Multifactor username based authentication
Abstract
A hashed value is computed from an encrypted password value and a displayed code value from a hardware token at a client. The encrypted password value is based on a username, a context identifier, and a password. The client provides the username and the hashed value to a server. The encrypted password value associated with the username is retrieved at the server. An expected hashed value is computed at the server. The client is validated based on a comparison of the hashed value and the expected hashed value.
16 Claims
1. A method comprising:
receiving, by a processing device of a server, a message comprising a username and a first hashed value; retrieving a hashed password associated with the username; calculating a time-dependent value associated with the username; calculating a second hashed value using the username, the hashed password, and the time-dependent value; determining whether the second hashed value matches the first hashed value from the message; receiving a client session random value and a Message Authentication Code (MAC) value; validating the MAC value at the server using the client session random value, the second hashed value, and a displayed code value from a hardware token; generating a server session random value at the server; and generating, by the processing device of the server, a session key by executing an iterative MAC function over: a concatenation of the server session random value and the client session random value, and a concatenation of the hashed password and the displayed code value from the hardware token.
2. A method comprising:
computing, by a processing device of a client, a hashed password value from a password, a username, and a security context identifier; computing a hashed value from a time-dependent value associated with the username and the hashed password value; transmitting a message comprising the username, the hashed value, a client session random value, and a Message Authentication Code (MAC) value, wherein the MAC value is generated with a first MAC function executed by the processing device of the client; generating the client session random value at the client; concatenating the client session random value, the hashed value, and the username; computing the MAC value over the client session random value, the hashed value, and the username using one or more of the hashed password value and a displayed code value from a hardware token at the client; receiving a server session random value and an acknowledgment that is enciphered using a session key at the client; and generating, by the processing device of the client, the session key by executing an iterative second MAC function over: a concatenation of the server session random value and the client session random value, and a concatenation of the hashed password value and the displayed code value from the hardware token. (Dependent claims: 3, 4)
5. A non-transitory computer-accessible storage medium comprising data that, when accessed by a processing device, cause the processing device to:
receive, by the processing device of a server, a message comprising a username and a first hashed value; retrieve a hashed password associated with the username; calculate a time-dependent value associated with the username; calculate a second hashed value using the username, the hashed password, and the time-dependent value; determine whether the second hashed value matches the first hashed value from the message; receive a client session random value and a Message Authentication Code (MAC); validate the MAC value at the server; generate a server session random value at the server; and generate, by the processing device of the server, a session key by executing an iterative MAC function over: a concatenation of the server session random value and the client session random value, and a concatenation of the hashed password value and a displayed code value from a hardware token.
6. A non-transitory computer-accessible storage medium comprising data that, when accessed by a processing device, cause the processing device to:
compute, by the processing device of a client, a hashed password value from a password, a username, and a security context identifier; compute a hashed value from a time-dependent value associated with the username and the hashed password value; transmit a message comprising the username, the hashed value, a client session random value, and a Message Authentication Code (MAC) value, the MAC value generated with a first MAC function executed by the processing device of the client; generate the client session random value at the client; concatenate the client session random value, the hashed value, and the username; compute the MAC value over the client session random value, the hashed value, and the username using one or more of the hashed password value and a displayed code value from a hardware token at the client; send the client session random value, the hashed value, the username, and the MAC value to a server; receive a server session random value and an acknowledgment that is enciphered using a session key at the client; and generate, by the processing device of the client, the session key by executing an iterative second MAC over: a concatenation of the server session random value and the client session random value, and a concatenation of the hashed password value and the displayed code value from the hardware token. (Dependent claims: 7, 8)
9. A server comprising:
a processing device; a hashed value computation module executable by the processing device to receive a message comprising a username and a first hashed value, and retrieve a hashed password associated with the username; a client validation module operatively coupled to the hashed value computation module, wherein the client validation module is executable by the processing device to calculate a time-dependent value associated with the username, to calculate a second hashed value using the username, the hashed password, and the time-dependent value, and to determine whether the second hashed value matches the first hashed value from the message; a hardware token interface coupled to the hashed value computation module, the hardware token interface to retrieve an encrypted password value associated with the username, wherein the hashed value computation module is to receive a client session random value and a Message Authentication Code (MAC) value; wherein the client validation module is to validate the MAC value at the server; and a session key generator coupled to the client validation module, the session key generator to generate a session key by executing an iterative MAC function over: a concatenation of a server session random value and the client session random value, and a concatenation of the hashed password value and a displayed code value from the hardware token. (Dependent claims: 10)
11. A client comprising:
a processing device; an encrypted password value generator executable by the processing device to generate a hashed password value in view of a username and a security context identifier; a hash value generator operatively coupled to the encrypted password value generator, the hash value generator executable by the processing device to compute a hashed value from a time-dependent value associated with the username and the hashed password value, and to transmit a message comprising the username, the hashed value, and a message authentication code (MAC) value, the MAC value generated with a first MAC function executed by the processing device; a hardware token interface coupled to the hash value generator, the hardware token interface to receive a displayed code value from a hardware token; and a session key generator coupled to the hash value generator, the session key generator to generate a client session random value, and to compute a session key by executing an iterative second MAC function over: a concatenation of a server session random value and the client session random value, and a concatenation of the hashed password value and a displayed code value from the hardware token. (Dependent claims: 12, 13, 14, 15, 16)
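To make the client/server flow in the claims concrete, here is an added Python sketch (not from the patent or from any assignee's code) that models the client steps of claim 2 and the server steps of claim 1 with HMAC-SHA256, including the rejection path when the hashed value or the MAC does not verify. The hash function, the 30-second time window, the iteration count, the way the token code is derived and the MAC key (hashed password concatenated with the token code) are assumptions about details the claims leave open.

```python
import hmac, hashlib, os

# Constructed demo parameters; the claims do not fix any of these (assumptions).
CONTEXT_ID = b"corp-vpn"     # security context identifier
ITERATIONS = 1000            # rounds of the iterative MAC used for the session key
TOKEN_SEED = os.urandom(20)  # secret shared by the hardware token and the server

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

def time_value(now: int) -> bytes:
    # Time-dependent value: a 30-second window counter (assumed granularity).
    return str(now // 30).encode()

def token_code(now: int) -> bytes:
    # Stand-in for the code the hardware token displays for this window.
    return hmac.new(TOKEN_SEED, time_value(now), hashlib.sha256).hexdigest()[:6].encode()

def hashed_password(username: bytes, password: bytes) -> bytes:
    # Claim 2: hashed password value from password, username and context identifier.
    # A deployment would use a memory-hard KDF here; SHA-256 keeps the demo short.
    return h(username, CONTEXT_ID, password)

def session_key(srv_rand: bytes, cli_rand: bytes, hpw: bytes, code: bytes) -> bytes:
    # Iterative MAC over (server_random || client_random), keyed with (hashed password || code).
    out = srv_rand + cli_rand
    for _ in range(ITERATIONS):
        out = hmac.new(hpw + code, out, hashlib.sha256).digest()
    return out

def client_request(username: bytes, password: bytes, code: bytes, now: int):
    # Client side of claim 2: the hashed password itself never leaves the client.
    hpw = hashed_password(username, password)
    hv = h(username, hpw, time_value(now))
    cli_rand = os.urandom(16)
    mac = hmac.new(hpw + code, cli_rand + hv + username, hashlib.sha256).digest()
    return hpw, {"user": username, "hv": hv, "rand": cli_rand, "mac": mac}

def server_verify(store: dict, msg: dict, now: int):
    # Server side of claim 1: recompute the hashed value, check it and the MAC,
    # then derive the session key. Returns None when either check fails.
    hpw = store[msg["user"]]
    expected_hv = h(msg["user"], hpw, time_value(now))
    code = token_code(now)  # the server knows the code the token should display
    expected_mac = hmac.new(hpw + code, msg["rand"] + expected_hv + msg["user"], hashlib.sha256).digest()
    if not (hmac.compare_digest(expected_hv, msg["hv"])
            and hmac.compare_digest(expected_mac, msg["mac"])):
        return None
    srv_rand = os.urandom(16)
    return srv_rand, session_key(srv_rand, msg["rand"], hpw, code)
```

Note that the hashed password the server stores is password-equivalent in this protocol: anyone holding it satisfies the password factor, so only the token code still protects the account and the store needs the same protection as a plaintext secret.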