Network computer system with remote user data encipher methodology

US 6,061,790 A
Filed: 02/24/1997
Issued: 05/09/2000
Est. Priority Date: 11/20/1996
Status: Expired due to Term

First Claim

Patent Images

1. In a system having computing devices comprising at least a client connected to a server through a communication network, a method for establishing a secured communication session between the client and the server for enciphering data, the method comprising:

receiving input at the client comprising user information, said input being received a point in time when it is desired to establish said secured communication session, said user information including a user identifier which uniquely identifies a particular user to the system and including a user password;

transmitting a request from the client to the server for establishing a secured communication session between the client and the server, said request including said user identifier;

retrieving at the server, based on said user identifier transmitted to the server, previously-stored user authentication information for authenticating the particular user;

computing at the server a first public sub-key, said first public sub-key being based at least in part on said previously-stored user authentication information;

transmitting said first public sub-key to said client;

computing at the client a second public sub-key, said second public sub-key being based at least in part on said user password and said computed first public sub-key;

computing at the client a secret session key, based at least in part on said computed second public sub-key; and

enciphering data with said computed secret session key.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer-implemented methodology is described which allows any user to access a "network client" machine (e.g., PC, ATM machine, cell phone, or the like) which is connected to a network but which does not know the authentication of the user. With only the user'"'"'s password, the client machine is able to initiate a communication session with a server and identify the user to the server as the person who the server truly expects. The method allows both the client and the server to each identify the other as authentic (not a middle man or imposter)--that is, without compromise in security along the communication link. In this manner, the user can access information from the true server in a secure manner and bring that information down to the local client, for instance, for use in a JAVA application.

Citations

40 Claims

1. In a system having computing devices comprising at least a client connected to a server through a communication network, a method for establishing a secured communication session between the client and the server for enciphering data, the method comprising:
- receiving input at the client comprising user information, said input being received a point in time when it is desired to establish said secured communication session, said user information including a user identifier which uniquely identifies a particular user to the system and including a user password;
  
  transmitting a request from the client to the server for establishing a secured communication session between the client and the server, said request including said user identifier;
  
  retrieving at the server, based on said user identifier transmitted to the server, previously-stored user authentication information for authenticating the particular user;
  
  computing at the server a first public sub-key, said first public sub-key being based at least in part on said previously-stored user authentication information;
  
  transmitting said first public sub-key to said client;
  
  computing at the client a second public sub-key, said second public sub-key being based at least in part on said user password and said computed first public sub-key;
  
  computing at the client a secret session key, based at least in part on said computed second public sub-key; and
  
  enciphering data with said computed secret session key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 2. The method of claim 1, wherein said user identifier comprises a user name.
  - 3. The method of claim 1, wherein said computing at the server a first public sub-key includes computing a prime modulus.
  - 4. The method of claim 1, wherein said computing at the server a first public sub-key includes computing a random exponent.
  - 5. The method of claim 1, wherein said computing at the server a first public sub-key includes computing a server component k by:
    - space="preserve" listing-type="equation">k=(g.sup.e mod m)⊕
      
      h.sub.1
      where m represents a prime modulus, e represents a random exponent, g represents a generator value, and h₁ represents said user authentication information.
  - 6. The method of claim 1, wherein said computing at the client a second public sub-key includes computing a random exponent.
  - 7. The method of claim 1, wherein said computing at the server a first public sub-key includes computing a prime modulus and wherein said computing at the client a second public sub-key includes computing said second public sub-key based at least in part on said prime modulus.
  - 8. The method of claim 1, wherein said computing at the client a second public sub-key includes:
    - computing a hash value based at least in part on said user password; and
      
      computing said second public sub-key based at least in part on said hash value.
  - 9. The method of claim 1, wherein said computing at the client a second public sub-key includes computing a client component k'"'"' by:
    - space="preserve" listing-type="equation">k'"'"'=(g.sup.e'"'"' mod m)⊕
      
      h.sub.1
      where m represents a computed prime modulus, e'"'"' represents a computed random exponent, g represents a generator value, and h₁ represents a computed hash value based at least in part on said user password.
  - 10. The method of claim 9, wherein said prime modulus is transmitted from the server to the client prior to the client'"'"'s determination of said client public sub-key.
  - 11. The method of claim 9, wherein said generator value is previously stored at both the client and the server.
  - 12. The method of claim 9, wherein said generator value is exchanged between the client and the server.
  - 13. The method of claim 1, wherein said computing at the client a secret session key includes computing a secret session key K by:
    - space="preserve" listing-type="equation">K=(k⊕
      
      h.sub.1).sup.e'"'"' modm
      where k represents said second public sub-key, h₁ represents a computed hash value based at least in part on said user password, e'"'"' represents a computed random exponent, and m represents a computed prime modulus.
  - 14. The method of claim 1, wherein said secret session key comprises a secret session key which is only valid during the current session.
  - 15. The method of claim 1, further comprising:
    - computing a hash value based at least in part on said user password,transmitting the hash value from the client to the server; and
      
      at the server, authenticating the client by comparing the hash value transmitted from the client with the previously-stored user authentication information.
  - 16. The method of claim 15, wherein said transmitting the hash value from the client to the server step includes:
    - enciphering the hash value before transmitting it from the client to the server.
  - 17. The method of claim 15, further comprising:
    - after authenticating the client, transmitting a session identifier from the server to the client, said session identifier being valid only during the current session.
  - 18. The method of claim 17, wherein said transmitting a session identifier step includes:
    - enciphering said session identifier before transmitting it from the server to the client.
  - 19. The method of claim 1, further comprising:
    - transmitting said second public sub-key from the client to the server; and
      
