Distributed password-based authentication in a public key cryptography authentication system
First Claim
1. A method comprising:
- storing in a plurality of servers of an authentication system respective shares of a private key;
receiving in the authentication system a message comprising a password encrypted using a public key corresponding to the private key; and
performing distributed password-based authentication in the authentication system based at least in part on the encrypted password utilizing the shares of the private key stored in the respective servers;
wherein the message comprises a request message formatted in accordance with a Kerberos PKINIT protocol extension that has been modified to support password-based authentication by configuring the request message to include a message element that incorporates the encrypted password;
wherein an unmodified version of the Kerberos PKINIT protocol extension is configured to utilize public key signatures as a mechanism for authentication;
wherein the request message comprises an (a, b, c)-formatted authentication service request message of the Kerberos PKINIT protocol extension that has been modified to incorporate the encrypted password;
wherein the modified (a, b, c)-formatted authentication service request message of the Kerberos PKINIT protocol extension comprises a modified authentication service request message ASREQ*=(a, b*, c), where message elements a and c are the same as in an unmodified authentication service request message ASREQ and message element b* incorporates the encrypted password; and
wherein the method is implemented by at least one processing device comprising a processor coupled to memory.
9 Assignments
0 Petitions
Accused Products
Abstract
An authentication system comprises a plurality of servers storing respective shares of a private key, and a controller associated with the servers. The authentication system is configured to receive a message comprising a password encrypted using a public key corresponding to the private key. The controller directs performance of distributed password-based authentication in the authentication system based at least in part on the encrypted password utilizing the shares of the private key stored in the respective servers. The message is formatted in a manner consistent with an authentication protocol that normally utilizes public key signatures as a mechanism for authentication but is modified to support password-based authentication. For example, the message may be formatted in a manner consistent with a request message of a Kerberos PKINIT protocol extension.
-
Citations
21 Claims
-
1. A method comprising:
-
storing in a plurality of servers of an authentication system respective shares of a private key; receiving in the authentication system a message comprising a password encrypted using a public key corresponding to the private key; and performing distributed password-based authentication in the authentication system based at least in part on the encrypted password utilizing the shares of the private key stored in the respective servers; wherein the message comprises a request message formatted in accordance with a Kerberos PKINIT protocol extension that has been modified to support password-based authentication by configuring the request message to include a message element that incorporates the encrypted password; wherein an unmodified version of the Kerberos PKINIT protocol extension is configured to utilize public key signatures as a mechanism for authentication; wherein the request message comprises an (a, b, c)-formatted authentication service request message of the Kerberos PKINIT protocol extension that has been modified to incorporate the encrypted password; wherein the modified (a, b, c)-formatted authentication service request message of the Kerberos PKINIT protocol extension comprises a modified authentication service request message ASREQ*=(a, b*, c), where message elements a and c are the same as in an unmodified authentication service request message ASREQ and message element b* incorporates the encrypted password; and wherein the method is implemented by at least one processing device comprising a processor coupled to memory. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
-
-
13. A method comprising:
-
storing in a plurality of servers of an authentication system respective shares of a private key; receiving in the authentication system a message comprising a password encrypted using a public key corresponding to the private key; and performing distributed password-based authentication in the authentication system based at least in part on the encrypted password utilizing the shares of the private key stored in the respective servers; wherein the message comprises a request message formatted in accordance with a Kerberos PKINIT protocol extension that has been modified to support password-based authentication by configuring the request message to include a message element that incorporates the encrypted password; wherein an unmodified version of the Kerberos PKINIT protocol extension is configured to utilize public key signatures as a mechanism for authentication; wherein the request message includes a ciphertext EncPK dist [P] on password P under a public key PKdist for distributed verification using key shares of a corresponding private key SKdist stored on respective ones of the plurality of servers; andwherein the method is implemented by at least one processing device comprising a processor coupled to memory.
