SECURING PASSWORDS AGAINST DICTIONARY ATTACKS
First Claim
1. A method that facilitates protecting a password of an individual from dictionary attacks, the method comprising the following computer-executable acts:
- authenticating a user to an online service, comprising:
  - at a client computing device, receiving a username and password from the user that wishes to authenticate to the online service, wherein the username is configured to identify the user to the online service hosted by a server that is accessible to the client computing device by way of a network connection, wherein the client computing device refrains from transmitting the password or a deterministic function of the password to the server or a storage provider that is separate from the client computing device and the server;
  - transmitting the username from the client computing device to the server;
  - receiving at the client computing device from the server a challenge to authenticate the user;
  - receiving, from a storage device, first data that is processible by the client computing device to reply to the challenge from the server;
  - processing the first data to obtain a signature, wherein the password is unidentifiable from the signature; and
  - transmitting the signature to the server responsive to receipt of the challenge.
Abstract
Described herein are various technologies pertaining to constructions of a password-based authentication protocol that are configured to allow a user to register with and authenticate to an online service without the online service receiving a password or a deterministic function of the password of the user. When registering with an online service, a client computing device establishes a cryptographically strong random secret and stores an encryption of such secret with a data storage device. The storage device also never receives the password or a deterministic function of the password. When the user wishes to authenticate to the online service, the user employs her password to retrieve the encrypted secret from the storage device, decrypts such secret, and utilizes the decrypted secret to answer a cryptographically strong challenge provided to the user by the online service upon the online service receiving a username pertaining to such user.
20 Claims
1. (Independent claim; reproduced in full under First Claim above. Claims 2 to 11 depend from it.)
12. A system that facilitates executing a protocol that facilitates securing a user password from dictionary attacks, the system comprising the following computer-executable components:
- a receiver component that receives an indication that a user wishes to authenticate with an online service hosted by a server, wherein the indication comprises a username and password of the user;
- a transmitter component that transmits the username to the server;
- a challenge receiver component that receives a challenge from the server, wherein the challenge requests a signature from a client computing device;
- a transform component that executes a first cryptographic function on the password to retrieve a data packet from a storage device responsive to receipt of the challenge; and
- a challenge answerer component that executes a second cryptographic function on the data packet to generate a signature, wherein the signature is secure against dictionary attacks by the online service, wherein the transmitter component transmits the signature to the server responsive to receipt of the challenge.
(Claims 13 to 19 depend from claim 12.)
20. A computer-readable medium resident upon a mobile computing device comprising instructions that, when executed by a processor, cause the processor to perform acts comprising:
- receiving a challenge from an online service with which a user wishes to authenticate, wherein the challenge is issued by the online service responsive to receipt of a username corresponding to the user;
- receiving a password from the user that the user employs to authenticate to the online service;
- executing a hash algorithm on the password to generate a cryptographic hash of the password;
- decrypting ciphertext utilizing the hash of the password to generate a key, wherein the key is a randomly or pseudo-randomly generated key that is generated during a registration phase with the online service and the ciphertext is an encryption of the key utilizing the hash of the password;
- signing the challenge using the key to generate a signature; and
- responding to the challenge based at least in part upon the signature.
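The registration and authentication phases described in the abstract and in claim 20 (random secret established at registration, stored only as an encryption under a hash of the password, then decrypted on the client and used to sign a server challenge), as an added example that is not code from the patent or any implementation of it. Assumptions made here: the storage device indexes blobs by username so it never receives the password or any function of it; PBKDF2-HMAC-SHA256 is the "hash algorithm" applied to the password; the encryption of the secret is a one-time-pad XOR with that password-derived pad; and HMAC-SHA256 stands in for the signature scheme so the example runs on the standard library alone (with a real signature scheme the server would hold only a verification key). The registration message carrying the secret to the server is assumed to travel over a protected channel.

```python
import hashlib
import hmac
import secrets

# Added example, not the patent's own implementation. The three parties of the
# abstract are modelled as in-process objects: the client (the two functions at
# the bottom), the storage device, and the online service.

SECRET_LEN = 32           # random secret established at registration
SALT_LEN = 16             # per-user salt for the password hash (assumption)
KDF_ITERATIONS = 100_000  # assumed work factor for the password hash


def password_pad(password: str, salt: bytes) -> bytes:
    """Hash of the password (claim 20). Computed and used only on the client;
    it is never sent to the server or to the storage device."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=SECRET_LEN)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """One-time-pad encryption/decryption of the secret under the pad."""
    return bytes(x ^ y for x, y in zip(a, b))


class StorageDevice:
    """Holds salt || ciphertext per username. Because the secret is uniformly
    random and XORed with the pad, the stored blob is statistically independent
    of the password: an attacker holding the blob has nothing to test a
    password guess against. Deliberately no password-keyed integrity tag is
    stored, since such a tag would itself be an offline verifier."""

    def __init__(self):
        self.blobs = {}

    def put(self, username: str, blob: bytes) -> None:
        self.blobs[username] = blob

    def get(self, username: str) -> bytes:
        return self.blobs[username]


class OnlineService:
    """Stores the per-user random secret (never the password) and issues
    single-use challenges that are consumed on verification."""

    def __init__(self):
        self.keys = {}
        self.pending = {}

    def register(self, username: str, secret: bytes) -> None:
        self.keys[username] = secret

    def challenge(self, username: str) -> bytes:
        c = secrets.token_bytes(32)       # cryptographically strong challenge
        self.pending[username] = c
        return c

    def verify(self, username: str, signature: bytes) -> bool:
        c = self.pending.pop(username, None)   # each challenge answered once
        if c is None or username not in self.keys:
            return False
        expected = hmac.new(self.keys[username], c, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def register(username: str, password: str, service: OnlineService,
             storage: StorageDevice) -> bytes:
    """Registration phase: create a random secret, store its encryption with
    the storage device, and give the secret itself to the service."""
    secret = secrets.token_bytes(SECRET_LEN)
    salt = secrets.token_bytes(SALT_LEN)
    ciphertext = xor_bytes(secret, password_pad(password, salt))
    storage.put(username, salt + ciphertext)
    service.register(username, secret)   # assumed protected channel
    return secret


def authenticate(username: str, password: str, service: OnlineService,
                 storage: StorageDevice) -> bool:
    """Authentication phase: send username, receive challenge, fetch the blob,
    decrypt the secret with the password hash, sign, send only the signature."""
    c = service.challenge(username)
    blob = storage.get(username)
    salt, ciphertext = blob[:SALT_LEN], blob[SALT_LEN:]
    secret = xor_bytes(ciphertext, password_pad(password, salt))
    signature = hmac.new(secret, c, hashlib.sha256).digest()
    return service.verify(username, signature)


def run_demo():
    """Constructed scenario: a correct and a wrong password for one user."""
    service, storage = OnlineService(), StorageDevice()
    register("alice", "correct horse battery staple", service, storage)
    good = authenticate("alice", "correct horse battery staple", service, storage)
    bad = authenticate("alice", "wrong password", service, storage)
    return good, bad


if __name__ == "__main__":
    print(run_demo())
```

A wrong password decrypts to a different 32-byte string, so the signature fails at the service; neither the service nor the storage device ever sees a value derived from the password that it could run a dictionary through. Note that the design choice of storing no integrity tag on the blob is what keeps the storage device in that position: adding one would hand it an offline password verifier.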