System and method for password throttling

US 6,883,095 B2
Filed: 12/19/2000
Issued: 04/19/2005
Est. Priority Date: 12/19/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method for authenticating a user, comprising:

receiving a request for access from a user claiming to be a particular user;

transmitting a first challenge having a first level of complexity, corresponding to a size of the first challenge, to the user;

transmitting a response to the transmitted first challenge;

determining if the transmitted response authenticates the user as the particular user;

allowing the requested access to the user if the transmitted response authenticates the user; and

transmitting a second challenge having a second level of complexity, corresponding to a size of the second challenge, the second level of complexity being greater than the first level of complexity, to the user if the transmitted response does not authenticate the user.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authenticating a user includes receiving a request for access from a user claiming to be a particular user. A first challenge having a first level of complexity is transmitted to the user. A response to the transmitted first challenge is transmitted. A determination is made as to whether or not the transmitted response authenticates the user as the particular user. The requested access by the user is allowed if the transmitted response authenticates the user. However, a second challenge having a second level of complexity, greater than the first level of complexity, is transmitted to the user if the transmitted response does not authenticate the user.

113 Citations

18 Claims

1. A method for authenticating a user, comprising:
- receiving a request for access from a user claiming to be a particular user;
  
  transmitting a first challenge having a first level of complexity, corresponding to a size of the first challenge, to the user;
  
  transmitting a response to the transmitted first challenge;
  
  determining if the transmitted response authenticates the user as the particular user;
  
  allowing the requested access to the user if the transmitted response authenticates the user; and
  
  transmitting a second challenge having a second level of complexity, corresponding to a size of the second challenge, the second level of complexity being greater than the first level of complexity, to the user if the transmitted response does not authenticate the user.
- View Dependent Claims (2, 3, 4, 5)
- - 2. A method according to claim 1, wherein:
    - the first level of complexity corresponds to a length of the first challenge;
      
      the second level of complexity corresponds to a length of the second challenge; and
      
      the length of the first challenge is less than the length of the second challenge.
  - 3. A method according to claim 2, further comprising:
    - transmitting multiple other challenges, each of the transmitted multiple other challenges having one of a length greater than the length of the immediately proceeding transmitted challenge if the length of the immediately proceeding challenge is less than a maximum length and a length which is equal to the length of the immediately preceding challenge if the length of the immediately preceding challenge is equal to the maximum length.
  - 4. A method according to claim 1, wherein:
    - the transmitted response to the transmitted first challenge includes the transmitted first challenge transformed with a first crypto-key; and
      
      the transmitted response is determined to authenticate the user as the particular user by further transforming the transformed first challenge with a second crypto-key to recover the transmitted first challenge.
  - 5. A method according to claim 4, wherein the first and the second crypto-keys are associated asymmetric crypto-keys.

6. A method for authenticating a user, comprising:
- receiving a request for access from a user claiming to be a particular user;
  
  transmitting, after passage of a first time period following receipt of the request, a first challenge to the user;
  
  receiving a response to the transmitted first challenge;
  
  determining if received response authenticates the user as the particular user;
  
  allowing the requested access to the user if the received response authenticates the user; and
  
  transmitting, after passage of a second time period, which is longer than the first time period, following receipt of the response, a second challenge to the user if the received response does not authenticate the user.
- View Dependent Claims (7, 8, 9, 10)
- - 7. A method according to claim 6, further comprising:
    - transmitting multiple other challenges, each of the transmitted multiple other challenges being transmitted after passage of one of a time period which is longer than the time period at which the immediately proceeding transmitted challenge was transmitted if the time period of the immediately proceeding challenge is less than a maximum time period and a time period which is equal to the time period of the immediately preceding challenge if the time period of the immediately preceding challenge is equal to the maximum time period.
  - 8. A method according to claim 6, wherein:
    - the received response to the transmitted first challenge includes the transmitted first challenge transformed with a first crypto-key;
      
      the received response is determined to authenticate the user as the particular user by further transforming the transformed first challenge with a second crypto-key to recover the transmitted first challenge.
  - 9. A method according to claim 8, wherein the first and the second crypto-keys are associated asymmetric crypto-keys.
  - 10. A method according to claim 6, wherein the particular user has an associated particular password, the received request includes a first password, the first and the second challenges include a request for the user to enter the particular password, the received response includes a second password, the received response is determined to authenticate the user as the particular user if the second password matches the particular password, and further comprising:
    - determining that the received first password does not authenticate the user as the particular user.

