System and method for user authentication

US 20070226784A1
Filed: 06/09/2006
Published: 09/27/2007
Est. Priority Date: 03/27/2006
Status: Active Grant

First Claim

Patent Images

1. A user authentication system designed to arrange a plurality of pattern elements in a given pattern format so as to create a presentation pattern to be presented to a user subject to authentication, and apply a one-time-password derivation rule serving as a password of said user to certain ones of the pattern elements included in said presentation pattern at specific positions so as to create a one-time password, said user authentication system comprising:

an authentication server for managing respective user IDs and passwords of users of the system; and

an authentication-requesting client connected to said authentication server via a network, to serve as a terminal for allowing each of the users to request authentication therethrough,wherein said authentication server includes;

a password storage section pre-storing the user IDs and the one-time-password derivation rules of the users in associated relation with each other on a user-by-user basis;

pattern-seed-value generation means for generating, in accordance with a given generation rule, a pattern seed value adapted to be combined with one of the user IDs so as to allow a presentation pattern to be uniquely determined;

user-ID receiving means for receiving the user ID of the user subject to authentication, from the authentication-requesting client of said user; and

pattern-seed-value transmission means for transmitting said generated pattern seed value, to the authentication-requesting client of said user subject to authentication, andwherein said authentication-requesting client includes;

user-ID input means for allowing the user to enter his/her user ID therefrom;

user-ID transmission means for transmitting said entered user ID to said authentication server;

pattern-seed-value receiving means for receiving the transmitted pattern seed value transmitted from said authentication server;

pattern-element-sequence creation means for creating, based on said entered user ID and said received pattern seed value and in accordance with a given pattern-element-sequence creation rule, a pattern element sequence consisting of a set of pattern elements for forming a presentation pattern;

pattern display means for arranging the pattern elements included in said created pattern element sequence, in said given pattern format, to create the presentation pattern, and displaying said created presentation pattern on a screen;

one-time-password input means for allowing said user to enter therefrom a one-time password created as a result of applying said one-time-password derivation rule to the pattern elements included in said displayed presentation pattern; and

one-time-password transmission means for transmitting said entered one-time password to said authentication server of the user subject to authentication,wherein said authentication server further includes;

one-time-password receiving means for receiving said transmitted one-time password;

verification-code creation means for creating a verification code as a result of applying the one-time-password derivation rule corresponding to said received user ID, to certain pattern elements included in a presentation pattern formed from a pattern element sequence which is created based on said received user ID and said transmitted pattern seed value and in accordance with said given pattern-element-sequence creation rule; and

user authentication means for comparing said received one-time password with said created verification code, and successfully authenticating the user corresponding to said received user ID if they are identical to one another.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a user authentication system, which is designed to present a presentation pattern to a user subject to authentication, and apply a one-time-password derivation rule serving as a password of the user to certain pattern elements included in the presentation pattern at specific positions so as to create a one-time password. An authentication server is operable to generate a pattern seed value adapted to be combined with a user ID so as to allow a presentation pattern to be uniquely determined, and transmit the generated pattern seed value to an authentication-requesting client. The authentication-requesting client is operable to display a presentation pattern created based on an entered user ID and the received pattern seed value and in accordance with a given pattern-element-sequence creation rule, so as to allow the user to enter therein a one-time password, and transmit the entered one-time password to the authentication server. The authentication server is operable to duplicate the presentation pattern so as to create a verification code, and compare between the received one-time password and the created verification code, so as to carry out user authentication. The present invention provides a matrix authentication scheme capable of reducing the risk of password leakage.

