Challenge-based authentication without requiring knowledge of secret authentication data

US 7,519,815 B2
Filed: 08/13/2004
Issued: 04/14/2009
Est. Priority Date: 10/29/2003
Status: Expired due to Fees

First Claim

Patent Images

1. In an environment that includes an authenticatee computing entity, a supplemental authenticatee computing entity, an authenticator computing entity, and a supplemental authenticator computing entity, a method for the authenticator computing entity to authenticate to the authenticatee computing entity using challenge based authentication and without requiring the authenticatee and authenticator computing entities be aware of secret data used for the authentication, the method comprising the following:

an act of the authenticatee computing entity generating secret key data that is not known to the supplemental authenticatee, authenticator or supplemental authenticator computing entities;

an act of the authenticatee computing entity providing the secret key data to the supplemental authenticatee computing entity thereby informing the supplemental authenticatee computing entity of the secret key data;

an act of the supplemental authenticatee computing entity encrypting the secret key data using secret data known to the supplemental authenticatee and supplemental authenticator computing entities, but not known to the authenticatee and authenticator computing entities, the secret data for use in protecting a proper answer to a challenge based on the secret key data;

an act of the authenticatee computing entity acquiring the challenge along with the encrypted secret key data from the supplemental authenticatee computing entity;

an act of the authenticatee computing entity providing the challenge along with the encrypted secret key data to the authenticator computing entity;

an act of the authenticator computing entity providing the challenge along with encrypted secret key data to the supplemental authenticator computing entity;

an act of the supplemental authenticator computing entity decrypting the encrypted secret key data using the secret data known to the supplemental authenticatee and supplemental authenticator computing entities thereby informing the supplemental authenticator computing entity of the secret key data;

an act of the supplemental authenticator computing entity using the secret key data to create a purported answer to the challenge;

an act of the authenticator computing entity acquiring the purported answer to the challenge from the supplemental authenticator computing entity;

an act of the authenticator computing entity providing the purported answer to the authenticatee computing entity; and

an act of the authenticatee computing entity comparing the purported answer to the proper answer to authenticate the authenticator computing entity at the authenticatee computing entity without having to generate an answer to the challenge at the authenticatee computing entity.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A challenge based authentication mechanism that does not require that the authenticating computing entities be aware of the secret data used for the initial authentication. An authenticator computing entity is to authenticate to the authenticatee computing entity. First, the authenticatee computing entity acquires a challenge from a supplemental authenticatee computing entity. The authenticatee computing entity provides the challenge to the authenticator computing entity, which has a supplemental authenticator computing entity solve the challenge. The authenticator computing entity sends the answer to the authenticatee computing entity, which uses the answer to authenticate the authenticator computing entity.

28 Citations

View as Search Results

37 Claims

1. In an environment that includes an authenticatee computing entity, a supplemental authenticatee computing entity, an authenticator computing entity, and a supplemental authenticator computing entity, a method for the authenticator computing entity to authenticate to the authenticatee computing entity using challenge based authentication and without requiring the authenticatee and authenticator computing entities be aware of secret data used for the authentication, the method comprising the following:
- an act of the authenticatee computing entity generating secret key data that is not known to the supplemental authenticatee, authenticator or supplemental authenticator computing entities;
  
  an act of the authenticatee computing entity providing the secret key data to the supplemental authenticatee computing entity thereby informing the supplemental authenticatee computing entity of the secret key data;
  
  an act of the supplemental authenticatee computing entity encrypting the secret key data using secret data known to the supplemental authenticatee and supplemental authenticator computing entities, but not known to the authenticatee and authenticator computing entities, the secret data for use in protecting a proper answer to a challenge based on the secret key data;
  
  an act of the authenticatee computing entity acquiring the challenge along with the encrypted secret key data from the supplemental authenticatee computing entity;
  
  an act of the authenticatee computing entity providing the challenge along with the encrypted secret key data to the authenticator computing entity;
  
  an act of the authenticator computing entity providing the challenge along with encrypted secret key data to the supplemental authenticator computing entity;
  
  an act of the supplemental authenticator computing entity decrypting the encrypted secret key data using the secret data known to the supplemental authenticatee and supplemental authenticator computing entities thereby informing the supplemental authenticator computing entity of the secret key data;
  
  an act of the supplemental authenticator computing entity using the secret key data to create a purported answer to the challenge;
  
