System and method for using an authentication applet to identify and authenticate a user in a computer network

US 6,766,454 B1
Filed: 07/23/1997
Issued: 07/20/2004
Est. Priority Date: 04/08/1997
Status: Expired due to Term

First Claim

Patent Images

1. A dynamic authentication system on a server computer system, comprising:

a user ID module for obtaining a user ID;

a password module for obtaining a password;

a response generator, coupled to the password module, for using the password as a variable in an algorithm to decrypt a token in response;

a communications module, coupled to the response generator and to the user ID module, for sending the response and the user ID to the server computer system from a client computer system;

a module for downloading the user ID module, the password module, the response generator and the communications module dynamically to a client computer system that requests access to the server computer system, enabling the server computer system to provide to the client computer system, after a different access request, a different algorithm for decrypting the token, each different algorithm for decrypting the token enabling a corresponding varying procedure for authenticating a user on the client computer system; and

a module for determining whether the response and user ID authenticate a user on the client computer system.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The system includes a server coupled via a computer network to a client. Upon receiving a request for access, the server sends an authentication applet to the client. The authentication applet includes a user identification (ID) module for obtaining a user ID and a password module for obtaining a client password. The authentication applet also includes a response generator coupled to the password module for using the client password as a variable in an algorithm to compute a client response. The authentication applet further includes a communications module coupled to the response generator and to the user ID module for sending the client response and the user ID back to the server for verifying the response and authenticating the user. The client uses an applet engine to execute the applet. The server uses the user ID to retrieve user information, and uses the user information as a variable in an algorithm to generate a verification response. If the verification response is the same as the client response, then the identity of the user is verified and access may be granted.

415 Citations

54 Claims

1. A dynamic authentication system on a server computer system, comprising:
- a user ID module for obtaining a user ID;
  
  a password module for obtaining a password;
  
  a response generator, coupled to the password module, for using the password as a variable in an algorithm to decrypt a token in response;
  
  a communications module, coupled to the response generator and to the user ID module, for sending the response and the user ID to the server computer system from a client computer system;
  
  a module for downloading the user ID module, the password module, the response generator and the communications module dynamically to a client computer system that requests access to the server computer system, enabling the server computer system to provide to the client computer system, after a different access request, a different algorithm for decrypting the token, each different algorithm for decrypting the token enabling a corresponding varying procedure for authenticating a user on the client computer system; and
  
  a module for determining whether the response and user ID authenticate a user on the client computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the user ID module obtains the user ID by prompting for user input.
  - 3. The system of claim 1, wherein the password module obtains the password by prompting for user input.
  - 4. The system of claim 1, wherein the algorithm includes a one-way hash function.
  - 5. The system of claim 4, wherein the response generator receives a random challenge and uses the one-way hash function to hash the password and the random challenge together.
  - 6. The system of claim 1, wherein the response generator uses a modification factor to modify the decrypted token.
  - 7. The system of claim 6, wherein the response generator uses the password and the algorithm to re-encrypt the modified token and wherein the response includes the re-encrypted token.
  - 8. The system of claim 1, wherein the response generator has a strength of authentication, and wherein the server computer system enables access to the server computer system based on the strength of the authentication.
  - 9. The system of claim 8, wherein the server computer system request information identifying a strength of authentication from a user, and downloads the response generator associated with that information.

10. A dynamic authentication system on a server computer system, comprising:
- first means for obtaining a user ID;
  
  second means for obtaining a password;
  
  third means, coupled to the second means, for using the password as a variable in an algorithm to decrypt a token in response;
  
  fourth means, coupled to the first means and to the third means, for sending the response and the user ID to the server computer system from a client computer system;
  
  fifth means for downloading the first means, the second means, the third means and the fourth means dynamically to a client computer system that requests access to the server computer system, enabling the server computer system to provide to the client computer system, after a different access request, a different algorithm for decrypting the token, each different algorithm for decrypting the token enabling a corresponding varying procedure for authenticating a user on the client computer system; and
  
  sixth means for determining whether the response and user ID authenticate a user on the client computer system.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The system of claim 10, wherein the first means obtains the user ID by prompting for user input.
  - 12. The system of claim 10, wherein the second means obtains the password by prompting for user input.
  - 13. The system of claim 10, wherein the algorithm includes a one-way hash function.
  - 14. The system of claim 13, wherein the third means receives a random challenge and uses the one-way hash function to hash the password and the random challenge together.
  - 15. The system of claim 10, wherein the third means uses a modification factor to modify the decrypted token.
  - 16. The system of claim 15, wherein the third means uses the password and the algorithm to re-encrypt the modified token and wherein the response includes the re-encrypted token.

