User authentication by linking randomly-generated authentication secret with personalized secret

US 20060036857A1
Filed: 08/04/2005
Published: 02/16/2006
Est. Priority Date: 08/06/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method for digital authentication, comprising:

using a user device operated by an authorized user to produce and register a secret in a computer system; and

using a first user input and a second user input from a user requesting to access the computer system to initiate a challenge from the computer system and a response from the requesting user to compare the registered secret with a user-side hash value computed from the first and second user inputs to authorize the requested access when there is a match and to reject the requested access when there is not a match.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This patent application discloses techniques, devices and systems for user authentication based on linking between a randomly generated authentication secret and a personalized secret.

Citations

47 Claims

1. A method for digital authentication, comprising:
- using a user device operated by an authorized user to produce and register a secret in a computer system; and
  
  using a first user input and a second user input from a user requesting to access the computer system to initiate a challenge from the computer system and a response from the requesting user to compare the registered secret with a user-side hash value computed from the first and second user inputs to authorize the requested access when there is a match and to reject the requested access when there is not a match.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as in claim 1, wherein the registration of the secret comprises:
    - generating a random or pseudorandom number as an authentication secret;
      
      using the authentication secret as an input to a one-way hash function to produce a hash value;
      
      registering the hash value as the registered secret of the authorized user with the computer system;
      
      selecting a personalized secret as a first user secret by the authorized user;
      
      transforming the first user secret via a first transformation function into a transformed secret;
      
      using the transformed secret and the authentication secret as inputs to a second transformation function to produce a second user secret; and
      
      storing the second user secret outside the computer system.
  - 3. The method as in claim 2, further comprising:
    - upon receiving the first and second user inputs from the user requesting the access, transforming the first user input via the first transformation function into a transformed user input;
      
      using the transformed user input and the second user input as inputs to a third transformation function to produce an output;
      
      computing a hash value of the output of the third transformation function as the user-side hash value;
      
      using the user-side hash value as an encryption key; and
      
      upon receiving a challenge from the computer system, using the encryption key to encrypt the challenge as the response to the challenge to be sent to the computer system.
  - 4. The method as in claim 2, further comprising using a collision-resistant hash function as the first transformation function.
  - 5. The method as in claim 2, further comprising configuring the second transformation function as f2(the transformed secret, the authentication secret)=(the transformed secret+α
    - ×
      
      (the authentication secret)) mod q, where the modulus q is a positive integer greater than all possible instances of the authentication secret and the parameter α
      
      is a positive integer relatively prime to q.
  - 6. The method as in claim 2, wherein the personalized secret comprises a user-chosen password.
  - 7. The method as in claim 2, wherein the personalized secret comprises a biological feature of the authorized user.

8. A user authentication method utilizing challenge and response comprising:
- when a user requests an access to a computer system, using a first user input and a second user input from the user and a registered secret at the system to perform a challenge-and-response process to authorize or reject the access request.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 9. The user authentication method of claim 8, further comprising a registration process including:
    - using an authentication secret as input to a one-way hash function to produce a hash value;
      
      registering the hash value as the registered secret of the user with the computer system;
      
      using a first user secret and the authentication secret as input to produce a second user secret; and
      
      providing a persistent memory to store the second user secret;
      
      whereby the registered secret on the system side and the first and second user secrets on the user side establish an association between the user and the computer system, and the challenge-and-response process is to challenge the user to reestablish the association.
  - 10. The user authentication method of claim 9, wherein the first user secret comprises a user-selectable password.
  - 11. The user authentication method of claim 9, wherein the first user secret comprises information digitalized from biological characteristics of the user.
  - 12. The user authentication method of claim 9, wherein the first user secret comprises a concatenation of a user-selectable password and a device-specific code.
  - 13. The user authentication method of claim 9, wherein the first user secret comprises a combination of a plurality of secrets.
  - 14. The user authentication method of claim 9, wherein the challenge-and-response process comprises:
    - creating a message as a challenge by the computer system;
      
      using a user station to receive the challenge sent from the computer system;
      
      computing a user-side hash value from the first and second user inputs by the user station;
      
      using the user-side hash value as an encrypting key to encrypt the received challenge by the user station to produce a response;
      
      sending the response to the computer system from the user station;
      
      using the registered secret as a decryption key to decrypt the received response by the computer system to produce a result; and
      
      authorizing the access request when the result matches the challenge and rejecting the access request when the result mismatches the challenge.
  - 15. The user authentication method of claim 14, wherein computing the user-side hash value comprises:
    - using the first and second user inputs to a transformation to produce a value as a recovered authentication secret;
      
      using the recovered authentication secret as input to the one-way hash function to produce the user-side hash value; and
      
      deleting the recovered authentication secret from the memory associated with the computations upon the production of the user-side hash value.
  - 16. The user authentication method of claim 9, further comprising producing a random number as the authentication secret.
  - 17. The user authentication method of claim 9, further comprising producing a pseudorandom number as the authentication secret.
  - 18. The user authentication method of claim 8 further comprising using a system identifier to identify a computer system among a plurality of computer systems as the computer system to request for access.
  - 19. The user authentication method of claim 18, further comprising using a user identifier as a pointer to retrieve the registered secret from a plurality of secrets registered with the identified computer system.
  - 20. The user authentication method of claim 9, further comprising, upon termination of the registration process, deleting the authentication secret from each memory associated with computations.
  - 21. The user authentication method of claim 9, further comprising changing the authentication secret and the first user secret to a new secret respectively and updating the registered secret and the second user secret accordingly.
  - 22. The user authentication method of claim 9, further comprising changing the authentication secret to a new secret and updating the registered secret and the second user secret accordingly while keeping the first user secret unchanged.
  - 23. The user authentication method of claim 9, further comprising updating the second user secret triggered by changing the first user secret to a new secret while keeping the authentication secret and the registered secret unchanged.