Citations

10 Claims

1. A user authentication system designed to arrange a plurality of pattern elements in a given pattern format so as to create a presentation pattern to be presented to a user subject to authentication, and apply a one-time-password derivation rule serving as a password of said user to certain ones of the pattern elements included in said presentation pattern at specific positions so as to create a one-time password, said user authentication system comprising:
- an authentication server for managing respective user IDs and passwords of users of the system; and
  
  an authentication-requesting client connected to said authentication server via a network, to serve as a terminal for allowing each of the users to request authentication therethrough,wherein said authentication server includes;
  
  a password storage section pre-storing the user IDs and the one-time-password derivation rules of the users in associated relation with each other on a user-by-user basis;
  
  pattern-seed-value generation means for generating, in accordance with a given generation rule, a pattern seed value adapted to be combined with one of the user IDs so as to allow a presentation pattern to be uniquely determined;
  
  user-ID receiving means for receiving the user ID of the user subject to authentication, from the authentication-requesting client of said user; and
  
  pattern-seed-value transmission means for transmitting said generated pattern seed value, to the authentication-requesting client of said user subject to authentication, andwherein said authentication-requesting client includes;
  
  user-ID input means for allowing the user to enter his/her user ID therefrom;
  
  user-ID transmission means for transmitting said entered user ID to said authentication server;
  
  pattern-seed-value receiving means for receiving the transmitted pattern seed value transmitted from said authentication server;
  
  pattern-element-sequence creation means for creating, based on said entered user ID and said received pattern seed value and in accordance with a given pattern-element-sequence creation rule, a pattern element sequence consisting of a set of pattern elements for forming a presentation pattern;
  
  pattern display means for arranging the pattern elements included in said created pattern element sequence, in said given pattern format, to create the presentation pattern, and displaying said created presentation pattern on a screen;
  
  one-time-password input means for allowing said user to enter therefrom a one-time password created as a result of applying said one-time-password derivation rule to the pattern elements included in said displayed presentation pattern; and
  
  one-time-password transmission means for transmitting said entered one-time password to said authentication server of the user subject to authentication,wherein said authentication server further includes;
  
  one-time-password receiving means for receiving said transmitted one-time password;
  
  verification-code creation means for creating a verification code as a result of applying the one-time-password derivation rule corresponding to said received user ID, to certain pattern elements included in a presentation pattern formed from a pattern element sequence which is created based on said received user ID and said transmitted pattern seed value and in accordance with said given pattern-element-sequence creation rule; and
  
  user authentication means for comparing said received one-time password with said created verification code, and successfully authenticating the user corresponding to said received user ID if they are identical to one another.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The user authentication system as defined in claim 1, wherein said given pattern-element-sequence creation rule in said pattern-element-sequence creation means is designed to apply a symmetric-key encryption algorithm using a key consisting of a value based on said entered user ID and said received pattern seed value, to a given initial character sequence, so as to allow said pattern element sequence to be created based on a result of said algorithm.
  - 3. The user authentication system as defined in claim 1, wherein said given pattern-element-sequence creation rule in said pattern-element-sequence creation means is designed to apply a hash function algorithm to a value based on said entered user ID and said received pattern seed value, so as to allow said pattern element sequence to be created based on a result of said algorithm.
  - 4. The user authentication system as defined in claim 1, wherein:
    - said one-time-password transmission means is operable to apply a given hash function algorithm to said entered one-time password and then transmit an obtained hashed one-time password to said authentication server;
      
      said verification-code creation means operable to apply said given hash function algorithm to said result of applying the one-time-password derivation rule corresponding to said received user ID, to certain pattern elements included in a presentation pattern formed from a pattern element sequence which is created based on said received user ID and said transmitted pattern seed value and in accordance with said given pattern-element-sequence creation rule, so as to create a hashed verification code; and
      
      said user authentication means is operable to compare said received hashed one-time password with said created hashed verification code, and successfully authenticate the user corresponding to said received user ID if they are identical to one another.
  - 5. The user authentication system as defined in claim 4, wherein said one-time-password derivation rule consists of a combination of respective positions of certain ones to be selected from the pattern elements included in the presentation pattern, and a selection order of said certain pattern elements.
  - 6. The user authentication system as defined in claim 5, wherein said one-time-password derivation rule consists of a combination of:
    - respective positions of certain ones to be selected from the pattern elements included in the presentation pattern;
      
