Establishing secure mutual trust using an insecure password

US 8,332,643 B2
Filed: 10/19/2010
Issued: 12/11/2012
Est. Priority Date: 06/29/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method of establishing trust between a first device and a second device, comprising:

generating, by the first device, a first set of n password substrings from a one-time-password known to the second device, wherein n is an integer greater than one;

receiving n received authenticators from the second device, wherein a first received authenticator of the n received authenticators is a cryptographic encoding comprising a first nonce of n nonces and a first password substring of a second set of n password substrings generated by the second device;

receiving the n nonces from the second device;

generating, by the first device, n corresponding authenticators, wherein each of the n corresponding authenticators is a cryptographic encoding comprising one of the nonces of the n nonces and one of the password substrings of the first set of n password substrings, wherein a first corresponding authenticator of the n corresponding authenticators is a cryptographic encoding comprising a first nonce of the n nonces and a first password substring of the first set of n password substrings;

verifying that each received authenticator of the n received authenticators matches a corresponding authenticator of the n corresponding authenticators including verifying that the first corresponding authenticator matches the first received authenticator; and

establishing trust between the first device and the second device after each received authenticator of the n received authenticators has been verified.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A process for establishing secure mutual trust includes generating a one-time-password. The one-time-password is transferred between the devices in a communication occurring off of the network. Each device generates a set of authenticators by hashing a plurality of sub-strings of the password and the device'"'"'s authentication certificate with a respective set of nonces. The devices exchange the respective sets of authenticators. Each device then alternates revealing its respective set of nonces and its authentication certificate in a multi-stage process. The devices re-calculate the authenticators based upon the respective set of nonces and authentication certificate revealed by the other device along with the one-time-password sub-strings that it posses. If each device determines that the authenticators re-calculated by the given device matches the authenticators previously received from the other device, secure mutual trust is established.

Citations

20 Claims

1. A method of establishing trust between a first device and a second device, comprising:
- generating, by the first device, a first set of n password substrings from a one-time-password known to the second device, wherein n is an integer greater than one;
  
  receiving n received authenticators from the second device, wherein a first received authenticator of the n received authenticators is a cryptographic encoding comprising a first nonce of n nonces and a first password substring of a second set of n password substrings generated by the second device;
  
  receiving the n nonces from the second device;
  
  generating, by the first device, n corresponding authenticators, wherein each of the n corresponding authenticators is a cryptographic encoding comprising one of the nonces of the n nonces and one of the password substrings of the first set of n password substrings, wherein a first corresponding authenticator of the n corresponding authenticators is a cryptographic encoding comprising a first nonce of the n nonces and a first password substring of the first set of n password substrings;
  
  verifying that each received authenticator of the n received authenticators matches a corresponding authenticator of the n corresponding authenticators including verifying that the first corresponding authenticator matches the first received authenticator; and
  
  establishing trust between the first device and the second device after each received authenticator of the n received authenticators has been verified.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein each received authenticator of the n received authenticators is received individually from the second device, wherein each nonce of the n nonces is received individually from the second device, wherein one of the n corresponding authenticators is generated for each received nonce, and wherein each received authenticator is matched to one of the n corresponding authenticators before a next received authenticator of the n received authenticators and a next nonce of the n nonces are received.
  - 3. The method of claim 1, wherein the verification step is conducted n times.
  - 4. The method of claim 1, further comprising:
    - sending a confirmation to the second device after verifying that each received authenticator of the n received authenticators matches a corresponding authenticator of the n corresponding authenticators.
  - 5. The method of claim 1, further comprising:
    - generating, by the first device, a second set of n nonces; and
      
      generating, by the first device, n generated authenticators, wherein each generated authenticator is a cryptographic encoding comprising one nonce of the second set of n nonces and one password substring of the first set of n password substrings.
  - 6. The method of claim 5, further comprising:
    - sending each generated authenticator of the n generated authenticators to the second device; and
      
      sending each nonce of the second set of n nonces to the second device.
  - 7. The method of claim 6, further comprising:
    - receiving a confirmation from the second device after verification of each generated authenticator of the n generated authenticators; and
      
      establishing secure mutual trust between the first device and the second device when each received authenticator of the n received authenticators has been verified by the first device and each generated authenticator of the n generated authenticators has been verified by the second device.
  - 8. The method of claim 1, wherein the cryptographic encoding of each received authenticator of the n received authenticators further comprises a second device identifier.

