Establishing secure mutual trust using an insecure password

US 7,836,306 B2
Filed: 06/29/2005
Issued: 11/16/2010
Est. Priority Date: 06/29/2005
Status: Active Grant

First Claim

Patent Images

1. A method of establishing secure mutual trust between a first device and a second device, comprising:

receiving, by the second device, a one-time-password known to the first device;

receiving a first device identifier, a first device certificate, and a first authenticator, wherein the first authenticator is a cryptographic encoding comprising;

a first nonce,the first device certificate,the first device identifier, anda password sub-string of a first plurality of password sub-strings generated from the one-time-password by the first device;

receiving the first nonce;

calculating a corresponding authenticator by applying the cryptographic encoding to the first nonce, the first device certificate, the first device identifier, and a corresponding password sub-string of a second plurality of password sub-strings generated from the one-time-password by the second device; and

verifying that the received first authenticator and the calculated corresponding authenticator are the same.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A process for establishing secure mutual trust includes generating a one-time-password. The one-time-password is transferred between the devices in a communication occurring off of the network. Each device generates a set of authenticators by hashing a plurality of sub-strings of the password and the device'"'"'s authentication certificate with a respective set of nonces. The devices exchange the respective sets of authenticators. Each device then alternates revealing its respective set of nonces and its authentication certificate in a multi-stage process. The devices re-calculate the authenticators based upon the respective set of nonces and authentication certificate revealed by the other device along with the one-time-password sub-strings that it posses. If each device determines that the authenticators re-calculated by the given device matches the authenticators previously received from the other device, secure mutual trust is established.

92 Citations

View as Search Results

15 Claims

1. A method of establishing secure mutual trust between a first device and a second device, comprising:
- receiving, by the second device, a one-time-password known to the first device;
  
  receiving a first device identifier, a first device certificate, and a first authenticator, wherein the first authenticator is a cryptographic encoding comprising;
  
  a first nonce,the first device certificate,the first device identifier, anda password sub-string of a first plurality of password sub-strings generated from the one-time-password by the first device;
  
  receiving the first nonce;
  
  calculating a corresponding authenticator by applying the cryptographic encoding to the first nonce, the first device certificate, the first device identifier, and a corresponding password sub-string of a second plurality of password sub-strings generated from the one-time-password by the second device; and
  
  verifying that the received first authenticator and the calculated corresponding authenticator are the same.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the first plurality of password sub-strings is generated by decomposing the one-time-password into a definite number, n, of password sub-strings.
  - 3. The method of claim 2, wherein the second plurality of password sub-strings is generated by decomposing the one-time-password into the definite number, n, of password sub-strings.
  - 4. The method of claim 1, wherein an authenticator is received for each password sub-string of the first plurality of password sub-strings.
  - 5. The method of claim 4, wherein an authenticator corresponding to each received authenticator is calculated using a corresponding password sub-string of the second plurality of password sub-strings.
  - 6. The method of claim 1, wherein after receiving the first authenticator, the second device sends a second device identifier, a second device certificate, and a second authenticator to the first device, wherein the second authenticator is a cryptographic encoding comprising:
    - a second nonce;
      
      the second device certificate;
      
      the second device identifier; and
      
      the corresponding password sub-string of the second plurality of password sub-strings generated from the one-time-password by the second device.
  - 7. The method of claim 6, further comprising:
    - sending the second nonce to the first device.

8. A computer-readable medium not consisting of propagating data signals having computer-readable instructions that when executed by one or more processors configure the one or more processors to perform a method of establishing secure mutual trust, the method comprising:
- receiving, by a second device, a one-time-password known to a first device;
  
  receiving a first device identifier, a first device certificate, and a first authenticator, wherein the first authenticator is a cryptographic encoding comprising;
  
  a first nonce,the first device certificate,the first device identifier, anda password sub-string of a first plurality of password sub-strings generated from the one-time-password by the first device;
  
  receiving the first nonce;
  
  calculating a corresponding authenticator by applying the cryptographic encoding to the first nonce, the first device certificate, the first device identifier, and a corresponding password sub-string of a second plurality of password sub-strings generated from the one-time-password by the second device; and
  
  verifying that the received first authenticator and the calculated corresponding authenticator are the same.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The computer-readable medium not consisting of propagating data signals of claim 8, wherein the first plurality of password sub-strings is generated by decomposing the one-time-password into a definite number, n, of password sub-strings.
  - 10. The computer-readable medium not consisting of propagating data signals of claim 9, wherein the second plurality of password sub-strings is generated by decomposing the one-time-password into the definite number, n, of password sub-strings.
  - 11. The computer-readable medium not consisting of propagating data signals of claim 8, wherein an authenticator is received for each password sub-string of the first plurality of password sub-strings.
  - 12. The computer-readable medium not consisting of propagating data signals of claim 11, wherein an authenticator corresponding to each received authenticator is calculated using a corresponding password sub-string of the second plurality of password sub-strings.
  - 13. The computer-readable medium not consisting of propagating data signals of claim 8, wherein after receiving the first authenticator, the second device sends a second device identifier, a second device certificate, and a second authenticator to the first device, wherein the second authenticator is a cryptographic encoding comprising:
    - a second nonce;
      
      the second device certificate;
      
      the second device identifier; and
      
      the corresponding password sub-string of the second plurality of password sub-strings generated from the one-time-password by the second device.
  - 14. The computer-readable medium not consisting of propagating data signals of claim 13, further comprising:
    - sending the second nonce to the first device.
  - 15. The computer-readable medium not consisting of propagating data signals of claim 14, wherein the first device calculates a second corresponding authenticator by applying the cryptographic encoding to the second nonce, the second device certificate, the second device identifier, and the password sub-string of the first plurality of password sub-strings generated by the first device;
    - and wherein the first device verifies that the received second authenticator and the calculated second corresponding authenticator are the same.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Simon, Daniel R., Pyle, Harry S., Lieberman, Bruce Louis, Dollar, William, Simonnet, Guillaume
Primary Examiner(s)
Korzuch; William R
Assistant Examiner(s)
Su; Sarah

Application Number

US11/170,523
Publication Number

US 20070005955A1
Time in Patent Office

1,966 Days
Field of Search

713/169, 713/155, 713/156, 713/168, 380/278
US Class Current

713/169
CPC Class Codes

H04L 9/3228   One-time or temporary data,...

H04L 9/3263   involving certificates, e.g...

H04L 9/3273   for mutual authentication n...

Establishing secure mutual trust using an insecure password

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

92 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Establishing secure mutual trust using an insecure password

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

92 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links