  an act of the authenticator computing entity acquiring the purported answer to the challenge from the supplemental authenticator computing entity;
  
  an act of the authenticator computing entity providing the purported answer to the authenticatee computing entity; and
  
  an act of the authenticatee computing entity comparing the purported answer to the proper answer to authenticate the authenticator computing entity at the authenticatee computing entity without having to generate an answer to the challenge at the authenticatee computing entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. A method in accordance with claim 1, wherein the act of the authenticatee computing entity acquiring a challenge from the supplemental authenticatee computing entity comprises the following:
    - an act of the authenticatee computing entity providing a challenge request to the supplemental authenticatee computing entity;
      
      an act of the supplemental authenticatee computing entity generating a challenge in response to the challenge request; and
      
      an act of the supplemental authenticatee computing entity providing the challenge to the authenticatee computing entity in response to the request.
  - 3. A method in accordance with claim 2, wherein the act of the authenticator computing entity acquiring purported answer to the challenge from the supplemental authenticator computing entity comprises the following:
    - an act of the authenticator computing entity providing the challenge to the supplemental authenticator computing entity; and
      
      an act of the supplemental authenticator computing entity determining purported answer to the challenge; and
      
      an act of the supplemental authenticator computing entity providing the purported answer to the authenticator computing entity.
  - 4. A method in accordance with claim 1, further comprising:
    - an act of the supplemental authenticatee computing entity providing the challenge along with encrypted secret key data to the authenticatee computing entity.
  - 5. A method in accordance with claim 4, further comprising the following:
    - an act of the authenticatee and authenticator computing entities communicating using messages that are at least partially secured using the secret key data.
  - 6. A method in accordance with claim 4, wherein the act of the authenticatee computing entity providing the challenge to the authenticator computing entity and the act of the authenticatee computing entity providing the encrypted secret key data to the authenticator computing entity are performed by the authenticatee computing entity providing a single message that includes both the challenge and the encrypted secret key data to the authenticator computing entity.
  - 7. A method in accordance with claim 4, further comprising the following:
    - an act of the authenticatee computing entity generating a digest of the secret key data combined with one or more other data items;
      
      an act of the authenticator computing entity also generating the digest of the secret key data combined with the one or more other data items; and
      
      an act of the authenticatee and authenticator computing entities communicating using messages that are at least partially secured using the digest.
  - 8. A method in accordance with claim 7, wherein the one or more other data items includes the challenge.
  - 9. A method in accordance with claim 8, wherein the one or more other data items includes the purported answer.
  - 10. A method in accordance with claim 9, wherein the secret key data is first secret key data, wherein the one or more other data items includes second secret key data known to the authenticatee and authenticator computing entities, but not known to the supplemental authenticatee and supplemental authenticator computing entities.
  - 11. A method in accordance with claim 7, wherein the one or more other data items includes the purported answer.
  - 12. A method in accordance with claim 11, wherein the secret key data is first secret key data, wherein the one or more other data items includes second secret key data known to the authenticatee and authenticator computing entities, but not known to the supplemental authenticatee and supplemental authenticator computing entities.
  - 13. A method in accordance with claim 7, wherein the secret key data is first secret key data, wherein the one or more other data items includes second secret key data known to the authenticatee and authenticator computing entities, but not known to the supplemental authenticatee and supplemental authenticator computing entities.
  - 14. A method in accordance with claim 4, wherein the secret key data is first secret key data, the method further comprising:
    - an act of the authenticator computing entity generating second secret key data;
      
      an act of the authenticator computing entity providing the second secret key data to the supplemental authenticator computing entity;
      
      an act of the supplemental authenticator computing entity encrypting the second secret key data using the secret data known to the supplemental authenticatee and supplemental authenticator computing entities;
      
      an act of the supplemental authenticator computing entity providing the encrypted second secret key data to the authenticator computing entity;
      
      an act of the authenticator computing entity providing the encrypted second secret key data to the authenticatee computing entity;
      
      an act of the authenticatee computing entity providing the encrypted second secret key data to the supplemental authenticatee computing entity;
      
      an act of the supplemental authenticatee computing entity decrypting the encrypted second secret key data using the secret data known to the supplemental authenticatee and supplemental authenticator computing entities; and
      
