System for increasing the difficulty of password guessing attacks in a distributed authentication scheme employing authentication tokens

US 5,491,752 A
Filed: 09/02/1994
Issued: 02/13/1996
Est. Priority Date: 03/18/1993
Status: Expired due to Term

First Claim

Patent Images

1. A method for securely accessing a computing system, comprising the steps of:

(a) a workstation receiving a token from a first passive authentication token generator and receiving a secret password associated with a user;

(b) the workstation generating a transmission code by performing a first hashing algorithm upon data comprising;

(1) the token and(2) the secret password;

(c) the workstation sending the transmission code to an authentication server;

(d) the server receiving and verifying the validity of the transmission code;

(e) if the transmission code is valid, the server transmitting to the workstation a message encrypted with a session code generated by performing a second hashing algorithm upon data comprising the token and the password, the second hashing algorithm being substantially different than the first hashing algorithm;

(f) the workstation receiving the message;

(g) the workstation computing the session code by performing the second hashing algorithm on the password and the token; and

(h) the workstation using the session code to decrypt the message.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An improved security system inhibits eavesdropping, dictionary attacks, and intrusion into stored password lists. In one implementation, the user provides a workstation with a "password", and a "token" obtained from a passive authentication token generator. The workstation calculates a "transmission code" by performing a first hashing algorithm upon the password and token. The workstation sends the transmission code to the server. Then, the server attempts to reproduce the transmission code by combining passwords from a stored list with tokens generated by a second identical passive authentication token generator just prior to receipt of the transmission code. If any password/token combination yields the transmission code, the workstation is provided with a message useful in communicating with a desired computing system; the message is encrypted with a session code calculated by applying a different hashing algorithm to the password and token. In another embodiment, the workstation transmits a user name to the authentication server. The server verifies the user name'"'"'s validity, and uses an active authentication token generator to obtain a "response" to an arbitrarily selected challenge. The server generates a session code by performing a hashing algorithm upon the response and the password. The server sends the challenge and a message encrypted with the session code to the workstation. The workstation generates the session code by performing the hashing algorithm on the password and the received challenge, and uses the session code to decrypt the encrypted message. The message is useful in communicating with a desired computing system.

414 Citations

37 Claims

1. A method for securely accessing a computing system, comprising the steps of:
- (a) a workstation receiving a token from a first passive authentication token generator and receiving a secret password associated with a user;
  
  (b) the workstation generating a transmission code by performing a first hashing algorithm upon data comprising;
  
  (1) the token and(2) the secret password;
  
  (c) the workstation sending the transmission code to an authentication server;
  
  (d) the server receiving and verifying the validity of the transmission code;
  
  (e) if the transmission code is valid, the server transmitting to the workstation a message encrypted with a session code generated by performing a second hashing algorithm upon data comprising the token and the password, the second hashing algorithm being substantially different than the first hashing algorithm;
  
  (f) the workstation receiving the message;
  
  (g) the workstation computing the session code by performing the second hashing algorithm on the password and the token; and
  
  (h) the workstation using the session code to decrypt the message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1, wherein the step of generating the transmission code comprises the steps of:
    - (1) hashing the password according to a selected one-way hashing equation;
      
      (2) concatenating the token onto the hashed password to form a concatenation; and
      
      (3) hashing the concatenation according to the selected one-way hashing equation.
  - 3. The method of claim 1, wherein the step of generating the transmission code comprises the steps of:
    - (1) hashing the password according to a selected one-way hashing equation;
      
      (2) concatenating the hashed password onto the token to form a concatenation; and
      
      (3) hashing the concatenation according to the selected one-way hashing equation.
  - 4. The method of claim 1, wherein the step of generating the transmission code comprises the steps of:
    - (1) concatenating the token onto the password to form a concatenation; and
      
      (2) hashing the concatenation according to the selected one-way hashing equation.
  - 5. The method of claim 1, wherein the step of generating the transmission code comprises the steps of:
    - (1) concatenating the password onto the token to form a concatenation; and
      
      (2) hashing the concatenation according to the selected one-way hashing equation.
  - 6. The method of claim 1, wherein the step of verifying the validity of the transmission code comprises the steps of:
    - (1) the server utilizing a second passive authentication token generator that simultaneously supplies tokens substantially identical to those of the first passive token generator to identify possible tokens occurring at the time the workstation sent the transmission code to the server;
      
