Secure password-based authentication for cloud computing services
First Claim
1. A method for operating a computing system, the computer system including a client computer, a security device, and a server, wherein the client computer and the server engage in a communications session constituting a sequence of request-response communications between the client computer and the server, to authenticate a client program executing on the client computer to a server service executing on the server upon the client program making a service request of the server during said communications session, the method comprising:
- operating the client computer to form the service request to the server in a request-response communications protocol using a process that includes transmitting a command to the security device to provide username and a derivative-password;
- operating the security device:
  - in response to the command from the client computer to provide a username and derivative-password, to generate a derivative-password using a first parameter and a password-equivalent value stored in the security device;
  - at least one time during the communications session, in conjunction with a user device operated by a user, to obtain authorization from the user granting permission to the security device to provide a derivative password to the client computer; and
  - to transmit an answer-message to the client computer, the answer-message including the first parameter, the derivative-password and the username;
- operating the client computer to:
  - form the service request by including the answer-message received from the security device in the service request; and
  - transmit the service request to the server; and
- operating the server to:
  - receive the service request from the client;
  - extract the first parameter, the derivative-password and the username from the service request;
  - compute a server-side-computed derivative of the password-equivalent value using the extracted first parameter and a server-side-stored password-equivalent value;
  - compare the received derivative-password to the server-side-computed derivative-password; and
  - upon determining that the received derivative-password matches the server-side-computed derivative-password, fulfilling the service requested by the client computer.
Abstract
Secure password-based authentication for cloud service computing. A request for cloud computing resource access includes a derivative password that contains a parameter that the recipient may extract in order to independently calculate the derivative password based on the parameter and a stored password which may then be verified against a known-to-be-correct password. Other systems and methods are disclosed.
27 Claims
1. Independent method claim, reproduced in full under First Claim above. Dependent claims: 2 to 13.

14. A cloud computing system comprising:
- a client computer having a hardware processor and a storage device for storing programs executable by the processor of the client computer to cause the client computer to perform certain actions, the client computer storage device including instructions to cause the client computer to form a service request of a server in a request-response communications protocol, the instructions directing the processor to:
  - issue a command to a security device to provide a username and password and receive an answer-message including username, a derivative-password generated by the security device using a first parameter and a password-equivalent value, and the first parameter;
  - form the service request to the server by including the answer-message from the security device in the service request;
- the security device having a processor and a storage device for storing programs executable by the processor of the security device to cause the security device to perform certain actions, the security device storage device including instructions to cause the security device to:
  - at least one time during the communications session, in conjunction with a user device operated by a user, obtain authorization from the user granting permission to the security device to provide a derivative password to the client computer;
  - generate a derivative-password using a first parameter and a password-equivalent value stored on the security device in response to the command to provide a username and derivative password; and
  - transmit an answer-message including the user name, the derivative-password and the first parameter used to compute the derivative-password to the client computer; and
- a server having a processor and a storage device for storing programs executable by the processor of the server to cause the server to perform certain actions, the server storage device including instructions to cause the server to:
  - receive the service request from the client;
  - extract the first parameter, the derivative-password and the username from the service request;
  - compute a server-side-computed derivative of the password using the extracted first parameter and a server-side-stored password-equivalent value;
  - compare the received derivative-password to the server-side-computed derivative-password; and
  - upon determining that the received derivative-password matches the server-side-computed derivative-password, fulfilling the service requested by the client computer.

Dependent claims: 15 to 26.

27. A security device with a processor programmed to perform the security device steps of a method comprising:
- operating a client computer to form a service request to a server using a process that includes transmitting an answer-message to the security device to provide username and a derivative-password;
- operating the security device to:
  - generate a derivative-password using a parameter and a password-equivalent value stored in the security device;
  - at least one time during the communications session, in conjunction with a user device operated by a user, obtain authorization from the user granting permission to the security device to provide a derivative password to the client computer; and
  - transmit an answer-message to the client computer, the answer-message including the parameter, the derivative-password and the username;
- operating the client computer to:
  - form the service request by including the answer-message received from the security device in the service request; and
  - transmit the service request to the server; and
- operating the server to:
  - receive the service request from the client;
  - extract the parameter, the derivative-password and the username from the service request;
  - compute a server-side-computed derivative of the password-equivalent value using the extracted parameter and a server-side-stored password-equivalent value;
  - compare the received derivative-password to the server-side-computed derivative-password; and
  - upon determining that the received derivative-password matches the server-side-computed derivative-password, fulfilling the service requested by the client computer.
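The three roles the claims describe (client, security device, server), as an added illustration that is not the patent's own code. The claims do not fix how the derivative-password or the password-equivalent value are computed, so this example assumes HMAC-SHA256 keyed by the password-equivalent over a random first parameter, and a salted SHA-256 digest as the password-equivalent; the usernames, passwords and the `list-buckets` action are constructed sample values.

```python
import hashlib
import hmac
import secrets

def password_equivalent(username, password):
    # Assumed: a salted SHA-256 digest provisioned once to both the security
    # device and the server; the claims leave the exact derivation open.
    return hashlib.sha256(f"{username}:{password}".encode()).digest()

def derive(password_equiv, parameter):
    # Assumed: derivative-password = HMAC-SHA256(key=password-equivalent, msg=first parameter),
    # so the password-equivalent itself never appears in the service request.
    return hmac.new(password_equiv, parameter, hashlib.sha256).hexdigest()

class SecurityDevice:
    def __init__(self, username, password_equiv, authorize):
        self.username, self.password_equiv = username, password_equiv
        self.authorize = authorize   # user-device callback; True when the user grants permission
        self.granted = False

    def answer(self):
        # Permission must be obtained from the user at least once per session.
        if not self.granted:
            self.granted = bool(self.authorize())
        if not self.granted:
            return None
        parameter = secrets.token_bytes(16)   # fresh first parameter for this request
        return {"username": self.username, "parameter": parameter.hex(),
                "derivative_password": derive(self.password_equiv, parameter)}

def client_service_request(device, action):
    # The client embeds the device's answer-message in the service request unchanged.
    answer = device.answer()
    return None if answer is None else {"action": action, **answer}

class Server:
    def __init__(self, store):
        self.store = store   # username -> server-side-stored password-equivalent

    def handle(self, request):
        # Extract parameter, derivative-password and username; recompute; compare in constant time.
        stored = self.store.get(request["username"])
        if stored is None:
            return False
        expected = derive(stored, bytes.fromhex(request["parameter"]))
        return hmac.compare_digest(expected, request["derivative_password"])

def run(device_password="correct horse", server_password="correct horse", permit=True):
    # Constructed scenario: True if the server fulfils the request, False if it refuses,
    # None if the user never authorised the security device to answer.
    server = Server({"alice": password_equivalent("alice", server_password)})
    device = SecurityDevice("alice", password_equivalent("alice", device_password), lambda: permit)
    request = client_service_request(device, "list-buckets")
    return None if request is None else server.handle(request)
```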