Systems, methods and computer program products that use an encrypted session for additional password verification

US 6,064,736 A
Filed: 09/15/1997
Issued: 05/16/2000
Est. Priority Date: 09/15/1997
Status: Expired due to Term

First Claim

Patent Images

1. A password authentication method between a client and a server that communicate over a network, the server storing a plurality of hashed passwords for a corresponding plurality of clients, the method comprising the steps of:

establishing an encrypted session between the client and the server over the network, using a client password and the corresponding hashed password that is stored at the server;

transmitting the client password from the client to the server during the encrypted session;

hashing the received password at the server during the encrypted session;

comparing the hashed received password with the corresponding hashed password for the client that is stored at the server during the encrypted session; and

terminating the encrypted session between the client and the server over the network if the hashed received password and the corresponding hashed password that were compared during the encrypted session do not match.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods and computer program products for two-party key authentication provide additional security against intruders that might gain access to the password database of a server. The client verifies his clear password over an encrypted channel, rather than merely verifying the encrypted password, prior to receiving secure traffic.

Citations

24 Claims

1. A password authentication method between a client and a server that communicate over a network, the server storing a plurality of hashed passwords for a corresponding plurality of clients, the method comprising the steps of:
- establishing an encrypted session between the client and the server over the network, using a client password and the corresponding hashed password that is stored at the server;
  
  transmitting the client password from the client to the server during the encrypted session;
  
  hashing the received password at the server during the encrypted session;
  
  comparing the hashed received password with the corresponding hashed password for the client that is stored at the server during the encrypted session; and
  
  terminating the encrypted session between the client and the server over the network if the hashed received password and the corresponding hashed password that were compared during the encrypted session do not match.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A method according to claim 1 wherein the step of establishing an encrypted session comprises the step of establishing an encrypted session using a KryptoKnight authentication key and distribution system.
  - 3. A method according to claim 1 wherein the step of establishing an encrypted session comprises the steps of:
    - sending a client nonce and client User Id from the client to the server;
      
      creating an encrypted session key at the server, from the corresponding hashed password for the client that is stored at the server;
      
      transmitting the encrypted session key from the server to the client;
      
      decrypting the encrypted session key at the client; and
      
      initiating the encrypted session using the decrypted encrypted session key.
  - 4. A method according to claim 1 wherein the transmitting step is performed at the beginning of the encrypted session.
  - 5. A method according to claim 1:
    - wherein the server stores the plurality of passwords as a hashed password combined with a first salt; and
      
      wherein the comparing step is followed by the steps of;
      
      rehashing the hashed received password with a second salt; and
      
      replacing the stored password and the first salt with the rehashed received password.
  - 6. A method according to claim 5 wherein the step of establishing an encrypted session comprises the steps of:
    - sending a client nonce and client User Id from the client to the server;
      
      creating an encrypted session key at the server, from the corresponding hashed password for the client that is stored at the server;
      
      transmitting the encrypted session key and the first salt from the server to the client;
      
      decrypting the encrypted session key at the client including the first salt; and
      
      initiating the encrypted session using the decrypted encrypted session key.

7. A password authentication method for a client that communicates with a server over a network, the server storing a plurality of hashed passwords for a corresponding plurality of clients, the method comprising the steps of:
- establishing an encrypted session between the client and the server over the network, using a client password and the corresponding hashed password that is stored at the server; and
  
  transmitting the client password from the client to the server during the encrypted session.
- View Dependent Claims (8, 9, 10, 11)
- - 8. A method according to claim 7 wherein the step of establishing an encrypted session comprises the step of establishing an encrypted session using a KryptoKnight authentication key and distribution system.
  - 9. A method according to claim 7 wherein the step of establishing an encrypted session comprises the steps of:
    - sending a client nonce and client User Id from the client to the server;
      
      decrypting an encrypted session key that is received by the client; and
      
      initiating the encrypted session using the decrypted encrypted session key.
  - 10. A method according to claim 7 wherein the transmitting step is performed at the beginning of the encrypted session.
  - 11. A method according to claim 7:
    - wherein the server stores the plurality of passwords as a hashed password and a first salt; and
      
      wherein the comparing step is followed by the steps of;
      
      rehashing the hashed received password with a second salt; and
      
      replacing the stored password combined and first salt with the rehashed received password.

