Protecting one-time-passwords against man-in-the-middle attacks
First Claim
1. A method for authenticating a user of a communications network based on a one-time-password, the user having an associated asymmetric crypto-key pair including a private key D and a public key E, and the private key D being split into a first private key portion D1 and a second private key portion D2, comprising:
- partially signing, by the user, a symmetric session key with the first private key portion D1;
receiving, by the authenticating entity from the user via the network, the partially signed symmetric session key;
completing the signature, by the authenticating entity, on the received partially signed symmetric session key with the second private key portion D2 to recover the symmetric session key;
encrypting, by the user, a one-time-password with the symmetric session key;
receiving, by the authenticating entity from the user via the network, the encrypted one-time-password;
decrypting, by the authenticating entity, the received encrypted one-time-password with the recovered symmetric session key; and
authenticating the user based on the decrypted one-time-password.
5 Assignments
0 Petitions
Accused Products
Abstract
To authenticate a user having an associated asymmetric crypto-key having a private/public key pair (D,E) based on a one-time-password, the user partially signs a symmetric session key with the first portion D1 of the private key D. The authenticating entity receives the partially signed symmetric session key via the network and completes the signature with the second private key portion D2 to recover the symmetric session key. The user also encrypts a one-time-password with the symmetric session key. The authenticating entity also receives the encrypted one-time-password via the network, and decrypts the received encrypted one-time-password with the recovered symmetric session key to authenticate the user.
-
Citations
27 Claims
-
1. A method for authenticating a user of a communications network based on a one-time-password, the user having an associated asymmetric crypto-key pair including a private key D and a public key E, and the private key D being split into a first private key portion D1 and a second private key portion D2, comprising:
-
partially signing, by the user, a symmetric session key with the first private key portion D1;
receiving, by the authenticating entity from the user via the network, the partially signed symmetric session key;
completing the signature, by the authenticating entity, on the received partially signed symmetric session key with the second private key portion D2 to recover the symmetric session key;
encrypting, by the user, a one-time-password with the symmetric session key;
receiving, by the authenticating entity from the user via the network, the encrypted one-time-password;
decrypting, by the authenticating entity, the received encrypted one-time-password with the recovered symmetric session key; and
authenticating the user based on the decrypted one-time-password. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A system for authenticating a user of a communications network based on a one-time-password, the user having an associated asymmetric crypto-key pair including a private key D and a public key E, and the private key D being split into a first private key portion D1 and a second private key portion D2, comprising:
-
a user network device configured to (i) partially sign a symmetric session key with the first private key portion D1, (ii) transmit the partially signed symmetric session key via the network, (iii) encrypt a one-time-password with the symmetric session key, and (iv) transmit the encrypted one-time-password via the network; and
an authenticating entity network device configured to (i) receive the transmitted partially signed symmetric session key, (ii) complete the signature on the received partially signed symmetric session key with the second private key portion D2 to recover the symmetric session key, (iii) receive the transmitted encrypted one-time-password, (iv) decrypt the received encrypted one-time-password with the recovered symmetric session key, and (v) authenticate the user based on the decrypted one-time-password. - View Dependent Claims (10, 11, 12, 13, 14, 15)
-
-
16. A method for authenticating a user of a communications network based on a one-time-password, the user having an associated asymmetric crypto-key pair including a private key D and a public key E, and the private key D being split into a first private key portion D1 and a second private key portion D2, comprising:
-
receiving a first network communication from the user including a symmetric session key partially signed with the first private key portion D1;
completing the signature on the received partially signed symmetric session key with the second private key portion D2 to recover the symmetric session key;
receiving a second network communication from the user including a one-time-password encrypted with the symmetric session key;
decrypting the received encrypted one-time-password with the recovered symmetric session key; and
authenticating the user based on the decrypted one-time-password. - View Dependent Claims (17, 18, 19, 20, 21)
-
-
22. A system for authenticating a user of a communications network based on a one-time-password, the user having an associated asymmetric crypto-key pair including a private key D and a public key E, and the private key D being split into a first private key portion D1 and a second private key portion D2, comprising:
-
a network interface configured to receive (i) a first network communication including a symmetric session key partially signed with the first private key portion D1 and (ii) a second network communication including a one-time-password encrypted with the symmetric session key; and
a processor configured to (i) complete the signature on the received partially signed symmetric session key with the second private key portion D2 to recover the symmetric session key, (ii) decrypt the received encrypted one-time-password with the recovered symmetric session key, and authenticate the user based on the decrypted one-time-password. - View Dependent Claims (23, 24, 25, 26, 27)
-
Specification