17. A computer-readable storage medium on a server computer system storing dynamically downloadable program code for causing a client computer system to perform the steps of:
- obtaining a user ID;
  
  obtaining a password;
  
  using the password as a variable in an algorithm to decrypt a token in response;
  
  sending the response and the user ID to the server computer system from the client computer system, the dynamically downloadable program code enabling the server computer system to provide to the client computer system, after a different access request, a different algorithm for decrypting the token, each different algorithm for decrypting the token enabling a corresponding varying procedure for authenticating a user on the client computer system.

18. A computer-based authentication method, comprising the steps of:
- requesting access to a server computer system;
  
  receiving, after the step of requesting, downloaded program code dynamically from the server computer system;
  
  initiating execution of the program code;
  
  obtaining, by the program code, a user ID;
  
  obtaining, by the program code, a corresponding password;
  
  using, by the program code, the password as a variable in an algorithm to decrypt a token in response; and
  
  sending, by the program code, the response and the user ID to the server computer system, the server computer system verifying the response to authenticate the user, enabling the server computer system to provide to the client computer system, after a different access request, a different algorithm decrypting the token, each different algorithm for decrypting the token enabling a corresponding varying procedure for authenticating a user on the client computer system.
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. The method of claim 18, wherein the step of obtaining the user ID includes prompting for user input.
  - 20. The method of claim 18, wherein the step of obtaining the password includes prompting for user input.
  - 21. The method of claim 18, wherein the algorithm includes a one-way hash function.
  - 22. The method of claim 21, further comprising the step of receiving a random challenge and wherein the step of using the password includes using the one-way has function to hash the password and the random challenge together.
  - 23. The method of claim 18, wherein the algorithm includes using a modification factor to modify the decrypted token.
  - 24. The method of claim 23, wherein the algorithm uses the password to re-encrypt the modified token and wherein the response includes the re-encrypted token.

25. A dynamic authentication system on a server computer system, comprising:
- an engine for receiving a service request from a client;
  
  a password database storing a first password; and
  
  an authentication program, coupled to the engine and to the password database, for downloading dynamically to the client authentication code, which when executed by the client uses a client password as a variable in an algorithm to decrypt a token response, for receiving the client response from the client, and for using the first password to verify the client response, enabling the server computer system to provide to the client, after a different access request, a different algorithm for decrypting the token, each different algorithm for decrypting the token enabling a corresponding varying procedure for authenticating a user on the client computer system.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 26. The method of claim 25, wherein the service request includes a request to access the contents of a server.
  - 27. The method of claim 25, wherein the password database further stores a first user ID corresponding to the first password.
  - 28. The system of claim 27, wherein the authentication program includes a user ID module for obtaining and sending a client user ID back to the authentication program.
  - 29. The System of claim 28, wherein the authentication program compares the client user ID with the first user ID to retrieve the first password from the password database.
  - 30. The system of claim 29, wherein the authentication program uses the first password as a variable in the algorithm to compute a verification response and compares the verification response with the client response.
  - 31. The system of claim 30, wherein the authentication program grants the service request when the verification response is the same as the client response.
  - 32. The system of an claim 25, wherein the algorithm includes a one-way hash function.
  - 33. The system of claim 32, wherein the authentication program forwards a random challenge to the client and the one-way hah function hashes the client password and the random challenge together.
  - 34. The system of claim 25, wherein the authentication program uses the first password to encrypt a token and forwards the encrypted token to the client.
  - 35. The system of claim 34, wherein the authentication applet includes a response generator for using the client password and the algorithm to decrypt the encrypted token.
  - 36. The system of claim 35, wherein the response generator uses a modification factor to modify the decrypted token.
  - 37. The system of claim 36, wherein the response generator uses the client password and the algorithm to re-encrypt the modified token and wherein the response includes the re-encrypted token.

