Establishing secure mutual trust using an insecure password

US 20070005955A1
Filed: 06/29/2005
Published: 01/04/2007
Est. Priority Date: 06/29/2005
Status: Active Grant

First Claim

Patent Images

1. A method of establishing secure mutual trust comprising:

acquiring a one-time-password by a first device;

outputting a bit-commit cryptographic encoding of the one-time-password and a certificate of the first device;

receiving a bit-commit cryptographic encoding of the on-time-password and a certificate of a second device;

step-wise revealing the one-time-password and the certificate of the first device; and

step-wise verifying the one-time-password and the certificate of the second device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A process for establishing secure mutual trust includes generating a one-time-password. The one-time-password is transferred between the devices in a communication occurring off of the network. Each device generates a set of authenticators by hashing a plurality of sub-strings of the password and the device'"'"'s authentication certificate with a respective set of nonces. The devices exchange the respective sets of authenticators. Each device then alternates revealing its respective set of nonces and its authentication certificate in a multi-stage process. The devices re-calculate the authenticators based upon the respective set of nonces and authentication certificate revealed by the other device along with the one-time-password sub-strings that it posses. If each device determines that the authenticators re-calculated by the given device matches the authenticators previously received from the other device, secure mutual trust is established.

145 Citations

20 Claims

1. A method of establishing secure mutual trust comprising:
- acquiring a one-time-password by a first device;
  
  outputting a bit-commit cryptographic encoding of the one-time-password and a certificate of the first device;
  
  receiving a bit-commit cryptographic encoding of the on-time-password and a certificate of a second device;
  
  step-wise revealing the one-time-password and the certificate of the first device; and
  
  step-wise verifying the one-time-password and the certificate of the second device.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A method according to claim 1, wherein step-wise revealing the one-time-password and the certificate of the first device comprises iteratively outputting each nonce of a first set of nonces and the certificate of the first device.
  - 3. A method according to claim 1, wherein step-wise verifying the one-time-password and the certificate of the second device comprises:
    - iteratively receiving each nonce of a second set of nonces and the certificate of the second device; and
      
      iteratively calculating a bit-commit cryptographic encoding of the one-time-password and the received certificate of the second device utilizing the received second set of nonces; and
      
      comparing the calculated bit-commit cryptographic encoding to the received bit-commit cryptographic encoding.
  - 4. A method according to claim 1, wherein the bit-commit cryptographic encoding comprises a message authentication code.
  - 5. A method according to claim 1, further comprising outputting an acceptance or rejection of establishing secure mutual trust based upon step-wise verifying the one-time-password and the certificate of the second device.
  - 6. A method according to claim 1, further comprising receiving an acceptance or rejection of establishing secure mutual trust from the second device.

7. One or more computer-readable media having instructions that, when executed on one or more processors, perform acts comprising:
- acquiring a one-time-password;
  
  generating a first set of nonces;
  
  generating a first set of authenticators as a function of the one-time-password, the first set of nonces and a first authentication certificate;
  
  iteratively outputting the first set of authenticators;
  
  iteratively receiving a second set of authenticators;
  
  iteratively outputting each nonce of the first set of nonces and the first authentication certificate;
  
  iteratively receiving each nonce of a second set of nonces and a second authentication certificate;
  
  iteratively calculating a set of validation parameters as a function of the one-time-password, the second set of nonces and the second authentication certificate; and
  
  comparing the set of validation parameters to the received second set of authenticators.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. One or more computer-readable media according to claim 7, wherein acquiring the one-time-password comprises generating the one-time-password.
  - 9. One or more computer-readable media according to claim 8, wherein acquiring the one-time-password further comprises outputting the one-time-password in an out-of-band transfer.
  - 10. One or more computer-readable media according to claim 7, wherein acquiring the one-time-password comprises receiving the one-time-password in an out-of-band transfer.
  - 11. One or more computer-readable media according to claim 7, wherein the first set of authenticators is further generated as a function of a first device identifier.
  - 12. One or more computer-readable media according to claim 7, further comprising receiving a second device identifier.
  - 13. One or more computer-readable media according to claim 12, wherein the set of validation parameters are further iteratively calculated as a function of the second device identifier.
  - 14. One or more computer-readable media according to claim 7, wherein generating the first set of authenticators comprises:
    - decomposing the one-time-password into a plurality of password sub-strings; and
      
      hashing each one of the first set of nonces with a respective one of the plurality of password sub-strings and the first authentication certificate utilizing a bit-commit cryptographic primitive.
  - 15. One or more computer-readable media according to claim 14, wherein iteratively calculating the set of validation parameters comprises hashing each one of the second set of nonces with a respective one of the plurality of password sub-strings and the second authentication certificate utilizing the bit-commit cryptographic primitive.

16. An apparatus comprising:
- a processor;
  
  memory communicatively coupled to the processor;
  
  a communication port, communicatively coupled to the processor, for receiving and sending communications;
  
  wherein the apparatus is adapted to;
  
  acquire a one-time-password;
  
  decompose the one-time-password into a plurality of password sub-strings;
  
  generate a first set of nonces;
  
  hash each nonce of the first set of nonces with a respective one of the plurality of password sub-strings and a first authentication certificate to generate a first set of authenticators;
  
  output the first set of authenticators; and
  
  step-wise reveal each nonce of the first set of nonces and the first authentication certificates.
- View Dependent Claims (17, 18, 19, 20)
- - 17. An apparatus according to claim 16, wherein acquiring a one-time-password comprises an out-of-band exchange of the one-time-password between the apparatus and another device.
  - 18. An apparatus according to claim 17, further adapted to:
    - receive a second set of authenticators;
      
      step-wise receive each nonce of a second set of nonces and a second authentication certificate in correspondence with step-wise revealing each nonce of the first set of nonces and the first authentication certificates;
      
      hash each nonce of the second set of nonces with a respective one of the plurality of password sub-strings and the second authentication certificate to generate a set of validation parameters; and
      
      compare the set of validation parameters to the second set of authenticators.
  - 19. An apparatus according to claim 18, further adapted to accept or reject establishment of secure mutual trust based upon comparing the set of validation parameters to the second set of authenticators.
  - 20. An apparatus according to claim 19, further adapted to determine acceptance or rejection of establishing secure mutual trust by the other device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Dollar, William, Simonnet, Guillaume, Pyle, Harry, Simon, Daniel, Lieberman, Bruce

Granted Patent

US 7,836,306 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/156
CPC Class Codes

H04L 9/3228   One-time or temporary data,...

H04L 9/3263   involving certificates, e.g...

H04L 9/3273   for mutual authentication n...

Establishing secure mutual trust using an insecure password

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

145 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Establishing secure mutual trust using an insecure password

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

145 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others