System for increasing the difficulty of password guessing attacks in a distributed authentication scheme employing authentication tokens
First Claim
1. A method for securely accessing a computing system, comprising the steps of:
- (a) a workstation receiving a token from a first passive authentication token generator and receiving a secret password associated with a user;
(b) the workstation generating a transmission code by performing a first hashing algorithm upon data comprising;
(1) the token and(2) the secret password;
(c) the workstation sending the transmission code to an authentication server;
(d) the server receiving and verifying the validity of the transmission code;
(e) if the transmission code is valid, the server transmitting to the workstation a message encrypted with a session code generated by performing a second hashing algorithm upon data comprising the token and the password, the second hashing algorithm being substantially different than the first hashing algorithm;
(f) the workstation receiving the message;
(g) the workstation computing the session code by performing the second hashing algorithm on the password and the token; and
(h) the workstation using the session code to decrypt the message.
2 Assignments
0 Petitions
Accused Products
Abstract
An improved security system inhibits eavesdropping, dictionary attacks, and intrusion into stored password lists. In one implementation, the user provides a workstation with a "password", and a "token" obtained from a passive authentication token generator. The workstation calculates a "transmission code" by performing a first hashing algorithm upon the password and token. The workstation sends the transmission code to the server. Then, the server attempts to reproduce the transmission code by combining passwords from a stored list with tokens generated by a second identical passive authentication token generator just prior to receipt of the transmission code. If any password/token combination yields the transmission code, the workstation is provided with a message useful in communicating with a desired computing system; the message is encrypted with a session code calculated by applying a different hashing algorithm to the password and token. In another embodiment, the workstation transmits a user name to the authentication server. The server verifies the user name'"'"'s validity, and uses an active authentication token generator to obtain a "response" to an arbitrarily selected challenge. The server generates a session code by performing a hashing algorithm upon the response and the password. The server sends the challenge and a message encrypted with the session code to the workstation. The workstation generates the session code by performing the hashing algorithm on the password and the received challenge, and uses the session code to decrypt the encrypted message. The message is useful in communicating with a desired computing system.
414 Citations
37 Claims
-
1. A method for securely accessing a computing system, comprising the steps of:
-
(a) a workstation receiving a token from a first passive authentication token generator and receiving a secret password associated with a user; (b) the workstation generating a transmission code by performing a first hashing algorithm upon data comprising; (1) the token and (2) the secret password; (c) the workstation sending the transmission code to an authentication server; (d) the server receiving and verifying the validity of the transmission code; (e) if the transmission code is valid, the server transmitting to the workstation a message encrypted with a session code generated by performing a second hashing algorithm upon data comprising the token and the password, the second hashing algorithm being substantially different than the first hashing algorithm; (f) the workstation receiving the message; (g) the workstation computing the session code by performing the second hashing algorithm on the password and the token; and (h) the workstation using the session code to decrypt the message. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
-
-
22. A secure method for obtaining access to a computing system, wherein a workstation performs steps comprising:
-
(a) receiving an initial password and an initial token, wherein the initial password is supplied by a user and the initial token is supplied by a first authentication token generator; (b) generating a transmission code by performing a first hashing algorithm upon the password and the token; (c) sending the transmission code to an authentication server having a second authentication token generator that simultaneously supplies tokens substantially identical to those provided by the first authentication token generator; (d) if the authentication server successfully reproduces the transmission code by performing successive calculations utilizing different combinations of possible tokens occurring at the time the transmission code was sent and one or more passwords identified from a list of passwords accessible by the authentication server, then receiving a message from the authentication server that is encrypted with a selected secret key routine using a session code obtained by performing a second hashing algorithm upon data comprising the initial token and the initial password, the second hashing algorithm being substantially different than the first hashing algorithm. - View Dependent Claims (23, 24)
-
-
25. A secure method for obtaining access to a computing system,
wherein an authentication server performs steps comprising: -
(a) receiving a transmission code from a workstation, the transmission code generated by performing a first hashing algorithm upon data comprising an initial password received from a user and an initial token provided by a first passive authentication token generator; (b) utilizing a second passive authentication token generator that simultaneously provides tokens substantially identical to those supplied by the first passive authentication token generator to identify possible tokens occurring at the time the workstation sent the transmission code, identifying one or more passwords from a list of passwords accessible by the authentication server, and attempting to reproduce the transmission code by performing successive calculations utilizing different combinations of the possible tokens and one or more identified passwords; (c) if the server in step (b) successfully reproduced the transmission code, then providing the workstation with a message encrypted with a selected secret key routine using a session code generated by performing a second hashing algorithm upon the initial token and the initial password, wherein the second hashing algorithm is substantially different than the first hashing algorithm.
-
-
26. In a system including a workstation, an authentication server, and a token generator, a signal comprising a hashed version of a first signal computed from data including a user-supplied password and a token supplied by a token generator.
-
27. In a system that includes a workstation and an authentication server, a signal comprising a hashed version of a first signal computed from data including a token supplied by a token generator and a user-supplied password.
-
28. A method for securely accessing a computing system, comprising the steps of:
-
(a) a workstation receiving a user name associated with a user; (b) the workstation transmitting the user name to an authentication server; (c) the authentication server verifying the validity of the user name, and if the user name is valid; (1) selecting a challenge; (2) obtaining a response by inputting the challenge into a first active authentication token generator; (3) generating a session code by performing a first hashing algorithm on data comprising the response and a password associated with the user; (4) encrypting a message with the session code; (5) transmitting the challenge and the encrypted message to the workstation; and (d) the workstation receiving the challenge and the encrypted message; (e) the workstation obtaining the response by inputting the challenge into a second active authentication token generator that generates tokens substantially identical to those generated by the first active authentication token generator, and using the response and the password to generate the session code and decrypt the message. - View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37)
-
Specification