One time password entry to access multiple network sites

US 7,055,032 B2
Filed: 05/21/2004
Issued: 05/30/2006
Est. Priority Date: 12/19/2000
Status: Expired due to Term

First Claim

Patent Images

1. A system for accessing multiple different network stations without entry of a password, comprising:

a first network station representing a network entity and configured totransmit a request for authentication of a user seeking access, the user havingan associated password,an associated user identifier, andan associated asymmetric crypto-key, includinga first private key portion obtainable with the password,a second private key portion and havingthe user identifier,the combination symmetric crypto-key,the first symmetric crypto-key, andthe second private key portion stored thereat, and configured to(i) retrievethe stored combination symmetric crypto-key by matching the transmitted user identifier with the stored user identifier,(ii) verifythe MAC with the retrieved combination symmetric crypto-key to verify identity of the user,(iii) decryptthe transmitted encrypted authentication request with the retrieved combination symmetric crypto-key to recover the authentication request,(iv) encryptthe recovered authentication request with the stored second private key portion and(v) transmita public key portion;

a second network station representing the user, and havingthe user identifier,a combination symmetric crypto-key corresponding toa first symmetric crypto-key anda second symmetric crypto-key, andthe obtained first private key portion encrypted with the first symmetric crypto-key stored thereat, and configured to(i) transmitthe stored user identifier message authenticated coded with the stored combination symmetric crypto-key responsive to the transmitted authentication request, and(ii) transmitthe transmitted authentication request encrypted with the stored combination symmetric crypto-key; and

a third network station, representing a sponsor,the encrypted authentication request andthe first symmetric crypto-key,both encrypted with the retrieved combination symmetric crypto-key;

wherein the second network station is further configured to(i) decryptthe transmitted encrypted authentication request and first symmetric crypto-key, with the stored combination symmetric crypto-key to recover the encrypted authentication request and the first symmetric crypto-key,(ii) decryptthe stored encrypted first private key portion with the recovered first symmetric crypto-key to recover the first private key portion,(iii) to transmitthe recovered encrypted authentication request further encrypted with the recovered first private key portion; and

wherein the first station is further configured todecrypt the transmitted further encrypted authentication request with the public key to thereby authenticate the user.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for accessing multiple different network stations without entry of a password is provided. The password is obtainable by use of a portion of an asymmetric crypto-key. A first station, representing any network entity, transmits an authentication request of a user seeking access. A second station, representing the user, forwards the request and user identity information to a third station. The third station, representing a sponsor, matches the transmitted identity information with stored identity information, generates a certificate, and transmits the certificate. The second station further transmits the certificate to the first station. To provide the password, each of the stations encrypt and decrypt messages utilizing different ones of an asymmetric crypto-key having a public key portion and first and second private key portions, the first private portion used to obtain the password, first and second symmetric crypto-keys, and a combination symmetric crypto-key corresponding to the first symmetric crypto-key.

Citations

18 Claims

1. A system for accessing multiple different network stations without entry of a password, comprising:
- a first network station representing a network entity and configured totransmit a request for authentication of a user seeking access, the user havingan associated password,an associated user identifier, andan associated asymmetric crypto-key, includinga first private key portion obtainable with the password,a second private key portion and havingthe user identifier,the combination symmetric crypto-key,the first symmetric crypto-key, andthe second private key portion stored thereat, and configured to(i) retrievethe stored combination symmetric crypto-key by matching the transmitted user identifier with the stored user identifier,(ii) verifythe MAC with the retrieved combination symmetric crypto-key to verify identity of the user,(iii) decryptthe transmitted encrypted authentication request with the retrieved combination symmetric crypto-key to recover the authentication request,(iv) encryptthe recovered authentication request with the stored second private key portion and(v) transmita public key portion;
  
  a second network station representing the user, and havingthe user identifier,a combination symmetric crypto-key corresponding toa first symmetric crypto-key anda second symmetric crypto-key, andthe obtained first private key portion encrypted with the first symmetric crypto-key stored thereat, and configured to(i) transmitthe stored user identifier message authenticated coded with the stored combination symmetric crypto-key responsive to the transmitted authentication request, and(ii) transmitthe transmitted authentication request encrypted with the stored combination symmetric crypto-key; and
  
  a third network station, representing a sponsor,the encrypted authentication request andthe first symmetric crypto-key,both encrypted with the retrieved combination symmetric crypto-key;
  
  wherein the second network station is further configured to(i) decryptthe transmitted encrypted authentication request and first symmetric crypto-key, with the stored combination symmetric crypto-key to recover the encrypted authentication request and the first symmetric crypto-key,(ii) decryptthe stored encrypted first private key portion with the recovered first symmetric crypto-key to recover the first private key portion,(iii) to transmitthe recovered encrypted authentication request further encrypted with the recovered first private key portion; and
  
