Distributed user authentication protocol
First Claim
1. In a method for authenticating an authorized user for a computer controlled system, said method being of the type wherein a coded card containing an authentication code and a user password is inserted by the user into a reader coupled to the computer controlled system, and wherein the computer then verifies the authenticity of the card by checking the authentication code against authentication data stored on the coded card, and wherein the computer also compares a password entered into a data entry device with the user password on the coded card, the improvement comprising the following steps for authorization of access after verification of the user password:
- providing a set of challenges to be answered by the user, each challenge having a right answer and at least one wrong answer;
- storing a predetermined pattern of responses to said challenges, said predetermined pattern defining an authenticating response to said set of challenges, said predetermined pattern including a deliberately wrong answer to at least one of said challenges and a right answer to at least a remaining one of said challenges comprising said set;
- sequentially presenting said set of challenges via a readout device to the user;
- permitting the user to respond sequentially to each challenge of the set of challenges via the data entry device, wherein the sequential set of user responses to said set of challenges defines a user-entered pattern of responses;
- comparing said user-entered pattern of responses to said predetermined pattern defining said authenticating response and permitting entry to said computer controlled system if and only if said user-entered pattern of responses matches said authentication pattern.
Abstract
A distributed authentication system that prevents unauthorized access to any computer system in a distributed environment. Authentication using the present invention involves three distinct phases. In the first phase, user passwords are generated by the computer system and encrypted on a coded card together with a message authentication code to prevent alterations prior to any access attempts. These are complex and impersonal enough not to be easily guessed. This coded card must be used whenever requesting access to the system. Second, in addition to supplying a password, the user is required to correctly respond to a set of randomly selected authentication challenges when requesting access. The correct responses may vary between the right response, a wrong response or no response depending on some predetermined variable, e.g., the day of the week or hour of the day. The dual randomness thus introduced significantly reduces the usefulness of observed logon information. Third, at random times during the session, the user is required again to respond to selected authentication challenges. This detects piggybacking attempts. Since authentication depends on the correctness of the entire set of responses rather than on the response to a single question, the present invention provides a significant increase in the probability of detecting and preventing unauthorized computer access.
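The pattern-based check described in the abstract and claimed above, as an added example that is not part of the patent: the challenge set, the per-weekday pattern of right/wrong/no responses, and all answer values are constructed for illustration, and the whole entered pattern is compared at once so a single wrong response reveals nothing about which challenge failed.

```python
import hmac
import secrets
from datetime import date

# Constructed challenge set (illustrative, not from the patent): each entry maps
# a challenge to its right answer and its listed deliberately wrong answers.
CHALLENGES = {
    "mother's maiden name": ("SMITH", ("JONES", "BROWN")),
    "first school": ("LINCOLN", ("ROOSEVELT",)),
    "favourite colour": ("BLUE", ("RED", "GREEN")),
    "city of birth": ("DENVER", ("BOSTON",)),
}
ORDER = list(CHALLENGES)

# Response kinds: R = right answer, W = a listed wrong answer, N = no response.
# PATTERNS gives, per weekday (Monday=0), the expected kind for each challenge in
# ORDER. Constructed secret values: the pattern is stored with the user's
# credentials and is never shown at logon; only the challenges are displayed.
PATTERNS = {0: "RWRN", 1: "WRNR", 2: "RRWN", 3: "NWRR", 4: "RNWR", 5: "WNRR", 6: "RWNR"}


def classify(challenge, response):
    """Map one response to R, W or N; an unlisted answer becomes '?' and never matches."""
    right, wrongs = CHALLENGES[challenge]
    answer = response.strip().upper()
    if not answer:
        return "N"
    if answer == right:
        return "R"
    return "W" if answer in wrongs else "?"


def select_challenges(count, rng=None):
    """Randomly choose which challenges to present this session (phase two)."""
    rng = rng or secrets.SystemRandom()
    return rng.sample(ORDER, count)


def expected_pattern(selected, weekday):
    """The authenticating response for the selected challenges on the given weekday."""
    return "".join(PATTERNS[weekday][ORDER.index(c)] for c in selected)


def verify(selected, responses, weekday=None):
    """Grant access iff the entire user-entered pattern equals the predetermined one."""
    if weekday is None:
        weekday = date.today().weekday()
    if len(responses) != len(selected):
        return False
    entered = "".join(classify(c, r) for c, r in zip(selected, responses))
    # Whole-pattern comparison: all responses are judged together, not one by one.
    return hmac.compare_digest(entered.encode(), expected_pattern(selected, weekday).encode())
```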
9 Claims
5. A method for authenticating an authorized user for a computer network having a first terminal and a second terminal coupled by a communication link, said method comprising the following steps:
- insertion by the user of a coded card containing an authentication code and a user password into a reader coupled to the first of said terminals, said first terminal then verifying the authenticity of the card by checking the authentication code against authentication data stored on the coded card;
- entry by the user of a password into a data entry device, said first terminal then verifying the authenticity of the password by checking the password against authentication data stored on the coded card, said first terminal initiating communication with the second terminal if the coded card and the password are authenticated;
- determining a set of challenges to be answered by the user, each challenge having a right answer and at least one wrong answer;
- storing a predetermined pattern of responses to said challenges, said predetermined pattern defining an authenticating response to said set of challenges, said predetermined pattern including a deliberately wrong answer to at least one of said challenges and a right answer to at least a remaining one of said challenges comprising said set;
- the second terminal sequentially presenting said predetermined set of challenges to the user via a readout device;
- permitting the user to respond sequentially to each challenge of the presented set of challenges via the data entry device, wherein the sequential set of user responses to said set of challenges defines a user-entered pattern of responses;
- comparing said user-entered pattern of responses to said predetermined pattern defining said authenticating response and permitting entry to said computer controlled system if and only if said user-entered pattern of responses matches said authentication pattern.