Security method and system for persistent storage and communications on computer network systems and computer network systems employing the same
First Claim
1. A login method to enhance security in a network computer system having at least one server computer coupled over a communication network to a plurality of client computers, wherein each client computer is coupled to directly access a persistent storage device and wherein each client computer is operated by a control program after login, the method comprising the steps of:
- receiving a login ID and password PW from a user at a first one of said client computers;
computing, at said first client computer, a hash value H1PW of the password PW;
transmitting a first-stage login request including ID from said first client computer to a first one of said server computers;
receiving said first-stage login request at said first server computer;
providing, at said first server computer, a key-exchange key KEK;
encrypting KEK at said first server computer;
transmitting a first-stage login response, including the encrypted KEK, from said first server computer to said first client computer;
receiving said first-stage login response at said first client computer;
decrypting, at said first client computer, the encrypted KEK, to yield KEK;
providing, at said first client computer, a first split key SK1;
encrypting, it said first client computer, key SK1, using KEK as an encryption key, to yield ESK1;
transmitting a second-stage login request, including ESK1, from said first client computer to said first server computer;
receiving said second-stage login request at said first server computer;
decrypting, at said first server computer, ESK1, using KEK as a decryption key, to yield SK1;
providing, at said first server computer, a second split key SK2;
combining, at said first server computer, the first and second split keys SK1 and SK2, to yield session key SK;
encrypting, at said first server computer, the second split key SK2, using KEK as an encryption key, to yield ESK2;
transmitting a second-stage login response, including ESK2, from said first server computer to said first client computer;
receiving the second-stage login response at said first client computer;
decrypting, at said first client computer, ESK2 received with the second-stage login response, using KEK as a decryption key, to yield SK2;
combining, at said first client computer, the first and second split keys SK1 and SK2, to yield sessions key SK;
encrypting further transmissions between said first client computer and said first server computer, using sessions key SK as an encryption key.
0 Assignments
0 Petitions
Accused Products
Abstract
A multi-stage login procedure and system involves a first stage in which a login ID and a public key (encrypted) is transmitted from a client computer to a server computer and a key-exchange key (encrypted) is provided from the server computer to the client computer. In a second stage, a first split symmetric key and a server authentication string is generated and encrypted by the client computer and then transmitted to the server computer. In addition, the server computer generates a second split symmetric key and combines the same with the first split symmetric key to obtain a complete symmetric key for encrypting further communications from the server to the client computer. The server also generates a client authentication string, encrypts the same and transmits the encrypted string, the server authentication string (encrypted and incremented) and the second split symmetric key (encrypted) to the client computer. In a third stage, the client computer uses the server authentication string to authenticate the server. In addition, the client computer combines the second split symmetric key with the first split symmetric key to obtain the complete symmetric key for encrypting further communications from the client computer to the server computer. The client computer also decrypts, increments and encrypts the client authentication string and transmits the same to the server. The server then uses the client authentication string (after decryption and decrementation) to authenticate the client computer. Thereafter, the server provides the client computer with a first split symmetric persistent storage key (encrypted), which the client computer combines (after decryption) with a one-way hash value to obtain a persistent storage key for use by the client computer to communication information to and from persistent storage.
