Multifactor username based authentication

US 9,225,526 B2
Filed: 11/30/2009
Issued: 12/29/2015
Est. Priority Date: 11/30/2009
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a processing device of a server, a message comprising a username and a first hashed value;

retrieving a hashed password associated with the username;

calculating a time-dependent value associated with the username;

calculating a second hashed value using the username, the hashed password, and the time-dependent value;

determining whether the second hashed value matches the first hashed value from the message;

receiving a client session random value and a Message Authentication Code (MAC) value;

validating the MAC value at the server using the client session random value, the second hashed value, and a displayed code value from a hardware token;

generating a server session random value at the server; and

generating, by the processing device of the server, a session key by executing an iterative MAC function over;

a concatenation of the server session random value and the client session random value, and a concatenation of the hashed password and the displayed code value from the hardware token.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A hashed value is computed from an encrypted password value and a displayed code value from a hardware token at a client. The encrypted password value is based on a username, a context identifier, and a password. The client provides the username and the hashed value to a server. The encrypted password value associated with the username is retrieved at the server. An expected hashed value is computed at the server. The client is validated based on a comparison of the hashed value and the expected hashed value.

51 Citations

View as Search Results

16 Claims

1. A method comprising:
- receiving, by a processing device of a server, a message comprising a username and a first hashed value;
  
  retrieving a hashed password associated with the username;
  
  calculating a time-dependent value associated with the username;
  
  calculating a second hashed value using the username, the hashed password, and the time-dependent value;
  
  determining whether the second hashed value matches the first hashed value from the message;
  
  receiving a client session random value and a Message Authentication Code (MAC) value;
  
  validating the MAC value at the server using the client session random value, the second hashed value, and a displayed code value from a hardware token;
  
  generating a server session random value at the server; and
  
  generating, by the processing device of the server, a session key by executing an iterative MAC function over;
  
  a concatenation of the server session random value and the client session random value, and a concatenation of the hashed password and the displayed code value from the hardware token.

2. A method comprising:
- computing, by a processing device of a client, a hashed password value from a password, a username, and a security context identifier;
  
  computing a hashed value from a time-dependent value associated with the username and the hashed password value;
  
  transmitting a message comprising the username, the hashed value, a client session random value, and a Message Authentication Code (MAC) value, wherein the MAC value is generated with a first MAC function executed by the processing device of the client;
  
  generating the client session random value at the client;
  
  concatenating the client session random value, the hashed value, and the username;
  
  computing the MAC value over the client session random value, the hashed value, and the username using one or more of the hashed password value and a displayed code value from a hardware token at the client;
  
  receiving a server session random value and an acknowledgment that is enciphered using a session key at the client; and
  
  generating, by the processing device of the client, the session key by executing an iterative second MAC function over;
  
  a concatenation of the server session random value and the client session random value, and a concatenation of the hashed password value and the displayed code value from the hardware token.
- View Dependent Claims (3, 4)
- - 3. The method of claim 2, wherein hardware token changes the displayed code value on a regular basis.
  - 4. The method of claim 2, wherein computing the hashed value further comprises one or more of concatenating different values or hashing a value.

5. A non-transitory computer-accessible storage medium comprising data that, when accessed by a processing device, cause the processing device to:
- receive, by the processing device of a server, a message comprising a username and a first hashed value;
  
  retrieve a hashed password associated with the username;
  
  calculate a time-dependent value associated with the username;
  
  calculate a second hashed value using the username, the hashed password, and the time-dependent value;
  
  determine whether the second hashed value matches the first hashed value from the message;
  
  receive a client session random value and a Message Authentication Code (MAC);
  
  validate the MAC value at the server;
  
  generate a server session random value at the server; and
  
  generate, by the processing device of the server, a session key by executing an iterative MAC function over;
  
  a concatenation of the server session random value and the client session random value, and a concatenation of the hashed password value and a displayed code value from a hardware token.

