Security method and system for persistent storage and communications on computer network systems and computer network systems employing the same

US 6,088,799 A
Filed: 12/11/1997
Issued: 07/11/2000
Est. Priority Date: 12/11/1997
Status: Expired due to Fees

First Claim

Patent Images

1. A login method to enhance security in a network computer system having at least one server computer coupled over a communication network to a plurality of client computers, wherein each client computer is coupled to directly access a persistent storage device and wherein each client computer is operated by a control program after login, the method comprising the steps of:

receiving a login ID and password from a user at a first one of said client computers;

encrypting the login ID and password with a first asymmetric key stored in the persistent storage coupled to the first client computer;

transmitting a login request including the encrypted login ID and password to a first one of said server computers;

decrypting the encrypted portions of the login request with a second asymmetric key at the server computer;

authenticating the first client computer to the first server computer, using the login ID and password from the decrypted login request;

transmitting, upon authentication of the first client computer, a set of symmetric keys from the first server computer to the first client computer, including;

one symmetric key for encrypting and decrypting persistent information associated with the control program for operating the first client computer;

another symmetric key for encrypting and decrypting persistent information associated with the login ID; and

yet another symmetric key for encrypting and decrypting communications between the first client computer and the first server computer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A process is described in which a user enters ID and password information at a network client computer terminal. This information is combined with an asymmetric key stored in a persistent storage directly accessible to the client'"'"'s computer terminal. This "combined" information is communicated through a communication network to one or more server computers for authentication of the client. A similar identification and authentication process may be used to authenticate the server computer. Upon authentication of the client, the server provides the client computer with three symmetric keys, in encrypted format. The first key is for encrypting and decrypting persistent information associated with the client computer'"'"'s control program. The second key is used to encrypt and decrypt persistent information associated with the login ID. The third key is used to encrypt and decrypt communication between the client computer and the server computer.

Citations

18 Claims

1. A login method to enhance security in a network computer system having at least one server computer coupled over a communication network to a plurality of client computers, wherein each client computer is coupled to directly access a persistent storage device and wherein each client computer is operated by a control program after login, the method comprising the steps of:
- receiving a login ID and password from a user at a first one of said client computers;
  
  encrypting the login ID and password with a first asymmetric key stored in the persistent storage coupled to the first client computer;
  
  transmitting a login request including the encrypted login ID and password to a first one of said server computers;
  
  decrypting the encrypted portions of the login request with a second asymmetric key at the server computer;
  
  authenticating the first client computer to the first server computer, using the login ID and password from the decrypted login request;
  
  transmitting, upon authentication of the first client computer, a set of symmetric keys from the first server computer to the first client computer, including;
  
  one symmetric key for encrypting and decrypting persistent information associated with the control program for operating the first client computer;
  
  another symmetric key for encrypting and decrypting persistent information associated with the login ID; and
  
  yet another symmetric key for encrypting and decrypting communications between the first client computer and the first server computer.

2. A method to enhance security in a network computer system having at least one server computer coupled over a communication network to at least one client computer, wherein each client computer is coupled to directly access a persistent storage device and wherein each client computer is operated by a control program after login, the method comprising the steps of:
- receiving a login ID and password from a user at a first one of said client computers;
  
  encrypting the login ID and password using a first asymmetric key stored in the persistent storage coupled to the first client computer;
  
  forming a login request including the encrypted login ID and password;
  
  transmitting the login request to a first one of said server computers;
  
  decrypting the encrypted portions of the login request with a second asymmetric key at the server computer;
  
  authenticating the first client computer to the first server computer, using the login ID and password from the decrypted login request;
  
  transmitting, upon authentication of the first client computer at least three symmetric keys from the first server computer to the first client computer;
  
  encrypting and decrypting persistent information associated with the control program for operating the first client computer, using one of the at least three symmetric keys transmitted by the server computer;
  
  encrypting and decrypting persistent information associated with the login ID using another one of the at least three symmetric keys transmitted by the server computer; and
  
  encrypting and decrypting further communications between the client computer and the server computer using yet another one of the at least three symmetric keys transmitted by the server computer.
- View Dependent Claims (3, 4, 5, 6, 7, 8)
- - 3. A method as recited in claim 2, wherein the step of encrypting the login ID and password using a first asymmetric key stored in the persistent storage, comprises the steps of:
    - retrieving a first asymmetric key K1 from the persistent storage device coupled to the first remote computer; and
      
      encrypting the login ID and password using the K1 key and a first asymmetric key encryption operator to provide;
      