155 Citations
20 Claims
-
1. A login method to enhance security in a network computer system having at least one server computer coupled over a communication network to a plurality of client computers, wherein each client computer is coupled to directly access a persistent storage device and wherein each client computer is operated by a control program after login, the method comprising the steps of:
-
receiving a login ID and password PW from a user at a first one of said client computers;
computing, at said first client computer, a hash value H1PW of the password PW;
transmitting a first-stage login request including ID from said first client computer to a first one of said server computers;
receiving said first-stage login request at said first server computer;
providing, at said first server computer, a key-exchange key KEK;
encrypting KEK at said first server computer;
transmitting a first-stage login response, including the encrypted KEK, from said first server computer to said first client computer;
receiving said first-stage login response at said first client computer;
decrypting, at said first client computer, the encrypted KEK, to yield KEK;
providing, at said first client computer, a first split key SK1;
encrypting, it said first client computer, key SK1, using KEK as an encryption key, to yield ESK1;
transmitting a second-stage login request, including ESK1, from said first client computer to said first server computer;
receiving said second-stage login request at said first server computer;
decrypting, at said first server computer, ESK1, using KEK as a decryption key, to yield SK1;
providing, at said first server computer, a second split key SK2;
combining, at said first server computer, the first and second split keys SK1 and SK2, to yield session key SK;
encrypting, at said first server computer, the second split key SK2, using KEK as an encryption key, to yield ESK2;
transmitting a second-stage login response, including ESK2, from said first server computer to said first client computer;
receiving the second-stage login response at said first client computer;
decrypting, at said first client computer, ESK2 received with the second-stage login response, using KEK as a decryption key, to yield SK2;
combining, at said first client computer, the first and second split keys SK1 and SK2, to yield sessions key SK;
encrypting further transmissions between said first client computer and said first server computer, using sessions key SK as an encryption key. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
-
-
17. A system to enhance security in a network computer environment, said system comprising:
-
a communication network;
at least one server computer, including a first server computer, coupled to said communication network;
a plurality of client computers, including a first client computer, coupled to said communication network;
a persistent storage device operatively coupled to each of said client computers;
means, associated with said first client computer, for receiving a login ID and password PW;
means, associated with said first computer, for computing a hash value H1PW of the password PW;
means, associated with said first computer, for transmitting a first-stage login request including ID, through said communication network, to said first server computer;
means, associated with said first server computer, for providing a first encryption key KEK;
means, associated with said first server computer, for encrypting KEK;
means, associated with said first server computer, for transmitting a first-stage login response, including the encrypted KEK, through said communication network, to said first client computer;
means, associated with said first client computer, for decrypting the encrypted KEK, to yield KEK;
means, associated with said first client computer, for providing a first split encryption key SK1;
means, associated with said first client computer, for encrypting the first split key SK1, using KEK as an encryption key, to yield ESK1;
means, associated with said first client computer, for transmitting a second-stage login request, including ESK1, through said communication network, to said first server computer;
means, associated with said first server computer, for decrypting ESK1, using KEK as a decryption key, to yield SK1;
means, associated with said first server computer, for providing a second split encryption key SK2;
means, associated with said first server computer, for combining the first and second split keys SK1 and SK2, to yield session key SK;
means, associated with said first server computer, for encrypting the second split symmetric key SK2, using KEK as an encryption key, to yield ESK2;
means, associated with said first server computer, for transmitting a second-stage login response, including ESK2, through said communication network, to said first client computer;
means, associated with said first client computer, for decrypting ESK2 received with the second-stage login response, using KEK as a decryption key, to yield SK2;
means, associated with said first client computer, for combining the first and second split keys SK1 and SK2, to yield session key SK;
means, associated with said first client computer, for encrypting further transmissions from said first client computer to said first server computer, using symmetric session key SK as an encryption key; and
means, associated with said first server computer, for encrypting further transmissions from said first server computer to said first client computer, using symmetric session key SK as an encryption key. - View Dependent Claims (18)
-
-
19. An article of manufacture comprising a computer program carrier readable by a first client computer coupled to a computer network system having a plurality of client computers and a computer program carrier readable by a first server computer coupled to said computer network system, the computer program carriers embodying one or more instructions executable by the first remote computer and the first server computer to perform method steps of:
-
receiving a login ID and password PW from a user at a first one of said client computers;
computing, at said first client computer, a hash value H1PW of the password PW;
transmitting a first-stage login request including ID from said first client computer to a first one of said server computers;
receiving said first-stage login request at said first server computer;
providing, at said first server Computer, a key-exchange key KEK;
encrypting KEK at said first server computer;
transmitting a first-stage login response, including the encrypted KEK, from said first server computer to said first client computer;
receiving said first-stage login response at said first client computer;
decrypting, at said first client computer, the encrypted KEK, to yield KEK;
providing, at said first client computer, a first split key SK1;
encrypting, at said first client computer, key SK1, using KEK as an encryption key, to yield ESK1;
transmitting a second-stage login request, including ESK1, from said first client computer to said first server computer;
receiving said second-stage login request at said first server computer;
decrypting, at said first server computer, ESK1, using KEK as a decryption key, to yield SK1;
providing, at said first server computer, a second split key SK2;
combining, at said first server computer, the first and second split keys SK1 and SK2, to yield session key SK;
encrypting, at said first server computer, the second split key SK2, using KEK as an encryption key, to yield ESK2;
transmitting a second-stage login response, including ESK2, from said first server computer to said first client computer;
receiving the second-stage login response at said first client computer;
decrypting, at said first client computer, ESK2 received with the second-stage login response, using KEK as a decryption key, to yield SK2;
combining, at said first client computer, the first and second split keys SK1 and SK2, to yield sessions key SK;
encrypting further transmissions between said first client computer and said first server computer, using sessions key SK as an encryption key. - View Dependent Claims (20)
-
Specification