      (2) the server identifying one or more passwords from a stored list; and
      
      (3) the server attempting to reproduce the transmission code by performing the first hashing algorithm on the identified one or more passwords and different identified possible tokens in turn.
  - 7. The method of claim 6, wherein step (2) comprises the step of utilizing a user name received from the workstation to identify a single password from a cross-referenced list of user names and passwords.
  - 8. The method of claim 1, wherein the step of verifying the validity of the transmission code comprises the steps of:
    - (1) the server utilizing a second passive authentication token generator that simultaneously supplies tokens substantially identical to those of the first passive token generator to identify possible tokens occurring at the time the workstation sent the transmission code to the server;
      
      (2) the server identifying one or more hashed passwords from a stored list; and
      
      (3) the server attempting to reproduce the transmission code by performing the first hashing algorithm on the identified one or more hashed passwords and different identified possible tokens in turn.
  - 9. The method of claim 8, wherein step (2) comprises the step of utilizing a user name received from the workstation to identify a single hashed password from a cross-referenced list of user names and hashed passwords.
  - 10. The method of claim 1, wherein the step of generating the session code comprises the steps of:
    - (1) hashing the password according to a selected one-way hashing equation;
      
      (2) concatenating the token and the hashed password to form a concatenation; and
      
      (3) hashing the concatenation according to the selected one-way hashing equation.
  - 11. The method of claim 1, wherein the step of generating the session code comprises the steps of:
    - (1) hashing the token according to a selected one-way hashing equation;
      
      (2) concatenating the hashed token and the password to form a concatenation; and
      
      (3) hashing the concatenation according to the selected one-way hashing equation.
  - 12. The method of claim 1, wherein the step of generating the session code comprises the steps of:
    - (1) concatenating the token onto the password to form a concatenation; and
      
      (2) hashing the concatenation according to the selected one-way hashing equation.
  - 13. The method of claim 1, wherein the step of generating the session code comprises the steps of:
    - (1) concatenating the password onto the token to form a concatenation; and
      
      (2) hashing the concatenation according to the selected one-way hashing equation.
  - 14. The method of claim 1, further comprising the step of the workstation using the message to encrypt subsequent communications between the workstation and a desired computing system.
  - 15. The method of claim 1, further comprising the step of the workstation using the session code to decrypt subsequent communications between the workstation and a desired computing system.
  - 16. The method of claim 1, additionally including the step of the authentication server maintaining a log of verified transmission codes.
  - 17. The method of claim 1, wherein the step of the workstation receiving the password is accomplished by a user typing the password upon keys of a data entry device.
  - 18. The method of claim 1, wherein the step of the workstation receiving the token is accomplished by a user typing the token upon keys of a data entry device.
  - 19. The method of claim 1, wherein the token is generated by the first authentication token generator based upon an external reference.
  - 20. The method of claim 1, wherein the step of the workstation receiving the token is accomplished by an electrical link.
  - 21. The method of claim 1, wherein the step of the workstation receiving the token is accomplished by the workstation reading a bar code provided by the first authentication token generator.

22. A secure method for obtaining access to a computing system, wherein a workstation performs steps comprising:
- (a) receiving an initial password and an initial token, wherein the initial password is supplied by a user and the initial token is supplied by a first authentication token generator;
  
  (b) generating a transmission code by performing a first hashing algorithm upon the password and the token;
  
  (c) sending the transmission code to an authentication server having a second authentication token generator that simultaneously supplies tokens substantially identical to those provided by the first authentication token generator;
  
  (d) if the authentication server successfully reproduces the transmission code by performing successive calculations utilizing different combinations of possible tokens occurring at the time the transmission code was sent and one or more passwords identified from a list of passwords accessible by the authentication server, then receiving a message from the authentication server that is encrypted with a selected secret key routine using a session code obtained by performing a second hashing algorithm upon data comprising the initial token and the initial password, the second hashing algorithm being substantially different than the first hashing algorithm.
- View Dependent Claims (23, 24)
- - 23. The method of claim 22, wherein the workstation additionally performs steps comprising:
    - (1) decrypting the message; and
      
      (2) utilizing the message to encrypt subsequent communications with a desired computing system.
  - 24. The method of claim 22, wherein the workstation additionally performs steps comprising:
    - (1) decrypting the message; and
      
      (2) utilizing the message to decrypt subsequent communication with a desired computing system.

