Strong mutual authentication of devices

US 7,020,773 B1
Filed: 07/17/2000
Issued: 03/28/2006
Est. Priority Date: 07/17/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method for enabling strong mutual authentication on a computer network comprising the steps of:

transmitting a first indicia of a user to a first computer over a first communication channel;

generating by said first computer a first authentication number, a second authentication number, and a third authentication number;

transmitting by said first computer a first message to a second computer, wherein said first message comprises said first authentication number encrypted by said second authentication number;

transmitting by said first computer a second message to a verifier over a second communication channel, wherein said second message comprises said second authentication number encrypted and said third authentication number;

decrypting by said verifier said second message to obtain a first decrypted message, wherein said first decrypted message comprises said second authentication number;

transmitting by said verifier said second authentication number to said second computer over a third communication channel;

decrypting by said second computer said first message transmitted by said first computer to recover said first authentication number;

transmitting by said second computer a third message to said first computer over said first communication channel, wherein said third message comprises said second authentication number encrypted by said first authentication number; and

validating said second computer by said first computer by decrypting said third message to obtain said second authentication number.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to a method for enabling strong mutual authentication between two computers in a communication system. A user from a client attempts to gain access to a server. The server transmits a first key encrypted by a second key to the client and a second key encrypted by a user'"'"'s private key to a verifier. The verifier uses the user'"'"'s login information to obtain the user'"'"'s private key, which the verifier uses to obtain the second key. The verifier transmits the second key to the client and the client decrypts the first key with the second key. The client then transmits the second key encrypted by the first key to the server. If the received second key is the same as the generated second key, the client is authenticated to the server.

204 Citations

47 Claims

1. A method for enabling strong mutual authentication on a computer network comprising the steps of:
- transmitting a first indicia of a user to a first computer over a first communication channel;
  
  generating by said first computer a first authentication number, a second authentication number, and a third authentication number;
  
  transmitting by said first computer a first message to a second computer, wherein said first message comprises said first authentication number encrypted by said second authentication number;
  
  transmitting by said first computer a second message to a verifier over a second communication channel, wherein said second message comprises said second authentication number encrypted and said third authentication number;
  
  decrypting by said verifier said second message to obtain a first decrypted message, wherein said first decrypted message comprises said second authentication number;
  
  transmitting by said verifier said second authentication number to said second computer over a third communication channel;
  
  decrypting by said second computer said first message transmitted by said first computer to recover said first authentication number;
  
  transmitting by said second computer a third message to said first computer over said first communication channel, wherein said third message comprises said second authentication number encrypted by said first authentication number; and
  
  validating said second computer by said first computer by decrypting said third message to obtain said second authentication number.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein said first authentication number is a session number.
  - 3. The method of claim 1, wherein said first indicia is login information of said user for said first computer.
  - 4. The method of claim 1, wherein said second authentication number is a random number.
  - 5. The method of claim 1, wherein said third authentication number is a random number.
  - 6. The method of claim 1, wherein said first message further comprises said first authentication number encrypted with said second authentication number.
  - 7. The method of claim 1, wherein said second message further comprises an encrypted portion.
  - 8. The method of claim 7, wherein said encrypted portion further comprises said second authentication number encrypted in response to said first indicia.
  - 9. The method of claim 8, wherein said encrypted portion further comprises said first indicia encrypted with a private key.
  - 10. The method of claim 1, wherein said first decrypted message is decrypted by said verifier to validate said first computer to said verifier by recovering said third authentication number from said first decrypted message.
  - 11. The method of claim 1, wherein said third message further comprises a third indicia of said user.
  - 12. The method of claim 11, wherein said third indicia and said second authentication number are encrypted with said first authentication number.
  - 13. The method of claim 1, wherein said first communication channel is a confidential communication channel.
  - 14. The method of claim 7, wherein said verifier has tamperproof memory and processing to ensure the validity of said second message or said encrypted portion of said second message.
  - 15. The method of claim 1, wherein said third communication channel is an output device.
  - 16. The method of claim 1, wherein transmitting said second message further comprises the steps of starting a clock by said first computer and measuring a timeout period by said clock therein said timeout period defines the period of time during which said third message must be received by said first computer.

17. The method for authenticating a third device to a first device comprising the steps of:
- encrypting a first key with a second key by said first device;
  
  transmitting by said first device said encrypted first key to said third device;
  
  encrypting said second key with a third key by said first device;
  
  transmitting by said first device said encrypted second key to a second device;
  
  decrypting said encrypted second key in response to obtaining from said first device said third key by a second device; and
  
  decrypting by said third device said encrypted first key using said second key obtained from said second device.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17 further comprising the step of encrypting said second key with said first key by said third device.
  - 19. The method of claim 18 further comprising the step of decrypting said encrypted second key using said first key by said first device.
  - 20. The method of claim 19 further comprising the step of comparing said second key decrypted using said first key with said second key used to encrypt said first key by said first device.

