Method and system for client-server mutual authentication using event-based OTP
First Claim
1. A method of authenticating and encrypting a client-server communication, comprising:
- a) generating, by a hardware client device, a first one-time password (OTP1) and an immediately subsequent to said OTP1 second one-time password (OTP2) from a cryptographic token;
b) generating an encryption key (K_ENC) and a MAC (Message Authentication Code) key (K_MAC) based on said OTP2;
c) protecting client data by encrypting said client data using said K_ENC and generating a digest of said client data using said K_MAC;
d) sending a request message from the hardware client device to a hardware server computer, the request message containing the protected client data, a cryptographic token identifier (TID) and said OTP1;
e) validating said OTP1 at the hardware server computer, and regenerating said OTP2 at the hardware server computer upon successful validation of said OTP1;
f) regenerating said K_ENC and said K_MAC from said OTP2 at the hardware server computer;
g) decrypting and authenticating the protected client data using said K_ENC and said K_MAC respectively at the hardware server computer;
h) processing the request message and generating result data;
i) encrypting the result data using said K_ENC and creating a digest of said result data using said K_MAC;
j) sending the encrypted result data to the hardware client device; and
k) decrypting the result data at the hardware client device using said K_ENC and verifying the authenticity of the result data using said K_MAC.
9 Assignments
0 Petitions
Accused Products
Abstract
The invention comprises a method of authenticating and encrypting a client-server communication, comprising the steps of: a) generating a first one-time password (OTP1) and a second one-time password (OTP2) from a cryptographic token; b) generating an encryption key (K_ENC) and a MAC key (K_MAC) based on OTP2; c) preparing and protecting the client data using K_ENC and K_MAC; d) sending a request message from the client to the server, the request message containing the protected client data, a cryptographic token identifier (TID) and OTP1; e) validating OTP1 at the server, and generating OTP2 at the server upon successful validation; f) deriving K_ENC and K_MAC from OTP2 at the server; g) processing the request message and generating result data h) encrypting the result data using K_ENC and creating a digest using K_MAC; i) sending the encrypted result data to the client; and i) decrypting the result data at the client using K_ENC and verifying the authenticity of the result data using K_MAC.
37 Citations
11 Claims
-
1. A method of authenticating and encrypting a client-server communication, comprising:
-
a) generating, by a hardware client device, a first one-time password (OTP1) and an immediately subsequent to said OTP1 second one-time password (OTP2) from a cryptographic token; b) generating an encryption key (K_ENC) and a MAC (Message Authentication Code) key (K_MAC) based on said OTP2; c) protecting client data by encrypting said client data using said K_ENC and generating a digest of said client data using said K_MAC; d) sending a request message from the hardware client device to a hardware server computer, the request message containing the protected client data, a cryptographic token identifier (TID) and said OTP1; e) validating said OTP1 at the hardware server computer, and regenerating said OTP2 at the hardware server computer upon successful validation of said OTP1; f) regenerating said K_ENC and said K_MAC from said OTP2 at the hardware server computer; g) decrypting and authenticating the protected client data using said K_ENC and said K_MAC respectively at the hardware server computer; h) processing the request message and generating result data; i) encrypting the result data using said K_ENC and creating a digest of said result data using said K_MAC; j) sending the encrypted result data to the hardware client device; and k) decrypting the result data at the hardware client device using said K_ENC and verifying the authenticity of the result data using said K_MAC. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. A system for authenticating and encrypting a client-server communication, comprising:
-
a hardware server computer; said hardware server computer configured to receive a request message from a client, the request message containing protected client data, a cryptographic identifier token (TID) and a first one-time password (OTP1), said protected client data being encrypted using an encryption key (K_ENC) and having a digest created using a MAC (Message Authentication Code) key (K_MAC), both said K_ENC and said K_MAC being generated from a cryptographic token by said client using an immediately subsequent to said OTP1 second one-time password (OTP2), said hardware server computer further configured to validate said OTP1 and regenerate said OTP2 upon successful validation of said OTP1, regenerate said K_ENC and said K_MAC from said OTP2, decrypt and authenticate the protected client data using said K_ENC and said K_MAC respectively, process the request message and generate result data, encrypt the result data using said K_ENC, create a digest of the result data using said K_MAC, and send said encrypted result data to said client. - View Dependent Claims (8, 9, 10, 11)
-
Specification