System and method for generating a single use password based on a challenge/response protocol

US 8,042,155 B1
Filed: 09/29/2006
Issued: 10/18/2011
Est. Priority Date: 09/29/2006
Status: Active Grant

First Claim

Patent Images

1. A method for secure authentication, comprising:

issuing, by a management console, a challenge request to a security appliance in response to an entity inserting a smart card and entering a username and a password into the management console to verify the identity of the entity;

in response to receiving the request issued by the management console, identifying, by the security appliance, a public key and a salt value stored on the security appliance wherein the public key and the salt value are associated with the entity and the smart card inserted by the entity into the management console;

generating, on the security appliance, a bit pattern, the bit pattern associated with the username of the entity and stored in the security appliance;

sending a challenge to the management console, the challenge including a secure hash of the bit pattern, an identification value associated with the security appliance, a version of the bit pattern and identification value encrypted with the public key, and the salt value;

is in response to receiving the challenge, decrypting, by the smart card, the version of the bit pattern and identification value using a private key contained within the smart card;

using, on the management console, the decrypted bit pattern to compute the secure hash received from the security appliance;

comparing, on the management console, the decrypted security appliance identification value and computed secure hash of the bit pattern with the security appliance identification value and secure hash of the bit pattern received from the security appliance in the challenge to determine if they match;

in response to a match of the comparison, returning, by the management console, a response to the security appliance, the response including a keyed hash message authentication code (HMAC), wherein the associated bit pattern is used as a key to encrypt the HMAC;

utilizing the bit pattern stored on the security appliance and associated with the entity'"'"'s username to compute the keyed HMAC received from the management console;

matching the computed keyed HMAC with the received keyed HMAC at the security appliance; and

in response to matching the computed keyed HMAC with the received keyed HMAC at the security appliance, authenticating the entity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method which generates a single use password based on a challenge/response protocol. A box manager module executing within a security appliance identifies a public key (P) and salt value (S) associated with an administrator'"'"'s smart card and generates a random nonce (N). The box manager transmits a challenge comprising the following elements: <SHA1(N), BM_ID, P[N, BM_ID], S>. Upon receiving the challenge, the administration card decrypts P[N, BM_ID] using the private key contained within the card and computes SHA1(N). The administration card then compares its computed values with the received values from the box manager. If the values match, then to the administration card returns a response comprising the following elements: HMAC_N[user, SHA1 (password, S)], where HMAC_N represents the SHA1 keyed hash message authentication check of the response elements using the nonce N as the key.

109 Citations

View as Search Results

20 Claims

1. A method for secure authentication, comprising:
- issuing, by a management console, a challenge request to a security appliance in response to an entity inserting a smart card and entering a username and a password into the management console to verify the identity of the entity;
  
  in response to receiving the request issued by the management console, identifying, by the security appliance, a public key and a salt value stored on the security appliance wherein the public key and the salt value are associated with the entity and the smart card inserted by the entity into the management console;
  
  generating, on the security appliance, a bit pattern, the bit pattern associated with the username of the entity and stored in the security appliance;
  
  sending a challenge to the management console, the challenge including a secure hash of the bit pattern, an identification value associated with the security appliance, a version of the bit pattern and identification value encrypted with the public key, and the salt value;
  
  is in response to receiving the challenge, decrypting, by the smart card, the version of the bit pattern and identification value using a private key contained within the smart card;
  
  using, on the management console, the decrypted bit pattern to compute the secure hash received from the security appliance;
  
  comparing, on the management console, the decrypted security appliance identification value and computed secure hash of the bit pattern with the security appliance identification value and secure hash of the bit pattern received from the security appliance in the challenge to determine if they match;
  
  in response to a match of the comparison, returning, by the management console, a response to the security appliance, the response including a keyed hash message authentication code (HMAC), wherein the associated bit pattern is used as a key to encrypt the HMAC;
  
  utilizing the bit pattern stored on the security appliance and associated with the entity'"'"'s username to compute the keyed HMAC received from the management console;
  
  matching the computed keyed HMAC with the received keyed HMAC at the security appliance; and
  
  in response to matching the computed keyed HMAC with the received keyed HMAC at the security appliance, authenticating the entity.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1 wherein the entity comprises a software process.
  - 3. The method of claim 1 wherein the identification value comprises an identification of the security appliance to which the entity is being authenticated.

4. A method for securely authenticating an administrator to a computer, comprising:
- issuing a challenge request to the computer;
  
  in response to receiving the challenge request, identifying, by the computer, a public key and a salt value;
  
  generating, by the computer, a nonce to be stored on the computer, wherein the public key and the salt value are associated with an administrator and a smart card inserted by the administrator;
  
  generating a challenge comprising a secure hash of the nonce, an identification associated with the computer, the salt value and a version of the nonce and identification value that is encrypted with the public key;
  
  sending the challenge to the smart card;
  
  in response to receiving the challenge, decrypting, by the smart card, the version of the nonce and identification value using a private key contained within the smart card;
  
  is using the decrypted nonce to compute the secure hash of the nonce;
  
  comparing the decrypted computer identification value and computed secure hash of the nonce with the computer identification value and secure hash of the nonce received from the computer in the challenge to determine if they match;
  