  wherein the first station is further configured todecrypt the transmitted further encrypted authentication request with the public key to thereby authenticate the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A system according to claim 1, wherein the authentication request is a hash message.
  - 3. A system according to claim 1, wherein the second network station is further configured to receive the password as a user input and obtain the first private key portion with the input password, prior to transmission of the authorization request by the first station.
  - 4. A system according to claim 1, wherein the combination symmetric crypto-key corresponds to the first symmetric crypto-key XOR'"'"'d with the second symmetric crypto-key.
  - 5. A system according to claim 1, wherein the second network station is further configured to automatically respond to the authentication request without the user inputting the password.
  - 6. A system according to claim 1, wherein the first symmetric crypto-key is a first random number having a length of 192 bits and the second symmetric crypto-key is a second random number, different than the first random number having a length of 192 bits.
  - 7. A system according to claim 1, wherein the third station has a time value, representing a time period for authenticating the user, stored thereat, and is further configured to retrieve the stored time value prior to encrypting the recovered authenticating request and to only encrypt the recovered authentication request if the present time is within the time period represented by the time value.
  - 8. A system according to claim 1, wherein the second network station is further configured to generate the first symmetric crypto-key, and transmit the first symmetric crypto-key encrypted with the obtained first private key portion to the third network station;
    - the third station is further configured to decrypt the transmitted encrypted first symmetric crypto-key with the second private key portion to recover the first symmetric crypto-key and thereby authenticate the user, to store the decrypted first symmetric crypto-key, to generate the second symmetric crypto-key, to combine the first and the second symmetric crypto-key to form the combination symmetric crypto-key to store the combination symmetric crypto-key, to transmit the second symmetric crypto-key encrypted with the first symmetric crypto-key to the second network station, and to destroy the second symmetric crypto-key; and
      
      the second network station is further configured to decrypt the transmitted encrypted second symmetric crypto-key with the first symmetric crypto-key to recover the second symmetric crypto-key and thereby authenticate the sponsor, to combine the recovered second symmetric crypto-key with the first symmetric crypto-key to form the combination symmetric crypto-key, to store the combination symmetric crypto-key, to encrypt the first private key portion, with the first symmetric crypto-key, to store the encrypted first private key portion, and to destroy the first symmetric crypto-key and the unencrypted first private key portion.

9. A system for accessing multiple different network stations, comprising:
- a first station representing a userhavinga password,an identifier, andan asymmetric crypto-key, includinga first private key portion,a second private key portion anda public key portion, and configuredto transmit a log-in request includingthe user identifier; and
  
  a second station representing a sponsor and configuredto transmit a challenge responsive to the transmitted log-in request;
  
  wherein the first station is further configured(i) to process the user password to obtain the first private key portion,(ii) to encrypta first symmetric crypto-key and the transmitted challenge with the obtained first private key portion to form a first encrypted message, and(iii) to transmit the first encrypted message;
  
  wherein the second station is further configured(i) to decryptthe transmitted first encrypted message with the second private key portion to recover the challenge and the first symmetric crypto-key, thereby authenticating the user,(ii) to combinethe recovered first symmetric crypto-key with a second symmetric crypto-key to form a combined symmetric crypto-key,(iii) to store the combined symmetric crypto-key,(iv) to encryptthe second symmetric crypto-key and a time value with the first symmetric crypto-key to form a second encrypted message, and(v) to transmit the second encrypted message;
  
  wherein the first station is further configured(i) to decryptthe transmitted second encrypted message with the first symmetric crypto-key to recover the second symmetric crypto-key and the time value, thereby authenticating the sponsor,(ii) to combinethe recovered second symmetric crypto-key with the first symmetric crypto-key to form the combined symmetric crypto-key,(iii) to encryptthe first private key portion with the first symmetric crypto-key,(iv) to destroythe first symmetric crypto-key and the obtained first private key portion,(v) to encrypta request for user authentication from another network entity with the combined symmetric crypto-key to form a third encrypted message and(vi) to transmitthe user identifier, message authenticated coded with the combined symmetric crypto-key, andthe third encrypted message;
  
  wherein the second station is further configured(i) to matchthe transmitted user identifier with the previously transmitted user identifier to retrieve the combined symmetric crypto-key,(ii) verifythe MAC with the retrieved combined symmetric crypto-key to verify identity of the user,(iii) to decryptthe third encrypted message with the combined symmetric crypto-key to recover the request for user authentication,(iv) to encryptthe request for user authentication with the second private key portion to form a fourth encrypted message,(v) to encryptthe first symmetric crypto-key and the fourth encrypted message with the combined symmetric crypto-key to form a fifth encrypted message and(vi) to transmit the fifth encrypted message;
  
  wherein the first network station is further configured(i) to decryptthe transmitted fifth encrypted message with the combined symmetric crypto-key to recover the transmitted first symmetric crypto-key and the transmitted fourth encrypted message, and thereby verify an identity of the sponsor,(ii) to decryptthe encrypted first private key portion with the recovered first symmetric crypto-key,(iii) to further encryptthe recovered fourth encrypted message with the decrypted first private key portion to form an authentication message,(iv) to transmit the authentication message tothe other network entity to authenticate the user.