      computing at the server said secret session key, based at least in part on said transmitted second public sub-key.
  - 20. The method of claim 1, further comprising:
    - computing a hash value based at least in part on said user password and which corresponds to second user authentication information stored at the server, said second user authentication information for authenticating the particular user;
      
      transmitting said second user authentication information from the server to the client; and
      
      at the client, authenticating the server by comparing the second user authentication information transmitted from the server with the computed hash value.
  - 21. The method of claim 20, wherein said transmitting said second user authentication information from the server to the client step includes:
    - enciphering said second user authentication information before transmitting it from the server to the client.
  - 22. The method of claim 1, further comprising:
    - computing at the server said secret session key, based at least in part on said computed second public sub-key; and
      
      enciphering data at the server with said computed secret session key and thereafter transmitting the enciphered data to the client.
  - 23. The method of claim 22, wherein data of the particular user which is stored at the server is previously enciphered using said user password, such that any data of the particular user is twice enciphered before being transmitted from the server to the client.
  - 24. The method of claim 23, further comprising:
    - deciphering enciphered data of the particular user upon transmission from the server to the client by deciphering the transmitted data first with said secret session key and thereafter deciphering the once-deciphered transmitted data with said user password.
  - 25. The method of claim 1, further comprising:
    - receiving input at the client further comprising information from a user key-card for authenticating the particular user.
  - 26. The method of claim 25, wherein said user key-card stores a private key of a private key/public key pair, said public key being stored at the server.
  - 27. The method of claim 26, further comprising:
    - computing a hash value based at least in part on said user password;
      
      enciphering said hash value with said private key stored by said key-card;
      
      transmitting the enciphered hash value from the client to the server; and
      
      authenticating the client to the server by;
      
      deciphering the enciphered hash value at the server, andcomparing the deciphered hash value from the client with the previously-stored user authentication information.
  - 28. The method of claim 26, wherein said key-card is employed for authenticating users without using it for enciphering or deciphering any user data stored at the server.
  - 29. The method of claim 1, further comprising:
    - computing at the server said secret session key, based at least in part on said computed second public sub-key;
      
      retrieving an e-mail private key for the particular user stored at the server; and
      
      transmitting to the client an enciphered copy of said e-mail private key for the particular user.
  - 30. The method of claim 29, further comprising:
    - transmitting an enciphered copy of an e-mail public key ring for the particular user.

31. A secured client/server system comprising:
- a client connected to a server through a communication network;
  
  an input means at the client for receiving user information at a point in time when it is desired to establish a secured communication session between said client and said server, said user information including a user identifier which uniquely identifies a particular user to the system and including a user password;
  
  means for computing at the server and at the client respective public sub-keys, based at least in part on a hash value derived from said user password;
  
  means for exchanging said respective public sub-keys;
  
  means for computing at the server and at the client a shared secret session key that is generated at least in part from said respective public sub-keys; and
  
  means for enciphering and deciphering data with said secret session key.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 32. The system of claim 31, wherein said means for computing at the server and at the client respective public sub-keys includes:
    - means for transmitting a request from the client to the server for establishing a secured communication session between the client and the server, said request including said user identifier;
      
      means for retrieving at the server, based on said user identifier transmitted to the server, previously-stored user authentication information for authenticating the particular user;
      
      means for computing at the server a first public sub-key, based at least in part on said previously-stored user authentication information;
      
      means for transmitting said first public sub-key to said client;
      
      means for computing at the client a second public sub-key, based at least in part on said user password and said computed first public sub-key;
      
      means for transmitting said second public sub-key from the client to the server; and
      
      means for computing at the client a secret session key, based at least in part on said computed second public sub-key; and
      
      means for computing at the server said secret session key, based at least in part on said computed second public sub-key.
  - 33. The system of claim 31, further comprising:
    - means for authenticating the client to the server.
  - 34. The system of claim 31, further comprising:
    - means for authenticating the server to the client.
  - 35. The system of claim 31, wherein said means for enciphering and deciphering data employs a selected one of IDEA, Blowfish, and DES block cipher.
  - 36. The system of claim 31, wherein said previously-stored user authentication information comprises a one-way hash of said user password.
  - 37. The system of claim 36, wherein said one-way hash employs a selected one of an MD4 one-way hash and an MD5 one-way hash.
  - 38. The system of claim 31, wherein said password includes a pass phrase comprising one or more words.
  - 39. The system of claim 31, further comprising:
    - second input means at the client for receiving a user key-card for authenticating a particular user to the system.
  - 40. The system of claim 39, wherein said user key-card stores a private key of a separate private key/public key pair, with the public key of said separate private key/public key pair being stored at the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellisync Corporation (Nokia Corporation)
Original Assignee
Starfish Software, Inc. (Nokia Corporation)
Inventors
Bodnar, Eric O.
Primary Examiner(s)
Laufer, Pinchus M.

Application Number

US08/805,990
Time in Patent Office

1,170 Days
Field of Search

380/21, 380/30, 380/23, 380/44, 380/49, 380/32, 380/28
US Class Current

713/171
CPC Class Codes

G06F 21/445   by mutual authentication, e...

G06F 21/606   by securing the transmissio...

H04L 51/00   User-to-user messaging in p...

H04L 63/083   using passwords cryptograph...

H04L 63/0869   for achieving mutual authen...

H04L 63/168   above the transport layer

H04L 9/0844   with user authentication or...

H04L 9/3271   using challenge-response

Network computer system with remote user data encipher methodology

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Network computer system with remote user data encipher methodology

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links