12. A password authentication method for a server that communicates with a client over a network, the server storing a corresponding plurality of hashed passwords for a plurality of clients, the method comprising the steps of:
- establishing an encrypted session between the client and the server over the network, using a client password and the corresponding hashed password that is stored at the server;
  
  hashing a received password that is received at the server during the encrypted session;
  
  comparing the hashed received password with the corresponding hashed password for the client that is stored at the server during the encrypted session; and
  
  terminating the encrypted session between the client and the server over the network if the hashed received password and the corresponding hashed password that were compared during the encrypted session do not match.
- View Dependent Claims (13, 14, 15, 16)
- - 13. A method according to claim 12 wherein the step of establishing an encrypted session comprises the step of establishing an encrypted session using a KryptoKnight authentication key and distribution system.
  - 14. A method according to claim 12 wherein the step of establishing an encrypted session comprises the steps of:
    - receiving a client nonce and client User Id from the client at the server;
      
      creating an encrypted session key at the server, from the corresponding hashed password for the client that is stored at the server; and
      
      transmitting the encrypted session key from the server to the client.
  - 15. A method according to claim 12:
    - wherein the server stores the plurality of passwords as a hashed password and a first salt; and
      
      wherein the comparing step is followed by the steps of;
      
      rehashing the hashed received password with a second salt; and
      
      replacing the stored password and the first salt with the rehashed received password.
  - 16. A method according to claim 15 wherein the step of establishing an encrypted session comprises the steps of:
    - receiving a client nonce and client User Id from the client at the server;
      
      creating an encrypted session key at the server, from the corresponding hashed password for the client that is stored at the server;
      
      transmitting the encrypted session key and the first salt from the server to the client; and
      
      decrypting the encrypted session key at the client including the first salt.

17. A password authentication system for a client and a server that communicate over a network, the server storing a plurality of hashed passwords for a corresponding plurality of clients, the system comprising:
- means for establishing an encrypted session between the client and the server over the network, using a client password and the corresponding hashed password that is stored at the server;
  
  means for transmitting the client password from the client to the server during the encrypted session;
  
  means for hashing the received password at the server during the encrypted session;
  
  means for comparing the hashed received password with the corresponding hashed password for the client that is stored at the server during the encrypted session; and
  
  means for terminating the encrypted session between the client and the server over the network if the hashed received password and the corresponding hashed password that were compared during the encrypted session do not match.
- View Dependent Claims (18, 19)
- - 18. A system according to claim 17 wherein the transmitting means comprises means for transmitting the client password from the client to the server at the beginning of the encrypted session.
  - 19. A system according to claim 17:
    - wherein the server stores the plurality of passwords as a hashed password and a first salt; and
      
      wherein the system further comprises;
      
      means for rehashing the hashed received password with a second salt; and
      
      means for replacing the stored password and the first salt with the rehashed received password.

20. A computer program product for authenticating a password of a client that communicates with a server over a network, the server storing a plurality of hashed passwords for a corresponding plurality of clients, the computer program product comprising a computer-readable storage medium having computer-readable program code embodied in the medium, the computer-readable program code comprising:
- computer-readable program code that establishes an encrypted session between the client and the server over the network, using a client password and the corresponding hashed password that is stored at the server; and
  
  computer-readable program code that transmits the client password from the client to the server during the encrypted session.
- View Dependent Claims (21, 22)
- - 21. A computer program product according to claim 20 wherein the computer-readable program code that establishes an encrypted session comprises a KryptoKnight authentication key and distribution computer program product.
  - 22. A computer program product according to claim 20 wherein the computer-readable program code that transmits comprises computer-readable program code that transmits the client password from the client to the server at the beginning of the encrypted session.

23. A computer program product for authenticating a password at a server that communicates with a client over a network, the server storing a corresponding plurality of hashed passwords for a plurality of clients, the computer program product comprising a computer-readable storage medium having computer-readable program code embodied in the medium, the computer-readable program code comprising:
- computer-readable program code that establishes an encrypted session between the client and the server over the network, using a client password and the corresponding hashed password that is stored at the server;
  
  computer-readable program code that hashes a received password that is received at the server during the encrypted session;
  
  computer-readable program code that compares the hashed received password with the corresponding hashed password for the client that is stored at the server during the encrypted session; and
  
  computer-readable program code that terminates the encrypted session between the client and the server over the network if the hashed received password and the corresponding hashed password that were compared during the encrypted session do not match.
- View Dependent Claims (24)
- - 24. A computer program product according to claim 23:
    - wherein the server stores the plurality of passwords as a hashed password and a first salt; and
      
      wherein the computer program product further comprises;
      
      computer-readable program code that rehashes the hashed received password with a second salt; and
      
      computer-readable program code that replaces the stored password and the first salt with the rehashed received password.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OpenTV, Inc. (Kudelski SA)
Original Assignee
International Business Machines Corporation
Inventors
Davis, Mark Charles, Kuehr-McLaren, David Gerard, Powers, Calvin Stacy
Primary Examiner(s)
Swann, Tod R.
Assistant Examiner(s)
COMBS, JENNIFER

Application Number

US08/929,434
Time in Patent Office

974 Days
Field of Search

380/21, 380/25, 380/30, 380/4, 713/201
US Class Current

713/155
CPC Class Codes

G06F 21/31   User authentication

G06F 2211/007   Encryption, En-/decode, En-...

H04L 63/0428   wherein the data content is...

Systems, methods and computer program products that use an encrypted session for additional password verification

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Systems, methods and computer program products that use an encrypted session for additional password verification

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links