21. The method for authenticating a third device to a first device comprising the steps of:
- transmitting by said first device a first message to said third device;
  
  transmitting by said first device a second message to a second device;
  
  transmitting by said second device a second key of said second message to said third device;
  
  obtaining by said third device a first key of said first message using said second key of said second message; and
  
  transmitting by said third device a third message to said first device.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28)
- - 22. The method of claim 21, wherein said first message comprises said first key encrypted by said second key.
  - 23. The method of claim 21, wherein said second message further comprises an encrypted portion.
  - 24. The method of claim 23, wherein said encrypted portion further comprises said second key encrypted by a public key.
  - 25. The method of claim 21, wherein said third message comprises said second key encrypted by said first key.
  - 26. The method of claim 25 further comprising obtaining by said first device said second key of said third message using said first key of said first message.
  - 27. The method of claim 26 further comprising said first device comparing said second key of said third message with said second key of said first message.
  - 28. The method of claim 21, wherein transmitting said second message further comprises the steps of starting a clock by said first device and measuring a timeout period by said clock wherein said timeout period defines the period of time during which said third message must be received by said first device.

29. A system for enabling strong mutual authenticating comprising:
- a first transmitter;
  
  a first receiver in communication with said first transmitter;
  
  an output device in communication with said first receiver;
  
  a second receiver in communication with said output device;
  
  a second transmitter; and
  
  a comparator in communication with said second transmitter and said first transmitter, wherein said first transmitter transmits a first message to said second receiver over a first communication channel;
  
  wherein said first transmitter transmits a second message to said first receiver over a second communication channel;
  
  wherein said output device transmits a second key derived from said second message to said second receiver over a third communication channel;
  
  wherein said second transmitter transmits a third message to said comparator over said first communication channel;
  
  wherein said comparator compares said second key of said third message with said second key of said first message.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47)
- - 30. The system of claim 29, wherein said first receiver further comprises a smart card.
  - 31. The system of claim 30, wherein said smart card comprises a tamperproof storage.
  - 32. The system of claim 31, wherein said smart card further comprises the identification of the positive identity of a user.
  - 33. The system of claim 29, wherein said first transmitter encrypts a first key with said second key to produce said first message.
  - 34. The system of claim 29 wherein said first transmitter constructs an encrypted portion to produce said second message.
  - 35. The system of claim 34, wherein said first transmitter encrypts said second key to produce said encrypted portion.
  - 36. The system of claim 29, wherein said first receiver obtains said second key by decrypting said second message with a public key.
  - 37. The system of claim 36, wherein said first receiver retrieves said public key from its computer memory.
  - 38. The system of claim 29, wherein said second receiver decrypts said first message with said second key received from said output device to obtain said first key.
  - 39. The system of claim 38, wherein said second receiver encrypts said second key received from said output device with said first key of said first message to produce said third message.
  - 40. The system of claim 29, wherein said comparator decrypts said third message to obtain said second key.
  - 41. The system of claim 29, wherein said first communication channel is a confidential channel.
  - 42. The system of claim 29, wherein said second communication channel is a confidential channel.
  - 43. The system of claim 29, wherein said third communication channel is a confidential channel.
  - 44. The system of claim 29, wherein said second communication channel is a cellular communication channel.
  - 45. The system of claim 29 further comprises a first input device in communication with said second receiver and said output device.
  - 46. The system of claim 45, wherein said output device is in communication with said first input device over a confidential communication channel.
  - 47. The system of claim 29, wherein said first transmitter comprises a clock used to measure the time period between transmitting said second message to said first receiver and receiving said third message from said second transmitter.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Otway, David John, Bull, John Albert
Primary Examiner(s)
Morse, Gregory
Assistant Examiner(s)
HENEGHAN, MATTHEW E

Application Number

US09/617,380
Time in Patent Office

2,080 Days
Field of Search

713/155, 713/156, 713/169, 713/171, 713/168, 380/178
US Class Current

713/171
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/0428   wherein the data content is...

H04L 63/0869   for achieving mutual authen...

H04L 63/18   using different networks or...

H04L 9/321   involving a third party or ...

H04L 9/3215   using a plurality of channe...

H04L 9/3273   for mutual authentication n...

Strong mutual authentication of devices

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

204 Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

Strong mutual authentication of devices

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

204 Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links