Protocol And Method For Client-Server Mutual Authentication Using Event-Based OTP
First Claim
1. A method of authenticating and encrypting a client-server communication, comprising the steps of:
- a) generating a first one-time password (OTP1) and a second one-time password (OTP2) from a cryptographic token;
b) generating an encryption key (K_ENC) and a MAC (Message Authentication Code) key (K_MAC) based on OTP2;
c) preparing and protecting client data using K_ENC and K_MACd) sending a request message from the client to the server, the request message containing the protected client data, a cryptographic identifier token (TID) and OTP1;
e) validating OTP1 at the server, and generating OTP2 at the server upon successful validation;
f) deriving K_ENC and K_MAC from OTP2 at the server;
g) processing the request message and generating result data;
h) encrypting the result data using K_ENC and creating a digest using K_MAC;
i) sending the encrypted result data to the client; and
j) decrypting the result data at the client using K_ENC and verifying the authenticity of the result data using K_MAC.
9 Assignments
0 Petitions
Accused Products
Abstract
The invention comprises a method of authenticating and encrypting a client-server communication, comprising the steps of: a) generating a first one-time password (OTP1) and a second one-time password (OTP2) from a cryptographic token; b) generating an encryption key (K_ENC) and a MAC key (K_MAC) based on OTP2; c) preparing and protecting the client data using K_ENC and K_MAC; d) sending a request message from the client to the server, the request message containing the protected client data, a cryptographic token identifier (TID) and OTP1; e) validating OTP1 at the server, and generating OTP2 at the server upon successful validation; f) deriving K_ENC and K_MAC from OTP2 at the server; g) processing the request message and generating result data h) encrypting the result data using K_ENC and creating a digest using K_MAC; i) sending the encrypted result data to the client; and i) decrypting the result data at the client using K_ENC and verifying the authenticity of the result data using K_MAC.
62 Citations
10 Claims
-
1. A method of authenticating and encrypting a client-server communication, comprising the steps of:
-
a) generating a first one-time password (OTP1) and a second one-time password (OTP2) from a cryptographic token; b) generating an encryption key (K_ENC) and a MAC (Message Authentication Code) key (K_MAC) based on OTP2; c) preparing and protecting client data using K_ENC and K_MAC d) sending a request message from the client to the server, the request message containing the protected client data, a cryptographic identifier token (TID) and OTP1; e) validating OTP1 at the server, and generating OTP2 at the server upon successful validation; f) deriving K_ENC and K_MAC from OTP2 at the server; g) processing the request message and generating result data; h) encrypting the result data using K_ENC and creating a digest using K_MAC; i) sending the encrypted result data to the client; and j) decrypting the result data at the client using K_ENC and verifying the authenticity of the result data using K_MAC. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A data authentication and encryption protocol, comprising:
-
a) a pair of one-time passwords, OTP1 and OTP2, where OTP1 is used for user validation and OTP2 is used for key generation; b) an encryption key, K_ENC, derived from OTP2, used to encrypt data; and c) a MAC key, K_MAC, derived from OTP2, used to authenticate encrypted data, wherein OTP1, OTP2, K_ENC and K_MAC are derived such that the protocol does not require a public-key infrastructure. - View Dependent Claims (10)
-
Specification
-
- Resources
-
Current AssigneeIQVIA, Inc. (IQVIA Holdings, Inc.)
-
Original AssigneeDiversinet Corporation
-
InventorsTESLENKO, Konstantin, MACHANI, Salah E.
-
Granted Patent
-
Time in Patent OfficeDays
-
Field of Search
-
US Class Current713/181
-
CPC Class CodesG06Q 20/3829 involving key managementH04L 2209/56 Financial cryptography, e.g...H04L 63/0435 wherein the sending and rec...H04L 63/061 for key exchange, e.g. in p...H04L 63/0838 using one-time-passwordsH04L 9/0863 involving passwords or one-...H04L 9/3228 One-time or temporary data,...H04L 9/3234 involving additional secure...H04L 9/3242 involving keyed hash functi...
