Password-based authentication system and method in group network

US 8,745,715 B2
Filed: 04/16/2003
Issued: 06/03/2014
Est. Priority Date: 04/16/2003
Status: Active Grant

First Claim

Patent Images

1. A method for password-based authentication in a communication system including a group of at least two units associated with a common password, wherein each of said two units comprises at least one processor and at least one memory, said at least one memory containing instructions that, when executed by said at least one processor, are operative to perform the steps of:

assigning individual authentication tokens to the respective units in the group based on the password such that each authentication token is irreversibly determined by the password;

determining, in a first unit, a check token for a second unit based on the password inputted by a user of said first unit and the authentication token of the first unit, wherein the step of determining the check token comprises the steps of;

determining, in the first unit, a token secret using the authentication token of the first unit and the password; and

,creating, in the first unit, the check token for the second unit based on the token secret and the password;

sending the check token to the second unit; and

,comparing, in the second unit, the check token with the authentication token of the second unit for authentication of the first unit towards the second unit, wherein said user of said first unit is authenticated if said check token is the same as said authentication token of said second unit.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to password-based authentication in group networks. Each device has an authentication token irreversibly based on the password. The authentication involves a first device at which the password P is entered and a second device towards which the authentication occurs. The first device determines a check token M_jfor the second based on the password and its own authentication token R_land this check token is sent to the second device, where it is compared with the authentication token of that device. The procedure may include update of a device to exclude a non-trusted device from the group or change the password. Advantageous features are that the information in one device does not allow retrieval of the password and that the password is only exposed at one device, and only temporarily, during the authentication.

Citations

42 Claims

1. A method for password-based authentication in a communication system including a group of at least two units associated with a common password, wherein each of said two units comprises at least one processor and at least one memory, said at least one memory containing instructions that, when executed by said at least one processor, are operative to perform the steps of:
- assigning individual authentication tokens to the respective units in the group based on the password such that each authentication token is irreversibly determined by the password;
  
  determining, in a first unit, a check token for a second unit based on the password inputted by a user of said first unit and the authentication token of the first unit, wherein the step of determining the check token comprises the steps of;
  
  determining, in the first unit, a token secret using the authentication token of the first unit and the password; and
  
  ,creating, in the first unit, the check token for the second unit based on the token secret and the password;
  
  sending the check token to the second unit; and
  
  ,comparing, in the second unit, the check token with the authentication token of the second unit for authentication of the first unit towards the second unit, wherein said user of said first unit is authenticated if said check token is the same as said authentication token of said second unit.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The method of claim 1, further comprising the step of:
    - deleting the password and all significant parameters generated except the authentication tokens after usage thereof.
  - 3. The method of claim 1, further comprising the step of:
    - accepting, in the second unit, in response to a successful authentication, update information securely transferred from the first unit, at least a portion of the update information being created at the first unit.
  - 4. The method of claim 3, wherein the update information is associated with revocation of a non-trusted group member.
  - 5. The method of claim 3, wherein the update information relates to a password change.
  - 6. The method of claim 3, wherein the update information is selected from the group consisting of:
    - new authentication tokens,a new group key, a group-defining list, and,a revocation list, including combinations thereof.
  - 7. The method of claim 3, further comprising the step of delegating update rights to a third intermediate unit, and sending at least a portion of the update information for the second unit to the intermediate unit.
  - 8. The method of claim 7, wherein the update information is accompanied by a time stamp for determining whether the update information is still valid when the intermediate unit encounters the second unit.
  - 9. The method of claim 7, wherein the delegation of update rights comprises delegation of rights to further delegate update rights.
  - 10. The method of claim 3, wherein a unit that is switched-on after being inactive for a predetermined period of time automatically requests appropriate update information from at least two other units.
  - 11. The method of claim 1, wherein the assigning step further comprises the steps of:
    - determining, in an assigning unit in the group, a token secret common for the group and non-correlated with the password; and
      
      ,creating, in the assigning unit, the authentication token for another unit in the group based on the token secret common for the group and the password.
  - 12. The method of claim 11 wherein the step of determining the token secret common for the group involves generating the token secret as a part of an initial set-up procedure.
  - 13. The method of claim 11, wherein the creating step involves using a bijective locking function having input parameters which include the token secret common for the group and a one-way function of the password.
  - 14. The method of claim 13, wherein the locking function is a symmetric encryption function.
  - 15. The method of claim 13, wherein the locking function is implemented through password-based secret sharing.
  - 16. The method of claim 1, further comprising policies in at least one of the units in the group for limiting a number and/or frequency of authentication attempts.
  - 17. The method of claim 1, further comprising the step of generating an alarm signal if a number of authentication attempts exceeds a predetermined value.
  - 18. The method of claim 1, further comprising the step of sending an authentication response message from the second unit indicating a result of the comparing step.
  - 19. The method of claim 1, further comprising the step of authentication of the second unit towards the first unit, whereby the first and second units are mutually authenticated towards each other.
  - 20. The method of claim 19, further comprising the steps of:
    - generating a respective random value in the first and second unit;
      
      determining temporary test secrets in the first and second unit based on the random values; and
      
      ,exchanging the temporary test secrets between the first and second unit for mutual authentication purposes.
  - 21. The method of claim 1, wherein critical operations for which authentication is needed are listed in policies in at least one of the units.
  - 22. The method of claim 1, wherein the group of units constitutes a Personal Area Network (PAN).
  - 23. The method of claim 1, wherein the authentication tokens are tamper-resistantly stored in the respective units.

