Authentication system using authentication information valid one-time

US 6,148,404 A
Filed: 05/27/1998
Issued: 11/14/2000
Est. Priority Date: 05/28/1997
Status: Expired due to Term

First Claim

Patent Images

1. An authentication method for authenticating an authentication requester by using a public-key enciphering scheme in response to an authentication request sent by the authentication requester, comprising:

a storing step of storing first inspection data into an authenticator'"'"'s memory in advance for inspecting authentication data of the authentication requester;

an authentication request sending step of sending an authentication request from the authentication requester to the authenticator;

an authentication-data requesting step of sending an authentication-data request from the authenticator to the authentication requester in response to the authentication request sent by the authentication requester;

an authentication-data sending step of sending from the authentication requester to the authenticator, in response to the authentication-data request, first authentication information which is generated by enciphering first seed data held by the authentication requester with utilizing a secret key of the authentication requester, and storing the generated first authentication data as second seed data for a next authentication request in place of the stored first seed data;

a comparing step of deciphering the first authentication data, sent by the authentication requester, by utilizing a public key of the authentication requester, generating second inspection data, and comparing the second inspection data with the first inspection data stored in advance; and

an updating step of notifying the authentication requester of grant of the authentication request in a case where the second inspection data coincides with the first inspection data, and storing the first authentication data in place of the first inspection data in the memory.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication method adopting simple steps, in which it is difficult for a third person, who steals authentication data, to reuse (to replay, for attacking purpose) the stolen authentication data. First inspection data (value=D_n-1), used for inspecting client'"'"'s authentication data, is stored in a server in advance, while the client also stores first seed data (value=D_n-1) for generating authentication data. The client first sends an authentication request to the server, and receives an authentication data request from the server. Then the client generates authentication data (value=D_n) by enciphering the first seed data (value=D_n-1) using a client'"'"'s secret key (K_s), and sends the enciphered data to the server. The server deciphers the received authentication data (value=D_n) by using a public key (K_p) of the client to generate second inspection data (value=D_n-1), compares the second inspection data with the first inspection data (value=D_n-1), and when they are coincident, grants the authentication request and stores the authentication data (value=D_n) in place of the first inspection data. Upon receiving the grant, the client stores the authentication data (value=D_n) as second seed data in place of the first seed data (value=D_n-1).

285 Citations

23 Claims

1. An authentication method for authenticating an authentication requester by using a public-key enciphering scheme in response to an authentication request sent by the authentication requester, comprising:
- a storing step of storing first inspection data into an authenticator'"'"'s memory in advance for inspecting authentication data of the authentication requester;
  
  an authentication request sending step of sending an authentication request from the authentication requester to the authenticator;
  
  an authentication-data requesting step of sending an authentication-data request from the authenticator to the authentication requester in response to the authentication request sent by the authentication requester;
  
  an authentication-data sending step of sending from the authentication requester to the authenticator, in response to the authentication-data request, first authentication information which is generated by enciphering first seed data held by the authentication requester with utilizing a secret key of the authentication requester, and storing the generated first authentication data as second seed data for a next authentication request in place of the stored first seed data;
  
  a comparing step of deciphering the first authentication data, sent by the authentication requester, by utilizing a public key of the authentication requester, generating second inspection data, and comparing the second inspection data with the first inspection data stored in advance; and
  
  an updating step of notifying the authentication requester of grant of the authentication request in a case where the second inspection data coincides with the first inspection data, and storing the first authentication data in place of the first inspection data in the memory.
- View Dependent Claims (6, 10, 13, 17, 18, 20)
- - 6. The authentication method according to claim 1, wherein in said authentication-data sending step, the first seed data is replaced with the second seed data in a case where the authentication requester receives a notification of grant of the authentication request, while in a case where the authentication requester does not receive the notification, the first seed data is not replaced.
  - 10. The authentication method according to claim 1, wherein identification data of the authentication requester is used as an initial value of the first seed data.
  - 13. The authentication method according to claim 1, wherein in said authentication-data sending step, authentication data is sent to the authentication server together with a public-key certificate.
  - 17. The authentication method according to claim 13, wherein the authenticator stores the sent public-key certificate.
  - 18. The authentication method according to claim 1, wherein in a case where the first inspection data is not coincident with the second inspection data, the authentication request sent by the authentication requester is rejected.
  - 20. The authentication method according to claim 1, wherein the secret key of the authentication requester is enciphered such that only an authentic owner can decipher.

2. An authentication server storing authentication data for granting authentication in response to an authentication request sent by a plurality of authentication requesters, comprising:
- a memory storing inspection data for inspecting authentication data of an authentication requester for each authentication request;
  
  sending means for sending an authentication-data request message to an arbitrary authentication requester when the server receives an authentication request from the arbitrary authentication requester;
  
  comparing means for generating new inspection data by deciphering authentication data sent by the authentication requester by utilizing a public key of the authentication requester, and comparing the newly generated inspection data with the inspection data stored in said memory; and
  
  grant means for granting the authentication request in a case where the newly generated inspection data coincides with the stored inspection data, and storing the authentication data sent by the authentication requester in place of the stored inspection data.
- View Dependent Claims (16, 19)
- - 16. The authentication server according to claim 2, wherein said memory stores a public key of each authentication requester together with inspection data.
  - 19. The authentication server according to claim 2, wherein in a case where the newly generated inspection data is not coincident with the stored inspection data, the authentication request sent by the authentication requester is rejected.