24. A method of user authentication, comprising:
- using an authentication secret to associate a user identifier of a user with a system identifier of a computer system;
  
  using a user password from the user and the authentication secret as input to produce a user-side secret;
  
  grouping the user-side secret, user identifier, and system identifier as an authenticator; and
  
  using the user password and the authenticator to reproduce the authentication secret by a user station to reestablish the association as a basis for authenticating the user to the computer system.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 25. The method of user authentication of claim 24, wherein the authentication secret comprises a random number.
  - 26. The method of user authentication of claim 24, further comprising:
    - using the authentication secret as input to produce a hash value; and
      
      registering the hash value along with the user identifier of the user with the computer system.
  - 27. The method of user authentication of claim 26 further comprising using the hash value on the system side in a challenge and response process to permit or deny an access request.
  - 28. The method of user authentication of claim 24 further comprising including the authenticator as a member of a plurality of authenticators, each authenticator having a user-side secret, a user identifier of the user, and a system identifier.
  - 29. The method of user authentication of claim 28 further comprising providing a device with persistent memory to store the plurality of authenticators.
  - 30. The method of user authentication of claim 29 further comprising using the user password and the plurality of authenticators to authenticate the user to access any member of a plurality of computer systems.
  - 31. The method of user authentication of claim 30, further comprising, on a user station:
    - using a system identifier input from the user to identify a member computer system to request for access. using the system identifier input as a pointer to identify an authenticator among the plurality of authenticators;
      
      using a password input from the user and the user-side secret from the identified authenticator as input to produce a value as a recovered authentication secret;
      
      using the recovered authentication secret as input to produce a user-side hash value; and
      
      using the user-side hash value in a challenge-and-response process to obtain an access permission or denial.
  - 32. The method of user authentication of claim 31, wherein the challenge-and-response process results in an access permission when the recovered authentication secret matches the original authentication secret.
  - 33. The method of user authentication of claim 31, wherein the challenge-and-response process results in an access denial when the password input mismatches the user password.
  - 34. The method of user authentication of claim 26 further comprising updating the registered secret and the user-side secret by changing the authentication secret to a new secret while keeping the user password unchanged.
  - 35. The method of user authentication of claim 26 further comprising updating the registered secret and the user-side secret by changing the authentication secret to a new secret and changing the user password to a new password.
  - 36. The method of user authentication of claim 26 further comprising updating the user-side secret triggered by changing the user password to a new password while keeping the authentication secret unchanged.

37. A method of user authentication, comprising:
- using a secret to link a user with a computer system;
  
  in a login process, using a user-side verifier to verify whether the secret is used in processing an access request on the user side.
- View Dependent Claims (38, 39, 40, 41, 42)
- - 38. The method of claim 37, wherein the secret is a user-selectable password.
  - 39. The method of claim 37, wherein the secret comprises either one of a random number and a pseudorandom number.
  - 40. The method of claim 37, wherein the user-side verifier is a derivative of the secret.
  - 41. The method of claim 37, wherein the user-side verifier is a double-hashed value of the secret.
  - 42. The method of claim 37, further comprising sending the access request to the computer system only when the verification proves that the secret is used in the processing on the user side.

43. An article comprising a machine-readable medium that store machine-executable instructions for user authentication, the instructions causing a machine to:
- send an access request to a computer system;
  
  receive a challenge message from the computer system;
  
  use a first user input, a second user input, and the challenge message as input to a transformation to produce a response message;
  
  send the response message and a user identifier to the computer system; and
  
  receive an access decision from the computer system, wherein the access decision, either a permission or a denial, is determined by the computer system according to a registered secret associated with the user identifier.
- View Dependent Claims (44, 45, 46, 47)
- - 44. The article as in claim 43, wherein the instructions further cause a machine, at a registration time, to:
    - receive an identifier from a user as the user identifier;
      
      produce an authentication secret;
      
      produce a hash value from the authentication secret;
      
      register the hash value as the registered secret along with the user identifier with the computer system;
      
      use a user password and the authentication secret as input to produce a user-side secret; and
      
      store the user-side secret in a persistent memory.
  - 45. The article as in claim 44, wherein the access decision determined by the accessed computer system is a denial when the first user input mismatches the user password.
  - 46. The article in claim 44, wherein the instructions further cause a machine to change the authentication secret to a new secret and update the registered secret and the user-side secret accordingly.
  - 47. The article in claim 44, wherein the instructions further cause a machine to update the user-side secret by changing the user password to a new password while keeping the authentication secret and the registered secret unchanged.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Chang GUNG University
Original Assignee
Chang GUNG University
Inventors
Hwang, Jing-Jang

Application Number

US11/197,888
Publication Number

US 20060036857A1
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2103   Challenge-response

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3271   using challenge-response

User authentication by linking randomly-generated authentication secret with personalized secret

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

User authentication by linking randomly-generated authentication secret with personalized secret

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links