Tunneled authentication protocol for preventing man-in-the-middle attacks
First Claim
1. A method of at least partially authenticating a user on a communications network, the method comprising acts of:
(A) receiving, with a second network device, a first communication from a first network device, wherein the first communication includes a challenge;
(B) in response to receiving the challenge, generating, with the second network device, a preliminary hash value by performing only a first part of a hash function on a first part of the challenge when the second network device received the challenge via a secure network tunnel between the first network device and the second network device, wherein the first part of the challenge is less than the complete challenge;
(C) transmitting a second communication from the second network device to the first network device via the secure network tunnel, the second communication including the preliminary hash value;
(D) applying, with the first network device, a remaining part of the hash function to the preliminary hash value, thereby generating a final hash value; and
(F) authenticating the user based on the final hash value.
2 Assignments
0 Petitions
Abstract
Systems and methods for preventing a Man-in-the-Middle attack on a communications network, without combining encryption keys of an inner authentication protocol and a tunneling protocol encapsulating the inner authentication protocol. The performance of a hash function may be split between two network devices on the communications network. For example, in response to a challenge issued by a tunnel server, a client may initiate performance of a hash function using only a first part of the challenge and generate an intermediate result of the hash function (i.e., a preliminary hash). The client then may transmit the preliminary hash to the tunnel server as part of a response to the challenge. The tunnel server then may complete the hash function using the preliminary hash and the remaining part of the challenge to produce a final hash. The final hash then may be used to authenticate a user.
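As an added illustration, not code from the patent, the following Python simulation walks through the split-hash exchange the abstract describes: the client runs only the first part of the hash function over the first part of the challenge, and does so only when the challenge arrived through the tunnel; the tunnel server then applies the remaining part and the result is compared against an independently computed reference. The shared user secret, the 16-byte split point, and the use of an incremental SHA-256 state as the preliminary hash value are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumptions, not from the patent: the user's secret is mixed into the hash so
# that the final value proves possession of it, and the client hashes only the
# first SPLIT_AT bytes of the challenge itself.
SHARED_SECRET = b"constructed-user-secret"
SPLIT_AT = 16


def client_preliminary_hash(challenge: bytes, via_tunnel: bool):
    """Second network device (client).

    Runs only the first part of the hash function over the first part of the
    challenge, and only if the challenge arrived through the secure tunnel.
    The SHA-256 state object stands in for the preliminary hash value that is
    sent back through the tunnel; the digest is deliberately not finalised."""
    if not via_tunnel:
        return None  # challenge arrived outside the tunnel: no response
    h = hashlib.sha256()
    h.update(SHARED_SECRET)
    h.update(challenge[:SPLIT_AT])
    return h


def server_final_hash(prelim, challenge: bytes) -> bytes:
    """First network device (tunnel server): applies the remaining part of the
    hash function, i.e. feeds the rest of the challenge, and finalises."""
    h = prelim.copy()
    h.update(challenge[SPLIT_AT:])
    return h.digest()


def expected_hash(challenge: bytes) -> bytes:
    """Authenticator's reference value, computed over the whole challenge."""
    return hashlib.sha256(SHARED_SECRET + challenge).digest()


def authenticate(challenge: bytes, via_tunnel: bool) -> bool:
    """Whole exchange: challenge out, preliminary hash back through the
    tunnel, completion on the server, constant-time comparison."""
    prelim = client_preliminary_hash(challenge, via_tunnel)
    if prelim is None:
        return False
    return hmac.compare_digest(server_final_hash(prelim, challenge),
                               expected_hash(challenge))


if __name__ == "__main__":
    c = os.urandom(32)  # constructed challenge
    print("via tunnel:", authenticate(c, True))      # True
    print("outside tunnel:", authenticate(c, False))  # False
```

The incremental update makes the server's finalised digest identical to a one-shot hash over secret and full challenge, which is what lets the authenticator verify it without ever seeing the client's partial state in the clear.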
47 Citations
84 Claims
1. Claim 1 is given in full under First Claim above. Dependent claims: 2 to 17.
18. A system for at least partially authenticating a user on a communications network, the system comprising:
a first network device that transmits a first communication to a second network device, wherein the first communication includes a challenge; a second network device that is configured to receive the challenge, to generate a preliminary hash value by performing only a first part of a hash function on a first part of the challenge when the second network device received the challenge via a secure network tunnel between the first network device and the second network device, wherein the first part of the challenge is less than the complete challenge, and to transmit a second communication from the second network device to the first network device via the secure tunnel, the second communication including the preliminary hash value, wherein the first network device is configured to apply a remaining part of the hash function to the preliminary hash value, thereby generating a final hash value; and an authentication device that authenticates the user based on the final hash value.
Dependent claims: 19 to 36.
37. A system for at least partially authenticating a user on a communications network, the system comprising:
a first communication device operative to transmit a first communication to a second network device, wherein the first communication includes a challenge; and a second network device operative to receive the challenge and to transmit a second communication from the second network device to the first network device via secure network tunnel between the first network device and the second network device, the second communication including a preliminary hash value, wherein the second network device includes means for generating a preliminary hash value by performing only a first part of a hash function on a first part of the challenge when the second network device received the challenge via the secure network tunnel, wherein the first part of the challenge is less than the complete challenge, and wherein the first network device includes means for applying a remaining part of the hash function to the preliminary hash value, thereby producing a final hash value; and an authentication device that comprises means for authenticating the user based on the final hash value.
38. A computer-readable medium having computer-readable signals stored thereon that define instructions that, as a result of being executed by one or more processors of a second network device, cause the one or more processors to:
(A) receive a first communication from a first network device that is configured to authenticate a user of the second network device based on a final hash value generated by applying a remaining part of a hash function to a preliminary hash value, wherein the first communication includes a challenge; (B) generate, in response to receiving the challenge, the preliminary hash value by performing only a first part of the hash function on a first part of the challenge when the second network device received the challenge via a secure network tunnel between the first network device and the second network device, wherein the first part of the challenge is less than the complete challenge; and (C) transmit a second communication to the first network device via the secure network tunnel, the second communication including the preliminary hash value.
39. A method of at least partially authenticating a user on a communications network, the method comprising acts of:
(A) transmitting a first communication from a first network device to a second network device, wherein the first communication includes a challenge; (B) receiving a second communication from the second network device via a secure network tunnel between the first network device and the second network device, the second communication including a preliminary hash value resulting from performance of only a first part of a hash function on a first part of the challenge when the second network device received the challenge via the secure network tunnel, wherein the first part of the challenge is less than the complete challenge; (C) applying, with the first network device, a remaining part of the hash function to the preliminary hash value, thereby generating a final hash value; and (D) authenticating the user based on the final hash value.
Dependent claims: 40 to 51.
52. A tunnel server residing on a first network device of a communications network for at least partially authenticating a user on the communications network, the tunnel server comprising:
a challenge generator to generate a challenge that is transmitted from the first network device to a second network device; a final hash value generator to receive via a secure network tunnel between the first network device and the second network device a preliminary hash value from the second network device, the preliminary hash value resulting from performance of only a first part of a hash function on a first part of the challenge when the second device received the challenge via the secure network tunnel, wherein the first part of the challenge is less than the complete challenge, wherein the final hash value generator is operative to apply a remaining part of the hash function to the preliminary hash value, thereby generating a final hash value; and an authenticator that authenticates the user based on the final hash value.
Dependent claims: 53 to 64.
65. A tunnel server residing on a first network device of a communications network for at least partially authenticating a user on the communications network, the tunnel server comprising:
a challenge generator to generate a challenge that is transmitted from the first network device to a second network device, wherein the tunnel server is operative to receive a preliminary hash value from the second network device via a secure network tunnel between the first network device and the second network device, the preliminary hash value resulting from performance of only a first part of a hash function on a first part of the challenge when the second network device received the challenge via the secure network tunnel, wherein the first part is less than the complete challenge; means for applying a remaining part of the hash function to the preliminary hash value, thereby generating a final hash value; and means for authenticating the user based on the final hash value.
66. A computer-readable medium having computer-readable signals stored thereon that define instructions that, as a result of being executed by a first network device, control the first network device to perform a method of at least partially authenticating a user on a communications network, the method comprising acts of:
(A) transmitting a first communication from the first network device to a second network device, wherein the first communication includes a challenge; (B) receiving a second communication from the second network device to the first network device via a secure network tunnel between the first network device and the second network device, the second communication including a preliminary hash value generated by performing only a first part of a hash function on a first part of the challenge when the second network device received the challenge via the secure network tunnel, wherein the first part of the challenge is less than the complete challenge; and (C) applying a remaining part of the hash function to the preliminary hash value on the first network device, thereby generating a final hash value.
67. A method of at least partially authenticating a user on a communications network in response to a challenge received at a second network device from a first network device, the method comprising acts of:
receiving a challenge from a first network device that is configured to authenticate a user of the second network device based on a final hash value generated by applying a remaining part of a hash function to a preliminary hash value; generating the preliminary hash value by performing only a first part of a hash function on a first part of the challenge when the second network device received the challenge via a secure network tunnel between the first network device and the second network device, wherein the first part of the challenge is less than the complete challenge; and transmitting a communication from the second network device to the first network device via the secure network tunnel, the communication including the preliminary hash value.
Dependent claims: 68 to 74.
75. A client residing on a second network device of a communications network, the client comprising:
an interface that receives a challenge from a first network device that is configured to authenticate a user of the second network device based on a final hash value generated by applying a remaining part of a hash function to a preliminary hash value; a preliminary hash generator to generate the preliminary hash value by performing only a first part of the hash function on a first part of the challenge when the client received the challenge via a secure network tunnel between the first network device and the second network device, wherein the first part of the challenge is less than the complete challenge, wherein the second network device is operative to transmit a communication from the second network device to the first network device via the secure network tunnel, the communication including the preliminary hash value.
Dependent claims: 76 to 82.
83. A client residing on a second network device of a communications network, the client comprising:
means for receiving a challenge from a first network device that is configured to authenticate a user of the second network device based on a final hash value generated by applying a remaining part of a hash function to a preliminary hash value; means for generating the preliminary hash value by performing only a first part of the hash function on a first part of the challenge when the client received the challenge via a secure network tunnel between the first network device and the second network device, wherein the first part is less than the complete challenge, wherein the second network device is operative to transmit a communication from the second network device to the first network device via the secure network tunnel, the communication including the preliminary hash value.
84. A computer-readable medium having computer-readable signals stored thereon that define instructions that, as a result of being executed by a second network device, control the second network device to:
receive a challenge from a first network device that is configured to authenticate a user of the second network device based on a final hash value generated by applying a remaining part of a hash function to a preliminary hash value; generate the preliminary hash value by performing only a first part of the hash function on a first part of the challenge when the second network device received the challenge via a secure network tunnel between the first network device and the second network device, wherein the first part of the challenge is less than the complete challenge; and transmit a communication from the second network device to the first network device via the secure network tunnel, the second communication including the preliminary hash value.
Specification