Secure two-piece user authentication in a computer network
First Claim
1. A method for securely authenticating user identity in a computer network including a network server coupled to at least one network node capable of communicating with an external token that includes a cryptographic algorithm and an encryption key, the network node further incorporating a secure memory and an associated secure operating mode independent from the general memory and operating mode of the network node, the method comprising the steps of:
- placing the network node into the secure operating mode, and while in the secure operating mode, performing the steps of:
  - receiving a user password from a user in the network node;
  - communicatively coupling the external token to the network node;
  - providing the user password to the cryptographic algorithm stored in the token;
  - encrypting the user password with the cryptographic algorithm and the encryption key to produce a network password;
  - storing the network password within the secure memory; and
  - exiting the secure operating mode; and
- performing the following steps for network access:
  - encrypting the network password stored in secure memory using a network server public key, creating an encrypted network password;
  - communicating the encrypted network password to the network server;
  - decrypting the encrypted network password in the network server using a network server private key corresponding to the network server public key; and
  - comparing the decrypted network password or portions thereof to information maintained by the network server in order to verify user identity and/or determine network privileges accorded to the network password.
Abstract
A computer system incorporating a two-piece authentication procedure for securely providing user authentication over a network. In the disclosed embodiment of the invention, a user password is entered during a secure power-up procedure. The user password is encrypted by an external token or smart card that stores an encryption algorithm furnished with an encryption key that is unique or of limited production. A network password is thereby created. The network password is maintained in a secure memory space such as System Management Mode (SMM) memory. The network password is then encrypted and communicated over the network. The network password may be encrypted using the server's public key or another key that is known to the server. Optional node identification information is appended to the network password prior to communication over the network. Once received by the server, the encrypted network password is decrypted using the server's private key. A user verification process is then performed on the network password to determine which, if any, access privileges have been accorded the network user.
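The flow the abstract describes, as an added Python model that is not part of the patent: the token's keyed transform of the user password (HMAC-SHA256 standing in for the token's unnamed cipher and key), the node encrypting the resulting network password together with a node identifier under the server public key (a locally generated textbook RSA pair standing in for the server key), and the server decrypting it and comparing against its stored copy. All keys, node identifiers and passwords are constructed for the example.

```python
import hashlib, hmac, random
# Token side: the external token holds a key and a keyed algorithm and turns the
# user password into the network password (HMAC-SHA256 is a stand-in; the patent
# does not name the token's cipher).
def token_transform(token_key: bytes, user_password: str) -> bytes:
    return hmac.new(token_key, user_password.encode(), hashlib.sha256).digest()
# Server key pair: minimal textbook RSA standing in for the network server
# public/private key; a deployment would use a padded scheme (e.g. RSA-OAEP)
# so that repeated logins do not produce identical ciphertexts.
def is_probable_prime(n: int, rounds: int = 16) -> bool:
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random bases (n > 3 assumed)
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True
def gen_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if is_probable_prime(cand):
            return cand
def rsa_keypair(bits: int = 512):
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        n, e, phi = p * q, 65537, (p - 1) * (q - 1)
        if p != q and phi % e:  # e must be invertible modulo phi
            return (n, e), (n, pow(e, -1, phi))
# Node side: encrypt the network password (held in secure memory in the patent)
# under the server public key, with the node id prepended as identification.
def node_encrypt(network_password: bytes, node_id: bytes, pub) -> int:
    n, e = pub
    msg = b"\x01" + node_id + b"|" + network_password  # 0x01 marks the start
    return pow(int.from_bytes(msg, "big"), e, n)
# Server side: decrypt with the private key, look up the node's stored network
# password and compare in constant time.
def server_verify(ciphertext: int, priv, registry: dict) -> bool:
    n, d = priv
    plain = pow(ciphertext, d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    node_id, _, network_password = plain.lstrip(b"\x00")[1:].partition(b"|")
    expected = registry.get(node_id)
    return expected is not None and hmac.compare_digest(expected, network_password)
```

A wrong user password, a different token key or an unregistered node identifier each fail verification, which is the two-piece property: the server's stored value matches only the password and token combination it was enrolled with.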
20 Claims
13. A computer system capable of securely providing two-piece user authentication data over a computer network, the computer system including capabilities for operating in conjunction with an external token containing a cryptographic algorithm and an encryption key, the computer system comprising:
- a system bus;
- a secure memory coupled to said system bus, said secure memory independent from a general memory of the computer system;
- a processor coupled to said system bus, said processor having a secure operating mode associated with said secure memory and independent from a general operating mode of said processor;
- token interface circuitry coupled to said processor for communicating with the external token;
- network interface circuitry allowing said processor to direct communications to a network server; and
- security code stored in a processor readable medium, said security code and said processor readable medium configured for access and execution during the secure operating mode, said security code when executed by said processor causing the processor to perform the steps of:
  - receiving a user password;
  - providing the user password to the external token;
  - receiving a network password from the external token, wherein the network password is an encrypted version of the user password;
  - storing the network password within said secure memory;
  - encrypting the network password stored in said secure memory using a network server public key, creating an encrypted network password; and
  - communicating the encrypted network password to the network server via said network interface circuitry to allow the computer user to access secured network resources.
20. A system capable of securely providing two-piece user authentication data over a computer network, the system including capabilities for operating in conjunction with an external token containing a cryptographic algorithm and an encryption key, the system comprising:
- a computer system including:
  - a system bus;
  - a secure memory coupled to said system bus, said secure memory independent from a general memory of the computer system;
  - a processor coupled to said system bus, said processor having a secure operating mode associated with said secure memory and independent from a general operating mode of said processor;
  - token interface circuitry coupled to said processor for communicating with the external token;
  - network interface circuitry coupling said processor to the computer network; and
  - a security code stored in a processor readable medium, said security code and said processor readable medium configured for access and execution during the secure operating mode, said security code when executed by said processor causing the processor to perform the steps of:
    - receiving a user password;
    - providing the user password to the external token;
    - receiving a network password from the external token, wherein the network password is an encrypted version of the user password;
    - storing the network password within said secure memory;
    - encrypting the network password stored in said secure memory using a public key, creating an encrypted network password; and
    - communicating the encrypted network password to the computer network via said network interface circuitry; and
- a network resource comprising:
  - an interface coupled to the computer network suitable for communicating with said computer system and receiving the encrypted network password; and
  - executable code in readable media, the code, when executed, performing the steps of:
    - decrypting the encrypted network password using a private key corresponding to the public key; and
    - comparing the decrypted network password or portions thereof to information maintained by the network server to verify user identity and/or determine network privileges accorded to the network password.