Method and system for securely authenticating network access credentials for users

US 20030056096A1
Filed: 04/05/2002
Published: 03/20/2003
Est. Priority Date: 04/18/2001
Status: Active Grant

First Claim

Patent Images

1. A method to securely authenticate user credentials, the method including:

encrypting a user credential with a public key at an access device, the public key being part of a public/private key pair suitable for use with an encryption algorithm;

transmitting the encrypted network user credential from the access device to a decryption server;

decrypting the user credential at the decryption server with a private key, the private key being part of the public/private key pair suitable for use with the encryption algorithm; and

transmitting the decrypted user credential from the decryption server to an authentication server for verification.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided to securely authenticate user credentials. The method includes encrypting a user credential with a public key at an access device wherein the public key is part of a public/private key pair suitable for use with an encryption algorithm. The encrypted network user credential is transmitted from the access device to a decryption server where it is decrypted with a private key, the private key being part of the public/private key pair suitable for use with the encryption algorithm. The decrypted user credential is then transmitted from the decryption server to an authentication server for verification. The decryption server typically forms part of a multi-party service access environment including a plurality of access providers, the method including decrypting the user credential of a user proximate an access provider associated with the user credential. The method can be used in legacy protocols such as Point-to-Point protocol (PPP), Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Remote Authentication Dial In User Service (RADIUS) protocol, Terminal Access Controller Access Control System (TACACS) protocol, Lightweight Directory Access Protocol (LDAP), NT Domain authentication protocol, Unix password authentication protocol, HyperText Transfer Protocol (HTTP), HyperText Transfer Protocol over Secure sockets layer (HTTPS), Extended Authentication Protocol (EAP), Transport Layer Security (TLS) protocol, Token Ring protocol and/or Secure Remote Password protocol (SRP).

Citations

47 Claims

1. A method to securely authenticate user credentials, the method including:
- encrypting a user credential with a public key at an access device, the public key being part of a public/private key pair suitable for use with an encryption algorithm;
  
  transmitting the encrypted network user credential from the access device to a decryption server;
  
  decrypting the user credential at the decryption server with a private key, the private key being part of the public/private key pair suitable for use with the encryption algorithm; and
  
  transmitting the decrypted user credential from the decryption server to an authentication server for verification.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, in which the decryption server forms part of a multi-party service access environment including a plurality of access providers, the method including transmitting the user credential over a secure communication channel and decrypting the user credential of a user proximate an access provider associated with the user credential.
  - 3. The method of claim 2, in which the access provider associated with the user credential is a customer of the multi-party access system, the user requesting access to a computer system of the customer via at least one service provider.
  - 4. The method of claim 1, which includes generating the public/private key pair with an encryption algorithm suitable for use with elliptic curve cryptography.
  - 5. The method of claim 1, wherein the encrypting includes encrypting a password input by a user with the public key.
  - 6. The method of claim 1, wherein the encrypting includes encrypting a non-reversible hash of a password with the public key.
  - 7. The method of claim 1, which includes:
    - transmitting the encrypted user credential from the access device to a network access server; and
      
      transmitting the encrypted user credential from the network access server to the decryption server.
  - 8. The method of claim 7, which includes:
    - negotiating with the network access server for use of an authentication protocol for transmitting the encrypted user credential from the access device to the network access server;
      
      transmitting the encrypted user credential from the access device to the network access server using the negotiated authentication protocol; and
      
      transmitting the encrypted user credential from the network access server to the decryption server.
  - 9. The method of claim 8, which includes retrieving the private key from a private key database at the decryption server based on a username received from the access device.
  - 10. The method of claim 1, wherein the user credential is a password authenticated using at least one of Point-to-Point protocol (PPP), Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Remote Authentication Dial In User Service (RADIUS) protocol, Terminal Access Controller Access Control System (TACACS) protocol, Lightweight Directory Access Protocol (LDAP), NT Domain authentication protocol, Unix password authentication protocol, HyperText Transfer Protocol (HTTP), HyperText Transfer Protocol over Secure sockets layer (HTTPS), Extended Authentication Protocol (EAP), Transport Layer Security (TLS) protocol, Token Ring protocol and Secure Remote Password protocol (SRP).
  - 11. The method of claim 10, wherein the encrypted user credential is at least substantially defined by standard characters described in RFC 2486.
  - 12. The method of claim 11, wherein the encrypted user credentials that are transmitted to the decryption server are generated by a symbol transformation scheme of values generated by the encryption algorithm and characters described in RFC 2486.
  - 13. The method of claim 1, which includes incrementing a counter each time authentication is requested and including a count of the counter with the user credential.
  - 14. The method of claim 13, which includes including an access device identification with the user credential.
  - 15. The method of claim 14, wherein the access device identification uniquely identifies a connection application via which authentication is requested.
  - 16. The method of claim 15, which includes generating a checksum character by generating the MD5 hash of the count, access device identification and a point of the encryption algorithm.
  - 17. The method of claim 16, wherein standard characters are added to a byte of a random point generated by an elliptic curve cryptography algorithm where after a modulus 95 function is performed.