      one or more characters to be entered without being based on the presentation pattern; and
      
      a selection or input order of said certain pattern elements and said characters.
  - 7. The user authentication system as defined in claim 5, wherein the pattern elements to be included in the presentation pattern are selected from ten numerals of 0 (zero) to 9 and a symbol.
  - 8. The user authentication system as defined in claim 7, wherein the pattern elements to be included in the presentation pattern are selected from ten numerals of 0 (zero) to 9.
  - 9. The user authentication system as defined in claim 8, wherein said given pattern format for use in arranging the plurality of pattern elements to create the presentation pattern includes a matrix having a number m of matrix elements in height and a number n of matrix elements in width to form a rectangular shape in its entirety.

10. A user authentication method for use in a user authentication system designed to arrange a plurality of pattern elements in a given pattern format so as to create a presentation pattern to be presented to a user subject to authentication, and apply a one-time-password derivation rule serving as a password of said user to certain ones of the pattern elements included in said presentation pattern at specific positions so as to create a one-time password, said user authentication system including an authentication server adapted to manage respective user IDs and passwords of users of the system and connected via a network to an authentication-requesting client serving as a terminal for allowing each of the users to request authentication therethrough, said authentication server being operable, in response to an authentication request from said authentication-requesting client, to perform authentication, said user authentication method comprising the steps of:
- pre-storing the user IDs and the one-time-password derivation rules of the users in associated relation with each other on a user-by-user basis in said authentication server;
  
  allowing the user subject to authentication to enter his/her user ID into the authentication-requesting client;
  
  transmitting said entered user ID from said authentication-requesting client to said authentication server;
  
  receiving said transmitted user ID from said authentication-requesting client, at said authentication server;
  
  allowing said authentication server to generate, in accordance with a given generation rule, a pattern seed value adapted to be combined with one of the user IDs so as to allow a presentation pattern to be uniquely determined;
  
  transmitting said generated pattern seed value from said authentication server to the authentication-requesting client of the user subject to authentication;
  
  receiving said transmitted pattern seed value from said authentication server, at said authentication-requesting client;
  
  allowing said authentication-requesting client to create, based on said entered user ID and said received pattern seed value and in accordance with a given pattern-element-sequence creation rule, a pattern element sequence consisting of a set of pattern elements for forming a presentation pattern;
  
  allowing said authentication-requesting client to arrange the pattern elements included in said created pattern element sequence, in said given pattern format, to create the presentation pattern, and display said created presentation pattern on a screen;
  
  allowing said user to enter a one-time password created as a result of applying said one-time-password derivation rule to the pattern elements included in the displayed presentation pattern, into said authentication-requesting client;
  
  transmitted said entered one-time password from said authentication-requesting client to said authentication server;
  
  receiving said transmitted one-time password from said authentication-requesting client, at said authentication server;
  
  allowing said authentication server to create a verification code as a result of applying the one-time-password derivation rule corresponding to said received user ID, to certain pattern elements included in a presentation pattern formed from a pattern element sequence which is created based on said received user ID and said transmitted pattern seed value and in accordance with said given pattern-element-sequence creation rule; and
  
  allowing said authentication server to compare said received one-time password with said created verification code, and successfully authenticate the user corresponding to said received user ID if they are identical to one another.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cse Co. Ltd.
Original Assignee
Computer Systems Engineering Company Limited
Inventors
Ueda, Yukiya, Saito, Tsugune, Tamai, Shigetomo

Granted Patent

US 7,409,705 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

G06F 21/36   by graphic or iconic repres...

H04L 2209/60   Digital content management,...

H04L 63/0838   using one-time-passwords

H04L 9/3228   One-time or temporary data,...

H04L 9/3271   using challenge-response

System and method for user authentication

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for user authentication

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links