      an act of the supplemental authenticatee computing entity providing the second secret key data to the authenticatee computing entity.
  - 15. A method in accordance with claim 14, further comprising the following:
    - an act of the authenticatee computing entity generating a digest of the first and second secret key data combined with one or more other data items;
      
      an act of the authenticator computing entity also generating the digest of the first and second secret key data combined with the one or more other data items; and
      
      an act of the authenticatee and authenticator computing entities communicating using messages that are at least partially secured using the digest.
  - 16. A method in accordance with claim 15, wherein the one or more other data items includes the challenge.
  - 17. A method in accordance with claim 16, wherein the one or more other data items includes the purported answer.
  - 18. A method in accordance with claim 17, wherein the one or more other data items includes third secret key data known to the authenticatee and authenticator computing entities, but not known to the supplemental authenticatee and supplemental authenticator computing entities.
  - 19. A method in accordance with claim 15, wherein the one or more other data items includes the purported answer.
  - 20. A method in accordance with claim 19, wherein the one or more other data items includes third secret key data known to the authenticatee and authenticator computing entities, but not known to the supplemental authenticatee and supplemental authenticator computing entities.
  - 21. A method in accordance with claim 15, wherein the one or more other data items includes third secret key data known to the authenticatee and authenticator computing entities, but not known to the supplemental authenticatee and supplemental authenticator computing entities.

22. In an environment that includes an authenticatee computing entity, a supplemental authenticatee computing entity, an authenticator computing entity, and a supplemental authenticator computing entity, a method for the authenticatee computing entity to authenticate the authenticator computing entity using challenge based authentication and without requiring the authenticatee and authenticator computing entities be aware of secret data used for the authentication, the method comprising the following:
- an act of authenticatee computing entity generating secret key data that is not known to the supplemental authenticatee, authenticator or supplemental authenticator computing entities;
  
  an act of providing the secret key data to the supplemental authenticatee computing entity thereby informing the supplemental authenticatee computing entity of the secret key data;
  
  an act of the supplemental authenticatee computing entity encrypting the secret key data using secret data to create encrypted secret key data, the secret data known to the supplemental authenticatee and supplemental authenticator computing entities, but not known to the authenticatee and authenticator computing entities, the secret data for use in determining an answer to a challenge;
  
  an act of the authenticatee computing entity acquiring the challenge along with the encrypted secret key data from the supplemental authenticatee computing entity;
  
  an act of the authenticatee computing entity providing the challenge along with the encrypted secret key data to the authenticator computing entity, wherein the authenticator computing entity acquires purported answer to the challenge from the supplemental authenticator computing entity by providing the encrypted secret key data to the supplemental authenticator computing entity for decryption by the supplemental authenticator computing entity, and receiving back the secret key data;
  
  an act of the authenticatee computing entity acquiring the purported answer from the authenticator computing entity; and
  
  an act of the using the purported answer to authenticate the authenticator computing entity.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29)
- - 23. A method in accordance with claim 22, wherein the act of acquiring a challenge from the supplemental authenticatee computing entity comprises the following:
    - an act of providing a challenge request to the supplemental authenticatee computing entity; and
      
      an act of acquiring proper answer to the challenge request from the supplemental authenticatee computing entity.
  - 24. A method in accordance with claim 22,wherein the act of using the purported answer to authenticate the authenticator computing entity comprises the following:
    - an act of matching the purported answer as acquired from the supplemental authenticatee computing entity with appropriate answer as provided by the authenticator computing entity.
  - 25. A method in accordance with claim 22, wherein the act of using the purported answer to authenticate the authenticator computing entity comprises the following:
    - an act of providing the purported answer to the supplemental authenticatee computing entity; and
      
      an act of receiving from the supplemental authenticatee computing entity an indication that the purported answer is a proper answer for the challenge acquired from the supplemental authenticatee computing entity.
  - 26. A method in accordance with claim 22, further comprising:
    - an act of the supplemental authenticator computing entity decrypting the secret key data using the secret data known to the supplemental authenticatee and supplemental authenticator computing entities.
  - 27. A method in accordance with claim 26, further comprising the following:
    - an act of communicating with the authenticator computing entity using messages that are at least partially secured using the secret key data.
  - 28. A method in accordance with claim 26, wherein the act of providing the challenge to the authenticator computing entity and the act of the providing the encrypted secret key data to the authenticator computing entity are performed by providing a single message that includes both the challenge and the encrypted secret key data to the authenticator computing entity.
  - 29. A method in accordance with claim 26, further comprising the following:
    - an act of the generating a digest of the secret key data combined with one or more other data items;
      
      an act of the communicating with the authenticator computing entity using messages that are at least partially secured using the digest.