-
-
14. A computer program product comprising a non-transitory processor-readable storage medium having embodied therein one or more software programs, wherein the one or more software programs when executed by at least one processing device cause said at least one processing device:
-
to store in a plurality of servers of an authentication system respective shares of a private key; to receive in the authentication system a message comprising a password encrypted using a public key corresponding to the private key; and to perform distributed password-based authentication in the authentication system based at least in part on the encrypted password utilizing the shares of the private key stored in the respective servers; wherein the message comprises a request message formatted in accordance with a Kerberos PKINIT protocol extension that has been modified to support password-based authentication by configuring the request message to include a message element that incorporates the encrypted password; wherein an unmodified version of the Kerberos PKINIT protocol extension is configured to utilize public key signatures as a mechanism for authentication; wherein the request message comprises an (a, b, c)-formatted authentication service request message of the Kerberos PKINIT protocol extension that has been modified to incorporate the encrypted password; and wherein the modified (a, b, c)-formatted authentication service request message of the Kerberos PKINIT protocol extension comprises a modified authentication service request message ASREQ*=(a, b*, c), where message elements a and c are the same as in an unmodified authentication service request message ASREQ and message element b* incorporates the encrypted password. - View Dependent Claims (15, 16, 17)
-
-
18. An apparatus comprising:
-
a server comprising a local verifier; wherein the server is configured for use as one of a plurality of servers of an authentication system storing respective shares of a private key; the server being configured to store its corresponding share of the private key; the local verifier being configured to generate an indication based on the stored share and at least a portion of a received message comprising a password encrypted using a public key corresponding to the private key; wherein the indication is utilizable in conjunction with corresponding indications generated by respective ones of the other servers to implement distributed password-based authentication based at least in part on the encrypted password utilizing the shares of the private key stored in the respective servers; wherein the message comprises a request message formatted in accordance with a Kerberos PKINIT protocol extension that has been modified to support password-based authentication by configuring the request message to include a message element that incorporates the encrypted password; wherein an unmodified version of the Kerberos PKINIT protocol extension is configured to utilize public key signatures as a mechanism for authentication; wherein the request message comprises an (a, b, c)-formatted authentication service request message of the Kerberos PKINIT protocol extension that has been modified to incorporate the encrypted password; wherein the modified (a, b, c)-formatted authentication service request message of the Kerberos PKINIT protocol extension comprises a modified authentication service request message ASREQ*=(a, b*, c), where message elements a and c are the same as in an unmodified authentication service request message ASREQ and message element b* incorporates the encrypted password; and wherein the server is implemented by at least one processing device comprising a processor coupled to memory.
-
-
19. An apparatus comprising:
-
a controller comprising a global verifier; the global verifier being configured to interface with a plurality of servers of an authentication system storing respective shares of a private key; the global verifier being configured to authenticate a received message based on indications from respective ones of the plurality of servers generated in accordance with distributed password-based authentication, the received message comprising a password encrypted using a public key corresponding to the private key; wherein the message comprises a request message formatted in accordance with a Kerberos PKINIT protocol extension that has been modified to support password-based authentication by configuring the request message to include a message element that incorporates the encrypted password; wherein an unmodified version of the Kerberos PKINIT protocol extension is configured to utilize public key signatures as a mechanism for authentication; wherein the request message comprises an (a, b, c)-formatted authentication service request message of the Kerberos PKINIT protocol extension that has been modified to incorporate the encrypted password; wherein the modified (a, b, c)-formatted authentication service request message of the Kerberos PKINIT protocol extension comprises a modified authentication service request message ASREQ*=(a, b*, c), where message elements a and c are the same as in an unmodified authentication service request message ASREQ and message element b* incorporates the encrypted password; and wherein the controller is implemented by at least one processing device comprising a processor coupled to memory.
-
-
20. An authentication system comprising:
-
a plurality of servers storing respective shares of a private key; and a controller associated with the servers; wherein the authentication system is configured to receive a message comprising a password encrypted using a public key corresponding to the private key; wherein the controller directs performance of distributed password-based authentication in the authentication system based at least in part on the encrypted password utilizing the shares of the private key stored in the respective servers; wherein the message comprises a request message formatted in accordance with a modified Kerberos PKINIT protocol extension that supports password-based authentication by configuring the request message to include a message element that incorporates the encrypted password; wherein an unmodified version of the modified Kerberos PKINIT protocol extension is configured to utilize public key signatures as a mechanism for authentication; wherein the request message comprises an (a, b, c)-formatted authentication service request message of the Kerberos PKINIT protocol extension that has been modified to incorporate the encrypted password; wherein the modified (a, b, c)-formatted authentication service request message of the Kerberos PKINIT protocol extension comprises a modified authentication service request message ASREQ*=(a, b*, c), where message elements a and c are the same as in an unmodified authentication service request message ASREQ and message element b* incorporates the encrypted password; and wherein the plurality of servers and the controller are implemented by at least one processing device comprising a processor coupled to memory. - View Dependent Claims (21)
-
Specification