Password-based generation and management of secret cryptographic keys

US 9,847,877 B2
Filed: 08/26/2015
Issued: 12/19/2017
Est. Priority Date: 08/26/2014
Status: Active Grant

First Claim

Patent Images

1. A method for generating, at a user computer connectable to a server via a network, a secret cryptographic key of the user computer, the method comprising:

providing at the user computer a secret user value;

providing at the server a secret server value and a check value which encodes the secret user value and a user password;

at the user computer, in response to input of an input password, encoding the secret user value and the input password to produce a first value corresponding to said check value, and communicating the first value to the server via the network;

at the server, in response to communication of the first value, comparing the first value and the check value to check whether the input password equals the user password and, if so, encoding the first value and said secret server value to produce a second value and communicating the second value to the user computer via the network; and

at the user computer, in response to communication of the second value, generating the secret cryptographic key by encoding the second value, the input password and the secret user value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus are provided for generating a secret cryptographic key of a user computer connectable to a server via a network. A secret user value is provided at the user computer. A secret server value is provided at the server with a check value which encodes the secret user value and a user password. The user computer encodes the secret user value and an input password to produce a first value corresponding to said check value, and communicates the first value to the server. The server compares the first and the check values to check whether the input password equals the user password. If so, the server encodes the first and the secret server values to produce a second value and communicates the second value to the user computer. The user computer generates the secret cryptographic key by encoding the second value, the input password and the secret user value.

Citations

15 Claims

1. A method for generating, at a user computer connectable to a server via a network, a secret cryptographic key of the user computer, the method comprising:
- providing at the user computer a secret user value;
  
  providing at the server a secret server value and a check value which encodes the secret user value and a user password;
  
  at the user computer, in response to input of an input password, encoding the secret user value and the input password to produce a first value corresponding to said check value, and communicating the first value to the server via the network;
  
  at the server, in response to communication of the first value, comparing the first value and the check value to check whether the input password equals the user password and, if so, encoding the first value and said secret server value to produce a second value and communicating the second value to the user computer via the network; and
  
  at the user computer, in response to communication of the second value, generating the secret cryptographic key by encoding the second value, the input password and the secret user value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method as claimed in claim 1 including, in a setup procedure, prior to generation of said key:
    - at the user computer, in response to input of said user password, encoding the secret user value and the user password to produce said check value, and communicating the check value to the server via the network; and
      
      at the server, storing the received check value.
  - 3. A method as claimed in claim 2 including, in said setup procedure:
    - at the user computer, generating and storing the secret user value; and
      
      at the server, generating and storing the secret server value.
  - 4. A method as claimed in claim 2 wherein the setup procedure includes:
    - at the server, encoding said received check value and said secret server value to produce said second value and communicating the second value to the user computer via the network; and
      
      at the user computer, in response to communication of the second value, generating the secret cryptographic key for a first time by encoding the second value, the user password and the secret user value, using the key in a cryptographic operation, and deleting the user password, the check value, the second value and the key after use.
  - 5. A method as claimed in claim 1 including:
    - providing at the user computer a user identifier for uniquely identifying the user computer to the server;
      
      at the server, providing the user identifier with the check value for the user computer; and
      
      at the user computer, communicating the user identifier to the server with said first value.
  - 6. A method as claimed in claim 5 including, at the user computer, encoding the user identifier in the first value.
  - 7. A method as claimed in claim 5 including, at the user computer, encoding the user identifier in the cryptographic key.
  - 8. A method as claimed in claim 5 including, at the server, encoding the user identifier in the second value.
  - 9. A method as claimed in claim 6 including:
    - at the server, providing a server identifier for uniquely identifying the server to the user computer;
      
      at the user computer, retrieving the server identifier and encoding the server identifier in said first value;
      
      at the server, encoding the server identifier in the second value; and
      
      at the user computer, encoding the server identifier in the cryptographic key.
  - 10. A method as claimed in claim 1 including establishing, via interaction of the user computer and the server, a secure channel over said network, wherein said communicating by the user computer and server is conducted over the secure channel.
  - 11. A method as claimed in claim 1 including, at the server, implementing a throttling mechanism in dependence on whether the input password equals the user password.
  - 12. A method as claimed in claim 1 wherein:
    - the check value encodes the secret user value and the user password via a hash function;
      
      the user computer produces the first value by encoding the secret user value and the input password via said hash function;
      
      the server produces the second value by encoding the first value and the secret server value via said hash function; and
      
      the user computer generates the secret cryptographic key by encoding the second value, the input password and the secret user value via said hash function.

13. A computer program product, the computer program product comprising a non-transitory computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computer to cause the computer to perform:
- providing at the user computer a secret user value;
  
  providing at the server a secret server value and a check value which encodes the secret user value and a user password;
  
  at the user computer, in response to input of an input password, encoding the secret user value and the input password to produce a first value corresponding to said check value, and communicating the first value to the server via the network;
  
  at the server, in response to communication of the first value, comparing the first value and the check value to check whether the input password equals the user password and, if so, encoding the first value and said secret server value to produce a second value and communicating the second value to the user computer via the network; and
  
  at the user computer, in response to communication of the second value, generating the secret cryptographic key by encoding the second value, the input password and the secret user value.

14. A user computer for communicating with a server via a network to generate a secret cryptographic key of the user computer, said server storing a secret server value and a check value which encodes a secret user value of the user computer and a user password, wherein the user computer comprises memory for storing said secret user value, a user interface, a communications interface for communicating with the server via the network, and control logic adapted:
- in response to input via said user interface of an input password, to encode said secret user value and the input password to produce a first value corresponding to said check value, and to communicate the first value to the server via said communications interface; and
  
  in response to communication by the server of a second value produced by encoding the first value and said secret server value, to generate the secret cryptographic key by encoding the second value, the input password and the secret user value.

15. A server for use in generating a secret cryptographic key of a user computer, storing a secret user value, which is connectable to the server via a network, the server comprising:
- memory for storing a secret server value and a check value which encodes said secret user value and a user password;
  
  a communications interface for communicating with the user computer via the network; and
  
  control logic adapted, in response to receipt from the user computer of a firstvalue which corresponds to said check value and encodes said secret user value and an input password, to compare the first value and the check value to check whether said input password equals said user password and, if so, to encode the first value and said secret server value to produce a second value, and to communicate the second value to the user computer via said communications interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Camenisch, Jan, Enderlein, Robert, Krenn, Stephan, Lehmann, Anja, Neven, Gregory
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
McCoy, Richard A

Application Number

US14/835,965
Publication Number

US 20160065366A1
Time in Patent Office

846 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 9/0863 involving passwords or one-...

Password-based generation and management of secret cryptographic keys

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Password-based generation and management of secret cryptographic keys

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links