Re-initialization of an iterated hash function secure password system over an insecure network connection

US 5,751,812 A
Filed: 08/27/1996
Issued: 05/12/1998
Est. Priority Date: 08/27/1996
Status: Expired due to Term

First Claim

Patent Images

1. A method of communicating over a transmission medium using an iterated hash function, the method comprising the steps of:

determining that a first series of communications based on a first password has reached a predetermined minimum number of remaining hash function iterations;

generating an initialization signal relating the first series of communications based on the first password to a second series of communications to be based on a second password, wherein the initialization signal is generated as a function of the results of applying a first number of hash function iterations to the first password and a second number of hash function iterations to the second password; and

transmitting the initialization signal over the medium prior to commencing the second series of communications.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus are disclosed for re-initializing a secure password series based on an iterated hash function. User login information is communicated over an insecure network connection or other transmission medium between a client and a server. The server provides an indication that a first login series based on a first password has reached a predetermined minimum number of remaining hash function iterations. This indication could also be generated by the client. In either case, the client responds to the indication by generating an initialization signal which relates the first login series based on the first password to a second login series based on a second password. The initialization signal may be generated as the exclusive-or of the results of applying a first number of hash function iterations to the first password and a second number of hash function iterations to the second password. The client transmits the initialization signal to the server, which stores it along with an encrypted password transmitted in a previous valid first series login by the same user. The server then compares a function of the stored initialization signal and an initial second series login to the previously-stored first series login to determine if the initial second series login is valid. The second password may be generated by the client using a pass phrase portion of the first password and a new seed portion which does not require additional user input. The password re-initialization process can thus be performed automatically without any need to notify the user.

Citations

24 Claims

1. A method of communicating over a transmission medium using an iterated hash function, the method comprising the steps of:
- determining that a first series of communications based on a first password has reached a predetermined minimum number of remaining hash function iterations;
  
  generating an initialization signal relating the first series of communications based on the first password to a second series of communications to be based on a second password, wherein the initialization signal is generated as a function of the results of applying a first number of hash function iterations to the first password and a second number of hash function iterations to the second password; and
  
  transmitting the initialization signal over the medium prior to commencing the second series of communications.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the first and second series of communications further include first and second series of logins, respectively, wherein each login in the series is initiated by the user corresponding to the first and second passwords and involves information communicated between a given client and a server over the medium.
  - 3. The method of claim 2 wherein the information transmitted between the given client and the server over the medium further includes:
    - a login request transmitted by the client to the server;
      
      a designated number of hash function iterations transmitted from the server to the client;
      
      an encrypted password, transmitted from the client to the server, and generated by the client applying the designated number of hash function iterations to the corresponding password; and
      
      an indication as to whether or not the login is valid, transmitted from the server to the client, and generated by the server applying at least one hash function iteration to the encrypted password and comparing the result to a previously stored encrypted password transmitted to the server in a previous valid login by the user.
  - 4. The method of claim 1 wherein the step of determining that a first series of communications based on a first password has reached a predetermined minimum number of remaining iterations further includes the step of a client receiving the indication from a server in response to a login request of a given user transmitted from the client to the server.
  - 5. The method of claim 1 wherein the step of generating an initialization signal further includes the step of generating the second password to include first and second portions, wherein one of the first and second portions is the same as a corresponding portion of the first password.
  - 6. The method of claim 1 wherein the step of generating an initialization signal relating the first series of communications based on the first password to the second series of communications based on the second password further includes the step of generating the initialization signal as the exclusive-or of (i) the result of applying the first number of hash function iterations to the first password, and (ii) the result of applying the second number of hash function iterations to the second password.
  - 7. The method of claim 1 wherein the step of generating an initialization signal relating the first series of communications based on the first password to the second series of communications based on the second password further includes the step of generating the second password by combining a portion of the first password with a new seed portion without input from the corresponding user.
  - 8. The method of claim 1 wherein the step of generating an initialization signal relating the first series of communications based on the first password to the second series of communications based on the second password further includes the step of requesting a user to enter at least a portion of the second password.
  - 9. The method of claim 1 further including the step of transmitting another communication in the first series of communications based on the first password, after transmission of the initialization signal but prior to commencement of the second series of communications, if the transmission of the initialization signal results in a server denying access to the corresponding user.