10. A method for accessing multiple different network stations without entry of a password associated with a user also having an associated identifier and an associated asymmetric crypto-key, including a first private key portion obtainable with the password, a second private key portion and a public key portion, comprising:
- receiving a request for authentication of the user;
  
  retrieving from a first memory,without entry of the user password,the user identifier,a combination symmetric crypto-key corresponding toa first symmetric crypto-key anda second symmetric crypto-key, andthe first private key portionencrypted with the first symmetric crypto-key;
  
  encryptingthe transmitted authentication request with the retrieved combination symmetric crypto-key;
  
  transmittingthe retrieved user identifier message authenticated coded with the retrieved combination symmetric crypto-key, andthe received authentication request encrypted with the retrieved combination symmetric crypto-key;
  
  matchingthe transmitted user identifier with a user identifier stored in a second memory, different than the first memory, to retrieve the combination symmetric crypto-key from the second memory;
  
  verifyingthe MAC with the retrieved combination symmetric crypto-key to verify identity of the user;
  
  decryptingthe transmitted encrypted authentication request with the combination symmetric crypto-key to recover the authorization request;
  
  retrievingthe second private key portion and the first symmetric crypto-key from the second memory;
  
  encryptingthe recovered authorization request with the retrieved second private key portion to form an authentication message;
  
  transmittingthe authentication message and the retrieved first symmetric crypto-key, both encrypted with the combination symmetric crypto-key;
  
  decryptingthe transmitted encrypted authentication message and first symmetric crypto-key, withthe combination symmetric crypto-key retrieved from the first memory to recover the authentication message and the first symmetric crypto-key;
  
  decryptingthe retrieved encrypted first private key portion with the recovered first symmetric crypto-key;
  
  encryptingthe recovered authentication message with the decrypted first private key portion to complete the authentication message;
  
  transmitting the completed authentication message; and
  
  decryptingthe transmitted completed authentication message with the user public key to thereby authenticate the user.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. A method according to claim 10, wherein the authentication request is a hash message.
  - 12. A method according to claim 10, further comprising:
    - processing the user password to obtain the first private key portion, prior to receipt of the authentication request.
  - 13. A method according to claim 10, further comprising:
    - XOR'"'"'ing the first symmetric crypto-key with the second symmetric crypto-key to generate the combination symmetric crypto-key.
  - 14. A method according to claim 10, wherein the first symmetric crypto-key is a first random number having a length of 192 bits and the second symmetric crypto-key is a second random number, different than the first random number having a length of 192 bits.
  - 15. A method according to claim 10, further comprising:
    - retrieving a time value, representing a time period for authenticating the user, from the second memory; and
      
      only encrypting the recovered authentication request if the present time is within the time period represented by the retrieved time value.
  - 16. A method according to claim 10, further comprising:
    - generating the first symmetric crypto-key;
      
      transmitting the first symmetric crypto-key encrypted with the obtained first private key portion;
      
      decrypting the transmitted encrypted first symmetric crypto-key with the second private key portion to recover the first symmetric crypto-key and thereby authenticate the user;
      
      storing the decrypted first symmetric crypto-key in the second memory;
      
      generating the second symmetric crypto-key;
      
      combining the first and the second symmetric crypto-key encrypted with the first symmetric crypto-key;
      
      storing the combination symmetric crypto-key in the second memory;
      
      transmitting the second symmetric crypto-key encrypted with the first symmetric crypto-key;
      
      destroying the second symmetric crypto-key;
      
      decrypting the transmitted encrypted second symmetric crypto-key with the first symmetric crypto-key to recover the second symmetric crypto-key and thereby authenticate the sponsor;
      
      combining the recovered second symmetric crypto-key with the first symmetric crypto-key to form the combination symmetric crypto-key;
      
      storing the combination symmetric crypto-key in the first memory;
      
      encrypting the first private key portion with the first symmetric crypto-key;
      
      storing the encrypted first private key portion in the first memory; and
      
      destroying the first symmetric crypto-key used to encrypt the first private key portion and the unencrypted first private key portion.

