System and method for providing masquerade protection in a computer network using hardware and timestamp-specific single use keys

US 5,717,756 A
Filed: 10/12/1995
Issued: 02/10/1998
Est. Priority Date: 10/12/1995
Status: Expired due to Fees

First Claim

Patent Images

1. A method for providing masquerade protection in a computer network, comprising:

executing a one way hash function having an output space with guaranteed output space duplicates, comprising;

seeding a pseudo random number generator function with a number corresponding to said one or more hardware characteristics; and

wherein said session key is generated from a number generated from said seeded pseudo random number generator function;

generating a session key with a first machine as a function of a timestamp and one or more hardware characteristics unique to said first machine;

transmitting said session key over said network from said first machine through intermediate machines without said masquerade protection to said second machine;

generating a plurality of locks with said second machine as a function of said timestamp and said hardware characteristics;

testing with said second machine whether said session key matches one of said plurality of locks; and

granting access from said first machine to said second machine when said session key matches said one of said plurality of locks.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication session key is generated on a trusted machine based upon an identifier of its CPU, hardware configuration, and a timestamp. The trusting machine retrieves this same information about the trusted machine, and then generates session locks for the machine which are valid for a predetermined time interval. If the incoming session key matches one of the session locks, and the incoming session key is not on the list of used keys, the session key is appended to a list of keys which will no longer thereafter be valid, and access is then granted, thereby employing single-use keys. Because the locks and keys are also generated during a timestamp, a user may request service from the same machine multiple times by waiting no more than a predetermined time between requests, or front ends to the masquerade protection tools could be written that re-try until successful. Because the keys generated are specific to the hardware characteristics of the trusted machine upon which they are generated, attempts to gain access from an imposter machine will generate unusable session keys.

Citations

18 Claims

1. A method for providing masquerade protection in a computer network, comprising:
- executing a one way hash function having an output space with guaranteed output space duplicates, comprising;
  
  seeding a pseudo random number generator function with a number corresponding to said one or more hardware characteristics; and
  
  wherein said session key is generated from a number generated from said seeded pseudo random number generator function;
  
  generating a session key with a first machine as a function of a timestamp and one or more hardware characteristics unique to said first machine;
  
  transmitting said session key over said network from said first machine through intermediate machines without said masquerade protection to said second machine;
  
  generating a plurality of locks with said second machine as a function of said timestamp and said hardware characteristics;
  
  testing with said second machine whether said session key matches one of said plurality of locks; and
  
  granting access from said first machine to said second machine when said session key matches said one of said plurality of locks.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein said session key is valid for a predetermined time functionally related to said timestamp.
  - 3. The method of claim 2 wherein said hardware characteristics include a central processing unit identification number associated with a central processor unit in said first machine.
  - 4. The method of claim 3 wherein said hardware characteristics include a checksum determined from multiple hardware aspects of said first machine.
  - 5. The method of claim 4 wherein said session key is a function of a product of said central processor unit identification number and said checksum.
  - 6. The method of claim 1 further includingmaintaining with said second machine a list of previously used said session keys;
    - and wherein said method further includestesting whether said session key is on said list, and, if so, inhibiting said testing of whether said session key matches said one of said plurality of locks, and denying access.
  - 7. The method of claim 1 includingspecifying at said first and second machines a COMPLEXITY number corresponding to a desired level of said masquerade protection;
    - and wherein said pseudo random number generator function is seeded a number of times corresponding to said complexity number.
  - 8. The method of claim 1 further includingmaintaining on said second machine a list of machines on said network which have said masquerade protection and may be granted access to said second machine;
    - wherein said transmitting occurs at a time corresponding to a timestamp generated with said first machine; and
      
      wherein said list includes a network address, and information for generating said time with said second machine.
  - 9. The method of claim 8 further includingmaintaining on said first machine a list of machines on said network to which said first machine will permit said session keys to be sent;
    - andpreventing said transmitting of said session key to said second machine when said second machine is not on said list on said first machine.

10. An apparatus for providing masquerade protection in a computer network, comprising:
- means for executing a one way hash function having an output space with guaranteed output space duplicates, comprising;
  
  means for seeding a pseudo random number generator function with a number corresponding to said one or more hardware characteristics; and
  
  wherein said session key is generated from a number generated from said seeded pseudo random number generator function;
  
  means for generating a session key with a first machine as a function of a timestamp and one or more hardware characteristics unique to said first machine;
  
  means for transmitting said session key over said network from said first machine through intermediate machines without said masquerade protection to said second machine;
  
  means for generating a plurality of locks with said second machine as a function of said timestamp and said hardware characteristics;
  
  means for testing with said second machine whether said session key matches one of said plurality of locks; and
  
  means for granting access from said first machine to said second machine when said session key matches said one of said plurality of locks.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The apparatus of claim 10 wherein said session key is valid for a predetermined time functionally related to said timestamp.
  - 12. The apparatus of claim 11 wherein said hardware characteristics include a central processing unit identification number associated with a central processor unit in said first machine.
  - 13. The apparatus of claim 12 wherein said hardware characteristics include a checksum determined from multiple hardware aspects of said first machine.
  - 14. The apparatus of claim 13 wherein said session key is a function of a product of said central processor unit identification number in said checksum.
  - 15. The apparatus of claim 10 further includingmeans for maintaining with said second machine a list of previously used said session keys;
    - and wherein said apparatus further includesmeans for testing whether said session key is on said list, and, if so, inhibiting said testing of whether said session key matches said one of said plurality of locks, and denying access.
  - 16. The apparatus of claim 10 includingmeans for specifying at said first and second machines a COMPLEXITY number corresponding to a desired level of said masquerade protection;
    - and wherein said pseudo random number generator function is seeded a number of times corresponding to said complexity number.
  - 17. The apparatus of claim 10 further includingmeans for maintaining on said second machine a list of machines on said network which have said masquerade protection and may be granted access to said second machine;
    - wherein said transmitting occurs at a time corresponding to a timestamp generated with said first machine; and
      
      wherein said list includes a network address, and information for generating said time with said second machine.
  - 18. The apparatus of claim 17 further includingmeans for maintaining on said first machine a list of machines on said network to which said first machine will permit said session keys to be sent;
    - andmeans for preventing said transmitting of said session key to said second machine when said second machine is not on said list on said first machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Coleman, David Allen
Primary Examiner(s)
Cain, David C.

Application Number

US08/542,205
Time in Patent Office

852 Days
Field of Search

380/25, 380/23, 380/24, 380/4, 380/49, 380/28
US Class Current

713/155
CPC Class Codes

G06F 21/31   User authentication

H04L 2463/121   Timestamp

H04L 63/08   for authentication of entit...

H04L 63/0846   using time-dependent-passwo...

H04L 63/0876   based on the identity of th...

System and method for providing masquerade protection in a computer network using hardware and timestamp-specific single use keys

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing masquerade protection in a computer network using hardware and timestamp-specific single use keys

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links