Methods for pre-authentication of users using one-time passwords

US 20020095507A1
Filed: 06/28/2001
Published: 07/18/2002
Est. Priority Date: 01/17/2001
Status: Active Grant

First Claim

Patent Images

1. A method for communicating passwords comprises:

receiving at a server a challenge from a authentication server via a first secure communications channel, the challenge comprising at least a random password that is inactive;

communicating the challenge from the server to a client computer via a second secure communications channel;

receiving at the server a challenge response from the client computer via the second secure communications channel, the challenge response comprising a digital certificate and a digital signature, the digital certificate including a public key in an encrypted form, the digital signature being determined in response to at least a portion of the challenge and the private key; and

communicating the challenge response from the server to the authentication server via the first secure communications channel;

wherein the random password is activated when the authentication server verifies the challenge response.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for communicating passwords includes receiving at a server a challenge from a authentication server via a first secure communications channel, the challenge comprising a random password that is inactive, communicating the challenge from the server to a client computer via a second secure communications channel, receiving at the server a challenge response from the client computer via the second secure communications channel, the challenge response comprising a digital certificate and a digital signature, the digital certificate including a public key in an encrypted form, the digital signature being determined in response to the random password and the private key, and communicating the challenge response from the server to the authentication server via the first secure communications channel, wherein the random password is activated when the authentication server verifies the challenge response.

131 Citations

20 Claims

1. A method for communicating passwords comprises:
- receiving at a server a challenge from a authentication server via a first secure communications channel, the challenge comprising at least a random password that is inactive;
  
  communicating the challenge from the server to a client computer via a second secure communications channel;
  
  receiving at the server a challenge response from the client computer via the second secure communications channel, the challenge response comprising a digital certificate and a digital signature, the digital certificate including a public key in an encrypted form, the digital signature being determined in response to at least a portion of the challenge and the private key; and
  
  communicating the challenge response from the server to the authentication server via the first secure communications channel;
  
  wherein the random password is activated when the authentication server verifies the challenge response.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the client computer communicates the random password to a password-based security system, the password-based security system coupled to the authentication server.
  - 3. The method of claim 2 wherein the password-based security system comprises a firewall.
  - 4. The method of claim 1 wherein the public key and the private key are associated with an authenticated user.
  - 5. The method of claim 1wherein the private key is not associated with an authenticated user, and wherein the authentication server does not authenticate the challenge response.
  - 6. The method of claim 1 wherein the first secure communications channel is selected from the group:
    - secure socket layer and secure HTTP.

7. A method for a client computer comprises:
- receiving challenge data from a authentication server via a first secure communications channel, the challenge data comprising a challenge and a password that is inactive;
  
  receiving a user PIN;
  
  recovering a private key and a digital certificate in response to the user PIN;
  
  sending the digital certificate to the authentication server via an external server, the digital certificate comprising a public key in an encrypted form;
  
  sending a digital signature to the authentication server via the external server, the digital signature being determined in response the challenge and the private key; and
  
  thereafter sending a user login and the password to a password-based security system coupled to the authentication server, wherein when the authentication server verifies the digital signature, the password is activated.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 15, 16, 17, 18, 19, 20)
- - 8. The method of claim 7 wherein when the authentication server does not verify the digital signature, the password remains inactive.
  - 9. The method of claim 7 wherein the password-based security system comprises a server selected from the group:
    - a firewall and a VPN Gateway.
  - 10. The method of claim 7 wherein recovering the private key and the digital certificate in response to the user PIN comprises:
    - recovering a private key associated with the user when the user PIN is correct; and
      
      generating a private key not associated with the user when the user PIN is incorrect.
  - 11. The method of claim 10 further comprising manually entering the user login and the password to the client computer.
  - 12. The method of claim 7 wherein the password is activated for a pre-determined amount of time.
  - 13. The method of claim 12 wherein after the pre-determined amount of time, the password is inactivated.
  - 15. The method of claim 14 wherein communicating data comprising the one-time password to the client computer comprises communicating via an external server via a secure communications channel.
  - 16. The method of claim 14 wherein the one-time password is selected form the group:
    - random, pre-determined, pseudo-random.
  - 17. The method of claim 14 wherein the user identification data comprises a digital signature.
  - 18. The method of claim 17 wherein the digital signature comprises a private key selected from the group:
    - associated with the user, not associated with the user.
  - 19. The method of claim 18 wherein verifying the user comprises verifying the user when the private key is associated with the user.
  - 20. The method of claim 14 further comprising:
    - receiving a verification request from a password-based security system, the verification request comprising a user login and the one-time password;
      
      determining whether the one-time password is activated; and
      
      approving the verification request when the one-time password is determined to be active.

14. A method for a verification server comprises:
- receiving a request for a one-time password from a client computer;
  
  determining a one-time password, the one-time password being inactive;
  
  communicating data comprising the one-time password to the client computer;
  
  receiving user identification data from a user at the client computer;
  
  verifying the user in response to the user identification data; and
  
  activating the one-time password when the user is authenticated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Arcot Systems, Inc. (Broadcom, Inc.)
Inventors
Jerdonek, Robert A.

Granted Patent

US 6,983,381 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/229
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless network architectu...

H04L 63/0272   Virtual private networks

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/0823   using certificates cryptogr...

H04L 63/0838   using one-time-passwords

H04L 63/0861   using biometrical features,...

H04L 63/12   Applying verification of th...

H04L 9/3215   using a plurality of channe...

H04L 9/3271   using challenge-response

Methods for pre-authentication of users using one-time passwords

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

131 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods for pre-authentication of users using one-time passwords

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

131 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links