Robust digest authentication method

US 8,336,087 B2
Filed: 02/29/2008
Issued: 12/18/2012
Est. Priority Date: 03/01/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A method, performed by an authentication server, of authenticating a user in a communication system comprising a user terminal and the authentication server which is capable of storing two types of nonce values comprising dedicated nonce values unique in the system and common nonce values constant and common to all users managed by the authentication server during a fixed time period, the method comprising:

receiving from the user terminal an access request;

determining, using a given criterion, the type of a first nonce value to be sent to the user terminal as a response to the access request, wherein, in case the given criterion is fulfilled the type of the first nonce value is a dedicated nonce value, otherwise the type of the first nonce value is a common nonce value which is constant and common to all of the users managed by the authentication server during the fixed time period;

sending the first nonce value which has been determined;

receiving a response from the user terminal, the response comprising a second nonce value and a response code to the first nonce value sent by the authentication server; and

determining whether the response code is correct and whether the second nonce value corresponds to the first nonce value sent by the authentication server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to a method of authenticating a user in a communication system comprising a user terminal and an authentication server which is capable of storing two types of nonce values, namely dedicated nonce values unique in the system and common nonce values shared between users in the system. In the method the authentication server receives (401) from the user terminal an access request. Then the authentication server uses a predefined criterion for determining the type of a first nonce value to be sent to the user terminal as a response to the access request. In case the predefined criterion is fulfilled, then a dedicated nonce value is sent, otherwise a common nonce value is sent (402). Then the authentication server receives (403) from the user terminal a response comprising a second nonce value and a response code to the first nonce value. The authentication server then determines whether the response code is correct and whether the second nonce value corresponds to the first nonce value.

18 Citations

View as Search Results

19 Claims

1. A method, performed by an authentication server, of authenticating a user in a communication system comprising a user terminal and the authentication server which is capable of storing two types of nonce values comprising dedicated nonce values unique in the system and common nonce values constant and common to all users managed by the authentication server during a fixed time period, the method comprising:
- receiving from the user terminal an access request;
  
  determining, using a given criterion, the type of a first nonce value to be sent to the user terminal as a response to the access request, wherein, in case the given criterion is fulfilled the type of the first nonce value is a dedicated nonce value, otherwise the type of the first nonce value is a common nonce value which is constant and common to all of the users managed by the authentication server during the fixed time period;
  
  sending the first nonce value which has been determined;
  
  receiving a response from the user terminal, the response comprising a second nonce value and a response code to the first nonce value sent by the authentication server; and
  
  determining whether the response code is correct and whether the second nonce value corresponds to the first nonce value sent by the authentication server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method according to claim 1, wherein the given criterion comprises the authentication server generating a dedicated nonce value and determining a memory location for the generated dedicated nonce value and if the memory location is vacant, then concluding that the given criterion is fulfilled.
  - 3. The method according to claim 2, wherein the dedicated nonce value is generated randomly by the authentication server.
  - 4. The method according to claim 1, wherein the given criterion comprises determining the number of received access requests in a time unit and if the number is lower than a predetermined threshold, then concluding that the given criterion is fulfilled.
  - 5. The method according to any of the preceding claims, wherein the response code is calculated by the user terminal based on the nonce value received from the authentication server and password and username of the user.
  - 6. The method according to claim 1, further comprising:
    - forwarding the access request to a server, after having determined that the response code to the dedicated nonce value is correct and that the second nonce value corresponds to the first nonce value, when the given criterion is fulfilled.
  - 7. The method according to claim 1, further comprising:
    - refusing the access request in case it is determined that the response code is not correct or that the second nonce value does not correspond to the first nonce value.
  - 8. The method according to claim 1, further comprising:
    - storing, in a table, the dedicated nonce value, when the given criterion is fulfilled; and
      
      indexing a memory location in the table using an internet protocol source address of the user terminal, user datagram protocol source port of the user terminal, and the dedicated nonce value.
  - 9. The method according to claim 1, further comprising:
    - generating a dedicated nonce value, sending the dedicated nonce value to the user terminal, receiving a second response code from the user terminal, verifying that the second response code is correct and forwarding the access request to a server, when the given criterion is not fulfilled, after having determined that the response code to the common nonce value is correct and that the second nonce value corresponds to the first nonce value.
  - 10. The method according to claim 1, further comprising:
    - storing the dedicated nonce value in a table, a memory location in the table being indexed using a username of the user terminal, the storing occurring when the given criterion is not fulfilled, after having determined that the response code to the common nonce value is correct and that the second nonce value corresponds to the first nonce value.
  - 11. The method according to claim 8 or 10, wherein a single table is used irrespective of the method of indexing the memory locations in the table.
  - 12. The method according to claim 1, wherein the common nonce and the dedicated nonce values have limited time validities.
  - 13. The method according to claim 8, wherein each entry in a certain memory location of the table is associated with a priority bit, an authentication bit and timestamp and each entry can be overwritten by a new nonce value, if the priority bit is unset or if the authentication bit indicates that the corresponding request has already been approved or if the timestamp indicates that the current entry is no longer valid.
  - 14. The method according to claim 13, wherein the priority bit is set when the response code to the common nonce value has been determined to be correct and when the second nonce value corresponds to the first nonce value, otherwise the priority bit is unset.
  - 15. The method according to claim 13, wherein the authentication bit is set when the access request has been forwarded to a server, otherwise the authentication bit is unset.
  - 16. A computer program product comprising instructions for implementing the steps of a method according to claim 1 when loaded and run on a computer of the authentication server.

17. A device for authenticating a user terminal in a communication system, the device being capable of storing two types of nonce values comprising dedicated nonce values unique in the system and common nonce values constant and common to all users managed by the device during a fixed time period, the device comprising:
- a receiver for receiving from the user terminal messages; and
  
  a processor for using a given criterion for determining the type of a first nonce value to be sent to the user terminal as a response to an access request from the user terminal, wherein, in case the given criterion is fulfilled, the processor is arranged to send a dedicated nonce value, otherwise the processor is arranged to send a common nonce value which is constant and common to all of the users managed by the device during the fixed time period, the processor is further arranged to determine whether a response comprising a second nonce value and a response code received from the user terminal as a response to the first nonce value is correct.
- View Dependent Claims (18, 19)
- - 18. The device according to claim 17, further comprising:
    - a memory for storing common and dedicated nonce values.
  - 19. An authentication server for authenticating a user terminal, the authentication server comprising a device according to claim 17.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mitsubishi Electric Corporation
Original Assignee
Mitsubishi Electric Corporation
Inventors
Rollet, Romain
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Tran, Tongoc

Application Number

US12/040,152
Publication Number

US 20080216160A1
Time in Patent Office

1,754 Days
Field of Search

726/2, 726/6, 726/27, 713/171, 713/168, 713151-155, 713/160, 709/229
US Class Current

726/6
CPC Class Codes

G06F 21/33   using certificates

H04L 63/083   using passwords cryptograph...

H04L 63/205   involving negotiation or de...

H04L 9/3271   using challenge-response

Robust digest authentication method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

18 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Robust digest authentication method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links