Secure authentication in TLS sessions

US 10,972,455 B2
Filed: 04/24/2018
Issued: 04/06/2021
Est. Priority Date: 04/24/2018
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for secure authentication within a communication protocol session, comprising:

in response to receiving authentication information of a user of a client computer of a transport layer security (TLS) session, retrieving, by the client computer, a challenge string associated with the TLS session, wherein the challenge string is based, at least, on a selected TLS session record;

communicating, by the client computer, the selected TLS session to a server of the TLS session;

generating, by the client computer, a first digest based on the challenge string and the authentication information; and

sending, by the client computer, the first digest to the server of the TLS session, wherein the retrieving, communicating, generating, and sending, by the client computer, are carried out after the TLS session has been established between the client computer and the server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An embodiment of the invention may include a method, computer program product and system for secure authentication within a communication protocol session. The embodiment may include retrieving, by a client computer of the TLS session, a challenge string associated with the TLS session. The embodiment may include generating, by the client computer, a first digest based on the challenge string and authentication information of a user of the client computer. The embodiment may include sending, by the client computer, the first digest to a server of the TLS session. The retrieving, generating and sending, by the client computer, are carried out after the TLS session has been established between the client computer and the server.

45 Citations

20 Claims

1. A computer implemented method for secure authentication within a communication protocol session, comprising:
- in response to receiving authentication information of a user of a client computer of a transport layer security (TLS) session, retrieving, by the client computer, a challenge string associated with the TLS session, wherein the challenge string is based, at least, on a selected TLS session record;
  
  communicating, by the client computer, the selected TLS session to a server of the TLS session;
  
  generating, by the client computer, a first digest based on the challenge string and the authentication information; and
  
  sending, by the client computer, the first digest to the server of the TLS session, wherein the retrieving, communicating, generating, and sending, by the client computer, are carried out after the TLS session has been established between the client computer and the server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer implemented method of claim 1, wherein the challenge string is synchronized between the client computer and the server, and wherein the challenge string is different in subsequent authentications.
  - 3. The computer implemented method of claim 1, wherein the first digest is generated by applying a hash function on a combination of the challenge string and the authentication information.
  - 4. The computer implemented method of claim 1, wherein the selected TLS session record comprises at least one of a current TLS session record or a previous TLS session record.
  - 5. The computer implemented method of claim 1, wherein the authentication information includes a password.
  - 6. The computer implemented method of claim 1, further comprising:
    - receiving, from the server of the TLS session, a result of an authentication.
  - 7. The computer implemented method of claim 1, further comprising:
    - retrieving, by the server, the authentication information of the user;
      
      generating, by the server, a second digest based on the retrieved authentication information and the challenge string associated with the TLS session;
      
      comparing, by the server, the second digest with the first digest received from the client computer;
      
      authenticating, by the server, the user in response to a result of the comparison, wherein the retrieving, generating, comparing and authenticating, by the server, are carried out after the TLS session has been established between the client and the server.
  - 8. The computer implemented method of claim 7, wherein the first digest and the second digest are generated respectively by applying a same hash function on a combination of the challenge string and the authentication information.

9. A computer program product for secure authentication within a Transport Layer Security (TLS) session, the computer program product comprising:
- one or more computer-readable tangible storage devices and program instructions stored on at least one of the one or more computer-readable tangible storage devices, the program instructions comprising;
  
  program instructions to retrieve authentication information of a user from a client of the TLS session;
  
  in response to retrieving the authentication information from the client, program instructions to retrieve a challenge string associated with the TLS session, wherein the challenge string is based, at least, on a selected TLS session record;
  
  program instructions to communicate, by the client, the selected TLS session record;
  
  program instructions to generate a first digest based on the retrieved authentication information and the challenge string;
  
  program instructions to compare the first digest with a second digest received from the client of the TLS session, wherein the second digest is generated by the client of the TLS session based on the authentication information and the challenge string; and
  
  program instructions to authenticate the user in response to a result of the comparison, wherein the retrieving, communicating, generating, comparing and authenticating are carried out after the TLS session has been established between the client of the TLS session and a server of the TLS session.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The computer program product of claim 9, wherein the challenge string is synchronized between the client of the TLS session and the server of the TLS session, and wherein the challenge string is different in subsequent authentications.
  - 11. The computer program product of claim 9, wherein the first digest and the second digest are generated respectively by applying a same hash function on a combination of the challenge string and the authentication information.
  - 12. The computer program product of claim 9, wherein the selected TLS session record comprises at least one of a current TLS session record or a previous TLS session record.
  - 13. The computer program product of claim 9, wherein the authentication information includes a password.
  - 14. The computer program product of claim 9, further comprising:
    - program instructions to receive, by the client of the TLS session, the result of the comparison.

15. A computer system for secure authentication within a Transport Layer Security (TLS) session, the computer system comprising:
- one or more processors, one or more computer-readable memories, one or more computer-readable tangible storage devices, and program instructions stored on at least one of the one or more computer-readable tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, the program instructions comprising;
  
  program instructions to retrieve authentication information of a user from a client of the TLS session;
  
  in response to retrieving the authentication information from the client, program instructions to retrieve a challenge string associated with the TLS session, wherein the challenge string is based, at least, on a selected TLS session record;
  
  program instructions to communicate, by the client, the selected TLS session record;
  
  program instructions to generate a first digest based on the retrieved authentication information and the challenge string;
  
  program instructions to compare the first digest with a second digest received from the client of the TLS session, wherein the second digest is generated by the client of the TLS session based on the authentication information and the challenge string; and
  
  program instructions to authenticate the user in response to a result of the comparison, wherein the retrieving, communicating, generating, comparing and authenticating are carried out after the TLS session has been established between the client of the TLS session and a server of the TLS session.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer system of claim 15, wherein the challenge string is synchronized between the client of the TLS session and the server of the TLS session, and wherein the challenge string is different in subsequent authentications.
  - 17. The computer system of claim 15, wherein the selected TLS session record comprises at least one of a current TLS session record or a previous TLS session record.
  - 18. The computer system of claim 15, wherein the first digest and the second digest are generated respectively by applying a same hash function on a combination of the challenge string and the authentication information.
  - 19. The computer system of claim 15, wherein the authentication information includes a password.
  - 20. The computer system of claim 15, further comprising:
    - program instructions to receive, by the client of the TLS session, the result of the comparison.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Hsu, Sheng-Tung, Hsiung, Wei-Hsiang, Chen, Kuo-Chun, Chou, Wayne
Primary Examiner(s)
Korsak, Oleg
Assistant Examiner(s)
Nguyen, Nhan Huu

Application Number

US15/960,757
Publication Number

US 20190327222A1
Time in Patent Office

1,078 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/083 using passwords cryptograph...

H04L 63/166 at the transport layer

Secure authentication in TLS sessions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

45 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure authentication in TLS sessions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links