  in response to a match of the comparison, returning a response to the computer, the response including a message authentication code, wherein the associated nonce is used as a key to encrypt the message authentication code;
  
  utilizing the nonce stored on the computer and associated with the user'"'"'s username to compute the received message authentication code;
  
  matching the computed message authentication code with the received message authentication code on the computer; and
  
  in response to matching the computed message authentication code with the received message authentication code on the computer, authenticating the user.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 5. The method of claim 4 wherein the secure hash comprises the SHA1 algorithm.
  - 6. The method of claim 4 wherein the identification of the computer comprises a box manager identifier.
  - 7. The method of claim 4 wherein the message authentication code comprises a keyed hash message authentication code.
  - 8. The method of claim 4 wherein the computer comprises a security appliance.
  - 9. The method of claim 4 wherein the computer computes the message authentication code of the user identifier and a secure hash of the password and the salt value.
  - 10. The method of claim 4 further comprising accepting a login in response to the computed message authentication code of the user identifier and a secure hash of the password and the salt value equaling the response.
  - 11. The method of claim 10 further comprising destroying the nonce.
  - 12. The method of claim 4 further comprising displaying the response.
  - 13. The method of claim 12 further comprising initiating a login operation to the computer using the displayed response as a password.
  - 14. The method of claim 10 wherein the login operation utilizes aSSH protocol.

15. A non-transitory computer readable medium for securely authenticating a user to a computer, the computer readable medium containing executable program instructions for execution by a processor, comprising:
- program instructions that issue a challenge request to the computer;
  
  program instructions that identify, on the computer, a public key and a salt value in response to receiving the challenge request;
  
  program instructions that generate, on the computer, a nonce to be stored on the computer, wherein the public key and the salt value are associated with the user and a smart card inserted by the user;
  
  program instructions that generate a challenge, the challenge comprising of a secure hash of the nonce, an identification value associated with the computer, the salt value and a version of the nonce and identification value encrypted with the public key;
  
  program instructions that send the challenge to the smart card;
  
  program instructions that decrypt, on the smart card, the version of the nonce and identification value using a private key contained within the smart card in response to receiving the challenge;
  
  program instructions that use the decrypted nonce to compute the secure hash of the nonce;
  
  program instructions that compare the decrypted computer identification value and computed secure hash of the nonce with the computer identification value and secure hash of the nonce received from the computer in the challenge to determine if they match;
  
  program instructions that return a response to the computer, the response including a keyed hash message authentication code (HMAC), wherein the associated nonce is used as a key to encrypt the HMAC in response to a match;
  
  program instructions that utilize the nonce stored on the computer and associated with the username of the user to compute the received keyed HMAC;
  
  program instructions that match the computed keyed HMAC with the received keyed HMAC on the computer; and
  
  program instructions that authenticate the user in response to a match.

16. A system for securely authenticating a user to a computer, the system comprising:
- a management console operatively interconnected with the computer, the management console configured to issue a challenge request to the computer;
  
  wherein the computer is configured to, in response to receiving the challenge request, identify a public key and a salt value, generate a nonce to be stored on the computer, wherein the public key and the salt value are associated with the user and a smart card inserted by the user, generate a challenge comprising a secure hash of the nonce, an identification value associated with the computer, the salt value and a version of the nonce and identification value encrypted with the public key, and send the challenge to the smart card;
  
  the management console further configured to decrypt the version of the nonce and identification value using a private key contained within the smart card in response to receiving the challenge, use the decrypted nonce to compute the secure hash of the nonce, compare the decrypted computer identification value and computed secure hash of the nonce with the computer identification value and secure hash of the nonce received from the computer in the challenge to determine if they match, and return a response to the computer, the response including a keyed hash message authentication code (HMAC), wherein the associated nonce is used as a key to encrypt the HMAC in response to a match of the comparison;
  
  the computer further configured to utilize the nonce stored on the computer and associated with the username of the user to compute the received keyed HMAC, match the computed keyed HMAC with the received keyed HMAC on the computer, and authenticate the user in response to matching the computed keyed HMAC with the received keyed HMAC on the computer.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16 wherein the management console is further configured to display the response to the user.
  - 18. The system of claim 17 wherein the management console further comprises a text based client configured to enable the user to login to the computer using the displayed response as a password.
  - 19. The system of claim 17 further comprising a computer executing a text based client configured to enable the user to login to the computer using the displayed response as a password and wherein the computer is geographically remote from the management console.
  - 20. The system of claim 18 wherein the computer comprises a security appliance.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Network Appliance Incorporated (NetApp, Inc.)
Original Assignee
NetApp, Inc.
Inventors
Chang, Lawrence Wen-Hao, Subramanian, Ananthan
Primary Examiner(s)
ZIA, SYED

Application Number

US11/540,331
Time in Patent Office

1,845 Days
Field of Search

None
US Class Current

726/3
CPC Class Codes

H04L 63/0838   using one-time-passwords

H04L 63/0853   using an additional device,...

H04L 67/1097   for distributed storage of ...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/3234   involving additional secure...

H04L 9/3242   involving keyed hash functi...

H04L 9/3271   using challenge-response

System and method for generating a single use password based on a challenge/response protocol

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

109 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for generating a single use password based on a challenge/response protocol

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links