24. A communication system including a group of at least two units associated with a common password, and means for password-based authentication, comprising:
- means for assigning individual authentication tokens to the respective units in the group based on the password such that each authentication token is irreversibly determined by the password;
  
  means for determining, at a first unit, a check token for a second unit based on the password and the authentication token of the first unit; and
  
  means for comparing, at the second unit, the check token with the authentication token of the second unit for authentication of the first unit towards the second unit;
  
  wherein the means for determining the check token comprises;
  
  means for retrieving, at the first unit, a token secret using the authentication token of the first unit and the password; and
  
  ,means for creating, at the first unit, the check token for the second unit based on the token secret and the password.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 25. The system of claim 24, further comprising means for deleting the password and parameters generated except the authentication tokens after usage thereof.
  - 26. The system of claim 24, further comprising;
    - means for transferring update information from the first unit to the second unit; and
      
      ,means for accepting, at the second unit, update information from the first unit in response to a successful authentication.
  - 27. The system of claim 26, wherein the update information is associated with revocation of a non-trusted group member.
  - 28. The system of claim 26, wherein the update information relates to a password change.
  - 29. The system of claim 26, wherein the update information is selected from the group consisting of new authentication tokens, a new group key, a group-defining list, and a revocation list, including combinations thereof.
  - 30. The system of claim 26, further comprising means for delegation of update rights to a third intermediate unit, and means for sending at least a portion of the update information for the second unit to the intermediate unit.
  - 31. The system of claim 24, wherein the means for assigning further comprises:
    - means for determining, at an assigning unit in the group, a token secret common for the group and non-correlated with the password; and
      
      ,means for creating, at the assigning unit, the authentication token for another unit in the group based on the token secret and the password.
  - 32. The system of claim 31, wherein the means for creating involves a bijective locking function having input parameters which include the token secret and a one-way function of the password.
  - 33. The system of claim 24, further comprises policies implemented in at least one of the units in the group for limiting a number and/or frequency of authentication attempts.
  - 34. The system of claim 24, further comprising means for generating an alarm signal if a number of authentication attempts exceeds a predetermined value.
  - 35. The system of claim 24, further comprising means for sending an authentication response message from the second unit.
  - 36. The system of claim 24, further comprising means for mutual authentication between two units in the group.
  - 37. The system of claim 24, wherein said communication system being a Personal Area Network (PAN).

38. A first device belonging to a group of at least two devices associated with a common password, and including means for password-based authentication, the first device comprises:
- means for receiving a password;
  
  means for assigning individual authentication tokens to other devices in the group based on the password such that each authentication token is irreversibly determined by the password;
  
  means for determining a check token for a second device in the group based on the password and the authentication token of the first device; and
  
  means for transmitting the check token to the second device for authentication towards the second device;
  
  wherein the means for determining the check token comprises;
  
  means for retrieving a token secret using the authentication token of the first device and the password; and
  
  ,means for creating the check token for the second device based on the token secret and the password.
- View Dependent Claims (39, 40, 41, 42)
- - 39. The first device of claim 38, further comprising means for deleting the password and parameters generated except the authentication token after usage thereof.
  - 40. The first device of claim 38, further comprising:
    - means for creating update information for the second device; and
      
      ,means for securely transferring update information to the second device.
  - 41. The first device of claim 40, further comprising means for delegation of update rights to an intermediate device, and means for sending update information for the second device to the intermediate device.
  - 42. The first device of claim 38, wherein the means for assigning further comprises:
    - means for determining a token secret common for the group and non-correlated with the password; and
      
      ,means for creating the authentication token for another device in the group based on the token secret and the password.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Lindholm, Fredrik, Naeslund, Mats
Primary Examiner(s)
Chea, Philip
Assistant Examiner(s)
NGUYEN, TRONG H

Application Number

US10/552,955
Publication Number

US 20060236384A1
Time in Patent Office

4,066 Days
Field of Search

713/155, 713160-164, 713168-174, 713/176, 713182-186, 380/277
US Class Current

726/9
CPC Class Codes

H04L 2209/80   Wireless

H04L 63/0435   wherein the sending and rec...

H04L 63/083   using passwords cryptograph...

H04L 63/0869   for achieving mutual authen...

H04L 63/104   Grouping of entities

H04L 9/0833   involving conference or gro...

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

H04L 9/3273   for mutual authentication n...

Password-based authentication system and method in group network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

Password-based authentication system and method in group network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links