Secure password-based authentication for cloud computing services

US 8,959,335 B2
Filed: 04/17/2012
Issued: 02/17/2015
Est. Priority Date: 04/17/2012
Status: Active Grant

First Claim

Patent Images

1. A method for operating a computing system, the computer system including a client computer, a security device, and a server, wherein the client computer and the server engage in a communications session constituting a sequence of request-response communications between the client computer and the server, to authenticate a client program executing on the client computer to a server service executing on the server upon the client program making a service request of the server during said communications session, the method comprising:

operating the client computer to form the service request to the server in a request-response communications protocol using a process that includes transmitting a command to the security device to provide username and a derivative-password;

operating the security device;

in response to the command from the client computer to provide a username and derivative-password;

to generate a derivative-password using a first parameter and a password-equivalent value stored in the security device;

at least one time during the communications session, in conjunction with a user device operated by a user, to obtain authorization from the user granting permission to the security device to provide a derivative password to the client computer; and

transmit an answer-message to the client computer, the answer-message including the first parameter, the derivative-password and the username;

operating the client computer to;

form the service request by including the answer-message received from the security device in the service request; and

transmit the service request to the server; and

operating the server to;

receive the service request from the client;

extract the first parameter, the derivative-password and the username from the service request;

compute a server-side-computed derivative of the password-equivalent value using the extracted first parameter and a server-side-stored password-equivalent value;

compare the received derivative-password to the server-side-computed derivative-password; and

upon determining that the received derivative-password matches the server-side-computed derivative-password, fulfilling the service requested by the client computer.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure password-based authentication for cloud service computing. A request for cloud computing resource access includes a derivative password that contains a parameter that the recipient may extract in order to independently calculate the derivative password based on the parameter and a stored password which may then be verified against a known-to-be-correct password. Other systems and methods are disclosed.

Citations

27 Claims

1. A method for operating a computing system, the computer system including a client computer, a security device, and a server, wherein the client computer and the server engage in a communications session constituting a sequence of request-response communications between the client computer and the server, to authenticate a client program executing on the client computer to a server service executing on the server upon the client program making a service request of the server during said communications session, the method comprising:
- operating the client computer to form the service request to the server in a request-response communications protocol using a process that includes transmitting a command to the security device to provide username and a derivative-password;
  
  operating the security device;
  
  in response to the command from the client computer to provide a username and derivative-password;
  
  to generate a derivative-password using a first parameter and a password-equivalent value stored in the security device;
  
  at least one time during the communications session, in conjunction with a user device operated by a user, to obtain authorization from the user granting permission to the security device to provide a derivative password to the client computer; and
  
  transmit an answer-message to the client computer, the answer-message including the first parameter, the derivative-password and the username;
  
  operating the client computer to;
  
  form the service request by including the answer-message received from the security device in the service request; and
  
  transmit the service request to the server; and
  
  operating the server to;
  
  receive the service request from the client;
  
  extract the first parameter, the derivative-password and the username from the service request;
  
  compute a server-side-computed derivative of the password-equivalent value using the extracted first parameter and a server-side-stored password-equivalent value;
  
  compare the received derivative-password to the server-side-computed derivative-password; and
  
  upon determining that the received derivative-password matches the server-side-computed derivative-password, fulfilling the service requested by the client computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method for operating a computing system of claim 1 wherein the first parameter is a random number.
  - 3. The method of claim 2 wherein the client computer is a computer server.
  - 4. The method for operating a computing system of claim 1 further comprising operating the client computer to transmit a second parameter to the security device and wherein the derivative-password is generated by the security device using the first parameter and the second parameter, and wherein the answer-message from the security device includes the second parameter, and wherein the server extracts the second parameter and uses the second parameter to compute the server-side-computed derivative password.
  - 5. The method for operating a computing system of claim 4 wherein the second parameter is a timestamp.
  - 6. The method of claim 1 wherein the client computer is a user device.
  - 7. The method for operating a computing system of claim 1 wherein the derivative-password is computed using a one-way cryptographic function F with a secret, the first parameter, and the stored password-equivalent value as arguments.
  - 8. The method for operating a computing system of claim 1 wherein the derivative-password is computed using a one-way cryptographic keyed hash function, the first parameter and the stored password-equivalent value.
  - 9. The method for operating a computing system of claim 1 wherein the server stores registered usernames and passwords, password-equivalent values, or one-way hashes of passwords in a database.
  - 10. The method for operating a computing system of claim 1 wherein the password-equivalent value is the password.
  - 11. The method for operating a computing system of claim 1 wherein the password-equivalent value is a one-way hash of the password.
  - 12. The method for operating a computing system of claim 1 wherein the derivative-password is an encryption of the first parameter and the password-equivalent value using a public key of the server.
  - 13. The method for operating a computing system of claim 1 wherein the derivative-password is an encryption of the first parameter and the password-equivalent value using a shared secret.

