Back-end matching method supporting front-end knowledge-based probabilistic authentication systems for enhanced credential security
First Claim
1. A method for knowledge-based probabilistic authentication of a client by server side resources, using a client identifier and a client credential having a number of elements, where each element of the credential represents a character that is mapped to a selected grid location parameter, indicated in a challenge, from a set of N×
- N grid parameters, the method comprising;
storing data in a computer memory including a first data set for a client identifier including a representation of a client credential accessible by a first server in server side resources, wherein the representation includes at least one of processed credential elements generated from a one-way function of the at least one credential element and protected data, and wherein the protected data cannot be determined by the first server, and a second data set including at least part of said protected data accessible by a second server in the server side resources;
sending from the first server, to authenticate a user, a set of N×
N grid parameters (N as a greater than zero integer) of fields filled with random digital content different in each of a plurality of sessions and a challenge of a plurality of session values, and in response from the user, receiving using the first server via data communications, a client identifier and an authentication response corresponding to the challenge that comprises said plurality of session values and each of the plurality of session values can be specified as, at least, a character that is mapped to a selected grid location parameter, indicated in the challenge, from the set of N×
N grid parameters;
transforming in the server side resources, said session values of the authentication response into corresponding sets of intermediate values, each set in said sets of intermediate values having a member for the selected grid location parameter to which the corresponding session value of the response can be mapped, and sending said sets of intermediate values to the second server;
generating a plurality of sets of processed credential element match values using the second server, wherein each set of processed credential element match values of the authentication response is derived based upon said one-way function of said protected data and a corresponding one of said sets of intermediate values, and sending said plurality of sets of processed credential element match values to the first server in an order different from an order in which the sets of intermediate values were received using the second server;
determining using the first server, whether each of the sets of processed credential element match values includes one member that matches one of the processed credential elements in the representation of the client credential; and
if all of the sets of processed credential element match values for a given authentication response include one member that matches one of the processed credential elements in the representation of the client credential, then signaling authentication success.
1 Assignment
0 Petitions
Accused Products
Abstract
A party can authenticate itself by interacting with multiple servers without revealing the shared secret to any of the involved parties. The stored shared secret is strengthened and broken into shares and saved on the servers. The shared secret is safe against offline brute force attack unless all servers where the shares are stored are compromised. The compromise of any single server, or multiple servers—but less than the maximum number—will not allow the attacker to do a brute force analysis on the shared secret. This back end security enhancement is suitable for probabilistic front end authentication algorithms.
-
Citations
49 Claims
-
1. A method for knowledge-based probabilistic authentication of a client by server side resources, using a client identifier and a client credential having a number of elements, where each element of the credential represents a character that is mapped to a selected grid location parameter, indicated in a challenge, from a set of N×
- N grid parameters, the method comprising;
storing data in a computer memory including a first data set for a client identifier including a representation of a client credential accessible by a first server in server side resources, wherein the representation includes at least one of processed credential elements generated from a one-way function of the at least one credential element and protected data, and wherein the protected data cannot be determined by the first server, and a second data set including at least part of said protected data accessible by a second server in the server side resources; sending from the first server, to authenticate a user, a set of N×
N grid parameters (N as a greater than zero integer) of fields filled with random digital content different in each of a plurality of sessions and a challenge of a plurality of session values, and in response from the user, receiving using the first server via data communications, a client identifier and an authentication response corresponding to the challenge that comprises said plurality of session values and each of the plurality of session values can be specified as, at least, a character that is mapped to a selected grid location parameter, indicated in the challenge, from the set of N×
N grid parameters;transforming in the server side resources, said session values of the authentication response into corresponding sets of intermediate values, each set in said sets of intermediate values having a member for the selected grid location parameter to which the corresponding session value of the response can be mapped, and sending said sets of intermediate values to the second server; generating a plurality of sets of processed credential element match values using the second server, wherein each set of processed credential element match values of the authentication response is derived based upon said one-way function of said protected data and a corresponding one of said sets of intermediate values, and sending said plurality of sets of processed credential element match values to the first server in an order different from an order in which the sets of intermediate values were received using the second server; determining using the first server, whether each of the sets of processed credential element match values includes one member that matches one of the processed credential elements in the representation of the client credential; and if all of the sets of processed credential element match values for a given authentication response include one member that matches one of the processed credential elements in the representation of the client credential, then signaling authentication success. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- N grid parameters, the method comprising;
-
17. A client-server authentication system for knowledge-based probabilistic authentication of a client by server side resources, using a client identifier and a client credential having a number of elements, where each element of the credential represents a character that is mapped to a selected grid location parameter, indicated in a challenge, from a set of N×
- N grid parameters, comprising;
server-side data processing resources, including one or more processors, memory and a communication interface, the server-side data processing resources including at least first and second servers; data stored in said memory including a first data set for a client identifier including a representation of the client credential accessible by a first server in server side resources, wherein the representation includes at least one of processed credential elements generated from a one-way function of the at least one credential element and protected data, and wherein the protected data cannot be determined by the first server, and a second data set including at least part of said protected data accessible by a second server in the server side resources; the data processing resources including executable instructions stored in said memory adapted for execution by the processor, including logic to receive using the first server via data communications, a client identifier and an authentication response corresponding to the challenge that comprises said plurality of session values and each of the plurality of session values can be specified as, at least, a character that is mapped to a selected grid location parameter, indicated in the challenge, from the set of N×