38. A dynamic authentication system on a server computer system, comprising:
- first means for receiving a service request from a client;
  
  second means, coupled to the first means, for downloading dynamically to the client authentication code, which when executed by the client uses client input as a variable in an algorithm to decrypt a token in response, enabling the server computer system to provide to the client, after a different access request, a different algorithm for decrypting the taken, each different algorithm for decrypting the token enabling a corresponding varying procedure for authenticating a user on the client computer system;
  
  third means, coupled to the second means, for receiving the token from the client; and
  
  fourth means, coupled to the third means, for verifying the token.

39. A computer-readable storage medium storing program code for causing a server computer system to perform the steps of:
- receiving a service request from a client;
  
  downloading dynamically to the client authentication code, which when executed by the client uses client input as a variable in an algorithm to decrypt a token, enabling the server computer system to provide to the client, after a different access request, a different algorithm for detecting the token, each different algorithm for decrypting the token enabling a corresponding varying procedure for authenticating a user on the client computer system;
  
  receiving the token from the client; and
  
  verifying the token.

40. A computer-based method in a server computer system, comprising the steps of:
- receiving a service request from a client;
  
  downloading dynamically to the client authentication code, which when executed by the client uses client input as a variable in an algorithm to decrypt a token in response, enabling the server computer system to provide to the client, after a different access request, a different algorithm for decrypting the token, each different algorithm for decrypting the token enabling a corresponding varying procedure for authenticating a user on the client computer system;
  
  receiving the client response from the client; and
  
  verifying the client response.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53)
- - 41. The method of claim 40, wherein the service request includes a request to access the contents of a server.
  - 42. The method of claim 40, further comprising the step of storing a first password in a password database.
  - 43. The method of claim 42, further comprising the step of storing a first user ID corresponding to the first password in the password database.
  - 44. The method of claim 43, wherein the authentication code includes a user ID module for obtaining and sending a client user in back to the server.
  - 45. The method of claim 44, comprising the step of comparing the client user ID with the first user ID to retrieve the first password from the password database.
  - 46. The method of claim 45, further comprising the steps of using the first password as a variable in the algorithm to compute a verification response and comparing the verification response with the client response.
  - 47. The method of claim 46, further comprising the step of granting the service request when the verification response is the same as the client response.
  - 48. The method of claim 40, wherein th algorithm includes a one-way hash function.
  - 49. The method of claim 48, further comprising forwarding a random challenge to the client and wherein the one-way hash function hashes the password and the random challenge together.
  - 50. The method of claim 40, further comprising the steps of using the first password to encrypt a token and forwarding the encrypted token to the client.
  - 51. The method of claim 50, wherein the authentication code includes a response generator for using the client password and the algorithm to decrypt the encrypted token.
  - 52. The method of claim 51, wherein the response generator uses a modification factor to modify the decrypted token.
  - 53. The method of claim 52, the response generator uses the client password and the algorithm to re-encrypt the modified token and wherein the response includes the re-encrypted token.

54. A method of authentication in a client computer system, comprising:
- receiving authentication code dynamically from a server computer system; and
  
  executing the authentication code, which causes obtaining a user ID and a password from a user;
  
  using the password as a variable in an algorithm to decrypt a token; and
  
  sending the user ID and the token to the server computer system, the server computer system verifying the token to authenticate the user, enabling the server computer system to provide to the client, after a different access request, a different algorithm for decrypting the token, each different algorithm for decrypting the token enabling a corresponding varying procedure for authenticating a user on the client computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
Good Technology Corporation (Blackberry Limited)
Inventors
Riggins, Mark D.
Primary Examiner(s)
Morse, Gregory
Assistant Examiner(s)
Seal, James

Application Number

US08/899,277
Time in Patent Office

2,554 Days
Field of Search

380/25, 380/49, 380/23, 380/24, 380/10, 395/186, 395/187.01, 395/188.01, 395/200.59, 395/200.33, 364/286.5, 713/200, 713/201, 713/202, 713/6, 709/201, 709/203, 709/229, 709/99, 171/310.3, 171/168, 171/252
US Class Current

713/185
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0838   using one-time-passwords

H04L 63/10   for controlling access to d...

System and method for using an authentication applet to identify and authenticate a user in a computer network

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

415 Citations

54 Claims

Specification

Use Cases

Quick Links

Others

System and method for using an authentication applet to identify and authenticate a user in a computer network

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

415 Citations

54 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others