-key to
the user; decrypting both the transmitted encrypted authentication
message and the transmitted encrypted first symmetric crypto-key
with the second symmetric crypto-key to recover the authentication
message and the first symmetric crypto-key; decrypting the first
private key portion with the recovered first symmetric crypto-key;
transmitting the authentication message encrypted with the recovered
first symmetric crypto-key to the network station; and decrypting
the transmitted encrypted authentication message with the public
key portion to recover the authentication request and thereby
authenticate the user to the network station.
Description
TECHNICAL FIELD
[0001] This invention relates to cryptosystems. More particularly,
the present invention relates to password access to different
network sites in cryptosystems.
BACKGROUND SYSTEMS
[0002] Today, computing devices are almost always interconnected
via networks. Whether these networks are large closed networks, as
within a corporation, or truly public networks such as the Internet,
the network itself might have hundreds, thousands or even millions
of potential users. Consequently it is often required to restrict
access to any given computer or service, or a part of a computer or
service, to a subset of the users on the public or closed network.
For instance, a brokerage might have a public website accessible to
all, but would like to only give Ms. Alice Smith access to Ms.
Alice Smith's brokerage account.
[0003] This is an old problem, tracing its roots to the earliest
days of computers, and passwords were among the first techniques
used, and to this day remain the most widely used technique for
protecting resources on a computer or service.
[0004] In its simplest form, every user has a unique password and
the computer has knowledge of the user password. When attempting to
log on Alice would enter her userid, say alice, and password, say
apple23, the computer would compare the pair, i.e. alice, apple23,
with the pair it had stored for Alice, and if there is a match
would establish a session and give Alice access.
[0005] This simple scheme suffers from two problems. First, the
table containing the passwords is stored on the computer, and
represents a single point of compromise. If Eve could somehow steal
this table, she would be able to access every user's account. A
second problem with this approach is that when Alice enters her
password it travels from her terminal to the computer in the clear,
and Eve could potentially eavesdrop. For instance the "terminal"
could be Alice's PC at home, and the computer could be a server on
the Internet, in which case her password travels in the clear on
the Internet.
[0006] Various solutions have been proposed and implemented to
solve these two issues. For instance, to solve the first problem of
storing the password on the computer, the computer could instead
store a one way function of the password. E.g. F(apple23)=XD45DTY,
and the computer stores the pair {alice, XD45DTY}. In this example as F( ) is a one way
function, computing XD45DTY from apple23 is easy, but as it is a
"one way function", the reverse is believed to be difficult or
close to impossible. So when Alice logs on and sends the computer
{alice, apple23}, the computer can compute F(apple23) and compare
the result with XD45DTY. The UNIX operating system was among the
first to implement such a system in the late 1970's.
[0007] Before discussing more sophisticated conventional techniques
for solving this problem, let us briefly describe symmetric,
asymmetric and `split private key` cryptography.
[0008] In symmetric key cryptography, the two parties who want to
communicate in private share a common secret key, say K. The sender
encrypts messages with K, to generate a cipher, i.e.
C=Encrypt(M,K). The receiver decrypts the cipher to retrieve the
message, i.e. M=Decrypt(C,K). An attacker who does not know K, and
sees C, cannot successfully decrypt the message, if the underlying
algorithms are strong. Examples of such systems are DES and RC4.
Encryption and decryption with symmetric keys provide a
confidentiality, or privacy service.
[0009] Symmetric keys can also be used to provide integrity and
authentication of messages in a network. Integrity and
authentication means that the receiver knows who sent a message and
that the message has not been modified so it is received as it was
sent. Integrity and authentication is achieved by attaching a
Message Authentication Code (MAC) to a message M. E.g., the sender
computes S=MAC(M,K) and attaches S to the message M. When the
message M reaches the destination, the receiver also computes
S'=MAC(M,K) and compares S' with the transmitted value S. If S'=S
the verification is successful otherwise verification fails and the
message should be rejected. Early MACs were based on symmetric
encryption algorithms such as DES whereas more recently MACs are
constructed from message digest functions, or "hash" functions,
such as MD5 and SHA-1. The current Internet standard for this
purpose is known as hash-based MAC (HMAC).
[0010] By combining confidentiality with integrity and
authentication, it is possible to achieve both services with
symmetric key cryptography. It is generally accepted that different
keys should be used for these two services and different keys
should be used in different directions between the same two
entities for the same service. Thus if Alice encrypts messages to
Bob with a shared key K, Bob should use a different shared key K'
to encrypt messages from Bob to Alice. Likewise Alice should use
yet another key K" for MACs from Alice to Bob and Bob should use
K'" for MACs from Bob to Alice. Since this is well understood by
those skilled in the art, we will follow the usual custom of
talking about a single shared symmetric key between Alice and Bob,
with the understanding that strong security requires the use of
four different keys.
[0011] Symmetric key systems have been in use for literally
thousands of years, and have always suffered from a major
problem--namely how to perform key distribution. How do Bob and
Alice agree on K? Asymmetric key cryptography was invented to solve
this problem. Here every user is associated with two keys, which
are related by special mathematical properties. These properties
result in the following functionality: a message encrypted with one
of the two keys can then only be decrypted with the other.
[0012] One of these keys for each user is made public and the other
is kept private. Let us denote the former by E, and the latter by
D. So Alice knows Dalice, and everyone knows Ealice. To send Alice
the symmetric key K, Bob simply sends C=Encrypt(K,Ealice). Alice,
and only Alice (since no one else knows Dalice), can decrypt the
ciphertext C to recover the message, i.e. Decrypt(C,Dalice)=K. Now
both Alice and Bob know K and can use it for encrypting subsequent
messages using a symmetric key system. Why not simply encrypt the
message itself with the asymmetric system? This is simply because
in practice all known asymmetric systems are fairly inefficient,
and while they are perfectly useful for encrypting short strings
such as K, they are inefficient for large messages.
[0013] The above illustrates how asymmetric cryptography can solve
the key distribution problem. Asymmetric cryptography can also be
used to solve another important problem, that of digital
signatures. To sign a message M, Alice encrypts it with her own
private key to create S=Encrypt(M,Dalice). She can then send (M,S)
to the recipient who can then decrypt S with Alice's public key to
generate M', i.e. M'=Decrypt(S,Ealice). If M'=M then the recipient
has a valid signature as only someone who has Dalice, by definition
only Alice, can generate S, which can be decrypted with Ealice to
produce M. To convey the meaning of these cryptographic operations
more clearly they are often written as S=Sign(M,Dalice) and
M'=Verify(M,S,Ealice). It is worth noting that asymmetric key
digital signatures provide non-repudiation in addition to the
integrity and authentication achieved by symmetric key MACs. With
MACs the verifier can compute the MAC for any message M of his
choice since the computation is based on a shared secret key. With
digital signatures this is not possible since only the sender has
knowledge of the sender's private key required to compute the
signature. The verifier can only verify the signature but not
generate it.
[0014] The RSA cryptosystem is one system that implements
asymmetric cryptography as described above. In particular the RSA
cryptosystem allows the same public-private key pair to be used for
encryption and for digital signatures. It should be noted there are
other asymmetric cryptosystems which implement encryption only,
e.g., ElGamal, or digital signature only, e.g., DSA.
[0015] Finally, the above description does not answer the important
question of how Bob gets Alice's public key Ealice. The process for
getting and storing the binding [Alice, Ealice] which binds Ealice
to Alice is tricky. The most practical method appears to be to have
the binding signed by a common trusted authority. So such a
"certificate authority" (CA) can create CERTalice=Sign([Alice,
Ealice], Dca). Now CERTalice can be verified by anyone who knows
the CA's public key Eca. So in essence, instead of everyone having
to know everyone else's public key, everyone only need know a
single public key, that of the CA. More elaborate schemes with
multiple Certificate Authorities, sometimes having a hierarchical
relationship, have also been proposed.
[0016] Asymmetric key cryptosystems have been around for a long
time, but have found limited use. The primary reasons are twofold:
(a) the private key D in most systems is long, which means that
users cannot remember them, and they have to either be stored on
every computer they use, or carried around on smart cards or other
tokens; and (b) the infrastructure for ensuring a certificate is
valid, which is critical, is cumbersome to build, operate and use.
The first technique proposed to validate certificates was to send
every recipient a list of all certificates that had been revoked.
This clearly does not scale well to an environment with millions of
users. The second method proposed was to require that one inquire
about the validity of a certificate on-line, which has its own
associated problems.
[0017] A system based on split private key cryptography has been
developed to solve these two issues, among others. In this system
the private key for Alice, i.e. Dalice, is further split into two
parts, Daa which Alice knows, and a part Das which is stored at a
security server. To sign a message, Alice could perform a partial
encryption to generate a partial signature, i.e. PS=Sign(M,Daa).
Alice then sends the server PS, which `completes` the signature by
performing S=Sign(PS,Das). This completed signature S is
indistinguishable from one generated by the original private key,
so the rest of the process works as previously described. However,
Daa can be made short, which allows the user to remember it as a
password, so this system is consumer friendly. Further, if the
server is informed that a particular ID has been revoked, then it
will cease to perform its part of the operation for that user, and
consequently no further signatures can ever be performed. This
provides for instant revocation in a simple highly effective
fashion.
[0018] Let us return now to password based systems.
Challenge-response systems solve the issue of having to send
passwords in the clear across a network. If the computer and Alice
share a secret password, P, then the computer can send her a new
random challenge, R, at the time of login. Alice computes
C=Encrypt(R,P) and sends back C. The computer decrypts C to obtain
R'=Decrypt(C,P). If R'=R, then the computer can trust that it is
Alice at the other end. Note however that the computer had to store
P. A more elegant solution can be created using asymmetric
cryptography. Now Alice has a private key Dalice, or in a split
private key system she has Daa. The computer challenges her to sign
a new random challenge R. She signs the challenge, or in the split
private key system she interacts with the security server to create
the signature, and sends it back to the computer which uses her
public key, retrieved from a certificate, to verify the signature.
Observe that the computer does not have to know her private key,
and that an eavesdropper observing the signature on R gains no
knowledge of her private key.
[0019] The SSL system, which is widely used on the Internet in
effect implements a more elaborate method of exactly this protocol.
SSL has two components. In the first, `server side SSL`, a server
proves its identity by signing a particular message during connection
set-up. As browsers such as Netscape and Microsoft Internet
Explorer come loaded with the public keys of various CAs, the
browser can verify the signature of the server. This authenticates
the server to the client, and also allows for the set-up of a
session key K, which is used to encrypt all further communications.
Server side SSL is widely used, as the complexity of managing
certificates rests with system administrators of web sites who have
the technical knowledge to perform this function. The converse
function in SSL, client side SSL, which lets a client authenticate
herself to a server is rarely used, because although the technical
mechanism is exactly the same, it now requires users to manage
certificates and long private keys which has proven to be
difficult, unless they use the split private key system. So in
practice, most Internet web sites use server side SSL to
authenticate themselves to the client, and to obtain a secure
channel, and from then on use Userid, Password pairs to
authenticate the client.
[0020] So far from disappearing, the use of passwords has increased
dramatically. Passwords themselves are often dubbed inherently
"weak", which is inaccurate, because if they are used carefully
passwords can actually achieve "strong" security. As discussed
earlier passwords should not be sent over networks, and if possible
should not be stored on the receiving computer. Instead, in a
"strong" system, the user can be asked to prove knowledge of the
password without actually revealing the password. And perhaps most
critically passwords should not be vulnerable to dictionary
attacks.
[0021] Dictionary attacks can be classified into three types. In
all three cases the starting point is a `dictionary` of likely
passwords. Unless the system incorporates checks to prevent it,
users tend to pick poor passwords, and compilations of lists of
widely used poor passwords are widely available.
[0022] 1) On line dictionary attack. Here the attacker types in a
guess at the password from the dictionary. If the attacker is
granted access to the computer they know the guess was correct.
These attacks are normally prevented by locking the user account if
there are an excessive number of wrong tries. Note that this very
commonly used defense prevented one problem, but just created
another one. An attacker can systematically go through and lock out
the accounts of hundreds or thousands of users. Although the attacker
did not gain access, now legitimate users cannot access their own
accounts either, creating a denial of service problem.
[0023] 2) Encrypt dictionary attacks: If somewhere in the operation
of the system a ciphertext C=Encrypt(M,P) was created, and the
attacker has access to both C and M, then the attacker can compute
off-line C1=Encrypt(M,G1), C2=Encrypt(M,G2), ... where G1, G2, ...
etc. are the guesses at the password P from the dictionary. The
attacker stops when he finds a Cn=C, and knows that Gn=P. Observe
that the UNIX file system, which uses a one way function F( )
instead of an encryption function E( ), is vulnerable to this
attack.
[0024] 3) Decrypt dictionary attacks: Here the attacker does not
know M, and only sees the ciphertext C (where C=Encrypt(M,P)). The
system is only vulnerable to this attack IF it is true that M has
some predictable structure. So the attacker tries M1=Decrypt(C,G1),
M2=Decrypt(C,G2), ..., and stops when the Mi has the structure he
is looking for. For instance Mi could be known to be a timestamp,
English text, or a number with special properties such as a prime,
or a composite number with no small factors.
[0025] It is possible to design strong password based systems, but
the password should never be stored on the computer in any form or
communicated to it, and it should be protected from all three types
of dictionary attacks.
[0026] FIG. 1 depicts the operations of Server-Side-Authentication
during a communications session between network users, in this
instance a client device such as a personal computer and a host
device such as a server. It will be understood that software is
resident on the client device and this software directs
communications on the client side of the communication session. It
will also be understood that software is resident on the server and
that this software directs communications on the server side of the
communication session. Furthermore, it should be understood that
while in this example the server is associated with a merchant, the
server could be associated with any type of entity. As used here,
server designates any networked device capable of presenting
information to another network device via the network. Also, it
should be understood that while the client device in this example
is associated with an individual user, the client device may be
associated with an entity other than an individual user. Also, a
client device may be any networked device capable of accessing
information via a network.
[0027] At step 100 the client device transmits a message to the
server. This message includes a first random number generated by
the software and an indication of the types of cryptography the
client device is capable of supporting. This message can be called
a `hello` message. The server then selects one of the types of
cryptography and includes a second random number and the server's
certificate in a transmission to the client device, step 110. This
transmission can be called `message two`. A certificate contains
information certifying that an entity is who that entity claims to
be. The client device then obtains the public portion of the
server's asymmetric key from the certificate and verifies the
certificate by verifying the certificate issuer's signature on the
certificate, step 115. The client device then generates and
encrypts a symmetric session key with the public portion of the
server's asymmetric key and transmits the encrypted symmetric
session key to the server, step 120. The server then decrypts the
symmetric session key with the private portion of the server's
asymmetric key and encrypts the first random number using the
symmetric key and transmits the encrypted random number to the
client device, step 125. The client device then decrypts the random
number using its copy of the symmetric key, step 130. If the
original first random number is recovered, the server has
authenticated itself to the client device. All further
communication between the server and client device is secured
using the symmetric session key. It will be recognized that SSL
server-side-authentication in current use does not actually follow
steps 125 and 130. Rather these steps are representative of how the
shared symmetric key could be used for server to client
authentication.
[0028] Client-Side-Authentication is designed to operate similarly
to Server-Side-Authentication, as is depicted in FIG. 2. At step 200,
the server transmits a 36 byte hash to the client device and
requests the client device to sign it with the private portion of
the client device's asymmetric key. Also, the server will request
that the client device return the client device's certificate. The
client device signs the 36 byte hash and sends the signed 36 byte
hash and the client device certificate to the server, step 210. The
server then verifies that the client device's certificate is valid
and obtains the public portion of the browser's asymmetric key from
the authority issuing the certificate, step 215. The server then
uses the public portion of the client device's asymmetric
crypto-key to verify the client device signature, step 220. If the
server recovers the original 36 byte hash, the client device has
authenticated itself to the server. It will be recognized here also
that SSL client-side-authentication currently in use does not
actually follow these precise steps. Rather these steps are
representative of how the user's asymmetric public and private keys
could be used for client to server authentication.
[0029] In practice, only Server-Side-Authentication is generally
implemented today. Most servers which require authentication of
other network users utilize passwords. As discussed above, after
Server-Side-Authentication is completed, both the server and the
client device are in possession of a symmetric session key. All
subsequent communications between the parties during the present
communication session are secured with the symmetric session key.
Typically, the server requests the client device to supply a valid
user ID and password. This information is provided by the user and
transmitted from the client device to the server, encrypted with
the symmetric session key. Each server must maintain a database of
associated users. These databases contain passwords and information
identifying the holders of the passwords. This requires the server
to gather or dispense passwords and to manage stored passwords. If
the password is valid, that is, it is included in the database, the
client device has authenticated itself to the server.
[0030] Accordingly, a need exists for a technique whereby a first
network user can obtain verifiable authentication from a second
network user without the first network user having to maintain,
process and utilize a password system.
[0031] A certificate issuing authority includes information about
the user in the user's certificate. This information may include
associations the user maintains, personal information, or even
financial information. A certificate issuing authority may include
information that a user does not want disclosed. Or, user
information included in a certificate may change. Presently, a user
cannot update or change information in an issued certificate. A
user can at best revoke a certificate and obtain a new one which
includes the changed information. When a new certificate is
obtained, new keys must be generated. Any entity who has previously
obtained the user's certificate and public key must now reobtain
the new certificate and key. Thus, there is no way to modify a
certificate without revoking the corresponding key pair.
[0032] Accordingly, a need exists whereby a certificate can be
modified, while retaining the associated key pair.
[0033] A single user may have associations with multiple servers.
Each of the multiple servers may require the user to maintain a
password and client ID. Thus, a single user may be required to
remember a plurality of passwords.
[0034] Oftentimes a user may attempt to establish the same client
ID and password with several unrelated servers. This cannot always
be accomplished. Some servers require a password to meet certain
quality standards, i.e., not be a `bad` password, as discussed above. Thus
a password that the user may wish to use may not be acceptable to
certain servers. Also, a password that a user may wish to use may
already be in use by another user of a server, and the server may
not allow more than one user to use the same password.
[0035] Even if a user is able to use the same client ID and
password for access to multiple servers, other problems with using
passwords for authentication arise. For instance, a user's password
may become compromised. That is, the password may become known to
another individual. That individual can then impersonate the user
to multiple servers. The user must obtain a new password with each
server with which the user uses the now compromised password.
Furthermore, if a user's password is compromised and a first server
recognizes this fact, there is currently no method whereby this
first server can notify other servers at which the user uses this
same password that the password has been compromised.
[0036] Yet another problem with the use of passwords in providing
authentication is that a user must provide a password to each and
every server requiring authentication. If a user is fortunate
enough to obtain the same password with several servers, the user
still must provide the password to each server to which the user
seeks access. Thus, every time a user wishes to perform
communications with a server, that user must cause his or her
password to be transmitted to the server. Furthermore, when a user
ends an authenticated communication with a server and immediately
attempts to reestablish an authenticated communication, the user
must again provide his or her password to the server for
authentication.
[0037] Accordingly, a need exists for a technique whereby a network
user can utilize a single password to access a plurality of
networked devices and enter that single password only once to gain
access to any of the plurality of networked devices.
[0038] SSL as deployed in current systems is based upon the RSA
public key cryptosystem. As introduced above, RSA relies upon the
use of products of large prime numbers which are not easily
factorable. If the RSA technique should be broken, that is, if an
efficient algorithm for factoring such products of large primes is found, SSL and any
cryptosystem based on RSA would be useless. An attacker would have
access to communications in any RSA based cryptosystem. Secure and
trusted communications in SSL and other public key cryptosystems
would become impossible. Accordingly, a need exists for a technique
whereby a public key based cryptosystem could provide secure
communications if RSA were to become unusable.
OBJECTS OF THE INVENTION
[0039] It is an object of the present invention to provide a system
and method whereby a user can gain access to a plurality of networked
devices controlled by different entities by only once providing
identifying information.
[0040] Additional objects, advantages and novel features of the
present invention will become apparent to those skilled in the art
from this disclosure, including the following detailed description,
as well as by practice of the invention. While the invention is
described below with reference to preferred embodiment(s), it
should be understood that the invention is not limited thereto.
Those of ordinary skill in the art having access to the teachings
herein will recognize additional implementations, modifications,
and embodiments, as well as other fields of use, which are within
the scope of the invention as disclosed and claimed herein and with
respect to which the invention could be of significant utility.
INVENTION SUMMARY
[0041] In accordance with the invention, multiple different network
stations are accessed based on a single entry of a user password.
The network stations may take the form of personal computers, high
power workstations, mainframe computers, portable computing
devices, telephones or virtually any other type of network device
capable of functioning in the manner described below.
[0042] According to the invention, a first network station
represents a network entity, such as a bank, merchant, university,
corporation or other network entity which requires authentication
of the user prior to granting the user access. The first station
transmits a request for authentication of the user seeking access.
Commonly, the request for authentication takes the form of a hash
message of 36 bytes computed from the conversation between the
first and a second network station. The user not only has an
associated password, but also a user identifier and an associated
asymmetric crypto-key, including a first private key portion
obtainable with the password, a second private key portion and a
public key portion. It will be understood that the private key
could be split into more than two key portions if so desired.
[0043] The second network station, representing the user, has the
user identifier, a combination symmetric crypto-key corresponding
to a first symmetric crypto-key and a second symmetric crypto-key,
and the first private key portion encrypted with a first symmetric
crypto-key stored thereat. Preferably, the combination symmetric
crypto-key corresponds to the first symmetric crypto-key XOR'd with
the second symmetric crypto-key. Advantageously, the first
symmetric crypto-key is a first random number having a length of
192 bits and the second symmetric crypto-key is a second random
number, different than the first random number, having a length of
192 bits.
[0044] In response to the transmitted authentication request, the
second network station transmits the stored user identifier and the
transmitted authentication request encrypted with the stored
combination symmetric key to a third network station.
Advantageously, the second network station automatically responds
to the authentication request without any need for the user to
input the user password. The stored user identifier and the
authentication request encrypted with the stored combination
symmetric crypto-key may be transmitted in a single communication.
However, preferably, the stored user identifier is transmitted in a
first communication, and the encrypted authentication request is
transmitted in a separate later communication. Beneficially, the
second network station MAC's the stored user identifier with the
stored combination symmetric crypto-key, and the user identifier is
transmitted in the MAC'd message.
[0045] The third network station, representing a sponsor, has the
user identifier, the combination symmetric crypto-key, the first
symmetric crypto-key, and the second private key portion stored
thereat. The third network station retrieves the stored combination
symmetric crypto-key by matching the transmitted user identifier
with the stored user identifier. The station verifies the MAC on
the transmitted message to verify the identity of the user. The
station decrypts the transmitted encrypted authentication request
with the retrieved combination symmetric crypto-key to recover the
authentication request. The station then encrypts the recovered
authentication request with the stored second private key portion
and transmits the encrypted authentication request and the first
symmetric crypto-key, both encrypted with the retrieved combination
symmetric key.
[0046] The second network station decrypts the transmitted
encrypted authentication request and the first symmetric
crypto-key, with its stored combination symmetric crypto-key to
recover the encrypted authentication request and the first symmetric
crypto-key. The station can then decrypt the stored encrypted first
private key portion with the recovered first symmetric crypto-key
to recover the unencrypted first private key portion, and transmit
the recovered encrypted authentication request further encrypted
with the recovered first private key portion. This further
encrypted authentication request serves as an authentication
message. The first station decrypts the transmitted authentication
message with the user public key to recover the authentication
request and thereby authenticate the user.
[0047] Beneficially, the second network station is further
configured to receive the user password as input and obtain the
first private key portion with the password, prior to transmission
of the authentication request by the first station.
[0048] In accordance with another aspect of the invention, the
third station also has a time value, representing a time period for
authenticating the user, stored thereat. In such a case, the third
station can retrieve the stored time value prior to decrypting the
encrypted authentication request transmitted by the second station.
The station only decrypts the transmitted encrypted authentication
request if the present time is within the time period represented
by the time value.
[0049] According to still other aspects of the invention, the
second network station generates the first symmetric crypto-key,
and transmits this key, encrypted with the first private key
portion, to the third network station. The third station decrypts
the transmitted encrypted first symmetric crypto-key with the
second private key portion to recover the first symmetric
crypto-key, thereby authenticating the user, and stores the
decrypted first symmetric crypto-key. The third network station
also generates the second symmetric crypto-key, combines the first
and the second symmetric crypto-key to form the combination
symmetric crypto-key, and stores the combination crypto-key. The
station then transmits the second symmetric crypto-key encrypted
with the first symmetric crypto-key to the second network station,
and destroys the second symmetric crypto-key.
[0050] The second network station decrypts the transmitted
encrypted second symmetric crypto-key with the first symmetric
crypto-key to recover the second symmetric crypto-key and
authenticate the sponsor. The second network station also combines
the recovered second symmetric crypto-key with the first symmetric
crypto-key to form the combination crypto-key, stores the
combination symmetric crypto-key, encrypts the first private key
portion with the first symmetric crypto-key, stores the encrypted
first private key portion, and destroys the first symmetric
crypto-key and the unencrypted first private key portion.
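The following is an added worked example, not part of the patent text, that walks the split private key idea of paragraph [0017] and the set-up and authentication exchanges of paragraphs [0042]-[0050] through in Python. Textbook RSA with constructed toy primes, an HMAC-SHA256 keystream as a stand-in for the symmetric cipher, and plain dictionaries as each station's store are all assumptions of this example; the delivery of K1 to the sponsor at set-up is assumed to ride the server-side SSL channel of paragraph [0029] rather than the asymmetric encryption the text describes, because the toy modulus is too small to carry a 192-bit key.

```python
import hashlib
import hmac
import os
import time
from math import gcd

# Constructed toy RSA parameters for the user's asymmetric crypto-key (far too small for real use).
P, Q = 61, 53
N = P * Q                    # public modulus
PHI = (P - 1) * (Q - 1)
E = 17                       # public exponent, the 'public key portion'
D = pow(E, -1, PHI)          # full private exponent; never held whole by any station


def derive_d1(password: str) -> int:
    """First private key portion, 'obtainable with the password' ([0042])."""
    for ctr in range(1000):  # re-hash until the exponent is coprime with PHI
        h = hashlib.sha256(f"{password}:{ctr}".encode()).digest()
        d1 = int.from_bytes(h, "big") % PHI
        if d1 > 1 and gcd(d1, PHI) == 1:
            return d1
    raise ValueError("could not derive a usable key portion")


def split_private_key(password: str):
    """Multiplicative split ([0017]): d1*d2 == D (mod PHI), so applying d2 then
    d1 gives M**D mod N, which the ordinary public key E verifies."""
    d1 = derive_d1(password)
    return d1, D * pow(d1, -1, PHI) % PHI


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter keystream XORed over data: a stand-in for a real cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def sym_encrypt(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + _keystream_xor(key, nonce, data)


def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:16], blob[16:])


def enroll(password: str, uid: bytes, period_s: int = 3600):
    """Set-up between user station and sponsor ([0049]-[0050]); K1 is assumed to
    reach the sponsor over the server-side SSL channel of [0029]."""
    d1, d2 = split_private_key(password)
    k1 = os.urandom(24)          # first symmetric crypto-key, 192 bits, user side
    k2 = os.urandom(24)          # second symmetric crypto-key, 192 bits, sponsor side
    kc = bytes(a ^ b for a, b in zip(k1, k2))   # combination key = K1 XOR K2
    sponsor = {"uid": uid, "kc": kc, "k1": k1, "d2": d2,
               "valid_until": time.time() + period_s}     # time value of [0048]
    user = {"uid": uid, "kc": kc, "enc_d1": sym_encrypt(k1, d1.to_bytes(2, "big"))}
    # The user station keeps neither K1 nor clear d1; the sponsor keeps no K2.
    return user, sponsor


def authenticate(user: dict, sponsor: dict, request: int) -> int:
    """One authentication ([0044]-[0046]): a full signature on `request` with
    no password input at the user station."""
    # (1) user -> sponsor: MAC'd user identifier and Kc-encrypted request
    tag = hmac.new(user["kc"], user["uid"], hashlib.sha256).digest()
    c_req = sym_encrypt(user["kc"], request.to_bytes(2, "big"))
    # (2) sponsor: match uid, verify MAC, check time window, apply d2, return K1
    if user["uid"] != sponsor["uid"]:
        raise PermissionError("unknown user identifier")
    kc = sponsor["kc"]
    if not hmac.compare_digest(tag, hmac.new(kc, sponsor["uid"], hashlib.sha256).digest()):
        raise PermissionError("user MAC did not verify")
    if time.time() > sponsor["valid_until"]:
        raise PermissionError("authentication period expired")
    m = int.from_bytes(sym_decrypt(kc, c_req), "big")
    partial = pow(m, sponsor["d2"], N)
    reply = sym_encrypt(kc, partial.to_bytes(2, "big") + sponsor["k1"])
    # (3) user: decrypt reply, recover d1 with K1, complete the signature
    plain = sym_decrypt(user["kc"], reply)
    partial_r, k1 = int.from_bytes(plain[:2], "big"), plain[2:]
    d1 = int.from_bytes(sym_decrypt(k1, user["enc_d1"]), "big")
    return pow(partial_r, d1, N)


def verify(signature: int, request: int) -> bool:
    return pow(signature, E, N) == request   # first network station, public key check


def demo() -> bool:
    user, sponsor = enroll("correct horse battery", b"alice@example.test")
    req = int.from_bytes(hashlib.sha256(b"constructed handshake").digest(), "big") % N
    sig = authenticate(user, sponsor, req)
    return verify(sig, req) and sig == pow(req, D, N)
```

Because the sponsor stops completing signatures once it refuses a user identifier or its time value lapses, the instant revocation of paragraph [0017] falls out of the same check that `authenticate` performs before applying d2.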
[0051] In a preferred practical implementation of the invention, a
system for accessing multiple different network stations includes a
first station representing a user having a password, user
identifier, and an associated asymmetric crypto-key, including a
first private key portion, a second private key portion and a
public key portion. The first network station transmits a log-in
request including the user identifier.
[0052] A second station, representing a sponsor, transmits a
challenge responsive to the transmitted log-in request. The first
station processes a user input including the password to obtain the
first private key portion, and encrypts a first symmetric
crypto-key and the transmitted challenge with the obtained first
private key portion to form a first encrypted message. The station
then transmits the first encrypted message.
[0053] The second station decrypts the transmitted first encrypted
message with the second private key portion and public key to
recover the challenge and the first symmetric crypto-key, and
thereby authenticate the user. The second station also combines the
recovered first symmetric crypto-key with a second symmetric
crypto-key to form a combined symmetric crypto-key and stores the
combined symmetric crypto-key. The second station additionally
encrypts the second symmetric crypto-key with the first symmetric
crypto-key to form a second encrypted message, and transmits the
second encrypted message.
[0054] The first station decrypts the transmitted second encrypted
message with the first symmetric crypto-key to recover the second
symmetric crypto-key, thereby authenticating the sponsor. The first
station combines the recovered second symmetric crypto-key with the
first symmetric crypto-key to form the combined symmetric
crypto-key. The first station also encrypts the obtained first
private key portion with the first symmetric crypto-key and
destroys the first symmetric crypto-key and the unencrypted first
private key portion.
[0055] Subsequently, the first station can encrypt a request for
user authentication from another network entity with the combined
symmetric crypto-key to form a third encrypted message. The first
station then transmits the user identifier and the third encrypted
message, typically MAC'd with the combined symmetric crypto-key. As
discussed above, this information may be transmitted in a single or
multiple communications.
[0056] The second station verifies the MAC on the transmitted
message and matches the transmitted user identifier with the user
identifier previously transmitted by the first station to retrieve
the combined symmetric crypto-key. The second station also decrypts
the third encrypted message with the retrieved combined symmetric
crypto-key to recover the request for user authentication. The
second station then encrypts the recovered request for user
authentication with the second private key portion to form a fourth
encrypted message. The station next encrypts the first symmetric
crypto-key and the fourth encrypted message with the combined
symmetric crypto-key to form a fifth encrypted message. The second
station next transmits the fifth encrypted message.
[0057] The first network station decrypts the transmitted fifth
encrypted message with the combined symmetric crypto-key to recover
the transmitted first symmetric crypto-key and the transmitted
fourth encrypted message, thereby verifying the identity of the
sponsor. The first station also decrypts the encrypted first
private key portion with the recovered first symmetric crypto-key,
and further encrypts the recovered fourth encrypted message with
the decrypted first private key portion to form an authentication
message. The station transmits the authentication message to the
other network entity to authenticate the user.
* * * * *