18. A method of authenticating user data of a user requesting access to a service access system including a plurality of service providers, the method including:
- encrypting the user data with a public key, the public key being part of a public/private key pair suitable for use with an encryption algorithm; and
  
  transmitting the encrypted user data to a decryption server for decryption using the private key.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 19. The method of claim 18, in which the encrypted user data is configured so that it can be transmitted using at least one of Point-to-Point protocol (PPP), Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Remote Authentication Dial In User Service (RADIUS) protocol, Terminal Access Controller Access Control System (TACACS) protocol, Lightweight Directory Access Protocol (LDAP), NT Domain authentication protocol, Unix password authentication protocol, HyperText Transfer Protocol (HTTP), HyperText Transfer Protocol over Secure sockets layer (HTTPS), Extended Authentication Protocol (EAP), Transport Layer Security (TLS) protocol, Token Ring protocol and Secure Remote Password protocol (SRP).
  - 20. The method of claim 19, in which the encrypted user data is modified prior to transmission to conform to RFC 2486 standards using character transformation.
  - 21. The method of claim 20, which includes encrypting a non-reversible hash of a user password with the public key.
  - 22. The method of claim 21, in which the encrypted user data is modified prior to transmission to include only plain text ASCII characters.
  - 23. The method of claim 22, in which the encrypted data is included in at least one of a user password field and a user identification field of the protocol.
  - 24. The method of claim 23, in which user data for inclusion in the password field is encrypted with a random point generated using an elliptic curve cryptography algorithm.
  - 25. The method of claim 18, in which the user requests access to the network via a connect dialer, the method including:
    - incrementing a counter of the connect dialer, the count of the counter identifying a user session for which the user requires authentication;
      
      retrieving a connect dialer identification that identifies the dialer; and
      
      including the count and dialer identification with the encrypted data prior to transmission thereof to the service access system.
  - 26. The method of claim 25, which includes:
    - generating a checksum from the count and connect dialer identification; and
      
      encrypting the checksum using a random point of an elliptic curve cryptography algorithm.
  - 27. The method of claim 26, which includes encoding 7 bits with a single byte from the random point.
  - 28. The method of claim 26, which includes:
    - concatenating an encoded user password, an encrypted and encoded x coordinate of the random point with encoded checksum bits to define encrypted credentials; and
      
      transmitting the encrypted credentials in user password and identification fields provided by a standard authentication protocol.
  - 29. The method of claim 25, in which includes encrypting a non-reversible hash of a user password with the public key.
  - 30. The method of claim 25, which includes negotiating with a network access server for use of an authentication protocol for transmitting the network user credential from the network access device to the network decryption server.

31. A method of authenticating user data of a user requesting access to a service access system including a plurality of service providers, the method including:
- receiving encrypted user data from an access device;
  
  decrypting the encrypted user data using a private key; and
  
  transmitting the decrypted user data to an authentication server for authentication.
- View Dependent Claims (32, 33, 34, 35, 36, 37)
- - 32. The method of claim 31, in which the encrypted user data is received from the access device via at least one service provider.
  - 33. The method of claim 31, which includes extracting encrypted user data from at least one of a user password and a user identification field of a an authentication protocol selected from at least one of Point-to-Point protocol (PPP), Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Remote Authentication Dial In User Service (RADIUS) protocol, Terminal Access Controller Access Control System (TACACS) protocol, Lightweight Directory Access Protocol (LDAP), NT Domain authentication protocol, Unix password authentication protocol, HyperText Transfer Protocol (HTTP), HyperText Transfer Protocol over Secure sockets layer (HTTPS), Extended Authentication Protocol (EAP), Transport Layer Security (TLS) protocol, Token Ring protocol and Secure Remote Password protocol (SRP).
  - 34. The method of claim 33, in which includes:
    - receiving an encrypted random point from the access device, the random point being generated in response to encryption based on elliptic curve cryptography; and
      
