Methods for pre-authentication of users using one-time passwords

US 6,983,381 B2
Filed: 06/28/2001
Issued: 01/03/2006
Est. Priority Date: 01/17/2001
Status: Expired due to Term

First Claim

Patent Images

1. A method for communicating passwords comprises:

receiving at a server a challenge from a authentication server via a first secure communications channel, wherein the challenge includes at least a random password from the authentication server that is inactive;

communicating the challenge from the server to a client computer via a second secure communications channel, wherein the client computer receives the random password from the authentication server that is inactive;

receiving at the server a challenge response from the client computer via the second secure communications channel, wherein the challenge response includes a digital certificate and a digital data packet, wherein the digital certificate includes a public key in an encrypted form, and wherein the digital data packet is determined in the client and comprises a combination of at least a portion of the challenge and a private key corresponding to the public key; and

communicating the challenge response from the server to the authentication server via the first secure communications channel;

wherein the random password from the authentication server that is inactive is activated when the authentication server verifies the challenge response.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for communicating passwords includes receiving at a server a challenge from a authentication server via a first secure communications channel, the challenge comprising a random password that is inactive, communicating the challenge from the server to a client computer via a second secure communications channel, receiving at the server a challenge response from the client computer via the second secure communications channel, the challenge response comprising a digital certificate and a digital signature, the digital certificate including a public key in an encrypted form, the digital signature being determined in response to the random password and the private key, and communicating the challenge response from the server to the authentication server via the first secure communications channel, wherein the random password is activated when the authentication server verifies the challenge response.

Citations

20 Claims

1. A method for communicating passwords comprises:
- receiving at a server a challenge from a authentication server via a first secure communications channel, wherein the challenge includes at least a random password from the authentication server that is inactive;
  
  communicating the challenge from the server to a client computer via a second secure communications channel, wherein the client computer receives the random password from the authentication server that is inactive;
  
  receiving at the server a challenge response from the client computer via the second secure communications channel, wherein the challenge response includes a digital certificate and a digital data packet, wherein the digital certificate includes a public key in an encrypted form, and wherein the digital data packet is determined in the client and comprises a combination of at least a portion of the challenge and a private key corresponding to the public key; and
  
  communicating the challenge response from the server to the authentication server via the first secure communications channel;
  
  wherein the random password from the authentication server that is inactive is activated when the authentication server verifies the challenge response.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the client computer communicates the random password to a password-based security system, the password-based security system coupled to the authentication server.
  - 3. The method of claim 2 wherein the password-based security system comprises a firewall.
  - 4. The method of claim 1 wherein the public key and the private key are associated with an authenticated user.
  - 5. The method of claim 1wherein the private key is not associated with an authenticated user, andwherein the authentication server does not authenticate the challenge response.
  - 6. The method of claim 1 wherein the first secure communications channel is selected from a group consisting of:
    - secure socket layer and secure HTTP.

7. A method for a client computer comprises:
- receiving challenge data from a authentication server in the client computer via a first secure communications channel, wherein the challenge data comprises a challenge and a password from the authentication server that is inactive;
  
  receiving a user PIN;
  
  recovering a private key and a digital certificate in response to the user PIN;
  
  sending the digital certificate to the authentication server via an external server, wherein the digital certificate comprises a public key in an encrypted form;
  
  sending a digital data packet to the authentication server via the external server, wherein the digital data packet is determined in the client computer and comprises a combination of at least a portion of the challenge and the private key; and
  
  thereaftersending a user login and the password from the authentication server from the client computer to a password-based security system coupled to the authentication server,wherein when the authentication server verifies the digital data packet, the password that is inactive is activated.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The method of claim 7 wherein when the authentication server does not verify the digital data packet, the password from the authentication server that is inactive remains inactive.
  - 9. The method of claim 7 wherein the password-based security system comprises a server selected from a group consisting of:
    - a firewall and a VPN Gateway.
  - 10. The method of claim 7 wherein recovering the private key and the digital certificate in response to the user PIN comprises:
    - recovering a private key associated with the user when the user PIN is correct; and
      
      generating a private key not associated with the user when the user PIN is incorrect.
  - 11. The method of claim 10 further comprising manually entering the user login and the password from the authentication server to the client computer.
  - 12. The method of claim 7 wherein the password from the authentication server that is inactive is activated for a pre-determined amount of time.
  - 13. The method of claim 12 wherein after the pre-determined amount of time, the password from the authentication server that is activated is inactivated.

14. A method for a verification server comprises:
- receiving a request for a one-time password in the verification server from a client computer;
  
  determining a one-time password within the verification server, wherein the one-time password within the verification server is initially inactive;
  
  communicating data comprising the one-time password that is initially inactive from the verification server to the client computer;
  
  receiving user identification data from a user at the client computer in the verification server;
  
  verifying in the verification server, the user in response to the user identification data; and
  
  activating the one-time password in the verification serer when the user is verified.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14 wherein communicating data comprising the one-time password that is initially inactive to the client computer comprises communicating via an external server via a secure communications channel.
  - 16. The method of claim 14 wherein the one-time password that is initially inactive is selected from a group consisting of:
    - random, pre-determined, pseudo-random.
  - 17. The method of claim 14 wherein the user identification data comprises a digital signature of the one-time password that is initially inactive.
  - 18. The method of claim 17 wherein the digital signature comprises a private key selected from a group consisting of:
    - a private key associated with the user, a private key not associated with the user.
  - 19. The method of claim 18 wherein verifying the user comprises verifying the user when the private key is associated with the user.
  - 20. The method of claim 14 further comprising:
    - receiving a verification request from a password-based security system, the verification request comprising a user login and the one-time password;
      
      determining whether the one-time password is activated; and
      
      approving the verification request when the one-time password is determined to be active.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Arcot Systems, Inc. (Broadcom, Inc.)
Inventors
Jerdonek, Robert A.
Primary Examiner(s)
Morse, Gregory
Assistant Examiner(s)
Tran, Ellen C.

Application Number

US09/896,560
Publication Number

US 20020095507A1
Time in Patent Office

1,650 Days
Field of Search

713/200, 713/201, 713/168, 713/160, 380/30
US Class Current

726/5
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless

H04L 63/0272   Virtual private networks

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/0823   using certificates cryptogr...

H04L 63/0838   using one-time-passwords

H04L 63/0861   using biometrical features,...

H04L 63/12   Applying verification of th...

H04L 9/3215   using a plurality of channe...

H04L 9/3271   using challenge-response

Methods for pre-authentication of users using one-time passwords

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods for pre-authentication of users using one-time passwords

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links