PASSWORD-BASED AUTHENTICATION
First Claim
1. A system comprising:
- an access control server configured to communicate with user computers via a network and control access by the user computers to a resource in dependence on authentication of user passwords associated with respective user IDs; and
- a plurality n of authentication servers configured to store respective secret values and communicate with the access control server via the network;
- wherein the access control server is further configured to store, for each said user ID, a first ciphertext produced by encrypting a user password associated with a user ID using a predetermined algorithm dependent on said secret values; and
- wherein, in response to receipt from a user computer of a received user ID and an input password, the access control server is further configured to communicate with a plurality k ≤ n of authentication servers to implement a password authentication protocol, requiring use by the plurality k of authentication servers of the respective secret values, in which a second ciphertext is produced by encrypting the input password using said predetermined algorithm, and the access control server is further configured to use the first and second ciphertexts to determine whether the input password equals the user password for the received user ID to permit access to the resource by the user computer.
Abstract
A password authentication system includes an access control server configured to control access by a user computer to a resource dependent on authentication of user passwords associated with user IDs. The system further includes a plurality of authentication servers, storing respective secret values. For each user ID, the access control server stores a first ciphertext produced by encrypting the user password associated with that ID using a predetermined algorithm dependent on the secret values. In response to receipt of a user ID and an input password, the access control server communicates with the plurality of authentication servers to implement password authentication, requiring use of the secret values, in which a second ciphertext is produced by encrypting the input password using said predetermined algorithm. The access control server compares the first and second ciphertexts to determine whether the input password equals the user password to permit access to the resource.
31 Claims
1. (Independent claim; text as reproduced under First Claim above.) Claims 2 through 27 depend on claim 1.
28-30. (canceled)
31. A computer program product configured to control access by user computers to a resource in dependence on authentication of user passwords, associated with respective user IDs, at an access control server configured to communicate via a network with the user computers and a plurality n of authentication servers, the computer program product comprising a computer readable storage medium having program instructions, the program instructions readable by an access control server which, when executed, causes the access control server to:
for each said user ID, store a first ciphertext produced by encrypting a user password associated with a user ID using a predetermined algorithm dependent on said secret values; in response to receipt from a user computer of a received user ID and an input password, communicate with a plurality k ≤ n of authentication servers to implement a password authentication protocol, requiring use by the plurality k of authentication servers of the respective secret values, in which a second ciphertext is produced by encrypting the input password using said predetermined algorithm; at the access control server, use the first and second ciphertexts to determine whether the input password equals the user password for the received user ID; and permit access to the resource by the user computer if the input password equals the user password.