      decrypting the encrypted user data using the random point and the private key.
  - 35. The method of claim 34, which includes applying symbol transformation to obtain the random point.
  - 36. The method of claim 34, which includes retrieving the private key from a private key database provided at the decryption server based on a username received from the access device.
  - 37. The method of claim 31, which includes:
    - identifying a count and an access device identification in the encrypted user data;
      
      comparing the decrypted count and access device identification with a reference count and an access device identification; and
      
      selectively rejecting the access request based on the comparison.

38. A computer readable medium, having stored thereon:
- a first sequence of instructions which, when executed by a processor, causes the processor to encrypt user data with a public key, the public key being part of a public/private key pair suitable for use with an encryption algorithm; and
  
  a second sequence of instructions which, when executed by a processor, causes the processor to transmit the encrypted user credential to a decryption server.
- View Dependent Claims (39, 40, 41, 42)
- - 39. The computer readable medium of claim 38, wherein the first sequence of instructions, when executed by a processor, causes the processor to encrypt user data with the public key, the public key part of the public/private key pair suitable for use with the encryption algorithm based on elliptic curve cryptography.
  - 40. The computer readable medium of claim 38, wherein the first sequence of instructions, when executed by a processor, causes the processor to encrypt a password input by a user with the public key.
  - 41. The computer readable medium of claim 38, wherein the first sequence of instructions, when executed by a processor, causes the processor to encrypt a non-reversible hash with the public key.
  - 42. The computer readable medium of claim 38, wherein the first sequence of instructions, when executed by a processor, causes the processor to negotiate with a network access server the use of an authentication protocol for transmitting the encrypted user data to the network access server.

43. A computer readable medium, having stored thereon:
- a first sequence of instructions which, when executed by a processor, causes the processor to receive encrypted user data from an access device;
  
  a second sequence of instructions which, when executed by a processor, causes the processor to decrypt the encrypted user data using a private key, the private key being suitable for use with an encryption algorithm; and
  
  a third sequence of instructions which, when executed by a processor, causes the processor to transmit the decrypted user data to an authentication server for verification.
- View Dependent Claims (44, 45)
- - 44. The computer readable medium of claim 43, wherein the second sequence of instructions, when executed by a processor, causes the processor to decrypt the encrypted user data using the private key, the private key generated utilizing the encryption algorithm based on elliptic curve cryptography.
  - 45. The computer readable medium of claim 43, including a fourth sequence of instructions which, when executed by a processor, causes the processor to retrieve the private key from a private key database based on a username received from the access device.

46. A computer to authenticate user data of a user requesting access to a service access system including a plurality of service providers, the computer including:
- a receiver to receive encrypted user data from an access device;
  
  decryptor to decrypt the encrypted user data using a private key; and
  
  a transmitter to transmit the decrypted user data to an authentication server for authentication.
- View Dependent Claims (47)
- - 47. The computer of claim 46, which includes a processor to extract encrypted user data from at least one of a user password and a user identification field of a authentication protocol selected from at least one of Point-to-Point protocol (PPP), Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Remote Authentication Dial In User Service (RADIUS) protocol, Terminal Access Controller Access Control System (TACACS) protocol, Lightweight Directory Access Protocol (LDAP), NT Domain authentication protocol, Unix password authentication protocol, HyperText Transfer Protocol (HTTP), HyperText Transfer Protocol over Secure sockets layer (HTTPS), Extended Authentication Protocol (EAP), Transport Layer Security (TLS) protocol, Token Ring protocol and Secure Remote Password protocol (SRP).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Channel IP BV
Original Assignee
Ipass Incorporated (Pareteum Corp.)
Inventors
Edgett, Jeff Steven, Sunder, Singam, Underwood, James Marion, Albert, Roy David

Granted Patent

US 7,921,290 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

G06F 21/31   User authentication

G06Q 20/14   specially adapted for billi...

H04L 63/0442   wherein the sending and rec...

H04L 63/083   using passwords cryptograph...

H04L 63/108   when the policy decisions a...

Method and system for securely authenticating network access credentials for users

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for securely authenticating network access credentials for users

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links