14. A cloud computing system comprising:
- a client computer having a hardware processor and a storage device for storing programs executable by the processor of the client computer to cause the client computer to perform certain actions, the client computer storage device including instructions to cause the client computer to form a service request of a server in a request-response communications protocol the instructions directing the processor to;
  
  issue a command to a security device to provide a username and password and receive an answer-message including username, a derivative-password generated by the security device using a first parameter and a password-equivalent value, and the first parameter;
  
  form the service request to the server by including the answer-message from the security device in the service request;
  
  the security device having a processor and a storage device for storing programs executable by the processor of the security device to cause the security device to perform certain actions, the security device storage device including instructions to cause the security device to;
  
  at least one time during the communications session, in conjunction with a user device operated by a user, to obtain authorization from the user granting permission to the security device to provide a derivative password to the client computer;
  
  generate a derivative-password using a first parameter and a password equivalent value stored on the security device in response the command to provide a username and derivative password; and
  
  transmit an answer-message including the user name, the derivative-password and the first parameter used to compute the derivative-password to the client computer; and
  
  a server having a processor and a storage device for storing programs executable by the processor of the server to cause the server to perform certain actions, the server storage device including instructions to cause the server to;
  
  receive the service request from the client;
  
  extract the first parameter, the derivative-password and the username from the service request;
  
  compute a server-side-computed derivative of the password using the extracted first parameter and a server-side-stored password-equivalent value;
  
  compare the received derivative-password to the server-side-computed derivative-password; and
  
  upon determining that the received derivative-password matches the server-side-computed derivative-password, fulfilling the service requested by the client computer.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The cloud computing system of claim 14 wherein the first parameter is a random number.
  - 16. The cloud computing system of claim 15 wherein the client computer is a computer server.
  - 17. The cloud computing system of claim 14 wherein the instructions to cause the client computer to form a service request further comprises transmitting a second parameter to the security device wherein the security device further includes instructions to generate the derivative-password using the first parameter and the second parameter, and wherein the answer-message from the security device includes the second parameter, and wherein the server includes instructions to extract the second parameter and to use the second parameter to compute the server-side-computed derivative password.
  - 18. The cloud computing system of claim 17 wherein the second parameter is a timestamp.
  - 19. The cloud computing system of claim 14 wherein the client computer is a user device.
  - 20. The cloud computing system of claim 14 wherein the derivative-password is computed using a one-way cryptographic function F with a secret, the first parameter, and the stored password-equivalent value as arguments.
  - 21. The cloud computing system of claim 14 wherein the derivative-password is computed using a one-way cryptographic keyed hash function, the first parameter and the stored password-equivalent value.
  - 22. The cloud computing system of claim 14 wherein the server stores registered usernames and passwords or one-way hashes of passwords in a database.
  - 23. The cloud computing system of claim 14 wherein the password-equivalent is the password.
  - 24. The cloud computing system of claim 14 wherein the password-equivalent is a one-way hash of the password.
  - 25. The cloud computing system of claim 14 wherein the derivative-password is an encryption of the first parameter and the password-equivalent using a public key of the server.
  - 26. The cloud computing system of claim 14 wherein the derivative-password is an encryption of the first parameter and the password-equivalent using a shared secret.

27. A security device with a processor programmed to perform the security device steps of a method comprising:
- operating a client computer to form a service request to a server using a process that includes transmitting an answer-message to the security device to provide username and a derivative-password;
  
  operating the security device to;
  
  generate a derivative-password using a parameter and a password-equivalent value stored in the security device;
  
  at least one time during the communications session, in conjunction with a user device operated by a user, to obtain authorization from the user granting permission to the security device to provide a derivative password to the client computer; and
  
  transmit an answer-message to the client computer, the answer-message including the parameter, the derivative-password and the username;
  
  operating the client computer to;
  
  form the service request by including the answer-message received from the security device in the service request; and
  
  transmit the service request to the server; and
  
  operating the server to;
  
  receive the service request from the client;
  
  extract the parameter, the derivative-password and the username from the service request;
  
  compute a server-side-computed derivative of the password-equivalent value using the extracted parameter and a server-side-stored password-equivalent value;
  
  compare the received derivative-password to the server-side-computed derivative-password; and
  
  upon determining that the received derivative-password matches the server-side-computed derivative-password, fulfilling the service requested by the client computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Thales DIS France SAS (Thales SA)
Original Assignee
Gemalto SA (Thales SA)
Inventors
Lu, HongQian Karen
Primary Examiner(s)
HOLDER, BRADLEY W

Application Number

US13/448,928
Publication Number

US 20130275748A1
Time in Patent Office

1,036 Days
Field of Search

713/155
US Class Current

713/155
CPC Class Codes

G06F 21/31 User authentication

H04L 9/3226 using a predetermined code,...

Secure password-based authentication for cloud computing services

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Secure password-based authentication for cloud computing services

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links