9. A computer system comprising a first device and a second device, the first device comprising:
- one or more processors;
  
  a memory storing computer-readable instructions that when executed by the one or more processors perform a method of establishing trust between the first device and the second device, the method comprising;
  
  generating, by the first device, a first set of n password substrings from a one-time-password known to the second device, wherein n is an integer greater than one;
  
  receiving a first authenticator of n received authenticators from the second device, wherein the first authenticator is a cryptographic encoding comprising a first nonce of a set of n nonces and a first password substring of a second set of n password substrings generated by the second device;
  
  receiving the first nonce of the set of n nonces from the second device;
  
  generating, by the first device, a first corresponding authenticator of n corresponding authenticators, wherein the first corresponding authenticator is a cryptographic encoding comprising the first nonce and a first password substring of the first set of n password substrings, and wherein each corresponding authenticator of the n corresponding authenticators is a cryptographic encoding of one nonce of the n nonces and one password substring of the first set of n password substrings;
  
  verifying that the first received authenticator matches the first corresponding authenticator;
  
  receiving a next authenticator of the n received authenticators and a next nonce of the n nonces from the second device, wherein the next authenticator is a cryptographic encoding comprising the next nonce of the set of n nonces and a next password substring of the second set of n password substrings generated by the second device;
  
  generating, by the first device, a next corresponding authenticator of the n corresponding authenticators, wherein the next corresponding authenticator is a cryptographic encoding comprising the next nonce and a next password substring of the first set of n password substrings;
  
  verifying that the next received authenticator matches the next corresponding authenticator; and
  
  establishing trust between the first device and the second device when each received authenticator of the n received authenticators has been verified.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer system of claim 9, further comprising:
    - repeating the verification step until each of the n received authenticators has been verified.
  - 11. The computer system of claim 9, wherein steps are conducted in any order.
  - 12. The computer system of claim 9, further comprising:
    - sending a confirmation to the second device after verifying that each received authenticator of the n received authenticators matches a corresponding authenticator of the n corresponding authenticators.
  - 13. The computer system of claim 9, further comprising:
    - generating, by the first device, a second set of n nonces; and
      
      generating, by the first device, n generated authenticators, wherein each generated authenticator is a cryptographic encoding comprising one nonce of the second set of n nonces and one password substring of the first set of n password substrings.
  - 14. The computer system of claim 13, further comprising:
    - sending each generated authenticator of the n generated authenticators to the second device; and
      
      sending each nonce of the second set of n nonces to the second device.
  - 15. The computer system of claim 14, further comprising:
    - receiving a confirmation from the second device after verification of each generated authenticator of the n generated authenticators; and
      
      establishing secure mutual trust between the first device and the second device when each received authenticator of the n received authenticators has been verified by the first device and each generated authenticator of the n generated authenticators has been verified by the second device.
  - 16. The computer system of claim 9, wherein the cryptographic encoding of each received authenticator of the n received authenticators further comprises a second device identifier.

17. A computer medium not consisting of a propagated data signal, the computer medium storing instructions that when executed by one or more processors configure the one or more processors to perform a method of establishing trust between a first device and a second device, the method comprising:
- generating, by the first device, a first set of n password substrings from a one-time-password known to the second device, wherein n is an integer greater than one;
  
  receiving n received authenticators from the second device, wherein a first received authenticator of the n received authenticators is a cryptographic encoding comprising a first nonce of n nonces and a first password substring of a second set of n password substrings generated by the second device;
  
  receiving the n nonces from the second device;
  
  generating, by the first device, n corresponding authenticators, wherein each of the n corresponding authenticators is a cryptographic encoding comprising one of the nonces of the n nonces and one of the password substrings of the first set of password substrings, wherein a first corresponding authenticator of the n corresponding authenticators is a cryptographic encoding comprising a first nonce of the n nonces and a first password substring of the first set of n password substrings;
  
  verifying that each received authenticator of the n received authenticators matches a corresponding authenticator of the n corresponding authenticators including verifying that the first corresponding authenticator matches the first received authenticator; and
  
  establishing trust between the first device and the second device after each received authenticator of the n received authenticators has been verified.
- View Dependent Claims (18, 19, 20)
- - 18. The computer medium of claim 17, wherein each received authenticator of the n received authenticators is received individually from the second device, wherein each nonce of the n nonces is received individually from the second device, wherein one of the n corresponding authenticators is generated for each received nonce, and wherein each received authenticator is matched to one of the n corresponding authenticators before a next received authenticator of the n received authenticators and a next nonce of the n nonces are received.
  - 19. The computer medium of claim 17, further comprising:
    - generating, by the first device, a second set of n nonces; and
      
      generating, by the first device, n generated authenticators, wherein each generated authenticator is a cryptographic encoding comprising one nonce of the second set of n nonces and one password substring of the first set of n password substrings.
  - 20. The computer medium of claim 19, further comprising:
    - sending each generated authenticator of the n generated authenticators to the second device;
      
      sending each nonce of the second set of n nonces to the second device; and
      
      establishing secure mutual trust between the first device and the second device when each received authenticator of the n received authenticators has been verified by the first device and each generated authenticator of the n generated authenticators has been verified by the second device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Pyle, Harry S., Lieberman, Bruce Louis, Simon, Daniel R., Simonnet, Guillaume, Dollar, William
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
Su, Sarah

Application Number

US12/907,775
Publication Number

US 20110035593A1
Time in Patent Office

784 Days
Field of Search

713/155, 713/156, 713/168, 713/169, 380/278
US Class Current

713/169
CPC Class Codes

H04L 9/3228   One-time or temporary data,...

H04L 9/3263   involving certificates, e.g...

H04L 9/3273   for mutual authentication n...

Establishing secure mutual trust using an insecure password

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Establishing secure mutual trust using an insecure password

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links