      (A+K1);
      
      wherein `+` represents the first asymmetric key encryption operator and `A` represents the information constituting the login ID and password.
  - 4. A method as recited in claim 3, wherein the step of decrypting the encrypted portions of the login request at the server comprises the steps of:
    - retrieving a second asymmetric key K2 from a secure storage accessible to the server; and
      
      applying the K2 key and a second asymmetric key encryption operator to the encrypted portions of the login request, wherein `*` represents the second asymmetric key encryption operator; and
      
      wherein (A+K1)*K2=A=(A+K2)*K1.
  - 5. A method as recited in claim 4, wherein the step of forming a login request further comprises combining an unencrypted ID code specific to the first client computer with the encrypted portions of the login request, and wherein said step of retrieving a second asymmetric key K2 comprises the steps of:
    - extracting the unencrypted remote computer ID code from the received login request;
      
      searching a security database for a record corresponding to the extracted ID code, wherein said record contains the second asymmetric key K2 associated with the ID code; and
      
      retrieving key K2 from the security database, upon locating a record corresponding to the extracted ID code in the security database.
  - 6. A method as recited in claim 4, wherein said step of authenticating the first client computer to the first server computer, comprises the steps ofsearching a security database for a record corresponding to the login ID, wherein said record contains a second symmetric key K3 and a password corresponding to the login ID;
    - comparing the password from the security database record with the password of the login request;
      
      rejecting the login request upon an insufficient correspondence between the compared passwords;
      
      allocating a third symmetric key K5 for further communications with the first remote computer upon a sufficient correspondence between the compared passwords;
      
      constructing a login response comprising second, third and fourth symmetric keys K3, K4 and K5encrypting the login response; and
      
      transmitting the encrypted login response to the first remote computer.
  - 7. A method as recited in claim 6, wherein said step of encrypting the login response comprises the steps of first, encrypting the login response using the password and a symmetric key encryption operator and then encrypting the resulting encryption using the second asymmetric key K2 and the first asymmetric encryption key operator.
  - 8. A method as recited in claim 2, wherein said step of authenticating the first remote computer to the first server computer, comprises the steps of:
    - searching a security database for a record corresponding to the login ID, wherein said record contains a symmetric key and a password corresponding to the login ID;
      
      comparing the password from the security database record with the password of the login request;
      
      rejecting the login request upon an insufficient correspondence between the compared passwords;
      
      allocating a symmetric key K5 for further communications with the first remote computer upon a sufficient correspondence between the compared passwords;
      
      constructing a login response comprising three symmetric keys, including the symmetric key in the security database record corresponding to the login ID and two other symmetric keys;
      
      encrypting the login response using the password and a symmetric encryption key operator and then encrypting the resulting encryption using an asymmetric key and a first asymmetric key encryption operator; and
      
      transmitting the encrypted login response to the first client computer.

9. A computer network system having enhanced security, comprising:
- a communications network;
  
  at least one server computer coupled for communication over the communication network;
  
  a plurality of client computers, each coupled for communication over the communication network and each operated by a control program after login;
  
  a persistent storage device associated with each client computer, for storing persistent information directly accessible by the associated client computer;
  
  an input device associated with each client computer for receiving a login ID and password from a user;
  
  means associated with each client computer, for encrypting the login ID and password received by the input device, with a first asymmetric key stored in the associated persistent storage;
  
  means associated with each client computer for constructing and transmitting a login request including the encrypted login ID and password, over the communications network, to at least one of said server computers;
  
  means associated with said at least one server computer, for receiving said login request and decrypting the encrypted portions of the login request with a second asymmetric key;
  
  means associated with said at least one server computer for authenticating the first client computer, using the login ID and password from the decrypted portions of the login request;
  
  means associated with said at least one server, for transmitting, upon authentication of the first client computer, a set of symmetric keys to the first client computer, including;
  
  at least one symmetric key for encrypting and decrypting persistent information associated with the control program for operating the first client computer;
  
  at least one other symmetric key for encrypting and decrypting persistent information associated with the login ID; and
  
