Anonymous Spoof resistant authentication and enrollment methods

US 20060143695A1
Filed: 12/27/2004
Published: 06/29/2006
Est. Priority Date: 12/27/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method for authenticating a Client to Server over a communication link comprising the steps of:

creating a message at Client comprising at least Client identifying data unique to Server;

adding to said message a tamper proof anti-spoof data element computed as a function of at least first key data derived from a secret shared between Client and Server and from first unique communication link attribute data as known to Client;

communicating said message from Client to Server over said communication link;

verifying said anti-spoof data element at Server by computing a verification function of at least second key data derived from said shared secret retrieved by Server and related to said Client identifying data, second unique communication link attribute data as known to Server and said anti-spoof data element;

authenticating Client, as identified by said Client identifying data, at Server, if said verification step is successful.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods for creating and authenticating a message sent from a client over a communication link to a server comprising the steps of creating a message at client containing client identification data adding to said message a first anti-spoof data element computed as a function of a key derived from a shared secret and communication link attribute data, sending said message from client to server over communication link, verifying at server said anti-spoof data element by computing a verification function of anti-spoof element data, server link attribute data and server key computed from said shared secret related to client. These methods are also used for enrolling clients to an authentication system employing authenticated anonymous client certificates.

44 Citations

View as Search Results

16 Claims

1. A method for authenticating a Client to Server over a communication link comprising the steps of:
- creating a message at Client comprising at least Client identifying data unique to Server;
  
  adding to said message a tamper proof anti-spoof data element computed as a function of at least first key data derived from a secret shared between Client and Server and from first unique communication link attribute data as known to Client;
  
  communicating said message from Client to Server over said communication link;
  
  verifying said anti-spoof data element at Server by computing a verification function of at least second key data derived from said shared secret retrieved by Server and related to said Client identifying data, second unique communication link attribute data as known to Server and said anti-spoof data element;
  
  authenticating Client, as identified by said Client identifying data, at Server, if said verification step is successful.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1 wherein the step of verifying said anti-spoof element data at Server further includes the sub-steps of:
    - deriving at Server a set of key data from said shared secret related to said client identifying data;
      
      determining at Server a set of unique communication link attribute data as known to Server;
      
      selecting a second key data from said set of key data and selecting a second communication link attribute data from said set of communication link attribute data;
      
      verifying said selection by computing a verification function of said selected second key data, said selected second communication link attribute data and said anti-spoof data element;
      
      repeating said selection and verification steps for combinations of members from said set of key data and said set of unique communication link attribute data until a sub verification step is successful or until all possible combinations are exhausted.
  - 3. The method of claim 1 wherein said unique communication link attribute data is a MAC address.
  - 4. The method of claim 1 wherein said unique communication link attribute data is an IP address.
  - 5. The method of claim 4 wherein client'"'"'s determination of its own IP address is carried out by the following steps:
    - client sends out a data packet query over a communication link to a trusted server requesting the IP address of client;
      
      trusted server sends back to client a data packet comprising client'"'"'s IP address as measured by said trusted server;
      
      client retrieves its IP address from said data packet.
  - 6. The method of claim 1 wherein said unique communication link attribute data is a Server'"'"'s URL.
  - 7. The method of claim 1 wherein said communication link is a secure link whereby a session key is exchanged using public key cryptography and wherein said unique communication link attribute data is one of the public keys participating in said key exchange procedure.
  - 8. The method of claim 1 wherein said unique communication link attribute data is a key generated by Client and Server over said communication link by an algorithm guarantying a key unique to Client-Server link.
  - 9. The method of claim 1 wherein said key data is a one time password newly computed by client and server for each message.
  - 10. The method of claim 9 wherein said client'"'"'s one time password is computed within a hardware token device, displayed on said token device and entered by a user into client.
  - 11. The method of claim 10 wherein said client'"'"'s one time password is computed within a hardware token electronically accessible to client.
  - 12. The method of claim 1 further including the steps of:
    - communicating a client certificate from Client to Server;
      
      associating said certificate with Client identifying data if verification step is successful.
  - 13. The method of claim 12 wherein the step of associating said client certificate means storing said client certificate data in a database accessible to Server and related to Client identifying data.
  - 14. The method of claim 12 wherein the step of associating said client certificate means storing a digest of said client certificate data in a database accessible to Server and related to Client identifying data.
  - 15. The method of claim 12 wherein a private key associated with said client certificate is stored in a hardware device accessible to Client.
  - 16. The method of claim 12 wherein said client certificate is identifiable by an anonymous globally unique identifier and authenticated by a certificate authority to be unique.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amiram Grynberg
Original Assignee
Amiram Grynberg
Inventors
Grynberg, Amiram

Application Number

US10/905,306
Publication Number

US 20060143695A1
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H04L 2209/42   Anonymization, e.g. involvi...

H04L 63/0407   wherein the identity of one...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/1466   Active attacks involving in...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/3228   One-time or temporary data,...

H04L 9/3234   involving additional secure...

H04L 9/3263   involving certificates, e.g...

Anonymous Spoof resistant authentication and enrollment methods

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

44 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Anonymous Spoof resistant authentication and enrollment methods

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others