Authentication method

US 20060236384A1
Filed: 04/16/2003
Published: 10/19/2006
Est. Priority Date: 04/16/2003
Status: Active Grant

First Claim

Patent Images

1. A method for password-based authentication in a communication system including a group of at least two units associated with a common password, comprising the steps of assigning individual authentication tokens to the respective units in the group based on the password such that each authentication token is irreversibly determined by the password;

determining, at a first unit, a check token for a second unit based on the password and the authentication token of the first unit; and

comparing, at the second unit, the check token with the authentication token of the second unit for authentication of the first unit towards the second unit.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to password-based authentication in group networks. Each device (42) has an authentication token irreversibly based on the password. The authentication involves a first device (42-1) at which the password P is entered and a second device (42-2) towards which the authentication occurs. The first device determines a check token M_jfor the second based on the password and its own authentication token R₁and this check token is sent to the second device, where it is compared with the athentication token of that device. The procedure may include update of a device to exclude a non-trusted device from the group or change the password. Advantageous features are that the information in one device does not allow retrieval of the password and that the password is only exposed at one device, and only temporarily, during the authentication.

Citations

47 Claims

1. A method for password-based authentication in a communication system including a group of at least two units associated with a common password, comprising the steps of assigning individual authentication tokens to the respective units in the group based on the password such that each authentication token is irreversibly determined by the password;
- determining, at a first unit, a check token for a second unit based on the password and the authentication token of the first unit; and
  
  comparing, at the second unit, the check token with the authentication token of the second unit for authentication of the first unit towards the second unit.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The method of claim 1, further comprising the step of deleting the password and all significant parameters generated in the authentication procedure except the authentication tokens after usage thereof.
  - 3. The method of claim 1, further comprising the step of accepting, at the second unit unit in response to a successful authentication, update information securely transferred from the first unit, at least a portion of the update information being created at the first unit.
  - 4. The method of claim 3, wherein the update information is associated with revocation of a non-trusted group member.
  - 5. The method of claim 3, wherein the update information relates to a password change.
  - 6. The method of claim 3, wherein the update information is selected from the group of:
    - new authentication tokens, a new group key, a group-defining list, and a revocation list, including combinations thereof.
  - 7. The method of claim 3, further comprising the step of delegating update rights to a third intermediate unit, and sending at least a portion of the update information for the second unit to the intermediate unit.
  - 8. The method of claim 7, wherein the update information is accompanied by a time stamp for determining whether the update information is still valid when the intermediate unit encounters the second unit.
  - 9. The method of claim 7, wherein the delegation of update rights comprises delegation of rights to further delegate update rights.
  - 10. The method of claim 1, wherein the assigning step further comprises the steps of determining, at an assigning unit in the group, a token secret common for the group and non-correlated with the password;
    - and creating, at the assigning unit, the authentication token for another unit in the group based on the token secret and the password.
  - 11. The method of claim 10, wherein the step of determining the token secret involves generating the token secret, as a part of an initial set-up procedure.
  - 12. The method of claim 1, wherein the step of determining the check token further comprises the steps of retrieving, at the first unit, the token secret using the authentication token of the first unit and the password;
    - and creating, at the first unit, the check token for the second unit based on the token secret and the password.
  - 13. The method of claim 10, wherein the creating step involves using a bijective locking function, the input parameters of which include the token secret and a one-way function of the password.
  - 14. The method of claim 13, wherein the locking function is a symmetric encryption function.
  - 15. The method of claim 13, wherein the locking function is implemented through password-based secret sharing.
  - 16. The method of claim 1, wherein implementing policies in at least one of the units in the group for limiting the number and/or frequency of authentication attempts.
  - 17. The method of claim 1, further comprising the step of generating an alarm signal if the number of authentication attempts exceeds a predetermined value.
  - 18. The method of claim 1, further comprising the step of sending an authentication response message from the second unit indicating the result of the comparing step.
  - 19. The method of claim 1, further comprising the step of authentication of the second unit towards the first unit, whereby the first and second units are mutually authenticated towards each other.
  - 20. The method of claim 19, further comprising the steps of:
    - generating a respective random value at the first and second unit;
      
      determining temporary test secrets at the first and second unit based on the random values; and
      
      exchanging the temporary test secrets between the first and second unit for mutual authentication purposes.
  - 21. The method of claim 1, wherein critical operations for which authentication is needed are listed in policies in at least one of the units.
  - 22. The method of claim 3, wherein a unit that is switched-on after being inactive for a predetermined period of time automatically requests appropriate update information from at least two other units.
  - 23. The method of claim 1, wherein the group of units constitutes a Personal Area Network (PAN).
  - 24. The method of claim 1, wherein the authentication tokens are tamper-resistantly stored in the respective units.

