Systems, methods and software for remote password authentication using multiple servers
Abstract
Systems, methods and software employ zero-knowledge password (ZKP) protocols to provide strong authentication using low-grade passwords that people can easily memorize. We describe protocols that enable multiple servers to verify a password, without providing any single server, client, or network attacker with the ability to validate guesses for the password off-line. Further improvements include removing dependency on a prior secure channel and client-stored keys or certificates, increasing performance without introducing new cryptographic assumptions, and better management of mistakes in password entry. To enroll, a user chooses a password and constructs a master key K composed of multiple shares. The master key may be used for a variety of purposes, such as encrypting the user's private keys and other sensitive data. A set of random values {y1, y2, ..., yN} is selected, and each share is computed as Ki = P^yi in a suitable finite group. Each yi value is distributed to the ith one of N servers. To authenticate, the client chooses a random secret x, and with each server, sends P^x, retrieves mi = (P^x)^yi, and computes Ki = mi^(1/x). The client reconstructs K, performs a validation test on K, and uses K to decrypt a private digital signature key U. When the validation test succeeds, the client signs a message with U that contains P^x and optionally other values sent by the client based on incorrect passwords mistakenly entered by the same user in attempting to authenticate. Each server verifies the signed message to authenticate the user, and to forgive the user for some reasonable number of mistakes. With knowledge of valid messages, mistakes and all, the server fine-tunes the accounting of bad access attempts. No single server knows K, P, or any of the Ki shares, and no server receives sufficient information to mount a dictionary attack on K or P.
Password security is maintained in a very simple model, requiring no previously secured or server-authenticated channel between the client and any servers. This model further prevents risks inherent in systems where people must authenticate servers, but don't. Data protected by a small password, and no other keys, remains secret even against an enemy that compromises any, but not all, of two or more cooperating authentication servers.
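The enrollment and authentication exchange the abstract describes, written out as an added Python example; this is not the patent's own code nor any product's implementation. It assumes a 128-bit safe-prime group found from a fixed seed (the patent fixes no group, and real deployments use far larger parameters), P derived by hashing the password and squaring the result into the prime-order subgroup, Km formed as a SHA-256 hash over the shares, U hidden under Km as a one-time mask, and a Schnorr signature over the message that lists the blinded values. The AuthServer class, its pending set, and every function name are this example's own choices.

```python
import hashlib
import random
import secrets

# Demo group: the order-q subgroup of Z_p^* for a 128-bit safe prime p = 2q+1 found from a fixed
# seed (an assumption for a reproducible demo; the patent fixes no group, real sizes are far larger).
def is_probable_prime(n, rounds=16):                      # Miller-Rabin, bases seeded from n
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(n)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def find_safe_prime(bits, seed=2024):
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

P_MOD, Q_ORD = find_safe_prime(128)
G = 4                                                     # a square, so it generates the order-q subgroup

def sha256(*parts):                                       # ints are hashed via their decimal form
    return hashlib.sha256(b"".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)).digest()

def password_to_group_element(password):                  # P from the password: hash, then square into the subgroup
    h = int.from_bytes(sha256(b"pw-to-P", password.encode()), "big") % P_MOD
    return pow(max(h, 2), 2, P_MOD)

def combine_shares(shares):                               # Km = H(K1 || ... || KN): one way to "compose" K
    return int.from_bytes(sha256(b"master", *(k.to_bytes(32, "big") for k in shares)), "big")

def schnorr_sign(U, msg):                                 # U: the private signature key unlocked by Km
    k = secrets.randbelow(Q_ORD - 1) + 1
    R = pow(G, k, P_MOD)
    e = int.from_bytes(sha256(b"sig", R, msg), "big") % Q_ORD
    return R, (k + e * U) % Q_ORD

def schnorr_verify(V, msg, sig):                          # V = G^U, handed to each server at enrollment
    R, s = sig
    e = int.from_bytes(sha256(b"sig", R, msg), "big") % Q_ORD
    return pow(G, s, P_MOD) == R * pow(V, e, P_MOD) % P_MOD

class AuthServer:                                         # holds one share yi; never sees P, x or Km
    def __init__(self):
        self.yi, self.V, self.pending = None, None, set()
    def blind_share(self, Px):
        self.pending.add(Px)                              # answered, but not yet vouched for by a signature
        return pow(Px, self.yi, P_MOD)                    # mi = (P^x)^yi
    def confirm(self, msg, sig):
        if not schnorr_verify(self.V, msg, sig):
            raise ValueError("bad signature")
        self.pending -= {int(t) for t in msg.split(b",")} # forgive every blinded value the user lists
    def unexplained(self):
        return len(self.pending)                          # what a server's bad-attempt counter should count

def enroll(password, U, servers):
    P, V = password_to_group_element(password), pow(G, U, P_MOD)
    shares = []
    for srv in servers:
        srv.yi, srv.V = secrets.randbelow(Q_ORD - 1) + 1, V   # yi is distributed to the i-th server
        shares.append(pow(P, srv.yi, P_MOD))              # Ki = P^yi, computed on the client
    return {"V": V, "masked_U": combine_shares(shares) ^ U}   # U under a one-time mask from Km

def authenticate(password, record, servers, prior_blinds=()):
    P = password_to_group_element(password)
    x = secrets.randbelow(Q_ORD - 1) + 1
    Px = pow(P, x, P_MOD)                                 # blinded password, sent to every server
    shares = [pow(srv.blind_share(Px), pow(x, -1, Q_ORD), P_MOD) for srv in servers]   # Ki = mi^(1/x)
    U = combine_shares(shares) ^ record["masked_U"]
    if pow(G, U, P_MOD) != record["V"]:                   # validation test: does the recovered U match V?
        return None, Px                                   # mistake; the caller keeps Px to list it later
    msg = b",".join(str(b).encode() for b in (Px, *prior_blinds))
    sig = schnorr_sign(U, msg)
    for srv in servers:
        srv.confirm(msg, sig)                             # servers learn the user succeeded, mistakes and all
    return U, Px

def demo():
    U, servers = secrets.randbelow(Q_ORD - 1) + 1, [AuthServer() for _ in range(3)]
    record = enroll("correct horse battery", U, servers)
    _, bad_blind = authenticate("correct horse batery", record, servers)      # mistyped password
    got, _ = authenticate("correct horse battery", record, servers, [bad_blind])
    return got == U and all(s.unexplained() == 0 for s in servers)
```

Each server only ever receives P^x and its own yi, and x is fresh for every attempt, so a compromised server holds nothing against which it could test password guesses offline; the client recovers the real shares by raising each reply to 1/x mod q. The `unexplained()` count models the bad-attempt accounting from the abstract: a mistyped attempt whose P^x is later named in a signed message is forgiven, while one that is never vouched for stays counted.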
24 Claims
1. A system that provides for remote password authentication comprising:
a client computer;
a plurality of authentication servers;
a network interconnecting the client computer and plurality of authentication servers;
software running on the client computer and plurality of authentication servers that cooperates to enter a password on the client, store a unique random value yi on each of the servers, derive a group element (P) from the password, send a blinded password value (P^x) to the servers, retrieve blinded key shares ((P^x)^yi) from the servers, unblind and combine the shares to create a master key (Km), and decrypt encrypted private data on the client computer using the master key (Km).
Dependent claims: 2, 3, 4, 5, 16
6. A method that provides for remote password authentication using a system comprising a client computer, a plurality of authentication servers, and a network interconnecting the client computer and plurality of authentication servers, the method comprising the steps of:
entering a password;
deriving a group element (P) from the password;
sending a blinded password value (P^x) to the servers;
retrieving blinded key shares ((P^x)^yi) from the servers;
unblinding and combining the shares to create a master key (Km); and
decrypting encrypted private data on the client computer using the master key (Km).
Dependent claims: 7, 8, 9, 10, 19
11. A computer program embodied on a computer-readable medium for enabling remote password authentication in a multiple-server system comprising a client computer, a plurality of authentication servers, and a network interconnecting the client computer and plurality of authentication servers, the computer program comprising:
a code segment that enters a password;
a data storage area that contains a unique random value yi on each of the servers;
a code segment that derives a group element (P) from the password;
a code segment that sends a blinded password value (P^x) to the servers;
a code segment that retrieves blinded key shares ((P^x)^yi) from the servers;
a code segment that unblinds and combines the shares to create a master key (Km); and
a code segment that decrypts encrypted private data on the client computer using the master key (Km).
Dependent claims: 12, 13, 14, 15, 17, 18, 20, 21, 22, 23, 24