30. A computer program product for use in an environment that includes an authenticatee computing entity, a supplemental computing entity, an authenticator computing entity, and a supplemental authenticator computing entity, the computer program product for implementing a method for the authenticatee computing entity to authenticate the authenticator computing entity using challenge based authentication and without requiring the authenticatee and authenticator computing entities be aware of secret data used for the authentication, the computer program product comprising one or more computer readable storage media having thereon computer-executable instructions, that when executed by the authenticatee computing entity, causes the computing entity to perform the method, the method comprising the following:
- an act of authenticatee computing entity generating secret key data that is not known to the supplemental authenticatee, authenticator or supplemental authenticator computing entities;
  
  an act of providing the secret key data to the supplemental authenticatee computing entity thereby informing the supplemental authenticatee computing entity of the secret key data;
  
  an act of the supplemental authenticatee computing entity encrypting the secret key data using secret data to create encrypted secret key data, the secret data known to the supplemental authenticatee and supplemental authenticator computing entities, but not known to the authenticatee and authenticator computing entities, the secret data for use in determining an answer to a challenge;
  
  an act of the authenticatee computing entity acquiring the challenge along with the encrypted secret key data from the supplemental authenticatee computing entity;
  
  an act of authenticatee computing entity providing the challenge along with the encrypted secret key data to the authenticator computing entity, wherein the authenticator computing entity acquires purported answer to the challenge from the supplemental authenticator computing entity by providing the encrypted secret key data to the supplemental authenticator computing entity for decryption by the supplemental authenticator computing entity, and receiving back the secret key data;
  
  an act of the authenticatee computing entity acquiring the purported answer from the authenticator computing entity; and
  
  an act of the using the purported answer to authenticate the authenticator computing entity.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37)
- - 31. A computer program product in accordance with claim 30, wherein the act of acquiring a challenge from the supplemental authenticatee computing entity comprises the following:
    - an act of providing a challenge request to the supplemental authenticatee computing entity; and
      
      an act of acquiring proper answer to the challenge request from the supplemental authenticatee computing entity.
  - 32. A computer program product in accordance with claim 31, whereinthe act of using the proper answer to authenticate the authenticator computing entity comprises the following:
    - an act of matching the purported with the proper answer.
  - 33. A computer program product in accordance with claim 30, wherein the act of using the purported answer to authenticate the authenticator computing entity comprises the following:
    - an act of providing the purported answer to the supplemental authenticatee computing entity; and
      
      an act of receiving from the supplemental authenticatee computing entity an indication that the purported answer is a proper answer for the challenge.
  - 34. A computer program product in accordance with claim 30, wherein the method further comprises:
    - an act of the supplemental authenticator computing entity decrypting the secret key data using the secret data known to the supplemental authenticatee and supplemental authenticator computing entities.
  - 35. A computer program product in accordance with claim 34, wherein the method further comprises the following:
    - an act of communicating with the authenticator computing entity using messages that are at least partially secured using the secret key data.
  - 36. A computer program product in accordance with claim 34, wherein the act of providing the challenge to the authenticator computing entity and the act of the providing the encrypted secret key data to the authenticator computing entity are performed by providing a single message that includes both the challenge and the encrypted secret key data to the authenticator computing entity.
  - 37. A computer program product in accordance with claim 34, wherein the method further comprises the following:
    - an act of the generating a digest of the secret key data combined with one or more other data items;
      
      an act of the communicating with the authenticator computing entity using messages that are at least partially secured using the digest.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Kaler, Christopher G., Morris, Max G.
Primary Examiner(s)
Moise; Emmanuel L
Assistant Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US10/917,786
Publication Number

US 20050097325A1
Time in Patent Office

1,705 Days
Field of Search

713/168, 726/3, 380/278
US Class Current

713/168
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0428   wherein the data content is...

H04L 63/0853   using an additional device,...

H04L 9/3271   using challenge-response

Challenge-based authentication without requiring knowledge of secret authentication data

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Challenge-based authentication without requiring knowledge of secret authentication data

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links