System and method of non-centralized zero knowledge authentication for a computer network

US 7,840,806 B2
Filed: 10/16/2003
Issued: 11/23/2010
Est. Priority Date: 10/16/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method of protecting a host computer from unauthorized access by a client computer over a computer network, comprising the steps of:

installing a prover agent application on the client computer;

installing a verifier agent application on the host computer;

creating a trusted source application on the computer network to generate and publish encrypted values of a secret and product of first and second large prime numbers;

reading the encrypted values for the secret and product, by the prover and verifier from the trusted source;

decrypting the secret, by the prover and verifier;

decrypting the product, by the prover and verifier;

performing a plurality of verification dialog between the prover and verifier over the network, wherein the prover demonstrates knowledge of the secret and product without exposing the values of the secret and product, and wherein the client is denied access to a secure area of the host when the prover fails to demonstrate knowledge of the secret and product and granted access to the secure area when the client succeeds in demonstrating knowledge of the secret and product;

installing a first agent to be authenticated on a third computer on the network, the first agent having values for s, n and t, s being the secret, n being the product, and t being a size of an answer set;

installing a second agent on a fourth computer on the network, to authenticate the first agent, the second agent having values for s, n, and t;

generating r as a random number generated by the first agent;

calculating x by the first agent, r being raised to power of t modulus n;

sending x from the first agent to the second agent, over the network;

calculating b by the second agent, b being further defined as a member of set of integers from zero through t−

1;

sending b from the second agent to the first agent, over the network;

calculating y by the first agent, y being a product of r*s raised to power of b;

sending y from the first agent to the second agent, over the network; and

determining authentication of the first agent, by determining equivalence of a first equation to a second equation, if y is not equal to zero, first equation is y^t mod n and second equation is (xv^b) mod n.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Zero-knowledge authentication proves identity without revealing information about a secret that is used to prove that identity. An authentication agent performs authentication of a prover agent without knowledge or transfer of the secret. A non-centralized zero-knowledge authentication system contains multiple authentication agents, for access by multiple computers seeking access on a computer network through local prover agents. Once authenticated, those multiple computers may also implement authentication agents. The secret may periodically expire by publishing a new encrypted secret by a trusted source, thwarting attempts to factor or guess information about the secret.

99 Citations

View as Search Results

13 Claims

1. A method of protecting a host computer from unauthorized access by a client computer over a computer network, comprising the steps of:
- installing a prover agent application on the client computer;
  
  installing a verifier agent application on the host computer;
  
  creating a trusted source application on the computer network to generate and publish encrypted values of a secret and product of first and second large prime numbers;
  
  reading the encrypted values for the secret and product, by the prover and verifier from the trusted source;
  
  decrypting the secret, by the prover and verifier;
  
  decrypting the product, by the prover and verifier;
  
  performing a plurality of verification dialog between the prover and verifier over the network, wherein the prover demonstrates knowledge of the secret and product without exposing the values of the secret and product, and wherein the client is denied access to a secure area of the host when the prover fails to demonstrate knowledge of the secret and product and granted access to the secure area when the client succeeds in demonstrating knowledge of the secret and product;
  
  installing a first agent to be authenticated on a third computer on the network, the first agent having values for s, n and t, s being the secret, n being the product, and t being a size of an answer set;
  
  installing a second agent on a fourth computer on the network, to authenticate the first agent, the second agent having values for s, n, and t;
  
  generating r as a random number generated by the first agent;
  
  calculating x by the first agent, r being raised to power of t modulus n;
  
  sending x from the first agent to the second agent, over the network;
  
  calculating b by the second agent, b being further defined as a member of set of integers from zero through t−
  
  1;
  
  sending b from the second agent to the first agent, over the network;
  
  calculating y by the first agent, y being a product of r*s raised to power of b;
  
  sending y from the first agent to the second agent, over the network; and
  
  determining authentication of the first agent, by determining equivalence of a first equation to a second equation, if y is not equal to zero, first equation is y^t mod n and second equation is (xv^b) mod n.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the steps of decrypting the secret and product further utilize previous values of the secret and product as operators in the modulus inverse operations, to decrypt new values for the secret and the product.
  - 3. The system of claim 1, the client computer comprising a cell phone.
  - 4. The system of claim 1, the computer network comprising one or more of the Internet, a local area network, a communications link, and a wireless network.
  - 5. The system of claim 1, the prover agent, verifier agent, first agent and second agent being respectively installed on the client computer, the host computer, the third computer and the fourth computer through common software.