25. A secure method for obtaining access to a computing system,wherein an authentication server performs steps comprising:
- (a) receiving a transmission code from a workstation, the transmission code generated by performing a first hashing algorithm upon data comprising an initial password received from a user and an initial token provided by a first passive authentication token generator;
  
  (b) utilizing a second passive authentication token generator that simultaneously provides tokens substantially identical to those supplied by the first passive authentication token generator to identify possible tokens occurring at the time the workstation sent the transmission code, identifying one or more passwords from a list of passwords accessible by the authentication server, and attempting to reproduce the transmission code by performing successive calculations utilizing different combinations of the possible tokens and one or more identified passwords;
  
  (c) if the server in step (b) successfully reproduced the transmission code, then providing the workstation with a message encrypted with a selected secret key routine using a session code generated by performing a second hashing algorithm upon the initial token and the initial password, wherein the second hashing algorithm is substantially different than the first hashing algorithm.

26. In a system including a workstation, an authentication server, and a token generator, a signal comprising a hashed version of a first signal computed from data including a user-supplied password and a token supplied by a token generator.

27. In a system that includes a workstation and an authentication server, a signal comprising a hashed version of a first signal computed from data including a token supplied by a token generator and a user-supplied password.

28. A method for securely accessing a computing system, comprising the steps of:
- (a) a workstation receiving a user name associated with a user;
  
  (b) the workstation transmitting the user name to an authentication server;
  
  (c) the authentication server verifying the validity of the user name, and if the user name is valid;
  
  (1) selecting a challenge;
  
  (2) obtaining a response by inputting the challenge into a first active authentication token generator;
  
  (3) generating a session code by performing a first hashing algorithm on data comprising the response and a password associated with the user;
  
  (4) encrypting a message with the session code;
  
  (5) transmitting the challenge and the encrypted message to the workstation; and
  
  (d) the workstation receiving the challenge and the encrypted message;
  
  (e) the workstation obtaining the response by inputting the challenge into a second active authentication token generator that generates tokens substantially identical to those generated by the first active authentication token generator, and using the response and the password to generate the session code and decrypt the message.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 29. The method of claim 28, wherein the step of the workstation receiving the user name is accomplished by the user typing the user name upon keys of a data entry device.
  - 30. The method of claim 28, wherein the step of generating the session code comprises the steps of:
    - (1) concatenating the response onto a password associated with the user to form a concatenation; and
      
      (2) hashing the concatenation according to the selected one-way hashing equation.
  - 31. The method of claim 28, wherein the step of generating the session code comprises the steps of:
    - (1) concatenating a password associated with the user onto the response to form a concatenation; and
      
      (2) hashing the concatenation according to the selected one-way hashing equation.
  - 32. The method of claim 28, wherein the step of generating the session code comprises the steps of:
    - (1) hashing a password associated with the user according to a selected one-way hashing equation;
      
      (2) concatenating the hashed password and the response to form a concatenation; and
      
      (3) hashing the concatenation according to the selected one-way hashing equation.
  - 33. The method of claim 28, wherein the step of generating the session code comprises the steps of:
    - (1) hashing the response according to a selected one-way hashing equation;
      
      (2) concatenating the response and a password associated with the user to form a concatenation; and
      
      (3) hashing the concatenation according to the selected one-way hashing equation.
  - 34. The method of claim 28, wherein the step of verifying the validity of the user name comprises the step of the server accessing a database of user names and determining whether the user name appears in the database.
  - 35. The method of claim 28, wherein the step of verifying the validity of the user name comprises the step of the server accessing a database of hashed user names and determining whether the user name appears in the database.
  - 36. The method of claim 28, further comprising the step of the workstation using the message to encrypt subsequent communications between the workstation and a desired computing system.
  - 37. The method of claim 28, further comprising the step of the workstation using the message to decrypt subsequent communications between the workstation and a desired computing system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Digital Equipment Corporation PAT Law Group
Inventors
Gasser, Morrie, Kaufman, Charles W., Pearlman, Radia J.
Primary Examiner(s)
Swann, Tod R.

Application Number

US08/300,576
Time in Patent Office

529 Days
Field of Search

380/23, 380/24, 380/25, 380/30
US Class Current

380/30
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/34   involving the use of extern...

G06F 2221/2103   Challenge-response

G06F 2221/2151   Time stamp

H04L 9/0877   using additional device, e....

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3271   using challenge-response

System for increasing the difficulty of password guessing attacks in a distributed authentication scheme employing authentication tokens

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

414 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

System for increasing the difficulty of password guessing attacks in a distributed authentication scheme employing authentication tokens

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

414 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links