Computer network security system employing portable storage device

US 7,228,438 B2
Filed: 10/23/2001
Issued: 06/05/2007
Est. Priority Date: 04/30/2001
Status: Active Grant

First Claim

Patent Images

1. A security system for controlling access to a trusted computer network by a client computer, comprising:

a bastion host that controls access to said trusted computer network;

a first data store associated with said bastion host and configured to store a set of key-password pairs;

a portable storage device;

a second data store associated with said portable storage device and configured to store passwords represented in said key-password pairs;

a user operable initialization mechanism that interfaces with said first and second data stores, said initialization mechanism generating and storing said key-password pairs in said first data store and generating and storing said passwords in said second data store;

an authentication mechanism having a first component associated with said bastion host and having a second component associated with said client computer;

said first component being configured to communicate a password-specific key associated with one of said key-password pairs to said second component;

said second component being configured to access said second data store and retrieve at least one password represented in said key-password pair;

said second component being further configured to communicate said at least one password to said first component based on input from the user and based on said password-specific key communicated from said first component;

wherein said second component is further configured to prompt a user to provide an identification value, retrieve a symmetric key from a protected area within said portable storage device that is only accessible upon authentication of said portable storage device, produce an encrypted identification value by encrypting said second identification value with said symmetric key, and retrieve the password by decrypting a corresponding encrypted value in said second datastore using a combination of the encrypted identification value and the password-specific key.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The trusted computer network is protected behind a gateway that includes a bastion host and screening router which blocks all URLs associated with the trusted network. The bastion host includes a remote client authentication mechanism and web proxy component that verifies and translates incoming URL requests from authenticated remote clients. Authentication is performed using one-time passwords that are stored on a portable storage device. The user configures the portable storage device by operating configuration software from the protected side of the gateway. The portable storage device also stores plug-in software to enable the client computer to properly retrieve the one-time password and exchange authentication messages with the bastion host. Further security is obtained by basing the one-time password on an encrypted version of the user'"'"'s PIN. A symmetric key used to encrypt the PIN is stored in a protected area within the portable storage device.

92 Citations

View as Search Results

49 Claims

1. A security system for controlling access to a trusted computer network by a client computer, comprising:
- a bastion host that controls access to said trusted computer network;
  
  a first data store associated with said bastion host and configured to store a set of key-password pairs;
  
  a portable storage device;
  
  a second data store associated with said portable storage device and configured to store passwords represented in said key-password pairs;
  
  a user operable initialization mechanism that interfaces with said first and second data stores, said initialization mechanism generating and storing said key-password pairs in said first data store and generating and storing said passwords in said second data store;
  
  an authentication mechanism having a first component associated with said bastion host and having a second component associated with said client computer;
  
  said first component being configured to communicate a password-specific key associated with one of said key-password pairs to said second component;
  
  said second component being configured to access said second data store and retrieve at least one password represented in said key-password pair;
  
  said second component being further configured to communicate said at least one password to said first component based on input from the user and based on said password-specific key communicated from said first component;
  
  wherein said second component is further configured to prompt a user to provide an identification value, retrieve a symmetric key from a protected area within said portable storage device that is only accessible upon authentication of said portable storage device, produce an encrypted identification value by encrypting said second identification value with said symmetric key, and retrieve the password by decrypting a corresponding encrypted value in said second datastore using a combination of the encrypted identification value and the password-specific key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 23)
- - 2. The system of claim 1 further comprising a key management system that encrypts and stores said passwords in said second data store.
  - 3. The system of claim 1 wherein said passwords stored in said second data store are encrypted and said second component is configured to decrypt and communicate said at least one password to said first component.
  - 4. The system of claim 1 wherein said portable storage device is a non-volatile memory device.
  - 5. The system of claim 1 wherein said portable storage device is an optical disk.
  - 6. The system of claim 1 further comprising a screening router system that blocks interaction with said trusted computer network.
  - 7. The system of claim 6 further comprising a proxy system that integrates with said screening router to permit interaction with said trusted computer network under control of said authentication mechanism.
  - 8. The system of claim 1 further comprising a session management system that restricts interaction with said trusted computer network to an authenticated active session.
  - 9. The system of claim 1 further comprising a session management system that restricts interaction with said trusted computer network to predetermined time duration.
  - 10. The system of claim 1 further comprising a plug-in module stored on said portable storage device and accessible to said client computer to provide said client computer with instructions in implementing said second component of said authentication mechanism.
  - 23. The security system of claim 2 wherein said function is a bitwise exclusive-or.