3. An authentication apparatus for granting authentication, in response to an authentication request sent by an authentication requester, in support of an external authentication server, comprising:
- a memory storing seed data from which authentication data is generated for authentication of the authentication requester;
  
  sending/receiving means for sending an authentication request message to the authentication server, and receiving an authentication-data request message from the authentication server responding to the authentication request message;
  
  enciphering means for enciphering, in response to the authentication-data request message sent by the authentication server, the seed data stored in said memory by utilizing a secret key to generate authentication data; and
  
  authentication-data sending means for sending the generated authentication data to the authentication server, and storing the generated authentication data in said memory in place of the stored seed data.
- View Dependent Claims (7, 11, 14)
- - 7. The authentication apparatus according to claim 3, said authentication-data sending means updates the seed data in a case where a notification of grant of the authentication request is received from the authentication server, while in a case where the notification is not received, said authentication-data sending means does not perform updating.
  - 11. The authentication apparatus according to claim 3, wherein identification data of the authentication requester is used as an initial value of the seed data.
  - 14. The authentication apparatus according to claim 3, wherein said authentication-data sending means sends authentication data to the authentication server together with a public-key certificate.

4. An authentication terminal apparatus for granting authentication to an authentication request sent by an authentication requester via a storage medium, in support of an external authentication server, comprising:
- a main body; and
  
  interface means for accepting a storage medium storing;
  
  seed data used for generating authentication data to authenticate an authentication requester,a secret key of the authentication requester anda program for generating authentication data based on the seed data utilizing the secret key, andsaid main body comprising;
  
  receiving means for receiving an authentication request from the authentication requester;
  
  requesting means for sending an authentication request message to the authentication server in response to the authentication request, and receiving an authentication-data request message from the authentication server responding to the authentication request;
  
  instructing means for executing the program stored in the storage medium via said interface means in response to the authentication-data request message, said instructing means instructing the program to generate authentication data of the authentication requester based on the seed data by using the secret key, instructing the program to return the generated authentication data to the main body via said interface means, and instructing the program to update the seed data stored in the storage medium with the generated authentication data; and
  
  authentication-data sending means for sending the returned authentication data to the authentication server.
- View Dependent Claims (8, 12, 15, 21, 22, 23)
- - 8. The authentication terminal apparatus according to claim 4, wherein said instructing means instructs the program stored in the storage medium to update the seed data in a case where a notification of grant of the authentication request is received from the authentication server, while in a case where the notification is not received, said instructing means instructs the program not to update the seed data.
  - 12. The authentication terminal apparatus according to claim 4, wherein identification data of the authentication requester is used as an initial value of the seed data.
  - 15. The authentication terminal apparatus according to claim 4, wherein said authentication-data sending means sends authentication data to the authentication server together with a public-key certificate.
  - 21. The authentication terminal apparatus according to claim 4, wherein the storage medium is an IC card.
  - 22. The authentication terminal apparatus according to claim 4, wherein the storage medium further stores a password, compares a password inputted by the authentication requester with the password stored in the storage medium, and only when the passwords are coincident, returns the authentication data to the main body.
  - 23. The authentication terminal apparatus according to claim 4, wherein the generation of the authentication data based on the seed data by using the secret key is performed only within the storage medium so that the secret key is not sent to the main body.

5. A storage medium storing an authentication program for granting authentication to an authentication request sent by an authentication requester, in support of an external authentication server, said authentication program comprising:
- first program code means for storing seed data in a memory for generating authentication data to authenticate the authentication requester;
  
  second program code means for sending an authentication request message to the authentication server;
  
  third program code means for receiving the authentication request message from the authentication server;
  
  fourth program code means for generating authentication data based on the seed data stored in the memory by utilizing a secret key in response to the authentication data request message; and
  
  fifth program code means for sending the generated authentication data to the authentication server and storing the generated authentication data as new seed data in place of the old seed data.
- View Dependent Claims (9)
- - 9. The storage medium according to claim 5, wherein said fifth program code means includes sixth program code means for updating the seed data in a case where a notification of grant of the authentication request is received from the authentication server, while in a case where the notification is not received, not updating the seed data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nihon Unisys Limited
Original Assignee
Nihon Unisys Limited
Inventors
Yatsukawa, Naonobu
Primary Examiner(s)
Iqbal, Nadeem

Application Number

US09/084,497
Time in Patent Office

902 Days
Field of Search

713/200, 713/201, 713/202, 380/1-3, 380/4, 380/23, 380/24, 380/25, 380/28, 380/29, 380/30, 380/42, 380/43, 380/44, 380/45, 380/286, 380/258, 380/259, 364/286.4, 364/286.5, 364/286.6, 340/825.34, 340/825.31
US Class Current

726/2
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 2211/008   Public Key, Asymmetric Key,...

G06F 2221/2151   Time stamp

H04L 9/0869   involving random numbers or...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3226   using a predetermined code,...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

H04L 9/3271   using challenge-response

H04L 9/3297   involving time stamps, e.g....

Authentication system using authentication information valid one-time

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

285 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

Authentication system using authentication information valid one-time

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

285 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others