17. A method for accessing multiple different network stations by a user having a user identifier, a user password and an asymmetric crypto-key, including a first private key portion, a second private key portion and a public key portion;
- transmitting a log-in request including the user identifier;
  
  transmittinga challenge of a sponsor responsive to the transmitted log-in request;
  
  processingthe user password to obtain the first private key portion;
  
  encryptinga first symmetric crypto-key and the transmitted challenge with the obtained first private key portion to form a first encrypted message;
  
  transmitting the first encrypted message;
  
  decryptingthe transmitted first encrypted message with the second private key portion to recover the challenge and the first symmetric crypto.-key, and thereby authenticate the user to the sponsor;
  
  combiningthe recovered first symmetric crypto-key with a second symmetric crypto-key to form a combined symmetric crypto-key;
  
  storingthe combined symmetric crypto-key in a first memory;
  
  encryptingthe second symmetric crypto-key with the first symmetric crypto-key to form a second encrypted message;
  
  transmitting the second encrypted message;
  
  decryptingthe transmitted second encrypted message with the first symmetric crypto-key to recover the second symmetric crypto-key, and thereby authenticate the sponsor to the user;
  
  combiningthe recovered second symmetric crypto-key with the first symmetric crypto-key to form the combined symmetric crypto-key;
  
  storingthe combined symmetric crypto-key in a second memory, different than the first memory;
  
  encryptingthe first private key portion with the first symmetric crypto-key;
  
  destroyingthe first symmetric crypto-key used to encrypt the first private key portion and the obtained first private key portion;
  
  encryptinga request for authentication of the user with the combined symmetric crypto-key to form a third encrypted message;
  
  transmittingthe user identifier, message authenticated coded with the combined symmetric crypto-key, and the third encrypted message;
  
  matchingthe transmitted user identifier with the previously transmitted user identifier to retrieve the combined symmetric crypto-key from the second memory;
  
  verifyingthe transmitted MAC with the retrieved combined symmetric crypto-key to verify an identity of the user;
  
  decryptingthe third encrypted message with the combined symmetric crypto-key to recover the request for user authentication;
  
  encryptingthe request for user authentication with the second private key portion to form a fourth encrypted message;
  
  encryptingthe first symmetric crypto-key and the fourth encrypted message with the combined symmetric crypto-key stored in the first memory to form a fifth encrypted message;
  
  transmitting the fifth encrypted message;
  
  decryptingthe transmitted fifth encrypted message with the combined symmetric crypto-key stored in the second memory to recover the transmitted first symmetric crypto-key and the transmitted fourth encrypted message, and thereby verify an identity of the sponsor;
  
  decryptingthe encrypted first private key portion with the recovered first symmetric crypto-key;
  
  further encryptingthe recovered fourth encrypted message with the decrypted first private key portion to form an authentication message;
  
  transmittingthe authentication message to the other network entity to authenticate the user.

18. A method for accessing multiple different network stations without entry of a password associated with a user having an associated first symmetric crypto-key, an associated second symmetric crypto-key and an associated asymmetric crypto-key, including a first private key portion, a second private key portion and a public key portion, comprising:
- encrypting the first private key portion with the first symmetric crypto-key;
  
  transmitting a request, of a network station, for authentication of the user, encrypted with the second symmetric crypto-key to a sponsor;
  
  decrypting the transmitted encrypted authentication request with the second symmetric crypto-key to recover the authentication request;
  
  encrypting the recovered authentication request with the second private key portion to form an authentication message;
  
  transmitting the authentication message and the first symmetric crypto-key, both encrypted with the second symmetric crypto-key to the user;
  
  decrypting both the transmitted encrypted authentication message and the transmitted encrypted first symmetric crypto-key with the second symmetric crypto-key to recover the authentication message and the first symmetric crypto-key;
  
  decrypting the first private key portion with the recovered first symmetric crypto-key;
  
  transmitting the authentication message encrypted the recovered first symmetric crypto-key to the network station; and
  
  decrypting the transmitted encrypted authentication message with the public key portion to recover the authentication request and thereby authenticate the user to the network station.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VMware, Inc. (Broadcom, Inc.)
Original Assignee
TriCipher, Inc. (Broadcom, Inc.)
Inventors
Sandhu, Ravi, Ganesan, Karuna, deSa, Colin
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
Baum, Ronald

Application Number

US10/849,818
Publication Number

US 20050027989A1
Time in Patent Office

739 Days
Field of Search

None
US Class Current

713/171
CPC Class Codes

H04L 63/045   wherein the sending and rec...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 9/0844   with user authentication or...

H04L 9/3226   using a predetermined code,...

One time password entry to access multiple network sites

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

One time password entry to access multiple network sites

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links