Computer network security system employing portable storage device
Abstract
The trusted computer network is protected behind a gateway that includes a bastion host and a screening router which blocks all URLs associated with the trusted network. The bastion host includes a remote client authentication mechanism and a web proxy component that verifies and translates incoming URL requests from authenticated remote clients. Authentication is performed using one-time passwords that are stored on a portable storage device. The user configures the portable storage device by operating configuration software from the protected side of the gateway. The portable storage device also stores plug-in software to enable the client computer to properly retrieve the one-time password and exchange authentication messages with the bastion host. Further security is obtained by basing the one-time password on an encrypted version of the user's PIN. A symmetric key used to encrypt the PIN is stored in a protected area within the portable storage device.
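The abstract describes a challenge-response exchange in which the bastion host names one of a set of pre-generated one-time passwords and the client answers with the password stored on the portable device. The following Python model is an added illustration written for this page; it is not code from the patent or from any implementation of it. All names (BastionStore, PortableStore, initialize, challenge, respond, verify) are assumptions, the sample stores are constructed in memory, and the PIN-encryption step mentioned in the abstract is not modeled. The model shows the two defensive properties a verifier wants from such a scheme: the bastion host keeps only salted digests, and a key is burned after one use so a captured response cannot be replayed.

```python
"""Toy model of the index-key / one-time-password exchange (constructed example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class BastionStore:
    """First data store (bastion host side): key -> (salt, digest of password)."""
    pairs: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)
    used: Set[str] = field(default_factory=set)


@dataclass
class PortableStore:
    """Second data store (portable device side): key -> plaintext password."""
    passwords: Dict[str, str] = field(default_factory=dict)


def _digest(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


def initialize(n: int) -> Tuple[BastionStore, PortableStore]:
    """Initialization mechanism: generate n key-password pairs on the protected side.

    The bastion host never stores the password itself, only a salted digest.
    """
    bastion, portable = BastionStore(), PortableStore()
    for _ in range(n):
        key = secrets.token_hex(8)            # index value sent in the clear
        password = secrets.token_urlsafe(24)  # one-time password, device only
        salt = secrets.token_bytes(16)
        bastion.pairs[key] = (salt, _digest(salt, password))
        portable.passwords[key] = password
    return bastion, portable


def challenge(bastion: BastionStore) -> Optional[str]:
    """First component: pick an unused key and send it to the client."""
    for key in bastion.pairs:
        if key not in bastion.used:
            return key
    return None  # every one-time password consumed; re-initialization needed


def respond(portable: PortableStore, key: str, user_approved: bool) -> Optional[str]:
    """Second component: release a password only for a known key and with user input."""
    if not user_approved:
        return None
    return portable.passwords.get(key)


def verify(bastion: BastionStore, key: Optional[str], password: Optional[str]) -> bool:
    """Bastion side: constant-time comparison; a submitted key is burned even on mismatch."""
    if password is None or key is None or key not in bastion.pairs or key in bastion.used:
        return False
    bastion.used.add(key)  # one-time: burn before comparing so a failed guess cannot retry
    salt, expected = bastion.pairs[key]
    return hmac.compare_digest(_digest(salt, password), expected)


def run_exchange(n: int = 3) -> dict:
    """Drive one honest login, a replay of it, a declined prompt, and a wrong answer."""
    bastion, portable = initialize(n)
    key = challenge(bastion)
    first = verify(bastion, key, respond(portable, key, user_approved=True))
    replay = verify(bastion, key, respond(portable, key, user_approved=True))
    key2 = challenge(bastion)
    declined = verify(bastion, key2, respond(portable, key2, user_approved=False))
    key3 = challenge(bastion)
    wrong = verify(bastion, key3, "not-the-stored-password")
    return {
        "first": first,        # True: fresh key, correct password
        "replay": replay,      # False: key already burned
        "declined": declined,  # False: no user approval, nothing sent, key kept
        "wrong": wrong,        # False: mismatch, and the key is burned anyway
        "remaining": n - len(bastion.used),
    }


if __name__ == "__main__":
    print(run_exchange())
```

Burning the key before the comparison is the deliberate choice here: an attacker who intercepts the index value gains nothing without the device, and a mismatched answer costs the legitimate user one of a finite pool of passwords rather than giving the attacker a second attempt at the same index.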
23 Claims
1. A security system for controlling access to a trusted computer network by a client computer, comprising:
a bastion host that controls access to said trusted computer network;
a first data store associated with said bastion host and configured to store a set of key-password pairs;
a portable storage device;
a second data store associated with said portable storage device and configured to store passwords represented in said key-password pairs;
a user operable initialization mechanism that interfaces with said first and second data stores, said initialization mechanism generating and storing said key-password pairs in said first data store and generating and storing said passwords in said second data store;
an authentication mechanism having a first component associated with said bastion host and having a second component associated with said client computer;
said first component being configured to communicate a key associated with one of said key-password pairs to said second component;
said second component being configured to access said second data store and retrieve at least one password represented in said key-password pair;
said second component being further configured to communicate said at least one password to said first component based on input from the user and based on said key communicated from said first component.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.)

11. A method of authenticating interaction with a trusted computer network located behind a bastion host, comprising:
defining a secure database protected by said bastion host;
providing a portable storage device;
providing a user-operable recording mechanism protected by said bastion host by which said user stores first information in said secure database and second information in said portable storage device;
said first and second information representing components of an encryption key system from which at least one password is generated;
installing said portable storage device at a client computer and establishing communication between said bastion host and said client computer;
using said first and second information at said client computer to generate said password and communicating said password to said bastion host;
evaluating said password at said bastion host and effecting authentication based on correspondence of said password to information stored in said secure database.
(Dependent claims: 12, 13, 14, 15, 18, 19, 20, 21, 22, 23.)

16. A computer network authentication signal embodied in a carrier wave, comprising:
an index value representing one of a plurality of one-time passwords;
a key value associated with said index value and corresponding to said one of said plurality of one-time passwords.

17. A secure network communication system, comprising:
a screening router;
an authentication system that authenticates a remote client communicating through said screening router;
a bastion host having a web proxy system in communication with said screening router;
active session middleware associated with said bastion host that associates an active session with said remote client upon authentication by said authentication system;
said web proxy system being configured to perform URL verification and URL modification based on information received from said active session middleware and said authentication system.