Security method and system for persistent storage and communications on computer network systems and computer network systems employing the same
First Claim
1. A secure login method to enhance security in a network computer system having at least one server computer coupled over a communication network to a plurality of client computers comprising:
- sending a login request and an encrypted public key from a first processor to a second processor to obtain KEK from the second processor, first and second processor communicating to generate a session key for use in privately encrypted communication between the first and second processor, wherein the sending of the login request and the encrypted public key from the first processor comprises computing a hash value using a user password and encrypting the public key with the hash value; and
- first and second processor communicating to generate a persistent storage key for use in communicating with persistent storage, wherein the first and second processor communicating to generate the persistent storage key for use in communicating with persistent storage further comprises locating the first split persistent storage key at the second processor and sending the first split persistent storage key to the first processor, wherein a second split persistent storage key is generated at the first processor, wherein the first and second split persistent storage keys are combined at the first processor to produce a persistent storage key for communication between the first processor and a persistent storage.
Abstract
A multi-stage login procedure and system involves a first stage in which a login ID and a public key (encrypted) are transmitted from a client computer to a server computer and a key-exchange key (encrypted) is provided from the server computer to the client computer. In a second stage, a first split symmetric key and a server authentication string are generated and encrypted by the client computer and then transmitted to the server computer. In addition, the server computer generates a second split symmetric key and combines the same with the first split symmetric key to obtain a complete symmetric key for encrypting further communications from the server to the client computer. The server also generates a client authentication string, encrypts the same and transmits the encrypted string, the server authentication string (encrypted and incremented) and the second split symmetric key (encrypted) to the client computer. In a third stage, the client computer uses the server authentication string to authenticate the server. In addition, the client computer combines the second split symmetric key with the first split symmetric key to obtain the complete symmetric key for encrypting further communications from the client computer to the server computer. The client computer also decrypts, increments and encrypts the client authentication string and transmits the same to the server. The server then uses the client authentication string (after decryption and decrementation) to authenticate the client computer. Thereafter, the server provides the client computer with a first split symmetric persistent storage key (encrypted), which the client computer combines (after decryption) with a one-way hash value to obtain a persistent storage key for use by the client computer to communicate information to and from persistent storage.
131 Citations
16 Claims
whereby the hash value is a result of the decrypting of the public key.
4. The method of claim 3 further comprises randomly generating a KEK at the second processor, encrypting the KEK with the public key and the hash value, and sending the encrypted KEK to the first processor.
5. The method of claim 4 further comprises aborting a login request at the second processor after waiting a predetermined period of time after sending a login request response to the first processor.
6. The method of claim 4, wherein the first and second processor communicating to generate a session key further comprises decrypting, at the first processor, the encrypted KEK using the hash value, and a private key.
7. The method of claim 1, wherein the first and second processor communicating to generate a session key further comprises randomly generating a first split session key at the first processor and a second split session key at the second processor, encrypting the first and second split session key with the KEK and sending the first and second split session key to the second and first processor, respectively.
8. The method of claim 7 further comprises decrypting the encrypted first split session key at the second processor, wherein the decrypting provides the first split session key and the KEK upon a successful authentication of a second login request at the second processor,
whereby the KEK is a result of the decrypting of the encrypted first split session key.
9. The method of claim 7, wherein sending the first and second split session key further comprises combining the first split session key with the second split session key at the second processor to form the session key, and wherein the second split session key is encrypted with the KEK and sent to the first processor.
10. The method of claim 7, further comprises determining, at the second processor, if a randomly generated client authentication string is to be sent to the first processor, wherein the client authentication string is encrypted with the KEK.
11. The method of claim 10, further comprises determining authenticity of the client authentication string, if the client authentication string is sent to the second processor, wherein the client authentication string is decrypted.
12. The method of claim 1, further comprises determining, at the first processor, if a randomly generated server authentication string is to be sent to the second processor, wherein the server authentication string is encrypted with the KEK.
13. The method of claim 12 further comprises decrypting the encrypted server authentication string at the second processor, wherein the decrypting provides the server authentication string and the KEK, wherein the server authentication string is modified to produce a modified server authentication string, which is encrypted and sent to the first processor,
whereby the KEK is a result of the decrypting of the encrypted server authentication string.
14. The method of claim 1 further comprises decrypting the encrypted first split persistent storage key at the first processor upon a successful authentication of a third login response from the second processor.
15. The method of claim 1, wherein the generating a second split persistent storage key at the first processor further comprises generating the second split persistent storage key from a second hash value, a second password corresponding to the second split persistent storage key, or by reading a token corresponding to the second split persistent storage key.
16. The method of claim 15, wherein reading the token corresponding to the second split persistent storage key further comprises reading a pre-encoded smart card, biometric data, or a retina scan.
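The last step of the abstract and claims 1 and 15, where a server-held split and a client-side hash value are combined into the persistent storage key, sketched as an added example that is not part of the patent. PBKDF2 as the one-way hash, HMAC-SHA256 as the combiner, the salt, the 32-byte split size and all function names are assumptions; the patent text names no algorithms.

```python
import hashlib
import hmac
import secrets

SPLIT_LEN = 32  # bytes; assumed size, the patent text does not fix one


def new_server_split() -> bytes:
    """Server side: random split generated once per user and kept by the server."""
    return secrets.token_bytes(SPLIT_LEN)


def client_split_from_password(password: str, salt: bytes,
                               iterations: int = 200_000) -> bytes:
    """Client side: the 'one-way hash value' split, here PBKDF2-HMAC-SHA256
    (assumed KDF) so that guessing the password is slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=SPLIT_LEN)


def combine_splits(server_split: bytes, client_split: bytes) -> bytes:
    """Combine both splits into the persistent storage key.
    HMAC is an assumed combiner; unlike XOR, a leaked key plus the server
    split cannot simply be inverted to get the password-derived split."""
    if len(server_split) != SPLIT_LEN or len(client_split) != SPLIT_LEN:
        raise ValueError("both splits must be %d bytes" % SPLIT_LEN)
    return hmac.new(server_split, b"persistent-storage-key\x00" + client_split,
                    hashlib.sha256).digest()


def derive_storage_key(server_split: bytes, password: str, salt: bytes) -> bytes:
    """What the client does after decrypting the split sent by the server."""
    return combine_splits(server_split,
                          client_split_from_password(password, salt))


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    salt = secrets.token_bytes(16)
    server_split = new_server_split()
    key = derive_storage_key(server_split, "correct horse", salt)
    again = derive_storage_key(server_split, "correct horse", salt)
    print("same inputs, same key:", hmac.compare_digest(key, again))
    print("wrong password differs:",
          derive_storage_key(server_split, "wrong", salt) != key)
    print("other server split differs:",
          derive_storage_key(new_server_split(), "correct horse", salt) != key)
```

Neither party can rebuild the key alone: the server never holds the password-derived split, and a client that is not logged in does not have the server's split.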
Specification