N grid parameters (N as a greater than zero integer) of fields filled with random digital content different in each of a plurality of sessions sent by the server;transform in the server side resources, said session values of the authentication response into corresponding sets of intermediate values, each set in said sets of intermediate values having a member for the selected grid location parameter to which the corresponding session value of the response can be mapped, and sending said sets of intermediate values to the second server; generate a plurality of sets of processed credential element match values using the second server, wherein each set of processed credential element match values of the authentication response is derived based upon said one-way function of said protected data and a corresponding one of said sets of intermediate values, and send said plurality of sets of processed credential element match values to the first server in an order different from an order in which the sets of intermediate values were received using the second server; determine using the first server, whether each of the sets of processed credential element match values includes one member that matches one of the processed credential elements in the representation of the client credential; and if all of the sets of processed credential element match values for a given authentication response include one member that matches one of the processed credential elements in the representation of the client credential, then signaling authentication success. - View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- N grid parameters, comprising;
-
33. A computer program stored on a non-transitory computer readable medium to authenticate a client, comprising instructions when executable by a computer processor to:
-
store data in a computer memory including a first data set for a client identifier including a representation of client credential accessible by a first server in server side resources, wherein the representation including at least one of processed credential elements generated from a one-way function of the at least one credential element and protected data, and wherein the protected data cannot be determined by the first server, and a second data set including at least part of said protected data accessible by a second server in the server side resources; send from the first server, to authenticate a user, a set of N×
N grid parameters (N as a greater than zero integer) of fields filled with random digital content different in each of a plurality of sessions and a challenge of a plurality of session values, and in response from the user, receive using the first server via data communications, a client identifier and an authentication response corresponding to the challenge that comprises said plurality of session values and each of the plurality of session values can be specified as, at least, a character that is mapped to a selected grid location parameter, indicated in the challenge, from the set of N×
N grid parameterstransform in the server side resources, said session values of the authentication response into corresponding sets of intermediate values, each set in said sets of intermediate values having a member for the selected grid location parameter to which the corresponding session value of the response can be mapped, and sending said sets of intermediate values to the second server; generate a plurality of sets of processed credential element match values using the second server, wherein each set of processed credential element match values of the authentication response is derived based upon said one-way function of said protected data and a corresponding one of said sets of intermediate values, and send said plurality of sets of processed credential element match values to the first server in an order different from an order in which the sets of intermediate values were received using the second server; determine using the first server, whether each of the sets of processed credential element match values includes one member that matches one of the processed credential elements in the representation of the client credential; and if all of the sets of processed credential element match values for a given authentication response include one member that matches one of the processed credential elements in the representation of the client credential, then signaling authentication success. - View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48)
-
-
49. A server in client-server authentication system for knowledge-based probabilistic authentication of a client by server side resources, using a client identifier and a credential having a number of elements, where each element of the client credential represents a character that is mapped to a selected grid location parameter, indicated in a challenge, from a set of N×
- N grid, comprising;
data processing resources, including one or more processors, memory and a communication interface; data stored in said memory including a first data set for a client identifier including a representation of the client credential accessible by a first server in server side resources, wherein the representation includes at least one of processed credential elements generated from a one-way function of the at least one credential element and protected data, and wherein the protected data cannot be determined by the first server, and a second data set including at least part of said protected data accessible by a second server in the server side resources; the data processing resources including executable instructions stored in said memory adapted for execution by the processor, including logic to receive using the first server via data communications, a client identifier and an authentication response corresponding to the challenge that comprises said plurality of session values and each of the plurality of session values can be specified as, at least, a character that is mapped to a selected grid location parameter, indicated in the challenge, from the set of N×
N grid parameters (N as a greater than zero integer) of fields filled with random digital content different in each of a plurality of sessions sent by the server;transform in the server side resources, said session values of the authentication response into corresponding sets of intermediate values, each set in said sets of intermediate values having a member for the selected grid location parameter to which the corresponding session value of the response can be mapped, and sending said sets of intermediate values to a second server; receive a plurality of sets of processed credential element match values from the second server, wherein each set of processed credential element match values of the authentication response is derived based upon said one-way function of said protected data and a corresponding one of said sets of intermediate values, said plurality of sets of processed credential element match values to the first server in an order different from an order in which the sets of intermediate values were sent to the second server; determine using the first server, whether each of the sets of processed credential element match values includes one member that matches one of the processed credential elements in the representation of the client credential; and if all of the sets of processed credential element match values for a given authentication response include one member that matches one of the processed credential elements in the representation of the client credential, then signaling authentication success.
- N grid, comprising;
Specification