ROBUST DIGEST AUTHENTICATION METHOD

US 20080216160A1
Filed: 02/29/2008
Published: 09/04/2008
Est. Priority Date: 03/01/2007
Status: Active Grant

First Claim

Patent Images

1. A method of authenticating a user in a communication system:

comprising a user terminal (201) and an authentication server (202) which is capable of storing two types of nonce values comprising dedicated nonce values unique in the system and common nonce values constant and common to all users managed by the authentication server (202) during a fixed time period, the method comprising the following steps performed by the authentication server (202);

receiving (301, 401) from the user terminal (201) an access request;

using a given criterion for determining (605) the type of a first nonce value to be sent to the user terminal (201) as a response to the access request, wherein, in case the given criterion is fulfilled, then sending a dedicated nonce value, otherwise sending a common nonce value;

receiving (303, 403) a response from the user terminal (201), the response comprises a second nonce value and a response code to the nonce value sent by the authentication server (202); and

determining whether the response code is correct and whether the second nonce value corresponds to the first nonce value sent by the authentication server (202).

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to a method of authenticating a user in a communication system comprising a user terminal and an authentication server which is capable of storing two types of nonce values, namely dedicated nonce values unique in the system and common nonce values shared between users in the system. In the method the authentication server receives (401) from the user terminal an access request. Then the authentication server uses a predefined criterion for determining the type of a first nonce value to be sent to the user terminal as a response to the access request. In case the predefined criterion is fulfilled, then a dedicated nonce value is sent, otherwise a common nonce value is sent (402). Then the authentication server receives (403) from the user terminal a response comprising a second nonce value and a response code to the first nonce value. The authentication server then determines whether the response code is correct and whether the second nonce value corresponds to the first nonce value.

Citations

19 Claims

1. A method of authenticating a user in a communication system:
- comprising a user terminal (201) and an authentication server (202) which is capable of storing two types of nonce values comprising dedicated nonce values unique in the system and common nonce values constant and common to all users managed by the authentication server (202) during a fixed time period, the method comprising the following steps performed by the authentication server (202);
  
  receiving (301, 401) from the user terminal (201) an access request;
  
  using a given criterion for determining (605) the type of a first nonce value to be sent to the user terminal (201) as a response to the access request, wherein, in case the given criterion is fulfilled, then sending a dedicated nonce value, otherwise sending a common nonce value;
  
  receiving (303, 403) a response from the user terminal (201), the response comprises a second nonce value and a response code to the nonce value sent by the authentication server (202); and
  
  determining whether the response code is correct and whether the second nonce value corresponds to the first nonce value sent by the authentication server (202).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method according to claim 1, wherein the given criterion comprises the authentication server (202) generating (603) a dedicated nonce value and determining (604) a memory location for the generated dedicated nonce value and if the memory location is vacant, then concluding that the given criterion is fulfilled.
  - 3. The method according to claim 2, wherein the dedicated nonce value is generated randomly by the authentication server (202).
  - 4. The method according to claim 1, wherein the given criterion comprises determining the number of received access requests in a time unit and if the number is lower than a predetermined threshold, then concluding that the given criterion is fulfilled.
  - 5. The method according to any of the preceding claims, wherein the response code is calculated by the user terminal (201) based on the nonce value received from the authentication server (202) and password and username of the user.
  - 6. The method according to any one of the preceding claims, wherein in case the given criterion is fulfilled, the method further comprises after having determined that the response code to the dedicated nonce value is correct and that the second nonce value corresponds to the first nonce value, forwarding (304) the access request to a server (203).
  - 7. The method according to any of the preceding claims, wherein the method further comprises refusing (612, 642) the access request in case it is determined that the response code is not correct or that the second nonce value does not correspond to the first nonce value.
  - 8. The method according to any of the preceding claims, wherein in case the given criterion is fulfilled, the dedicated nonce value is stored in a table, and a memory location in the table being indexed by using internet protocol source address of the user terminal (201), user datagram protocol source port of the user terminal (201) and the dedicated nonce value.
  - 9. The method according to any one of claims 1-5 or 7, wherein the method further comprises, in case the given criterion is not fulfilled, after having determined that the response code to the common nonce value is correct and that the second nonce value corresponds to the first nonce value, generating a dedicated nonce value, sending (404) this value to the user terminal (201), receiving (405) a second response code from the user terminal (201), verifying that the second response code is correct and forwarding (406) the access request to a server (203).
  - 10. The method according to any one of claims 1-5, 7 or 9, wherein in case the given criterion is not fulfilled, after having determined that the response code to the common nonce value is correct and that the second nonce value corresponds to the first nonce value, the dedicated nonce value is stored in a table, and a memory location in the table being indexed by using a username of the user terminal (201).
  - 11. The method according to claims 8 or 10, wherein a single table is used irrespective of the method of indexing the memory locations in the table.
  - 12. The method according to any one of the preceding claims, wherein the common nonce and the dedicated nonce values have limited time validities.
  - 13. The method according to claims 8, 10, or 11, wherein each entry in a certain memory location of the table is associated with a priority bit, an authentication bit and timestamp and each entry can be overwritten by a new nonce value, if the priority bit is unset or if the authentication bit indicates that the corresponding request has already been approved or if the timestamp indicates that the current entry is no longer valid.
  - 14. The method according to claim 13, wherein the priority bit is set when the response code to the common nonce value has been determined to be correct and when the second nonce value corresponds to the first nonce value, otherwise the priority bit is unset.
  - 15. The method according to claim 13, wherein the authentication bit is set when the access request has been forwarded to a server (203), otherwise the authentication bit is unset.
  - 16. A computer program product comprising instructions for implementing the steps of a method according to any one of claims 1-15 when loaded and run on computer means of the authentication server (202).

17. A device for authenticating a user terminal (201) in a communication system, the device is capable of storing two types of nonce values comprising dedicated nonce values unique in the system and common nonce values constant and common to all users managed by the device during a fixed time period, the device comprising:
- a receiver for receiving from the user terminal messages; and
  
  a processor for using a given criterion for determining the type of a first nonce value to be sent to the user terminal (201) as a response to an access request from the user terminal (201), wherein, in case the given criterion is fulfilled, the processor is arranged to send a dedicated nonce value, otherwise the processor is arranged to send a common nonce value, the processor is further arranged to determine whether a response comprising a second nonce value and a response code received from the user terminal (201) as a response to the first nonce value, is correct.
- View Dependent Claims (18, 19)
- - 18. The device according to claim 17, wherein the device further comprises a memory arranged for storing common and dedicated nonce values.
  - 19. An authentication server for authenticating a user terminal (201), the authentication server (202) comprising a device according to claims 17-18.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mitsubishi Electric Corporation
Original Assignee
Mitsubishi Electric Corporation
Inventors
ROLLET, Romain

Granted Patent

US 8,336,087 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

G06F 21/33   using certificates

H04L 63/083   using passwords cryptograph...

H04L 63/205   involving negotiation or de...

H04L 9/3271   using challenge-response

ROBUST DIGEST AUTHENTICATION METHOD

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

ROBUST DIGEST AUTHENTICATION METHOD

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links