Computer network security system employing portable storage device
First Claim
1. A security system for controlling access to a trusted computer network by a client computer, comprising:
a bastion host that controls access to said trusted computer network;
a first data store associated with said bastion host and configured to store a set of key-password pairs;
a portable storage device;
a second data store associated with said portable storage device and configured to store passwords represented in said key-password pairs;
a user operable initialization mechanism that interfaces with said first and second data stores, said initialization mechanism generating and storing said key-password pairs in said first data store and generating and storing said passwords in said second data store;
an authentication mechanism having a first component associated with said bastion host and having a second component associated with said client computer;
said first component being configured to communicate a password-specific key associated with one of said key-password pairs to said second component;
said second component being configured to access said second data store and retrieve at least one password represented in said key-password pair;
said second component being further configured to communicate said at least one password to said first component based on input from the user and based on said password-specific key communicated from said first component;
wherein said second component is further configured to prompt a user to provide an identification value, retrieve a symmetric key from a protected area within said portable storage device that is only accessible upon authentication of said portable storage device, produce an encrypted identification value by encrypting said second identification value with said symmetric key, and retrieve the password by decrypting a corresponding encrypted value in said second datastore using a combination of the encrypted identification value and the password-specific key.
Abstract
The trusted computer network is protected behind a gateway that includes a bastion host and screening router which blocks all URLs associated with the trusted network. The bastion host includes a remote client authentication mechanism and web proxy component that verifies and translates incoming URL requests from authenticated remote clients. Authentication is performed using one-time passwords that are stored on a portable storage device. The user configures the portable storage device by operating configuration software from the protected side of the gateway. The portable storage device also stores plug-in software to enable the client computer to properly retrieve the one-time password and exchange authentication messages with the bastion host. Further security is obtained by basing the one-time password on an encrypted version of the user's PIN. A symmetric key used to encrypt the PIN is stored in a protected area within the portable storage device.
92 Citations
49 Claims
1. A security system for controlling access to a trusted computer network by a client computer, comprising the elements set out under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 23.
11. A security system comprising:
a gateway device situated between a trusted network and an untrusted network, which stores a set of N password-key pairs, N being an integer greater than one;
a portable storage device that stores a set of N encrypted values; and
a remote client that communicates with said gateway device via the untrusted network and accesses said portable storage device, wherein said remote client receives a password-specific key of one of said set of password-key pairs from said gateway device, requests an identification value from a user, decrypts a corresponding encrypted value from said set of encrypted values using a combination of said identification value and said password-specific key, and transmits a result of said decryption to said gateway device, and wherein said gateway device authenticates said remote client if said result is equal to a password of said one of said set of password-key pairs;
wherein said remote client requests a first identification value from a user and sends it to said gateway device as a condition precedent to receipt of an index value and the password-specific key of one of said set of password-key pairs from said gateway device, receives the index value and the password-specific key from said gateway device, requests a second identification value from the user, retrieves a symmetric key from a protected area within said portable storage device that is only accessible upon authentication of said portable storage device, produces an encrypted identification value by encrypting said second identification value with said symmetric key, uses the index to identify a corresponding encrypted value from the set of encrypted values, and decrypts the corresponding encrypted value using a combination of the encrypted identification value and the password-specific key.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 24, 25, 26.
27. A security method comprising:
storing a set of N password-key pairs in a gateway device situated between a trusted network and an untrusted network, N being an integer greater than one;
storing a set of N encrypted values in a portable storage device;
placing the portable storage device in communication with a remote client;
communicating between the remote client and the gateway device via the untrusted network;
sending a password-specific key of one of said set of password-key pairs to the remote client;
requesting an identification value from a user of the remote client;
creating a combination of said identification value and said password-specific key;
decrypting a corresponding encrypted value from said set of encrypted values using said combination;
transmitting a result of said decryption to the gateway device;
authenticating the remote client if said result is equal to a password of said one of said set of password-key pairs;
further comprising requesting said identification value from the user, and wherein said generating includes generating said set of encrypted values from said identification value and said set of password-key pairs;
wherein said generating includes generating each of said set of encrypted values by encrypting a respective password of said set of password-key pairs with a combination of a respective key of said set of password-key pairs and said identification value;
wherein said generating includes encrypting said identification value with a symmetric key;
further comprising storing the symmetric key in a protected area of the portable storage device that is only accessible upon authentication of the portable storage device; and
encrypting the identification value with the symmetric key stored on the portable device prior to said creating the combination, said decrypting, and said transmitting.
Dependent claims: 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39.
40. A gateway device situated between a trusted network and an untrusted network, comprising:
a firewall module that restricts access to the trusted network;
a storage module that stores a set of N password-key pairs, N being an integer greater than one;
an initialization module that generates said set of password-key pairs, requests an identification value from a user, generates a set of N encrypted values from said set of password-key pairs and said identification value, and is capable of communicating said set of encrypted values to a portable storage device when the portable storage device is in secure communication with said gateway device;
an authentication module that sends a password-specific key of one of said set of password-key pairs to a remote client over the untrusted network, receives a decryption result from the remote client, and authenticates the remote client if said decryption result is equal to a password of said one of said set of password-key pairs;
wherein said initialization module generates each of said set of encrypted values by encrypting a respective password of said set of password-key pairs with a combination of a respective key of said set of password-key pairs and said identification value;
wherein said combination of said respective key and said identification value includes a function of said identification value encrypted with a symmetric key and said respective key; and
wherein said initialization module stores the symmetric key in a protected area of the portable storage device that is only accessible upon authentication of the portable storage device.
Dependent claims: 41, 42, 43, 44, 45, 46, 47, 48, 49.
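The initialization and authentication flow recited in claims 1, 11, 27 and 40, modelled end to end as an added Python example that is not part of the patent. The claims name no cipher, so an HMAC-SHA256 keystream stands in for the symmetric encryption; the device PIN guarding the protected area, the user PIN, and N=4 are assumptions.

```python
import hashlib, hmac, secrets
def keystream_xor(key, data):
    """XOR data with an HMAC-SHA256 keystream: stand-in for the unspecified cipher."""
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def combine(encrypted_id, key_i):
    # The claims' "combination" of encrypted identification value and password-specific key.
    return hashlib.sha256(encrypted_id + key_i).digest()

class PortableDevice:
    """Second data store: N encrypted values plus a protected area holding the symmetric key."""
    def __init__(self, sym_key, device_pin, values):
        self._sym_key, self._device_pin, self.encrypted_values = sym_key, device_pin, values
    def read_symmetric_key(self, device_pin):
        # The protected area opens only after the device itself is authenticated (assumed PIN).
        if not hmac.compare_digest(device_pin.encode(), self._device_pin.encode()):
            raise PermissionError("protected area locked")
        return self._sym_key

class Gateway:
    """Bastion host: first data store of N key-password pairs, each usable once."""
    def __init__(self, n=4):
        self.pairs = [(secrets.token_bytes(16), secrets.token_bytes(16)) for _ in range(n)]
        self.used = [False] * n

    def provision(self, user_pin, device_pin):
        """Initialization mechanism, run from the trusted side of the gateway."""
        sym_key = secrets.token_bytes(32)
        enc_id = keystream_xor(sym_key, user_pin.encode())
        values = [keystream_xor(combine(enc_id, k), pw) for k, pw in self.pairs]
        return PortableDevice(sym_key, device_pin, values)

    def challenge(self):
        """Index and password-specific key of the next unused pair (ValueError once exhausted)."""
        index = self.used.index(False)
        return index, self.pairs[index][0]

    def verify(self, index, result):
        if self.used[index]:
            return False           # replay of a consumed index
        self.used[index] = True    # one-time: burn the index on any attempt, match or not
        return hmac.compare_digest(result, self.pairs[index][1])

def client_authenticate(gw, dev, user_pin, device_pin):
    """Client-side plug-in: decrypt the indexed value and send the result to the gateway."""
    index, key_i = gw.challenge()
    enc_id = keystream_xor(dev.read_symmetric_key(device_pin), user_pin.encode())
    return gw.verify(index, keystream_xor(combine(enc_id, key_i), dev.encrypted_values[index]))
```

A wrong user PIN yields a wrong decryption result and still consumes the challenged index, so an attacker holding the device gets no offline oracle against the stored values.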