10. An apparatus for communicating over a transmission medium using an iterated hash function, the apparatus comprising:
- a processor coupled to the transmission medium to receive therefrom an initialization signal relating a first series of communications based on a first password to a second series of communications to be based on a second password, wherein the initialization signal is generated as a function of the results of applying a first number of hash function iterations to the first password and a second number of hash function iterations to the second password; and
  
  a memory coupled to the processor and storing at least a portion of one of the first series of communications, wherein the processor is further operative to subsequently determine if one of the second series of communications is a valid communication by comparing a function of the initialization signal to the stored portion of one of the first series of communications.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The apparatus of claim 10 wherein the processor is further operative to provide an indication that a first series of communications based on a first password has reached a predetermined minimum number of remaining hash function iterations, and wherein the indication is supplied over the transmission medium to a client which generates the initialization signal in response to the indication.
  - 12. The apparatus of claim 11 wherein the indication that a first series of communications based on a first password has reached a predetermined minimum number of hash function iterations is provided in response to a login request of a given user supplied over the medium from a client to a server.
  - 13. The apparatus of claim 10 wherein the processor and memory are part of a server which receives the first series of communications from one or more clients over the transmission medium.
  - 14. The apparatus of claim 13 wherein the first and second series of communications further include first and second series of logins, respectively, wherein each login in the series is initiated by a user corresponding to the first and second passwords and involves information communicated between a given client and the server over the transmission medium.
  - 15. The apparatus of claim 14 wherein the information transmitted between the given client and the server over the medium further includes:
    - a login request transmitted by the client to the server;
      
      a designated number of hash function iterations transmitted from the server to the client;
      
      an encrypted password, transmitted from the client to the server, and generated by the client applying the designated number of hash function iterations to the corresponding password; and
      
      an indication as to whether or not the login is valid, transmitted from the server to the client, and generated by the server applying at least one hash function iteration to the encrypted password and comparing the result to a previously stored encrypted password transmitted to the server in a previous valid login by the user.

16. An apparatus for communicating over a transmission medium using an iterated hash function, comprising:
- a processor operative to receive an indication that a first series of communications based on a first password has reached a predetermined minimum number of remaining hash function iterations, to generate in response to the indication an initialization signal relating the first series of communications based on the first password to a second series of communications to be based on a second password, wherein the initialization signal is generated as a function of the results of applying a first number of hash function iterations to the first password and a second number of hash function iterations to the second password, and to transmit the initialization signal over the medium prior to commencing the second series of communications.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24)
- - 17. The apparatus of claim 16 wherein the processor is part of a client which receives the indication from a server over the transmission medium.
  - 18. The apparatus of claim 16 wherein the processor is part of a client which generates the indication.
  - 19. The apparatus of claim 16 wherein the first and second series of communications further include first and second series of logins, respectively, wherein each login in the series is initiated by a user corresponding to the first and second passwords and involves information communicated between a given client and the server over the transmission medium.
  - 20. The apparatus of claim 16 wherein the processor is further operative to generate the second password to include first and second portions, wherein one of the first and second portions is the same as a corresponding portion of the first password.
  - 21. The apparatus of claim 16 wherein the processor is further operative to generate the initialization signal as the exclusive-or of (i) the result of applying the first number of hash function iterations to the first password, and (ii) the result of applying the second number of hash function iterations to the second password.
  - 22. The apparatus of claim 16 wherein the processor is further operative to generate the second password by combining a portion of the first password with a new seed portion without input from the corresponding user.
  - 23. The apparatus of claim 16 wherein processor is further operative to generate the second password by requesting a user to enter at least a portion of the second password.
  - 24. The apparatus of claim 16 wherein the processor is further operative to transmit another communication in the first series of communications based on the first password, after transmission of the initialization signal but prior to commencement of the second series of communications, if the transmission of the initialization signal results in a server denying access to the corresponding user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nytell Software LLC (Intellectual Ventures LLC)
Original Assignee
Bell Communications Research, Inc. (Telefonaktiebolaget LM Ericsson)
Inventors
Anderson, Milton M.
Primary Examiner(s)
Cain, David C.

Application Number

US08/702,916
Time in Patent Office

623 Days
Field of Search

380/28, 380/21, 380/25, 380/48
US Class Current

713/155
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2103   Challenge-response

G07F 7/1016   Devices or methods for secu...

H04L 9/3226   using a predetermined code,...

H04L 9/3236   using cryptographic hash fu...

H04L 9/50   using hash chains, e.g. blo...

Re-initialization of an iterated hash function secure password system over an insecure network connection

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Re-initialization of an iterated hash function secure password system over an insecure network connection

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links