Tunneled authentication protocol for preventing man-in-the-middle attacks
2 Assignments
0 Petitions
Abstract
Systems and methods for preventing a Man-in-the-Middle attack on a communications network, without combining encryption keys of an inner authentication protocol and a tunneling protocol encapsulating the inner authentication protocol. The performance of a hash function may be split between two network devices on the communications network. For example, in response to a challenge issued by a tunnel server, a client may initiate performance of a hash function using only a first part of the challenge and generate an intermediate result of the hash function (i.e., a preliminary hash). The client then may transmit the preliminary hash to the tunnel server as part of a response to the challenge. The tunnel server then may complete the hash function using the preliminary hash and the remaining part of the challenge to produce a final hash. The final hash then may be used to authenticate a user.
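The split described in the abstract, as an added worked example rather than code from the patent: the client hashes only the first part of the challenge and hands over the hash function's intermediate state, and the tunnel server resumes from that state with the remaining part to obtain the final hash. The patent does not name a hash function; this example assumes SHA-256 and uses Go's ability to serialize a digest's internal state (MarshalBinary/UnmarshalBinary on crypto/sha256) as the "preliminary hash value". The challenge bytes are constructed for illustration. The check at the end, which a verifier holding the complete challenge would run, is that the split computation yields exactly the hash of the whole challenge, and that a malformed state from the peer is rejected instead of producing a wrong final hash.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding"
	"encoding/hex"
	"errors"
	"fmt"
)

// sampleChallenge is a constructed value for illustration only; a real tunnel
// server would generate a fresh random challenge for every authentication.
var sampleChallenge = []byte("tunnel-server-challenge:" +
	"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")

// ClientPreliminaryHash models act (B) of claim 1 with SHA-256 as the assumed
// hash function: the client feeds only the first part of the challenge into
// the hash and returns the serialized intermediate state, which stands in for
// the claim's "preliminary hash value".
func ClientPreliminaryHash(firstPart []byte) ([]byte, error) {
	if len(firstPart) == 0 {
		return nil, errors.New("first part of the challenge must not be empty")
	}
	h := sha256.New()
	h.Write(firstPart) // hash.Hash.Write never returns an error
	m, ok := h.(encoding.BinaryMarshaler)
	if !ok {
		return nil, errors.New("hash implementation does not expose its state")
	}
	return m.MarshalBinary()
}

// ServerFinalHash models act (D): the tunnel server restores the state it
// received, feeds the remaining part of the challenge (which the client did
// not hash), and finalizes to obtain the final hash value.
func ServerFinalHash(preliminary, remainingPart []byte) ([]byte, error) {
	if len(remainingPart) == 0 {
		return nil, errors.New("remaining part must not be empty: the first part must be less than the complete challenge")
	}
	h := sha256.New()
	u, ok := h.(encoding.BinaryUnmarshaler)
	if !ok {
		return nil, errors.New("hash implementation does not accept external state")
	}
	// A malformed or truncated state from the peer is rejected here rather
	// than silently producing a wrong final hash.
	if err := u.UnmarshalBinary(preliminary); err != nil {
		return nil, fmt.Errorf("rejecting preliminary hash value: %w", err)
	}
	h.Write(remainingPart)
	return h.Sum(nil), nil
}

// SplitMatchesDirect runs both halves of the split for a given cut point and
// reports whether the result equals hashing the complete challenge in one
// place, which is what a verifier holding the whole challenge would compute.
func SplitMatchesDirect(challenge []byte, split int) (bool, error) {
	if split <= 0 || split >= len(challenge) {
		return false, fmt.Errorf("split %d must lie strictly inside a %d-byte challenge", split, len(challenge))
	}
	pre, err := ClientPreliminaryHash(challenge[:split])
	if err != nil {
		return false, err
	}
	final, err := ServerFinalHash(pre, challenge[split:])
	if err != nil {
		return false, err
	}
	direct := sha256.Sum256(challenge)
	return bytes.Equal(final, direct[:]), nil
}

func main() {
	for _, split := range []int{5, 64, len(sampleChallenge) - 1} {
		ok, err := SplitMatchesDirect(sampleChallenge, split)
		fmt.Printf("split at %2d bytes: match=%v err=%v\n", split, ok, err)
	}
	pre, _ := ClientPreliminaryHash(sampleChallenge[:5])
	fmt.Printf("preliminary state is %d bytes, not a 32-byte digest: %s...\n",
		len(pre), hex.EncodeToString(pre[:8]))
}
```

The cut point does not have to fall on a 64-byte SHA-256 block boundary: the serialized state carries the bytes still buffered by the hash, so an unaligned first part resumes correctly. The intermediate state is larger than a finished digest and is not itself a usable hash of the first part, which is why the receiving side should treat it purely as opaque input to its own completion step and reject anything it cannot parse.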
87 Claims
1. A method of at least partially authenticating a user on a communications network, the method comprising acts of:
(A) transmitting a first communication from a first network device to a second network device, wherein the first communication includes a challenge;
(B) in response to receiving the challenge, generating a preliminary hash value by performing only part of a hash function on a first part of the challenge, wherein the first part is less than the complete challenge;
(C) transmitting a second communication from the second network device to the first network device, the second communication including the preliminary hash value; and
(D) completing performance of the hash function on the first network device to produce a final hash value.
Dependent claims: 2–18.

19. A system for at least partially authenticating a user on a communications network, the system comprising:
a first communication device operative to transmit a first communication from a first network device to a second network device, wherein the first communication includes a challenge; and
a second network device, operative to receive the challenge, generate a preliminary hash value by performing only part of a hash function on a first part of the challenge, wherein the first part is less than the complete challenge, and to transmit a second communication from the second network device to the first network device, the second communication including the preliminary hash value, wherein the first network device is operative to complete performance of the hash function to produce a final hash value.
Dependent claims: 20–37.

38. A system for at least partially authenticating a user on a communications network, the system comprising:
a first communication device operative to transmit a first communication from a first network device to a second network device, wherein the first communication includes a challenge; and
a second network device operative to receive the challenge and transmit a second communication from the second network device to the first network device, the second communication including a preliminary hash value, wherein the second network device includes means for generating a preliminary hash value by performing only part of a hash function on a first part of the challenge, wherein the first part is less than the complete challenge, and wherein the first network device includes means for completing performance of the hash function to produce a final hash value.

39. A computer-readable medium having computer-readable signals stored thereon that define instructions that, as a result of being executed by a computer, control the computer to perform a method of at least partially authenticating a user on a communications network, the method comprising:
(A) transmitting a first communication from a first network device to a second network device, wherein the first communication includes a challenge;
(B) in response to receiving the challenge, generating a preliminary hash value by performing only part of a hash function on a first part of the challenge, wherein the first part is less than the complete challenge; and
(C) transmitting a second communication from the second network device to the first network device, the second communication including the preliminary hash value; and
(D) completing performance of the hash function on the first network device to produce a final hash value.

40. A method of at least partially authenticating a user on a communications network, the method comprising acts of:
(A) transmitting a first communication from a first network device to a second network device, wherein the first communication includes a challenge;
(B) receiving a second communication from the second network device to the first network device, the second communication including a preliminary hash value resulting from performance of only part of a hash function on a first part of the challenge, wherein the first part is less than the complete challenge; and
(C) completing performance of the hash function on the first network device to produce a final hash value.
Dependent claims: 41–53.

54. A tunnel server residing on a first network device of a communications network for at least partially authenticating a user on the communications network, the tunnel server comprising:
a challenge generator to generate a challenge that is transmitted from the first network device to a second network device;
a final hash value generator to receive a preliminary hash value from the second network device, the preliminary hash value resulting from performance of only part of a hash function on a first part of the challenge, wherein the first part is less than the complete challenge, wherein the final hash value generator is operative to complete performance of the hash function on the first network device to produce a final hash value.
Dependent claims: 55–67.

68. A tunnel server residing on a first network device of a communications network for at least partially authenticating a user on the communications network, the tunnel server comprising:
a challenge generator to generate a challenge that is transmitted from the first network device to a second network device, wherein the tunnel server is operative to receive a preliminary hash value from the second network device, the preliminary hash value resulting from performance of only part of a hash function on a first part of the challenge, wherein the first part is less than the complete challenge; and
means for completing performance of the hash function on the first network device to produce a final hash value.

69. A computer-readable medium having computer-readable signals stored thereon that define instructions that, as a result of being executed by a computer, control the computer to perform a method of at least partially authenticating a user on a communications network, the method comprising acts of:
(A) transmitting a first communication from a first network device to a second network device, wherein the first communication includes a challenge;
(B) receiving a second communication from the second network device to the first network device, the second communication including a preliminary hash value generated by performing only part of a hash function on a first part of the challenge, wherein the first part is less than the complete challenge; and
(C) completing performance of the hash function on the first network device to produce a final hash value.

70. A method of at least partially authenticating a user on a communications network in response to a challenge received at a second network device from a first network device, the method comprising acts of:
(A) generating a preliminary hash value by performing only part of a hash function on a first part of the challenge, wherein the first part is less than the complete challenge; and
(B) transmitting a communication from the second network device to the first network device, the communication including the preliminary hash value.
Dependent claims: 71–77.

78. A client residing on a second network device of a communications network, for at least partially authenticating a user in response to a challenge received on the second network device from a first network device, the client comprising:
a preliminary hash generator to generate a preliminary hash value by performing only part of a hash function on a first part of the challenge, wherein the first part is less than the complete challenge, wherein the second network device is operative to transmit a communication from the second network device to the first network device, the communication including the preliminary hash value.
Dependent claims: 79–85.

86. A client residing on a second network device of a communications network, for at least partially authenticating a user in response to a challenge received on the second network device from a first network device, the client comprising:
means for generating a preliminary hash value by performing only part of a hash function on a first part of the challenge, wherein the first part is less than the complete challenge, wherein the second network device is operative to transmit a communication from the second network device to the first network device, the communication including the preliminary hash value.

87. A computer-readable medium having computer-readable signals stored thereon that define instructions that, as a result of being executed by a computer, control the computer to perform a method of at least partially authenticating a user on a communications network in response to a challenge received at a second network device from a first network device, the method comprising acts of:
(A) generating a preliminary hash value by performing only part of a hash function on a first part of the challenge, wherein the first part is less than the complete challenge; and
(B) transmitting a communication from the second network device to the first network device, the second communication including the preliminary hash value.