  at least one further symmetric key for encrypting and decrypting communications between the first client computer and the first server computer.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. A system as recited in claim 9, further comprising means associated with the first client computer for encrypting and decrypting persistent information associated with the control program for operating the first client computer, using at least one of the symmetric keys transmitted by said server computer.
  - 11. A system as recited in claim 9, further comprising means associated with the first client computer for encrypting and decrypting persistent information associated with the login ID using at least one of said other symmetric keys transmitted by said server computer.
  - 12. A system as recited in claim 9, further comprising means associated with the first client computer and said server computer for encrypting and decrypting further communications between the client computer and the server computer using at least one of said further symmetric keys transmitted by the server computer.
  - 13. A system as recited in claim 9, wherein said means for encrypting the login ID and password, comprises:
    - means for retrieving a first asymmetric key K1 from the persistent storage device associated with the first client computer; and
      
      means for encrypting the login ID and password using the first asymmetric key K1 and a first asymmetric key encryption operator to provide (A+K1);
      
      wherein `+` represents the first asymmetric key encryption operator and wherein A represents the information constituting the login ID and password.
  - 14. A system as recited in claim 13, wherein:
    - said at least one server is operable with a secure storage, for retrieving records from the secure storage;
      
      said means for decrypting the encrypted portions of the login request comprise means for retrieving a second asymmetric key from the secure storage and applying the second asymmetric key and a second asymmetric key encryption operator to the encrypted portions of the login request, such that;
      
      (A+K1)*K2=A=(A+K2)*K1; and
      
      K2 represents the second asymmetric key and `*` represents the second asymmetric key encryption operator.
  - 15. A method as recited in claim 14, wherein said means for authenticating the first client computer to said server computer, comprise:
    - means associated with said server computer for searching said secure storage for a record corresponding to the login ID, wherein said record contains a second symmetric key K3 and a password corresponding to the login ID;
      
      means for comparing the password from the security database record with the password of the login request and for rejecting the login request upon an insufficient correspondence between the compared passwords;
      
      means for constructing a login response comprising at least three symmetric keys K3, K4 and K5 upon a sufficient correspondence between the compared passwords; and
      
      means for encrypting the login response and providing the encrypted login response to said means for transmitting.
  - 16. A method as recited in claim 15, wherein said means for encrypting the login response comprises means for first encrypting the login response using the password and a symmetric key encryption operator, and then encrypting the resulting encryption using the second asymmetric key encryption operator K2 key and the second asymmetric key encryption operator `+`.
  - 17. A system as recited in claim 9, wherein said means for constructing a login request comprises comprise means for combining an unencrypted ID code specific to the first client computer with the encrypted portions of the login request, and wherein said means for retrieving a second asymmetric key comprises:
    - means for extracting the unencrypted remote computer ID code from the received login request;
      
      means for searching a security database for a record corresponding to the extracted ID code, wherein said record contains the second asymmetric key associated with the ID code; and
      
      means for retrieving the second asymmetric key from the security database, upon locating a record corresponding to the extracted ID code in the security database.

18. An article of manufacture comprising a computer program carrier readable by a first client computer coupled to a computer network system having a plurality of client computers and at least one server computer, the computer program carrier embodying one or more instructions executable by the first remote computer to perform method steps of:
- receiving a login ID and password from a user at a first one of said client computers;
  
  encrypting the login ID and password using an asymmetric key stored in the persistent storage coupled to the first client computer;
  
  forming a login request including the encrypted login ID and password;
  
  transmitting the login request to a first one of said server computers;
  
  decrypting the encrypted portions of the login request with a first asymmetric key at the server computer;
  
  authenticating the first client computer to the first server computer, using the login ID and password from the decrypted login request;
  
  transmitting, upon authentication of the first client computer a set of symmetric keys from the first server computer to the first client computer;
  
  encrypting and decrypting persistent information associated with the control program for operating the first remote computer, using at least one of the symmetric keys transmitted by the server computer;
  
  encrypting and decrypting persistent information associated with the login ID using another one of the symmetric key transmitted by the server computer; and
  
  encrypting and decrypting further communications between the client computer and the server computer using at least one further symmetric key transmitted by the server computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Russell, Lance W., Morgan, Stephen P.
Primary Examiner(s)
Laufer, Pinchus M.
Assistant Examiner(s)
Leaning, Jeffrey S.

Application Number

US08/988,880
Time in Patent Office

943 Days
Field of Search

713/201, 713/202, 713/182, 713/185, 713/155, 380/279
US Class Current

713/182
CPC Class Codes

G06F 21/31 User authentication

Security method and system for persistent storage and communications on computer network systems and computer network systems employing the same

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Security method and system for persistent storage and communications on computer network systems and computer network systems employing the same

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links