11. A security system comprising:
- a gateway device situated between a trusted network and an untrusted network, which stores a set of N password-key pairs, N being an integer greater than one;
  
  a portable storage device that stores a set of N encrypted values; and
  
  a remote client that communicates with said gateway device via the untrusted network and accesses said portable storage device,wherein said remote client receives a password-specific key of one of said set of password-key pairs from said gateway device, requests an identification value from a user, decrypts a corresponding encrypted value from said set of encrypted values using a combination of said identification value and said password-specific key, and transmits a result of said decryption to said gateway device, and wherein said gateway device authenticates said remote client if said result is equal to a password of said one of said set of password-key pairs;
  
  wherein said remote client requests a first identification value from a user and sends it to said gateway device as a condition precedent to receipt of an index value and the password-specific key of one of said set of password-key pairs from said gateway device, receives the index value and the password-specific key from said gateway device, requests a second identification value from the user, retrieves a symmetric key from a protected area within said portable storage device that is only accessible upon authentication of said portable storage device, produces an encrypted identification value by encrypting said second identification value with said symmetric key, uses the index to identify a corresponding encrypted value from the set of encrypted values, and decrypts the corresponding encrypted value using a combination of the encrypted identification value and the password-specific key.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 24, 25, 26)
- - 12. The security system of claim 11 wherein said gateway device includes an initialization module that generates said set of password-key pairs.
  - 13. The security system of claim 11 wherein said gateway device includes an initialization module that generates said set of encrypted values.
  - 14. The security system of claim 13 wherein said initialization module requests said identification value from the user, and generates said set of encrypted values from said identification value and said set of password-key pairs.
  - 15. The security system of claim 14 wherein said initialization module generates each of said set of encrypted values by encrypting a respective password of said set of password-key pairs with a combination of a respective key of said set of password-key pairs and said identification value.
  - 16. The security system of claim 15 wherein said combination of said respective key and said identification value includes a function of said respective key and said identification value encrypted with a symmetric key.
  - 17. The security system of claim 16 wherein said function is a bitwise exclusive-or.
  - 18. The security system of claim 11 wherein said set of password-key pairs is numbered, said one of said set of password-key pairs is associated with an index number i, said gateway device sends said index number i to said remote client, and said corresponding encrypted value is selected from said set of encrypted values using said index number i.
  - 19. The security system of claim 11 wherein said gateway device filters out all packets bound for the trusted network, except for packets from said remote client once said remote client has been authenticated by said gateway device.
  - 20. The security system of claim 11 wherein said gateway device revokes authentication of said remote client after a predetermined period.
  - 21. The security system of claim 11 wherein said gateway device and said remote client communicate using a Secure Sockets Layer connection.
  - 22. The security system of claim 11 wherein said combination of said identification value and said key includes a function of said key and said identification value encrypted with a symmetric key.
  - 24. The security system of claim 11 wherein said gateway device uses each of said set of password-key pairs at most once.
  - 25. The security system of claim 11 wherein said gateway device includes an initialization module that generates said set of password-key pairs and said set of encrypted values, and stores said set of encrypted values into said portable storage device when said portable storage device is-within a perimeter of said trusted network.
  - 26. The security system of claim 11 wherein said portable storage device is associated with a user identifier, said remote client communicates said user identifier to said gateway device, and said gateway device stores a set of password-key pairs for each user identifier.

27. A security method comprising:
- storing a set of N password-key pairs in a gateway device situated between a trusted network and an untrusted network, N being an integer greater than one;
  
  storing a set of N encrypted values in a portable storage device;
  
  placing the portable storage device in communication with a remote client;
  
  communicating between the remote client and the gateway device via the untrusted network;
  
  sending a password-specific key_of one of said set of password-key pairs to the remote client;
  
  requesting an identification value from a user of the remote client;
  
  creating a combination of said identification value and said password-specific key;
  
  decrypting a corresponding encrypted value from said set of encrypted values using said combination;
  
  transmitting a result of said decryption to the gateway device;
  
  authenticating the remote client if said result is equal to a password of said one of said set of password-key pairs;
  
  further comprising requesting said identification value from the user, and wherein said generating includes generating said set of encrypted values from said identification value and said set of password-key pairs;
  
  wherein said generating includes generating each of said set of encrypted values by encrypting a respective password of said set of password-key pairs with a combination of a respective key of said set of password-key pairs and said identification value;
  
  wherein said generating includes encrypting said identification value with a symmetric key;
  
  further comprising storing the symmetric key in a protected area of the portable storage device that is only accessible upon authentication of the portable storage device; and
  
  encrypting the identification value with the symmetric key stored on the portable device prior to said creating the combination, said decrypting, and said transmitting.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 28. The method of claim 27 further comprising generating said set of password-key pairs.
  - 29. The method of claim 27 further comprising generating said set of encrypted values.
  - 30. The method of claim 27 wherein said generating includes combining said encrypted identification value with said respective key using a bitwise exclusive-or.
  - 31. The method of claim 27 further comprising:
    - assigning each of said set of password-key pairs an index number, wherein said one of said set of password-key pairs is associated with an index number i;
      