25. A communication system including a group of at least two units associated with a common password, and means for password-based authentication, comprising:
- means for assigning individual authentication tokens to the respective units in the group based on the password such that each authentication token is irreversibly determined by the password;
  
  means for determining, at a first unit, a check token for a second unit based on the password and the authentication token of the first unit; and
  
  means for comparing, at the second unit, the check token with the authentication token of the second unit for authentication of the first unit towards the second unit.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 26. The system of claim 25, further comprising means for deleting the password and parameters generated in the authentication procedure except the authentication tokens after usage thereof.
  - 27. The system of claim 25, further comprising means for transferring update information from the first unit to the second unit;
    - and means for accepting, at the second unit, update information from the first unit in response to a successful authentication.
  - 28. The system of claim 27, wherein the update information is associated with revocation of a non-trusted group member.
  - 29. The system of claim 27, wherein the update information relates to a password change.
  - 30. The system of claim 27, wherein the update information is selected from the group of:
    - new authentication tokens, a new group key, a group-defining list, and a revocation list, including combinations thereof.
  - 31. The system of claim 27, further comprising means for delegation of update rights to a third intermediate unit, and means for sending at least a portion of the update information for the second unit to the intermediate unit.
  - 32. The system of claim 25, wherein the means for assigning further comprises means for determining, at an assigning unit in the group, a token secret common for the group and non-correlated with the password;
    - and means for creating, at the assigning unit, the authentication token for another unit in the group based on the token secret and the password.
  - 33. The system of claim 25, wherein the means for determining the check token further comprises means for retrieving, at the first unit, the token secret using the authentication token of the first unit and the password;
    - and means for creating, at the first unit, the check token for the second unit based on the token secret and the password.
  - 34. The system of claim 32, wherein the means for creating involves a bijective locking function, the input parameters of which include the token secret and a one-way function of the password.
  - 35. The system of claim 25, wherein policies implemented in at least one of the units in the group for limiting the number and/or frequency of authentication attempts.
  - 36. The system of claim 25, further comprising means for generating an alarm signal if the number of authentication attempts exceeds a predetermined value.
  - 37. The system of claim 25, further comprising means for sending an authentication response message from the second unit.
  - 38. The system of claim 25, further comprising means for mutual authentication between two units in the group.
  - 39. The system of claim 25, wherein policies defining critical operations for which authentication is needed.
  - 40. The system of claim 25, wherein said communication system being a Personal Area Network (PAN).

41. A first device belonging to a group of at least two devices associated with a common password, and including means for password-based authentication, the first device comprises:
- means for receiving a password;
  
  means for assigning individual authentication tokens to other devices in the group based on the password such that each authentication token is irreversibly determined by the password;
  
  means for determining a check token for a second device in the group based on the password and the authentication token of the first device; and
  
  means for transmitting the check token to the second device for authentication towards the second device.
- View Dependent Claims (42, 43, 44, 45, 46)
- - 42. The device of claim 41, further comprising means for deleting the password and parameters generated in the authentication procedure except the authentication token after usage thereof.
  - 43. The device of claim 41, further comprising means for creating update information for the second device;
    - and means for securely transferring update information to the second device.
  - 44. The device of claim 43, further comprising means for delegation of update rights to an intermediate device, and means for sending update information for the second device to the intermediate device.
  - 45. The device of claim 41, wherein the means for assigning further comprises means for determining a token secret common for the group and non-correlated with the password;
    - and means for creating the authentication token for another device in the group based on the token secret and the password.
  - 46. The device of claim 41, wherein the means for determining the check token further comprises means for retrieving the token secret using the authentication token of the first device and the password;
    - and means for creating the check token for the second device based on the token secret and the password.

47. A computer program product for, when executed by a computer, password-based authentication in a communication system comprising:
- a group of at least two units associated with a common password;
  
  program means for assigning individual authentication tokens to the respective units of the group based on the password such that each authentication token is irreversibly determined by the password;
  
  program means for determining, at a first unit, a check token for a second unit based on the password and the authentication token of the first unit; and
  
  program means for comparing, at the second unit, the check token with the authentication token of the second unit for authentication of the first unit towards the second unit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Naeslund, Mats, Lindholm, Fredrik

Granted Patent

US 8,745,715 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/10
CPC Class Codes

H04L 2209/80   Wireless

H04L 63/0435   wherein the sending and rec...

H04L 63/083   using passwords cryptograph...

H04L 63/0869   for achieving mutual authen...

H04L 63/104   Grouping of entities

H04L 9/0833   involving conference or gro...

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

H04L 9/3273   for mutual authentication n...

Authentication method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links