User authentication using a virtual private key
Abstract
A method, computer system, and program product provides for authentication of user messages using PKI technology in environments where limited capacity prevents direct PKI technology use, and strong security is provided using magnetic swipe cards or the like, and a pass phrase is used for enhanced security and to avoid the need for special purpose devices. The invention is advantageous where there are limitations on the space available for PKI credentials, such as in the userid and password fields of a remote access protocol. PKI techniques are used without transferring lengthy keys or certificates once an initial registration process is complete. A secret key is used. A digest is computed of the secret key, the user's certificate serial number, and a time stamp. The digest, together with the user's certificate serial number and the time stamp, forms a compact message that may be transmitted. Private keys and secret keys are not sent during authentication. Replay attacks are prevented.
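The exchange summarized in the abstract, as an added illustration that is not part of the patent text: the client sends time stamp, certificate serial number and digest, and the server recomputes the digest from its stored secret key and rejects any time stamp that is not later than the last one accepted. SHA-256, the length-prefixed field encoding, the dictionary message layout and all function and class names are assumptions of this sketch; registration and the public-key encryption of stored secret keys are left out.

```python
import hashlib
import hmac


def compute_digest(time_stamp: int, serial: str, secret_key: bytes) -> str:
    """Digest of time stamp, certificate serial number and secret key.

    Assumption: SHA-256 over length-prefixed fields. The page names neither
    a digest algorithm nor a field encoding.
    """
    h = hashlib.sha256()
    for field in (str(time_stamp).encode(), serial.encode(), secret_key):
        h.update(len(field).to_bytes(4, "big"))  # prefix keeps field boundaries unambiguous
        h.update(field)
    return h.hexdigest()


def key_from_reference(reference: str) -> bytes:
    """Variant in which the client secret key is a digest of a user reference
    such as a pass phrase (SHA-256 is again an assumption)."""
    return hashlib.sha256(reference.encode()).digest()


def build_message(time_stamp: int, serial: str, client_secret_key: bytes) -> dict:
    """Client side: the compact unencrypted message. The secret key is never sent."""
    return {
        "time_stamp": time_stamp,
        "serial": serial,
        "digest": compute_digest(time_stamp, serial, client_secret_key),
    }


class AuthServer:
    """Server side: registered secret keys indexed by certificate serial number."""

    def __init__(self):
        self._keys = {}           # serial -> registered secret key
        self._last_accepted = {}  # serial -> time stamp of last authentic message

    def register(self, serial: str, secret_key: bytes) -> None:
        # Stands in for the registration process, which is not modelled here.
        self._keys[serial] = secret_key

    def authenticate(self, message: dict) -> bool:
        serial = message.get("serial")
        time_stamp = message.get("time_stamp")
        received = message.get("digest")
        if not (isinstance(serial, str) and isinstance(time_stamp, int)
                and isinstance(received, str)):
            return False
        key = self._keys.get(serial)
        if key is None:
            return False  # unknown certificate serial number
        computed = compute_digest(time_stamp, serial, key)
        # Constant-time comparison of computed and received digest.
        if not hmac.compare_digest(computed.encode(), received.encode()):
            return False
        last = self._last_accepted.get(serial)
        if last is not None and time_stamp <= last:
            return False  # replayed or stale: time stamp is not later than the previous one
        self._last_accepted[serial] = time_stamp
        return True


def demo() -> list:
    """Run the exchange on constructed sample values and return each verdict."""
    serial = "4F2A91"  # constructed serial number
    key = key_from_reference("constructed pass phrase")
    server = AuthServer()
    server.register(serial, key)
    first = build_message(1000, serial, key)
    later = build_message(1001, serial, key)
    tampered = dict(later, time_stamp=2000)  # time stamp changed, digest left as-is
    return [
        server.authenticate(first),     # authentic
        server.authenticate(first),     # replay of the same message
        server.authenticate(tampered),  # digest no longer matches
        server.authenticate(later),     # authentic, later time stamp
    ]
```

Because the digest covers the time stamp, an intercepted message cannot be given a fresh time stamp without the secret key, and resending it unchanged fails the later-than check.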
62 Claims
-
1. A method of authentication, comprising:
-
obtaining a user private key from a user;
retrieving an encrypted client secret key value associated with said user;
decrypting said encrypted user secret key value using said user private key to provide a client secret key;
computing a preliminary digest of a first time stamp, a user certificate serial number associated with said user, and said client secret key;
providing an unencrypted message including said first time stamp, said user certificate serial number, and said preliminary digest;
retrieving an encrypted server secret key value associated with said user certificate serial number of said unencrypted message;
decrypting said encrypted server secret key value using a server private key to provide a server secret key;
computing a computed digest of said first time stamp of said unencrypted message, said user certificate serial number of said unencrypted message, and said server secret key; and
determining said present message to be authentic based on a comparison between said preliminary digest of said unencrypted message and said computed digest.
View Dependent Claims (2, 55)
a registration step which comprises;
generating said client secret key;
encrypting said client secret key with a public key of said user to provide said encrypted client secret key value;
providing a secret key message, encrypted with a server public key, said secret key message including said client secret key, said user certificate serial number, and a user digital signature;
performing decryption of said encrypted said secret key message using said server private key;
determining said secret key message to be authentic based on said decryption being successful and based on said digital signature; and
storing said client secret key as said server secret key in association with said user certificate serial number.
-
-
55. The method for authentication as set forth in claim 1, further comprising validating a certificate of said user.
-
3. A method for server authentication of messages from a user at a client, comprising:
-
storing at said client and at said server a secret key associated with said user, said secret key being different from a private key of said user, said secret key at said client defining a client secret key, said secret key at said server defining a server secret key;
authenticating said user at said client;
computing at said client a present preliminary digest of a first time stamp, a user certificate serial number associated with said user, and said client secret key;
providing to said server a present message including said first time stamp, said user certificate serial number, and said present preliminary digest;
retrieving said server secret key on the basis of said user certificate serial number;
generating at said server a present computed digest of said first time stamp, said user certificate serial number included in said present message, and said server secret key;
determining said present message to be authentic when said present preliminary digest and said present computed digest are identical.
View Dependent Claims (4, 5, 6, 7, 8, 56)
sending from said server a server certificate to said client;
obtaining from said user said private key of said user;
generating at said client said secret key;
sending to said server a secret key message including said secret key, said user certificate serial number, and a digital signature of said user;
authenticating said secret key message at said server based on said digital signature; and
storing said secret key as said server secret key.
-
-
5. The method for server authentication as set forth in claim 4, further comprising:
-
storing said client secret key encrypted with a public key of said user;
storing said server secret key encrypted with a public key of said server; and
storing said server secret key in association with said user certificate serial number.
-
-
6. The method for server authentication of messages as set forth in claim 3, further comprising:
-
computing at said client a subsequent preliminary digest of a second time stamp, said user certificate serial number, and said client secret key;
providing to said server a subsequent message including said second time stamp, said user certificate serial number, and said subsequent preliminary digest;
generating at said server a subsequent computed digest of said second time stamp, said user certificate serial number included in said subsequent message, and said server secret key;
determining said subsequent message to be authentic when said subsequent preliminary digest is identical to said subsequent computed digest and said second time stamp is later than said first time stamp.
-
-
7. The method for server authentication as set forth in claim 6, wherein said step of storing includes:
-
sending from said server a server certificate to said client;
obtaining from said user said private key of said user;
generating at said client said secret key;
sending to said server a secret key message including said secret key, said user certificate serial number, and a digital signature of said user;
authenticating said secret key message at said server based on said digital signature; and
storing said secret key as said server secret key.
-
-
8. The method for server authentication as set forth in claim 7, further comprising:
-
storing said client secret key encrypted with a public key of said user;
storing said server secret key encrypted with a public key of said server; and
storing said server secret key in association with said user certificate serial number.
-
-
56. The method for server authentication as set forth in claim 3, further comprising validating a certificate of said user.
-
9. A method for server authentication of messages, comprising:
-
storing at said server a plurality of registered secret keys, each associated with a respective registered user;
receiving a present transmission message;
obtaining a sending user certificate serial number, a present first stamp, and a received digest from said present transmission message;
retrieving one of said plurality of registered secret keys based on said sending user certificate serial number;
generating a computed digest of said sending user certificate serial number, said first time stamp, and said one of said plurality of registered secret keys;
comparing said computed digest with said received digest; and
determining said present message to be authentic when said computed digest and said received digest are identical.
View Dependent Claims (10, 11, 12, 13, 14, 57)
receiving a registration request message from a user;
sending to said user a server certificate;
receiving a secret key message;
decrypting said secret key message using a public key of said user to provide a decrypted secret key message;
obtaining a digital signature and a sent secret key from said decrypted secret key message;
authenticating said secret key message based on said digital signature; and
storing at said server said sent secret key as one of said plurality of registered secret keys.
-
-
11. The method for server authentication as set forth in claim 10, further comprising:
-
encrypting said sent secret key with a public key of said server before storing said sent secret key; and
storing said sent secret key in association with a certificate of said user.
-
-
12. The method for server authentication as set forth in claim 9, further comprising:
-
receiving a subsequent transmission message;
obtaining said sending user certificate serial number, a second time stamp, and a subsequent received digest from said subsequent transmission message;
generating a subsequent computed digest of said sending user certificate serial number, said second time stamp, and said one of said plurality of registered secret keys;
determining said subsequent message to be authentic when said subsequent received digest is identical to said subsequent computed digest and said second time stamp is later than said first time stamp.
-
-
13. The method for server authentication as set forth in claim 12, wherein said step of storing includes:
-
receiving a registration request message from a user;
sending to said user a server certificate;
receiving a secret key message;
decrypting said secret key message using a public key of said user to provide a decrypted secret key message;
obtaining a digital signature and a sent secret key from said decrypted secret key message;
authenticating said secret key message based on said digital signature; and
storing at said server said sent secret key as one of said plurality of registered secret keys.
-
-
14. The method for server authentication as set forth in claim 13, further comprising:
-
encrypting said sent secret key with a public key of said server before storing said sent secret key; and
storing said sent secret key in association with a certificate of said user.
-
-
57. The method for server authentication as set forth in claim 9, further comprising validating a certificate of said user.
-
15. A method for server authentication of messages from a user at a client, comprising:
-
storing at said server a server secret key associated with said user, said server secret key being different from a private key of said user;
authenticating said user at said client;
obtaining from said user a reference;
digesting said reference to provide a client secret key;
computing at said client a present preliminary digest of a first time stamp, a user certificate serial number associated with said user, and said client secret key;
providing to said server a present message including said first time stamp, said user certificate serial number, and said present preliminary digest;
retrieving said server secret key on the basis of said user certificate serial number;
generating at said server a present computed digest of said first time stamp, said user certificate serial number included in said present message, and said server secret key;
determining said present message to be authentic when said present preliminary digest and said present computed digest are identical.
View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 53, 58)
sending from said server a server certificate to said client;
obtaining from said user said private key of said user;
sending to said server a secret key message including said client secret key, said user certificate serial number, and a digital signature of said user;
authenticating said secret key message at said server based on said digital signature; and
storing said client secret key as said server secret key.
-
-
17. The method for server authentication as set forth in claim 16, further comprising:
-
storing said server secret key encrypted with a public key of said server; and
storing said server secret key in association with said user certificate serial number.
-
-
18. The method for server authentication of messages as set forth in claim 15, further comprising:
-
computing at said client a subsequent preliminary digest of a second time stamp, said user certificate serial number, and said client secret key;
providing to said server a subsequent message including said second time stamp, said user certificate serial number, and said subsequent preliminary digest;
generating at said server a subsequent computed digest of said second time stamp, said user certificate serial number included in said subsequent message, and said server secret key;
determining said subsequent message to be authentic when said subsequent preliminary digest is identical to said subsequent computed digest and said second time stamp is later than said first time stamp.
-
-
19. The method for server authentication as set forth in claim 18, wherein said step of storing includes:
-
sending from said server a server certificate to said client;
obtaining from said user said private key of said user;
sending to said server a secret key message including said client secret key, said user certificate serial number, and a digital signature of said user;
authenticating said secret key message at said server based on said digital signature; and
storing said client secret key as said server secret key.
-
-
20. The method for server authentication as set forth in claim 19, further comprising:
-
storing said server secret key encrypted with a public key of said server; and
storing said server secret key in association with said user certificate serial number.
-
-
21. The method for server authentication as set forth in claim 15, wherein said step of obtaining from said user said reference comprises reading said reference from a magnetic swipe card.
-
22. The method for server authentication as set forth in claim 15, wherein said step of obtaining from said user said reference comprises reading as said reference an output from a biometric device.
-
23. The method for server authentication as set forth in claim 15, wherein said step of obtaining from said user said reference comprises obtaining said reference from a magnetic store affixed to an article.
-
24. The method for server authentication as set forth in claim 15, wherein said step of obtaining from said user said reference comprises obtaining said reference from a magnetic store affixed to paper.
-
53. The method for server authentication as set forth in claim 15, wherein said step of obtaining from said user said reference comprises said user entering a pass phrase as said reference.
-
58. The method for server authentication as set forth in claim 15, further comprising validating a certificate of said user.
-
25. A network system for server authentication of messages from a user at a client, comprising:
-
a client storing a client secret key associated with said user, and a server storing a server secret key identical to said client secret key;
said client secret key being different from a private key of said user;
said client including a respective computer system comprising;
a respective processor, and a respective memory including software instructions adapted to enable said respective computer system to perform, under control of said respective processor, the steps of;
authenticating said user using said private key, computing a present preliminary digest of a first time stamp, a user certificate serial number associated with said user, and said client secret key, and creating for transmission a present message including said first time stamp, said user certificate serial number, and said present preliminary digest;
said server including a respective computer system comprising;
a respective processor, and a respective memory including software instructions adapted to enable said respective computer system to perform, under control of said respective processor, the steps of;
retrieving said server secret key on the basis of said user certificate serial number in said present message, generating a present computed digest of said first time stamp, said user certificate serial number included in said present message, and said server secret key, and determining said present message to be authentic when said present preliminary digest and said present computed digest are identical.
View Dependent Claims (26, 27, 28, 29, 30, 59)
said respective memory of said client further includes software instructions adapted to enable said respective client computer system to;
generate said client secret key, and send to said server a secret key message including said secret key, said user certificate serial number, and a digital signature of said user; and
said respective memory of said server further includes software instructions adapted to enable said respective computer system of said server to;
authenticate said secret key message based on said digital signature, and store said secret key as said server secret key.
-
-
27. The network system for authentication as set forth in claim 26, wherein:
-
said respective memory of said client further includes software instructions adapted to enable said respective client computer system to store said client secret key encrypted with a public key of said user; and
said respective memory of said server further includes software instructions adapted to enable said respective computer system of said server to;
store said server secret key encrypted with a public key of said server, and store said server secret key in association with said user certificate serial number.
-
-
28. The network system for authentication of messages as set forth in claim 25, wherein:
-
said respective memory of said client further includes software instructions adapted to enable said respective client computer system to;
compute a subsequent preliminary digest of a second time stamp, said user certificate serial number, and said client secret key, and provide to said server a subsequent message including said second time stamp, said user certificate serial number, and said subsequent preliminary digest; and
said respective memory of said server further includes software instructions adapted to enable said respective computer system of said server to;
generate a subsequent computed digest of said second time stamp, said user certificate serial number included in said subsequent message, and said server secret key, and determine said subsequent message to be authentic when said subsequent preliminary digest is identical to said subsequent computed digest and said second time stamp is later than said first time stamp.
-
-
29. The network system for authentication as set forth in claim 28, wherein:
-
said respective memory of said client further includes software instructions adapted to enable said respective client computer system to;
generate said secret key, and send to said server a secret key message including said secret key, said user certificate serial number, and a digital signature of said user;
said respective memory of said server further includes software instructions adapted to enable said respective computer system of said server to;
authenticate said secret key message based on said digital signature, and store said secret key as said server secret key.
-
-
30. The network system for authentication as set forth in claim 29, wherein:
-
said respective memory of said client further includes software instructions adapted to enable said respective client computer system to store said client secret key encrypted with a public key of said user; and
said respective memory of said server further includes software instructions adapted to enable said respective computer system of said server to;
store said server secret key encrypted with a public key of said server, and store said server secret key in association with said user certificate serial number.
-
-
59. The network system for authentication as set forth in claim 25, wherein said respective memory of said server further includes software instructions adapted to enable said respective computer system of said server to validate a certificate of said user.
-
31. A computer system adapted to authenticate messages, comprising:
-
a processor, and a memory including software instructions adapted to enable the computer system, under control of said processor, to perform the steps of;
storing a plurality of registered secret keys, each associated with a respective registered user;
receiving a present transmission message;
obtaining a sending user certificate serial number, a present first stamp, and a received digest from said present transmission message;
retrieving one of said plurality of registered secret keys based on said sending user certificate serial number;
generating a computed digest of said sending user certificate serial number, said first time stamp, and said one of said plurality of registered secret keys;
comparing said computed digest with said received digest; and
determining said present message to be authentic when said computed digest and said received digest are identical.
View Dependent Claims (32, 33, 34, 35, 36, 60)
receiving a registration request message from a user;
sending to said user a server certificate;
receiving a secret key message;
decrypting said secret key message using a public key of said user to provide a decrypted secret key message;
obtaining a digital signature and a sent secret key from said decrypted secret key message;
authenticating said secret key message based on said digital signature; and
storing said sent secret key as one of said plurality of registered secret keys.
-
-
33. The computer system adapted to authenticate messages, as set forth in claim 32, wherein said memory further includes software instructions adapted to enable the computer system further to perform the steps of:
-
encrypting said sent secret key with a public key of said server before storing said sent secret key; and
storing said sent secret key in association with a certificate of said user.
-
-
34. The computer system adapted to authenticate messages, as set forth in claim 31, wherein said memory further includes software instructions adapted to enable the computer system further to perform the steps of:
-
receiving a subsequent transmission message;
obtaining said sending user certificate serial number, a second time stamp, and a subsequent received digest from said subsequent transmission message;
generating a subsequent computed digest of said sending user certificate serial number, said second time stamp, and said one of said plurality of registered secret keys;
determining said subsequent message to be authentic when said subsequent received digest is identical to said subsequent computed digest and said second time stamp is later than said first time stamp.
-
-
35. The computer system adapted to authenticate messages, as set forth in claim 34, wherein said memory further includes software instructions adapted to enable the computer system further to perform said step of storing said plurality of registered secret keys by:
-
receiving a registration request message from a user;
sending to said user a server certificate;
receiving a secret key message;
decrypting said secret key message using a public key of said user to provide a decrypted secret key message;
obtaining a digital signature and a sent secret key from said decrypted secret key message;
authenticating said secret key message based on said digital signature; and
storing said sent secret key as one of said plurality of registered secret keys.
-
-
36. The computer system adapted to authenticate messages, as set forth in claim 35, wherein said memory further includes software instructions adapted to enable the computer system further to perform the steps of:
-
encrypting said sent secret key with a public key of said server before storing said sent secret key; and
storing said sent secret key in association with a certificate of said user.
-
-
60. The computer system adapted to authenticate messages, as set forth in claim 31, wherein said memory further includes software instructions adapted to enable the computer system further to perform a step of validating a certificate of said user.
-
37. A network system for authentication of messages from a user, comprising:
-
a client storing a client secret key associated with said user, and a server storing a server secret key identical to said client secret key;
said client secret key being different from a private key of said user;
said client including a respective computer system comprising;
a respective processor, and a respective memory including software instructions adapted to enable said respective computer system to perform, under control of said respective processor, the steps of;
obtaining from said user a reference;
digesting said reference to provide a client secret key;
computing a present preliminary digest of a first time stamp, a user certificate serial number associated with said user, and said client secret key;
providing to said server a present message including said first time stamp, said user certificate serial number, and said present preliminary digest;
said server including a respective computer system comprising;
a respective processor, and a respective memory including software instructions adapted to enable said respective computer system to perform, under control of said respective processor, the steps of;
retrieving said server secret key on the basis of said user certificate serial number;
generating a present computed digest of said first time stamp, said user certificate serial number included in said present message, and said server secret key;
determining said present message to be authentic when said present preliminary digest and said present computed digest are identical.
View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46, 54, 61)
said respective memory of said client further includes software instructions adapted to enable said respective client computer system to send to said server a secret key message including said client secret key, said user certificate serial number, and a digital signature of said user;
said respective memory of said server further includes software instructions adapted to enable said respective computer system of said server to;
authenticate said secret key message based on said digital signature; and
store said client secret key as said server secret key.
-
-
39. The network system for authentication of messages from a user, as set forth in claim 38, wherein said respective memory of said server further includes software instructions adapted to enable said respective computer system of said server to store said server secret key encrypted with a public key of said server, and to store said server secret key in association with said user certificate serial number.
-
40. The network system for authentication of messages from a user, as set forth in claim 37, further comprising:
-
said respective memory of said client further includes software instructions adapted to enable said respective client computer system to compute a subsequent preliminary digest of a second time stamp, said user certificate serial number, and said client secret key, and to provide to said server a subsequent message including said second time stamp, said user certificate serial number, and said subsequent preliminary digest;
said respective memory of said server further includes software instructions adapted to enable said respective computer system of said server to;
generate a subsequent computed digest of said second time stamp, said user certificate serial number included in said subsequent message, and said server secret key;
determine said subsequent message to be authentic when said subsequent preliminary digest is identical to said subsequent computed digest and said second time stamp is later than said first time stamp.
-
-
41. The network system for authentication of messages from a user, as set forth in claim 40, wherein:
-
said respective memory of said client further includes software instructions adapted to enable said respective client computer system to send to said server a secret key message including said client secret key, said user certificate serial number, and a digital signature of said user;
said respective memory of said server further includes software instructions adapted to enable said respective computer system of said server to;
authenticate said secret key message based on said digital signature; and
store said client secret key as said server secret key.
-
-
42. The network system for authentication of messages from a user, as set forth in claim 41, wherein said respective memory of said server further includes software instructions adapted to enable said respective computer system of said server to store said server secret key encrypted with a public key of said server, and to store said server secret key in association with said user certificate serial number.
-
43. The network system for authentication of messages from a user, as set forth in claim 37, further comprising a magnetic swipe card apparatus providing said reference to said computer system of said client.
-
44. The network system for authentication of messages from a user, as set forth in claim 37, further comprising a biometric device providing said reference to said computer system of said client.
-
45. The network system for authentication of messages from a user, as set forth in claim 37, further comprising a magnetic store affixed to an article and providing said reference to said computer system of said client.
-
46. The network system for authentication of messages from a user, as set forth in claim 37, further comprising a magnetic store affixed to paper and providing said reference to said computer system of said client.
-
54. The network system for authentication of messages from a user, as set forth in claim 37, further comprising said user entering a pass phrase as said reference.
-
61. The network system for authentication of messages from a user, as set forth in claim 37, wherein said respective memory of said server further includes software instructions adapted to enable said respective computer system of said server to validate a certificate of said user.
-
47. A computer program product for enabling a computer to authenticate messages, comprising:
-
software instructions for enabling the computer to perform predetermined operations, and a computer readable medium bearing the software instructions;
the predetermined operations including the steps of;
storing a plurality of registered secret keys, each associated with a respective registered user;
receiving a present transmission message;
obtaining a sending user certificate serial number, a present first stamp, and a received digest from said present transmission message;
retrieving one of said plurality of registered secret keys based on said sending user certificate serial number;
generating a computed digest of said sending user certificate serial number, said first time stamp, and said one of said plurality of registered secret keys;
comparing said computed digest with said received digest; and
determining said present message to be authentic when said computed digest and said received digest are identical.
View Dependent Claims (48, 49, 50, 51, 52, 62)
said software instructions further enable the computer to perform said predetermined operations including;
receiving a registration request message from a user;
sending to said user a server certificate;
receiving a secret key message;
decrypting said secret key message using a public key of said user to provide a decrypted secret key message;
obtaining a digital signature and a sent secret key from said decrypted secret key message;
authenticating said secret key message based on said digital signature; and
storing said sent secret key as one of said plurality of registered secret keys.
-
-
49. The computer program product for enabling a computer to authenticate messages, as set forth in claim 48, wherein:
-
said software instructions further enable the computer to perform said predetermined operations including;
encrypting said sent secret key with a public key of said server before storing said sent secret key; and
storing said sent secret key in association with a certificate of said user.
-
-
50. The computer program product for enabling a computer to authenticate messages, as set forth in claim 47, wherein:
-
said software instructions further enable the computer to perform said predetermined operations including;
receiving a subsequent transmission message;
obtaining said sending user certificate serial number, a second time stamp, and a subsequent received digest from said subsequent transmission message;
generating a subsequent computed digest of said sending user certificate serial number, said second time stamp, and said one of said plurality of registered secret keys;
determining said subsequent message to be authentic when said subsequent received digest is identical to said subsequent computed digest and said second time stamp is later than said first time stamp.
-
-
51. The computer program product for enabling a computer to authenticate messages, as set forth in claim 50, wherein:
-
said software instructions further enable the computer to perform said predetermined operations so that said step of storing said plurality of registered secret keys includes;
receiving a registration request message from a user;
sending to said user a server certificate;
receiving a secret key message;
decrypting said secret key message using a public key of said user to provide a decrypted secret key message;
obtaining a digital signature and a sent secret key from said decrypted secret key message;
authenticating said secret key message based on said digital signature; and
storing said sent secret key as one of said plurality of registered secret keys.
-
-
52. The computer program product for enabling a computer to authenticate messages, as set forth in claim 51, wherein:
-
said software instructions further enable the computer to perform said predetermined operations including;
encrypting said sent secret key with a public key of said server before storing said sent secret key; and
storing said sent secret key in association with a certificate of said user.
-
-
62. The computer program product for enabling a computer to authenticate messages, as set forth in claim 47, wherein said software instructions further enable the computer to perform so that said predetermined operations include validating a certificate of said user.
Specification