Systems, methods and software for remote password authentication using multiple servers
Abstract
Systems, methods and software are disclosed that enable multiple servers to verify a password without providing any single server, client or network attacker with the ability to validate guesses for the password off-line. Password security is maintained in a very simple model, requiring no previously secured or server-authenticated channel between the client and any servers. Data that is protected by a small password, and no other keys, remains secret even against an enemy that compromises any, but not all, of two or more cooperating authenticating servers.
21 Claims
1. A system that provides for remote password authentication, comprising:
- a client;
- a plurality of authentication servers;
- a network interconnecting the client computer and plurality of authentication servers; and
- a memory, coupled to the client, the memory maintaining instructions that when executed by the client, cause the client to receive a password, transmit a unique random value y_i to each of the servers, derive a group element (P) from the password, send a blinded password value (P^x) to the servers, receive blinded key shares (P^(xy_i)) from the servers, unblind and combine the key shares to create a master key (K_m), and decrypt encrypted private data using the master key (K_m).
Dependent claims: 2, 3, 4, 5, 6, 7
8. A method that provides for remote password authentication using a system including a client, a plurality of authentication servers, and a network interconnecting the client and the plurality of authentication servers, the method comprising the steps of:
- receiving a password;
- deriving group elements (P) from the password;
- sending blinded password value (P^x) to the servers;
- receiving blinded key shares (P^(xy_i)) from the servers;
- unblinding and combining the key shares to create a master key (K_m); and
- decrypting encrypted private data using the master key (K_m).
Dependent claims: 9, 10, 11, 12, 13, 14
15. A computer program embodied on a computer-readable medium for enabling remote password authentication in a multiple-server system including a client, a plurality of authentication servers, and a network interconnecting the client and the plurality of authentication servers, the computer program comprising:
- a code segment that enters a password;
- a data storage area that contains a unique random value y_i on each of the servers;
- a code segment that derives a group element (P) from the password;
- a code segment that sends blinded password value (P^x) to the servers;
- a code segment that provides for receiving blinded key shares (P^(xy_i)) from the servers;
- a code segment that unblinds and combines the shares to create a master key (K_m); and
- a code segment that decrypts encrypted private data on the client computer using the master key (K_m).
Dependent claims: 16, 17, 18, 19, 20, 21
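The blinding round recited in claims 1, 8 and 15, from deriving P through combining the unblinded shares into K_m, written out as an added Python example that is not taken from the patent. Assumptions not on the page: the 768-bit RFC 2409 Oakley Group 1 safe prime (demonstration size only), SHAKE-256 hash-then-square to derive P, SHA-256 over the concatenated shares as the combining step, and all function names.

```python
import hashlib, secrets

# Assumption: 768-bit Oakley Group 1 safe prime from RFC 2409 (p = 2q + 1),
# used only to keep the demo short; the page does not name a group.
p = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
q = (p - 1) // 2  # prime order of the subgroup of squares

def derive_P(password: str) -> int:
    """Derive group element P: hash the password, then square into the order-q subgroup."""
    h = int.from_bytes(hashlib.shake_256(password.encode()).digest(128), "big") % p
    P = pow(h, 2, p)
    if P in (0, 1):
        raise ValueError("degenerate group element")
    return P

def server_share(blinded: int, y_i: int) -> int:
    """Server i: return blinded^y_i. It sees only P^x, never P or the password."""
    if not 1 < blinded < p - 1 or pow(blinded, q, p) != 1:
        raise ValueError("value is not in the order-q subgroup")
    return pow(blinded, y_i, p)

def unblind(share: int, x: int) -> int:
    """Client: (P^(x*y_i))^(1/x mod q) = P^(y_i)."""
    return pow(share, pow(x, -1, q), p)

def regenerate_master_key(password: str, servers) -> bytes:
    """Client: blind P with a fresh x, query each server, unblind, combine into K_m."""
    P = derive_P(password)
    x = secrets.randbelow(q - 1) + 1          # fresh blinding exponent in [1, q-1]
    blinded = pow(P, x, p)                    # P^x is the only value sent
    shares = [unblind(srv(blinded), x) for srv in servers]
    # Assumption: shares are combined by hashing their concatenation.
    return hashlib.sha256(b"".join(s.to_bytes(96, "big") for s in shares)).digest()

# Constructed demo: two servers, each holding an independent secret y_i.
ys = [secrets.randbelow(q - 1) + 1 for _ in range(2)]
servers = [lambda b, y=y: server_share(b, y) for y in ys]

if __name__ == "__main__":
    k_m = regenerate_master_key("correct horse", servers)
    print("same password, new x, same K_m:", k_m == regenerate_master_key("correct horse", servers))
    print("wrong password, same K_m:", k_m == regenerate_master_key("wrong horse", servers))
```

Because x is fresh on every run, the servers and the network see a different P^x each time, while K_m depends only on the password and every server's y_i.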
Specification