6. A method of protecting a host computer from unauthorized access by a client computer over a computer network, comprising the steps of:
- installing a prover agent application on the client computer;
  
  installing a verifier agent application on the host computer;
  
  creating a trusted source application on the computer network to generate and publish encrypted values of a secret and product of first and second prime numbers;
  
  reading the encrypted values for the secret and product, by the prover and verifier from the trusted source;
  
  decrypting the secret, by the prover and verifier;
  
  decrypting the product, by the prover and verifier;
  
  performing a plurality of verification dialog between the prover and verifier over the network, wherein the prover demonstrates knowledge of the secret and product without exposing the values of the secret and product, and wherein the client is denied access to a secure area of the host when the prover fails to demonstrate knowledge of the secret and product and granted access to the secure area when the client succeeds in demonstrating knowledge of the secret and product;
  
  wherein the prover has values for s, n and t, s being the secret, n being the product, and t being a size of an answer set and wherein the verifier having values for s, n and t;
  
  the verification dialog between the prover and verifier including;
  
  generating r as a random number by the prover agent;
  
  calculating x by the prover agent, r being raised to power of t modulus n;
  
  sending x from the prover agent to the verifier agent, over the network;
  
  calculating b by the verifier agent, b being further defined as a member of set of integers from zero through t−
  
  1;
  
  sending b from the verifier agent to the prover agent, over the network;
  
  calculating y by the prover agent, y being a product of r*s raised to power of b;
  
  sending y from the prover agent to the verifier agent, over the network; and
  
  determining authentication of the prover agent, by determining equivalence of a first equation to a second equation, if y is not equal to zero, the first equation is y^t mod n and the second equation is (xv^b) mod n.
- View Dependent Claims (7, 8, 9)
- - 7. The system of claim 6, the client computer comprising a cell phone.
  - 8. The system of claim 6, the computer network comprising one or more of the Internet, a local area network, a communications link, and a wireless network.
  - 9. The system of claim 6, the prover agent and the verifier agent being respectively installed on the client computer and the host computer through common software.

10. A method of protecting a host computer from unauthorized access over a computer network, comprising the steps of:
- installing a prover agent application on a client computer;
  
  installing a verifier agent application on the host computer;
  
  creating a trusted source application on the computer network to generate and publish encrypted values of a secret and product of first and second large prime numbers;
  
  reading the encrypted values for the secret and product, by the prover and verifier from the trusted source;
  
  decrypting the secret, by the prover and verifier;
  
  decrypting the product, by the prover and verifier;
  
  performing a plurality of verification dialog between the prover and verifier over the network, wherein the prover demonstrates knowledge of the secret and product without exposing the values of the secret and product, and wherein the client is denied access to a secure area of the host when the prover fails to demonstrate knowledge of the secret and product and granted access to the secure area when the client succeeds in demonstrating knowledge of the secret and product;
  
  installing a first agent to be authenticated on a third computer on the network, the first agent having values for s, n and t, s being the secret, n being the product, and t being a size of an answer set;
  
  installing a second agent on a fourth computer on the network, to authenticate the first agent, the second agent having values for s, n, and t;
  
  generating r as a random number generated by the first agent;
  
  calculating x by the first agent, r being raised to power of t modulus n;
  
  sending x from the first agent to the second agent, over the network;
  
  calculating b by the second agent, b being further defined as a member of set of integers from zero through t−
  
  1;
  
  sending b from the second agent to the first agent, over the network;
  
  calculating y by the first agent, y being a product of r*s raised to power of b;
  
  sending y from the first agent to the second agent, over the network; and
  
  determining authentication of the first agent, by determining equivalence of a first equation to a second equation, if y is not equal to zero, first equation is y^t mod n and second equation is (xv^b) mod n.
- View Dependent Claims (11, 12, 13)
- - 11. The system of claim 10, the client computer comprising a cell phone.
  - 12. The system of claim 10, the computer network comprising one or more of the Internet, a local area network, a communications link, and a wireless network.
  - 13. The system of claim 10, the prover agent, verifier agent, first agent and second agent being respectively installed on the client computer, the host computer, the third computer and the fourth computer through common software.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Burstiq, Inc.
Original Assignee
Enterprise Information Management, Inc.
Inventors
Ricotta, Frank J. Jr., Hammond, Frank J. II, Carlander, Steven J.
Primary Examiner(s)
CERVETTI, DAVID GARCIA

Application Number

US10/687,320
Publication Number

US 20040123156A1
Time in Patent Office

2,595 Days
Field of Search

713/168, 713/169, 726/4
US Class Current

713/169
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/0407   wherein the identity of one...

H04L 63/08   for authentication of entit...

H04L 9/0891   Revocation or update of sec...

H04L 9/3218   using proof of knowledge, e...

H04L 9/3271   using challenge-response

System and method of non-centralized zero knowledge authentication for a computer network

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

99 Citations

13 Claims

Specification

Use Cases

Quick Links

Others

System and method of non-centralized zero knowledge authentication for a computer network

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

99 Citations

13 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others