6. A non-transitory computer-accessible storage medium comprising data that, when accessed by a processing device, cause the processing device to:
- compute, by the processing device of a client, a hashed password value from a password, a username, and a security context identifier;
  
  compute a hashed value from a time-dependent value associated with the username and the hashed password value;
  
  transmit a message comprising the username, the hashed value, a client session random value, and a Message Authentication Code (MAC) value, the MAC value generated with a first MAC function executed by the processing device of the client;
  
  generate the client session random value at the client;
  
  concatenate the client session random value, the hashed value, and the username;
  
  compute the MAC value over the client session random value, the hashed value, and the username using one or more of the hashed password value and a displayed code value from a hardware token at the client;
  
  send the client session random value, the hashed value, the username, and the MAC value to a server;
  
  receive a server session random value and an acknowledgment that is enciphered using a session key at the client; and
  
  generate, by the processing device of the client, the session key by executing an iterative second MAC over;
  
  a concatenation of the server session random value and the client session random value, and a concatenation of the hashed password value and the displayed code value from the hardware token.
- View Dependent Claims (7, 8)
- - 7. The non-transitory computer-accessible storage medium of claim 6, wherein hardware token changes the displayed code value on a regular basis.
  - 8. The non-transitory computer-accessible storage medium of claim 6, wherein the data to compute the hashed value further comprises data to cause the processing device to compute one or more of concatenating different values or hashing a value.

9. A server comprising:
- a processing device;
  
  a hashed value computation module executable by the processing device to receive a message comprising a username and a first hashed value, and retrieve a hashed password associated with the username;
  
  a client validation module operatively coupled to the hashed value computation module, wherein the client validation module is executable by the processing device to calculate a time-dependent value associated with the username, to calculate a second hashed value using the username, the hashed password, and the time-dependent value, and to determine whether the second hashed value matches the first hashed value from the message;
  
  a hardware token interface coupled to the hashed value computation module, the hardware token interface to retrieve an encrypted password value associated with the username,wherein the hashed value computation module is to receive a client session random value and a Message Authentication Code (MAC) value;
  
  wherein the client validation module is to validate the MAC value at the server; and
  
  a session key generator coupled to the client validation module, the session key generator to generate a session key by executing an iterative MAC function over;
  
  a concatenation of a server session random value and the client session random value, and a concatenation of the hashed password value and a displayed code value from the hardware token.
- View Dependent Claims (10)
- - 10. The server of claim 9, further comprising:
    - a storage device coupled to the session key generator, the storage device to store the session key.

11. A client comprising:
- a processing device;
  
  an encrypted password value generator executable by the processing device to generate a hashed password value in view of a username and a security context identifier;
  
  a hash value generator operatively coupled to the encrypted password value generator, the hash value generator executable by the processing device to compute a hashed value from a time-dependent value associated with the username and the hashed password value, and to transmit a message comprising the username, the hashed value, and a message authentication code (MAC) value, the MAC value generated with a first MAC function executed by the processing device;
  
  a hardware token interface coupled to the hash value generator, the hardware token interface to receive a displayed code value from a hardware token; and
  
  a session key generator coupled to the hash value generator, the session key generator to generate a client session random value, and to compute a session key by executing an iterative second MAC function over;
  
  a concatenation of a server session random value and the client session random value, and a concatenation of the hashed password value and a displayed code value from the hardware token.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The client of claim 11, further comprising:
    - a storage device coupled to the session key generator, the storage device to store the session key,wherein the hash value generator is to receive the client session random value and the MAC value.
  - 13. The client of claim 12, wherein the hash value generator is to concatenate the client session random value, the hashed value, and the username;
    - to compute the MAC value over the client session random value, the hashed value, and the username, using one or more of the hashed password value and the displayed code value from the hardware token at the client; and
      
      to send the client session random value, the hashed value, the username, and the MAC value to a server.
  - 14. The client of claim 13, wherein the session key generator is to receive the server session random value and an acknowledgment that is enciphered using the session key, and to generate the session key in view of the server session random value, the client session random value, the hashed password value, the displayed code value from the hardware token.
  - 15. The client of claim 13, wherein hardware token changes the displayed code value on a regular basis.
  - 16. The client of claim 13, wherein the hash value generator is further to compute the hashed value by concatenating different values or hashing a value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Schneider, James Paul
Primary Examiner(s)
PARSONS, THEODORE C

Application Number

US12/628,109
Publication Number

US 20110131415A1
Time in Patent Office

2,220 Days
Field of Search

726 5- 7, 726/19
US Class Current

1/1
CPC Class Codes

G06F 21/34   involving the use of extern...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

H04L 9/3242   involving keyed hash functi...

Multifactor username based authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

51 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Multifactor username based authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others