11. A system for authenticating a user, comprising:
- a communications port configured to receive communications from and to transmit communications to a user; and
  
  a processor configured (i) to generate a first challenge having a first level of complexity, corresponding to size of the first challenge, responsive to a first communication requesting access from a user claiming to be a particular user which is received via the communications port, (ii) to direct transmission of the generated first challenge to the user via the communications port, (iii) to allow the requested access to the user responsive to a second communication from the user responding to the generated first challenge which is received via the communications port, if the second communication authenticates the user as the particular user, (iv) to generate a second challenge having a second level of complexity, corresponding to a size of the second challenge, the second level of complexity being greater than the first level of complexity, responsive to the second communication, if the second communication does not authenticate the user as the particular user, and (v) to direct transmission of the generated second challenge to the user via the communications port.
- View Dependent Claims (12, 13)
- - 12. A system according to claim 11, wherein:
    - the first level of complexity corresponds to a length of the first challenge;
      
      the second level of complexity corresponds to a length of the second challenge;
      
      the length of the first challenge is less than the length of the second challenge; and
      
      the length of the second challenge is no greater than an established maximum length.
  - 13. A system according to claim 11, wherein:
    - the second communication includes the transmitted first challenge transformed with a first crypto-key;
      
      the processor is further configured to authenticate the user as the particular user by further transforming the second communication with a second crypto-key to recover the transmitted first challenge; and
      
      the first and the second crypto-keys are associated asymmetric crypto-keys.

14. A system for authenticating a user, comprising:
- a communications port configured to receive communications from and to transmit communications to a user; and
  
  a processor configured to (i) to direct transmission of a first challenge via the communications port, responsive to a first communication requesting access from a user claiming to be a particular user which is received via the communications port, after passage of a first time period following the receipt of the first communication, (ii) to allow the requested access to the user, responsive to a second communication from the user responding to the transmitted first challenge which is received via the communications port, if the second communication authenticates the user as the particular user, (iii) to direct transmission of a second challenge via the communications port, responsive to the second communication, after passage of a second time period following the receipt of the second communication which is greater than the first time period, if the second communication does not authenticate the user as the particular user.

15. A networked system for authenticating a user, comprising:
- a first network processor configured to transmit a request for access from a user claiming to be a particular user; and
  
  a second network processor configured to transmit a first challenge having a first level of complexity, corresponding to a size of the first challenge, to the first network processor responsive to the transmitted request;
  
  wherein the first network processor is further configured to transmit a response to the transmitted first challenge;
  
  wherein the second network processor is further configured (i) to allow the requested access to the user, if the transmitted response authenticates the user as the particular user, and (ii) to transmit a second challenge having a second level of complexity, corresponding to a size of the second challenge, the second level of complexity being greater than the first level of complexity to the first network station, if the transmitted response does not authenticate the user.
- View Dependent Claims (16, 17)
- - 16. A networked system according to claim 15, wherein:
    - the first level of complexity corresponds to a length of the first challenge;
      
      the second level of complexity corresponds to a length of the second challenge;
      
      the length of the first challenge is less than the length of the second challenge; and
      
      the length of the second challenge is no greater than an established maximum length.
  - 17. A networked system according to claim 15, wherein:
    - the first network processor transforms the transmitted first challenge with a first crypto-key to generate the response to the transmitted first challenge;
      
      the second network processor transforms the transmitted response to the transmitted first challenge with a second crypto-key to authenticate the user as the particular user; and
      
      the first and the second crypto-keys are associated asymmetric crypto-keys.

18. A networked system for authenticating a user, comprising:
- a first network processor configured to transmit a request for access from a user claiming to be a particular user; and
  
  a second network processor configured to transmit a first challenge to the first network processor responsive to the transmitted request, after passage of a first time period following receipt of the request;
  
  wherein the first network processor is further configured to transmit a response to the transmitted first challenge;
  
  wherein the second network processor is further configured (i) to allow the requested access to the user, if the transmitted response authenticates the user as the particular user, and (ii) to transmit a second challenge to the first network processor after passage of a second time period, which is longer than the first period, following receipt of the transmitted response, if the transmitted response does not authenticate the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VMware, Inc. (Broadcom, Inc.)
Original Assignee
SingleSignOn.net, Inc. (Broadcom, Inc.)
Inventors
Sandhu, Ravi, Ganesan, Karuna, deSa, Colin
Primary Examiner(s)
Moise, Emmanuel L.
Assistant Examiner(s)
Baum, Ronald

Application Number

US09/739,110
Publication Number

US 20020078350A1
Time in Patent Office

1,582 Days
Field of Search

713168-202
US Class Current

713/168
CPC Class Codes

G06F 21/46   by designing passwords or c...

H04L 63/083   using passwords cryptograph...

H04L 63/1441   Countermeasures against mal...

H04L 9/3271   using challenge-response

H04L 9/3297   involving time stamps, e.g....

System and method for password throttling

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

113 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for password throttling

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

113 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links