Username based key exchange

US 9,258,113 B2
Filed: 08/29/2008
Issued: 02/09/2016
Est. Priority Date: 08/29/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

sending, by a processor over a network, a first random string in response to a request from a device;

receiving, by the processor over the network, a second random string and a username from the device in response to the first random string;

concatenating, by the processor, the first random string, the second random string and the username to form a first value;

generating, by the processor, a first secret using the first value as input to a cryptographic function and a hashed password associated with the username as a cryptographic key; and

establishing, by the processor, a communication session with the device over the network using a second secret derived from the first secret.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for an system and process for sharing a secret over an unsecured channel in conjunction with an authentication system. A client computes a message authentication code based on a hashed password value and a first random string received from the server. The client sends a response to the server that includes authentication data including a second random string. Both the client and server concatenate the first random string, second random string and username. Theses values are processed to generate as a shared master secret to further generate shared secrets or keys to establish a secured communication channel between the client and server. The secured communication can be based on stateless messaging where the decryption key associated with the message is identified by the message authentication code, which is placed within the message.

62 Citations

View as Search Results

19 Claims

1. A method comprising:
- sending, by a processor over a network, a first random string in response to a request from a device;
  
  receiving, by the processor over the network, a second random string and a username from the device in response to the first random string;
  
  concatenating, by the processor, the first random string, the second random string and the username to form a first value;
  
  generating, by the processor, a first secret using the first value as input to a cryptographic function and a hashed password associated with the username as a cryptographic key; and
  
  establishing, by the processor, a communication session with the device over the network using a second secret derived from the first secret.
- View Dependent Claims (2, 3, 4, 18, 19)
- - 2. The method of claim 1, further comprising:
    - generating the second secret from the first secret for use in a secure communication protocol for the communication session.
  - 3. The method of claim 1, further comprising:
    - calculating a first message authentication code in view of the second secret.
  - 4. The method of claim 3, further comprising:
    - inserting a second message authentication code into a message as a decryption key identifier.
  - 18. The method of claim 1, wherein the network is at least one of a wide area network (WAN) or a local area network (LAN).
  - 19. The method of claim 1, wherein sending the first random string in response to a request comprises sending the first random string by a server device over the network in response to the request from a client device.

5. A non-transitory computer-readable medium comprising instructions encoded thereon which, when executed by a processor, cause the processor to:
- send, by the processor over a network, a first random string in response to a request from a device;
  
  receive, by the processor over the network, a second random string and a username in response to the first random string;
  
  concatenate, by the processor, the first random string, the second random string and the username to form a first value;
  
  generate, by the processor, a first secret using the first value as input to a cryptographic function and a hashed password associated with the username as a cryptographic key; and
  
  establish, by the processor, a communication session with the device over the network using a second secret derived from the first secret.
- View Dependent Claims (6, 7)
- - 6. The non-transitory computer-readable medium of claim 5, wherein the processor further to:
    - generate the second secret from the first secret for use in a secure communication protocol for the communication session.
  - 7. The non-transitory computer-readable medium of claim 6, wherein the processor further to:
    - insert a second message authentication code into a message as a decryption key identifier.

8. A method comprising:
- receiving, by a processor over a network, a first random string from a device;
  
  sending, by the processor over the network, a second random string and a username in response to the first random string; and
  
  concatenating, by the processor, the first random string, the second random string and the username to form a first value;
  
  generating, by the processor, a first secret using the first value as input to a cryptographic function and a hashed password associated with the username as a cryptographic key; and
  
  establishing, by the processor, a communication session with the device over the network using a second secret derived from the first secret.
- View Dependent Claims (9, 10, 11)
- - 9. The method of claim 8, further comprising:
    - generating the second secret from the first secret for use in a secure communication protocol for the communication session.
  - 10. The method of claim 8, further comprising:
    - calculating a first message authentication code in view of the second secret.
  - 11. The method of claim 10, further comprising:
    - inserting a second message authentication code into a message as a decryption key identifier.

12. A non-transitory computer-readable medium comprising instructions encoded thereon which, when executed by a processor, cause the processor to:
- receive, by the processor over a network, a first random string from a device;
  
  send, by the processor over the network, a second random string and a username in response to the first random string;
  
  concatenate, by the processor, the first random string, the second random string and the username to form a first value;
  
  generate, by the processor, a first secret using the first value as input to a cryptographic function and a hashed password associated with the username as a cryptographic key; and
  
  establish, by the processor, a communication session with the device over the network using a second secret derived from the first secret.
- View Dependent Claims (13, 14, 15)
- - 13. The non-transitory computer-readable medium of claim 12, wherein the processor further to:
    - generate the second secret from the first secret for use in a secure communication protocol for the communication session.
  - 14. The non-transitory computer-readable medium of claim 13, wherein the processor further to:
    - calculate a first message authentication code in view of the second secret.
  - 15. The non-transitory computer-readable medium of claim 14, wherein the processor further to:
    - insert a second message authentication code into a message as a decryption key identifier.

16. A system comprising:
- a memory;
  
  a network interface device; and
  
  a processor operatively coupled to the memory, the processor to;
  
  send, over a network using the network interface device, a first random string in response to a request from a device;
  
  receive, over the network using the network interface device, a second random string and a username in response to the first random string;
  
  concatenate the first random string, the second random string and the username to form a first value;
  
  generate a first secret using the first value as input to a cryptographic function and a hashed password associated with the username as a cryptographic key; and
  
  establish a communication session with the device over the network using a second secret derived from the first secret.
- View Dependent Claims (17)
- - 17. The system of claim 16, wherein the processor is further to:
    - generate the second secret from the first secret for use in a secure communication protocol for the communication session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Schneider, James Paul
Primary Examiner(s)
KIM, TAE K

Application Number

US12/201,321
Publication Number

US 20100058060A1
Time in Patent Office

2,720 Days
Field of Search

713/171
US Class Current

1/1
CPC Class Codes

H04L 9/0844 with user authentication or...

H04L 9/3271 using challenge-response

Username based key exchange

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

62 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Username based key exchange

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links