Username based authentication security

US 8,156,333 B2
Filed: 05/29/2008
Issued: 04/10/2012
Est. Priority Date: 05/29/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving, by a processing device at a server, a request for an authentication challenge from a client;

generating and sending the authentication challenge to the client;

receiving a response to the authentication challenge from the client; and

authenticating the client based on the response, the response based on a salt value, the salt value based on a username and an authentication context identifier.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and a method for an authentication protocol. In one embodiment, a client requests for an authentication challenge from a server. The server generates the authentication challenge and sends it to the client. The authentication challenge includes the authentication context identifier, a random string, a timestamp, and a signature value. The client computes a salt value based on a username and the authentication context identifier from the authentication challenge. The signature value is computed based on the authentication context identifier, the random string, and the timestamp. The client computes a hashed password value based on the computed salt value, and a message authentication code based on the hashed password value and the random string. The client sends a response to the server. The response includes the username, the message authentication code, the random string, the timestamp, and the signature value.

Citations

20 Claims

1. A computer-implemented method comprising:
- receiving, by a processing device at a server, a request for an authentication challenge from a client;
  
  generating and sending the authentication challenge to the client;
  
  receiving a response to the authentication challenge from the client; and
  
  authenticating the client based on the response, the response based on a salt value, the salt value based on a username and an authentication context identifier.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-implemented method of claim 1 wherein generating the authentication challenge further comprises:
    - generating a random string, the authentication context identifier, a timestamp, and a signature value.
  - 3. The computer-implemented method of claim 2 wherein the signature value is computed based on the authentication context identifier, the random string, and the timestamp.
  - 4. The computer-implemented method of claim 3 wherein the response further comprises the username, a client message authentication code, the random string, the timestamp, and the signature value.
  - 5. The computer-implemented method of claim 4 further comprising:
    - verifying the validity of the timestamp and the signature value;
      
      retrieving a hashed password associated with the username provided in the response;
      
      computing a server message authentication code based on the random string and the retrieved hashed password; and
      
      comparing the server message authentication code with the client message authentication code to authenticate the client.

6. A non-transitory computer-accessible storage medium including data that, when accessed by a computer, cause the computer to perform a method comprising:
- receiving, by a processing device at a server, a request for an authentication challenge from a client;
  
  generating and sending the authentication challenge to the client;
  
  receiving a response to the authentication challenge from the client; and
  
  authenticating the client based on the response, the response based on a salt value, the salt value based on a username and an authentication context identifier.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The non-transitory computer-accessible storage medium of claim 6 wherein generating the authentication challenge further comprises:
    - generating a random string, the authentication context identifier, a timestamp, and a signature value.
  - 8. The non-transitory computer-accessible storage medium of claim 7 wherein the signature value is computed based on the authentication context identifier, the random string, and the timestamp.
  - 9. The non-transitory computer-accessible storage medium of claim 8 wherein the response further comprises the username, a client message authentication code, the random string, the timestamp, and the signature value.
  - 10. The non-transitory computer-accessible storage medium of claim 9 wherein the method further comprises:
    - verifying the validity of the timestamp and the signature value;
      
      retrieving a hashed password associated with the username provided in the response;
      
      computing a server message authentication code based on the random string and the retrieved hashed password, or the random string, the timestamp, and the retrieved hashed password; and
      
      comparing the server message authentication code with the client message authentication code to authenticate the client.

11. A server comprising:
- a processing device;
  
  an authentication challenge generator, executable by the processing device and configured to generate a random string and generate an authentication challenge comprising an authentication context identifier, the random string, a timestamp, a signature value based on the authentication context identifier, the random string, and the timestamp;
  
  a time stamp verifier coupled to the authentication challenge generator, the time stamp verifier configured to verify the validity of the timestamp in a response, the response based on a salt value, the salt value based on a username and the authentication context identifier;
  
  a signature value verifier coupled to the time stamp verifier, the signature value verifier configured to verify the validity of a signature value in the response; and
  
  a message authentication code verifier coupled to the time stamp verifier, the message authentication code verifier configured to verify the validity of a client message authentication code in the response.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The server of claim 11 wherein the signature value is computed based on the authentication context identifier, the random string, and the timestamp.
  - 13. The server of claim 12 wherein the response further comprises the username, the client message authentication code, the random string, the timestamp, and the signature value.
  - 14. The server of claim 13 wherein the message authentication code verifier is configured to retrieve a hashed password associated with the username provided in the response, to compute a server message authentication code based on the random string and the retrieved hashed password, and to compare the server message authentication code with the client message authentication code to authenticate the client.
  - 15. The server of claim 13 wherein the server is configured to communicate with a client comprising:
    - an authentication challenge requestor configured to request an authentication challenge;
      
      a salt computation engine coupled to the authentication challenge requestor, the salt computation engine configured to compute the salt value based on the username and the authentication context identifier of the authentication challenge;
      
      a hashed password computation engine coupled to the salt computation engine, the hashed password computation engine configured to compute a hashed password value based on the salt value; and
      
      a message authentication code computation engine coupled to the salt computation engine, the message authentication code computation engine configured to compute the message authentication code based on a random string of the authentication challenge and the hashed password value, or the random string, the timestamp, and the hashed password value.

16. A computer-implemented method comprising:
- requesting, by a processing device of a client, an authentication challenge from a server;
  
  receiving the authentication challenge from the server, andcomputing a salt value based on a username and an authentication context identifier of the authentication challenge.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer-implemented method of claim 16 wherein the authentication challenge comprises the authentication context identifier, a random string, a timestamp, and a signature value.
  - 18. The computer-implemented method of claim 17 wherein the signature value is computed based on the authentication context identifier, the random string, and the timestamp.
  - 19. The computer-implemented method of claim 18 further comprising:
    - computing a hashed password value based on the computed salt value;
      
      computing a message authentication code based on the random string and the hashed password value, or the random string, the timestamp, and the hashed password value; and
      
      returning a response to the server.
  - 20. The computer-implemented method of claim 16 wherein the response comprises the username, the message authentication code, the random string, the timestamp, and the signature value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Schneider, James Paul
Primary Examiner(s)
Pich, Ponnoreay

Application Number

US12/156,278
Publication Number

US 20090300364A1
Time in Patent Office

1,412 Days
Field of Search

713/168, 713/178
US Class Current

713/168
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/126   the source of the received ...

H04L 9/3247   involving digital signatures

H04L 9/3271   using challenge-response

H04L 9/3297   involving time stamps, e.g....

Username based authentication security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Username based authentication security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links