      sending said index number i to the remote client; and
      
      selecting said corresponding encrypted value from said set of encrypted values using said index number i.
  - 32. The method of claim 27 further comprising filtering out all packets bound for the trusted network, except for packets from the remote client once the remote client has been authenticated by the gateway device.
  - 33. The method of claim 27 further comprising revoking authentication of the remote client after a predetermined period.
  - 34. The method of claim 27 further comprising establishing a Secure Sockets Layer connection between the gateway device and the remote client.
  - 35. The method of claim 27 wherein said creating includes evaluating a function of said key and said identification value encrypted with a symmetric key.
  - 36. The method of claim 35 wherein said function is a bitwise exclusive-or.
  - 37. The method of claim 27 wherein said sending uses each of said set of password-key pairs at most once.
  - 38. The method of claim 27 further comprising generating said set of password-key pairs and said set of encrypted values, and storing said set of encrypted values into the portable storage device when the portable storage device is within a perimeter of said trusted network.
  - 39. The method of claim 27 wherein the portable storage device is associated with a user identifier, and further comprising communicating said user identifier to the gateway device, and storing a set of password-key pairs in the gateway device for each user identifier.

40. A gateway device situated between a trusted network and an untrusted network, comprising:
- a firewall module that restricts access to the trusted network;
  
  a storage module that stores a set of N password-key pairs, N being an integer greater than one;
  
  an initialization module that generates said set of password-key pairs, requests an identification value from a user, generates a set of N encrypted values from said set of password-key pairs and said identification value, and is capable of communicating said set of encrypted values to a portable storage device when the portable storage device is in secure communication with said gateway device;
  
  an authentication module that sends a password-specific key of one of said set of password-key pairs to a remote client over the untrusted network, receives a decryption result from the remote client, and authenticates the remote client if said decryption result is equal to a password of said one of said set of password-key pairs;
  
  wherein said initialization module generates each of said set of encrypted values by encrypting a respective password of said set of password-key pairs with a combination of a respective key of said set of password-key pairs and said identification value;
  
  wherein said combination of said respective key and said identification value includes a function of said identification value encrypted with a symmetric key and said respective key; and
  
  wherein said initialization module stores the symmetric key in a protected area of the portable storage device that is only accessible upon authentication of the portable storage device.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48, 49)
- - 41. The gateway device of claim 40 wherein said function is a bitwise exclusive-or.
  - 42. The gateway device of claim 40 wherein said set of password-key pairs is numbered, said one of said set of password-key pairs is associated with an index number i, and said authentication module sends said index number i to the remote client.
  - 43. The gateway device of claim 40 wherein said firewall module filters out all packets bound for the trusted network, except for packets from the remote client once the remote client has been authenticated.
  - 44. The gateway device of claim 40 wherein said authentication module revokes authentication of the remote client after a predetermined period.
  - 45. The gateway device of claim 40 wherein said gateway establishes a Secure Sockets Layer connection with the remote client.
  - 46. The gateway device of claim 40 wherein said authentication module uses each of said set of password-key pairs at most once.
  - 47. The gateway device of claim 40 wherein said storage module stores a plurality of sets of password-key pairs including said set of password-key pairs, each associated with a unique user identifier.
  - 48. The gateway device of claim 47 wherein said initialization module assigns a corresponding user identifier to the portable storage device.
  - 49. The gateway device of claim 40 wherein secure communication between the portable storage device and said gateway device is established by location of said portable storage device within a perimeter of said trusted network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sovereign Peak Ventures, LLC (Dominion Harbor Enterprises, LLC)
Original Assignee
Matsushita Electric Industrial Company Limited (Panasonic Holdings Corporation)
Inventors
Bushmitch, Dennis, Narayanan, Sathya, Memon, Nasir
Primary Examiner(s)
Revak; Christopher
Assistant Examiner(s)
Abrishamkar; Kaveh

Application Number

US10/001,687
Publication Number

US 20020159601A1
Time in Patent Office

2,051 Days
Field of Search

713/193, 713/153, 726/12, 726/13
US Class Current

713/193
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0435   wherein the sending and rec...

H04L 63/064   Hierarchical key distributi...

H04L 63/0838   using one-time-passwords

H04L 63/166   at the transport layer

H04L 9/40   Network security protocols

Computer network security system employing portable storage device

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

92 Citations

49 Claims

Specification

Use Cases

Quick Links

Others

Computer network security system employing portable storage device

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

92 Citations

49 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others