System for remote pass-phrase authentication
First Claim
1. A method of authentication, said method comprising the steps of:
(a) assigning a first identifier and a first pass-phrase to a first entity, said first identifier and said first pass-phrase associated with a realm;
(b) assigning a second identifier and a second pass-phrase to a second entity, said second identifier and said second pass-phrase associated with said realm;
(c) storing said first identifier, said first pass-phrase, said second identifier, and said second pass-phrase at an authentication entity;
(d) requesting access to said second entity, said request initiated by said first entity and including said first identifier;
(e) transmitting a first challenge from said second entity to said first entity;
(f) transmitting a second challenge from said first entity to said second entity;
(g) calculating a first response involving said realm, first identifier, said first pass-phrase, said first challenge, said second identifier, and said second challenge, said first response calculated by said first entity;
(h) calculating a second response involving said realm, said second identifier, said second pass-phrase, said second challenge, said first identifier, and said first challenge, said second response calculated by said second entity;
(i) transmitting said first response to said second entity;
(j) transmitting said realm, said first identifier, said first challenge, said first response, said second identifier, said second challenge, and said second response to said authentication entity;
(k) verifying said first response, said verification involving said realm, said first identifier, said first pass-phrase, said first challenge, said first response, said second identifier, and said second challenge, and said verification performed by said authentication entity;
(l) verifying said second response, said verification involving said realm, said first identifier, said first challenge, said second identifier, said second pass-phrase, and said second challenge, and said verification performed by said authentication entity;
(m) generating a first authentication proof for said first entity, said first authentication proof generated by said authentication entity and involving said realm, said first identifier, said first pass-phrase, said first challenge, said second identifier, and said second challenge;
(n) generating a second authentication proof for said second entity, said second authentication proof generated by said authentication entity and involving said realm, said first identifier, said first challenge, said second identifier, said second pass-phrase, and said second challenge;
(o) transmitting said first authentication proof and said second authentication proof from said authentication entity to said second entity; and
(p) verifying said second authentication proof, said verification performed by said second entity;
(q) transmitting said first authentication proof from said second entity to said first entity; and
(r) verifying said first authentication proof, said verification performed by said first entity.
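The exchange of claim 1, modelled end to end as an added example (not code from the patent): a first entity and a second entity each answer the other's challenge with a keyed response over the realm, both identifiers and both challenges, an authentication entity holding the pass-phrases verifies both responses and returns one proof per party, and each party checks only its own proof. The claims fix no primitive, so HMAC-SHA256 and the "proof" domain-separation tag are this example's assumptions.

```python
import hashlib
import hmac
import secrets

def keyed(passphrase: str, *fields: str) -> str:
    """Keyed function shared by responses and proofs. The claims do not fix
    the primitive; HMAC-SHA256 over the '|'-joined fields is this example's choice."""
    return hmac.new(passphrase.encode(), "|".join(fields).encode(), hashlib.sha256).hexdigest()

class AuthEntity:
    """Holds every (realm, identifier) -> pass-phrase, step (c); never sends a pass-phrase."""
    def __init__(self):
        self.store = {}

    def enrol(self, realm, ident, passphrase):          # steps (a), (b)
        self.store[(realm, ident)] = passphrase

    def verify_and_prove(self, realm, id1, c1, r1, id2, c2, r2):
        pp1, pp2 = self.store.get((realm, id1)), self.store.get((realm, id2))
        if pp1 is None or pp2 is None:                   # unknown identifier in this realm
            return None
        # (k), (l): recompute each response from the stored pass-phrase, compare in constant time
        ok1 = hmac.compare_digest(r1, keyed(pp1, realm, id1, c1, id2, c2))
        ok2 = hmac.compare_digest(r2, keyed(pp2, realm, id2, c2, id1, c1))
        if not (ok1 and ok2):
            return None
        # (m), (n): proofs over the same fields plus a "proof" tag (assumption), so an
        # eavesdropped response can never be replayed as a proof
        return (keyed(pp1, "proof", realm, id1, c1, id2, c2),
                keyed(pp2, "proof", realm, id1, c1, id2, c2))

def run_exchange(auth, realm, id1, pp1, id2, pp2, tamper_first=False):
    """Simulates steps (d) to (r). pp1/pp2 are what the two entities themselves hold,
    which need not match the enrolled values (a wrong pass-phrase must fail)."""
    c1 = secrets.token_hex(16)                           # (e) challenge from second entity
    c2 = secrets.token_hex(16)                           # (f) challenge from first entity
    r1 = keyed(pp1, realm, id1, c1, id2, c2)             # (g) first response
    r2 = keyed(pp2, realm, id2, c2, id1, c1)             # (h) second response
    if tamper_first:                                     # an on-path modification of (i)
        r1 = "0" * len(r1)
    proofs = auth.verify_and_prove(realm, id1, c1, r1, id2, c2, r2)   # (j)
    if proofs is None:
        return False
    proof1, proof2 = proofs                              # (o) both proofs reach second entity
    ok2 = hmac.compare_digest(proof2, keyed(pp2, "proof", realm, id1, c1, id2, c2))  # (p)
    ok1 = hmac.compare_digest(proof1, keyed(pp1, "proof", realm, id1, c1, id2, c2))  # (q), (r)
    return ok1 and ok2
```

Neither entity ever sees the other's pass-phrase: the second entity can only check proof2, and it forwards proof1 unchanged because it lacks the key needed to verify or forge it.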
Abstract
A system and method are disclosed for authenticating users and services communicating over an insecure network. Each user and service has a pass-phrase used for authentication. However, the pass-phrases are not revealed during the authentication process, as challenge-response techniques are used to keep the pass-phrase secret. In addition, the users and services do not need to know, nor do they learn, each other's pass-phrases, making the process useful in a distributed environment. Pass-phrases are known by an authentication entity with which the service communicates to authenticate both users and services. Users may have identities in, and services may support, a number of realms, each of which may be viewed as a large collection of users (e.g., CompuServe.com). Users choose the realm in which they would like to be authenticated. In one embodiment of the present invention, the system and method are adapted for use with the HyperText Transfer Protocol of the World Wide Web so that secure transactions may be accomplished between users and services communicating via the Internet.
26 Claims
1. A method of authentication (reproduced in full under First Claim above).
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A method of authentication, said method comprising the steps of:
(a) assigning a first identifier and a first pass-phrase to a first entity, said first identifier and said first pass-phrase associated with a realm;
(b) assigning a second identifier and a second pass-phrase to a second entity, said second identifier and said second pass-phrase associated with said realm;
(c) storing said first identifier, said first pass-phrase, said second identifier, and said second pass-phrase at an authentication entity;
(d) requesting access to said second entity, said access request initiated by said first entity and including said first identifier;
(e) transmitting a first challenge from said second entity to said first entity;
(f) transmitting a second challenge from said first entity to said second entity;
(g) calculating a first response involving said realm, said first identifier, said first pass-phrase, said first challenge, said second identifier, and said second challenge, said first response calculated by said first entity;
(h) calculating a second response involving said realm, said second identifier, said second pass-phrase, said second challenge, said first identifier, and said first challenge, said second response calculated by said second entity;
(i) transmitting said first response to said second entity;
(j) transmitting said realm, said first identifier, said first challenge, said first response, said second identifier, said second challenge, and said second response to said authentication entity;
(k) verifying said first response, said verification involving said realm, said first identifier, said first pass-phrase, said first challenge, said first response, said second identifier, and said second challenge, and said verification performed by said authentication entity;
(l) verifying said second response, said verification involving said realm, said first identifier, said first challenge, said second identifier, said second pass-phrase, and said second challenge, and said verification performed by said authentication entity;
(m) generating a session key for said first entity and said second entity, said session key generated by said authentication entity;
(n) obscuring said session key for said first entity, said obscuring involving said realm, said first identifier, said first pass-phrase, said first challenge, said second identifier, and said second challenge, and performed by said authentication entity;
(o) obscuring said session key for said second entity, said obscuring involving said realm, said first identifier, said first challenge, said second identifier, said second pass-phrase, and said second challenge, and performed by said authentication entity;
(p) generating a first authentication proof for said first entity, said first authentication proof generated by said authentication entity and involving said realm, said first identifier, said first pass-phrase, said first challenge, said second identifier, said second challenge, and said obscured session key for said first entity;
(q) generating a second authentication proof for said second entity, said second authentication proof generated by said authentication entity and involving said realm, said first identifier, said first challenge, said second identifier, said second pass-phrase, said second challenge, and said obscured session key for said second entity;
(r) transmitting said first authentication proof and said second authentication proof from said authentication entity to said second entity; and
(s) verifying said second authentication proof, said verification performed by said second entity;
(t) transmitting said first authentication proof from said second entity to said first entity; and
(u) verifying said first authentication proof, said verification performed by said first entity.
Dependent claims: 12, 13, 14, 15
16. A system for authentication comprising:
a first entity;
a second entity;
an authentication entity;
a first identifier and a first pass-phrase for said first entity, said first identifier and said first pass-phrase associated with a realm;
a second identifier and a second pass-phrase for said second entity, said second identifier and said second pass-phrase associated with said realm;
means for said authentication entity to retrieve according to said realm said first identifier, said first pass-phrase, said second identifier, and said second pass-phrase;
means for said second entity to transmit a first challenge to said first entity;
means for said first entity to transmit a second challenge to said second entity;
means for said first entity to calculate a first response involving said realm, said first identifier, said first pass-phrase, said first challenge, said second identifier, and said second challenge;
means for said second entity to calculate a second response involving said realm, said second identifier, said second pass-phrase, said second challenge, said first identifier, and said first challenge;
means for transmitting said realm, said first identifier, said first challenge, said first response, said second identifier, said second challenge, and said second response to said authentication entity;
means for said authentication entity to verify said first response, said verification involving said realm, said first identifier, said first challenge, said second identifier, and said second challenge;
means for said authentication entity to verify said second response, said verification involving said realm, said first identifier, said first challenge, said first response, said second identifier, and said second challenge;
means for said authentication entity to generate a first authentication proof for said first entity;
means for said authentication entity to generate a second authentication proof for said second entity;
means for transmitting said first and said second authentication proofs from said authentication entity to said second entity;
means for said second entity to verify said second authentication proof;
means for transmitting said first authentication proof from said second entity to said first entity; and
means for said first entity to verify said first authentication proof.
Dependent claims: 17, 18, 19
20. A system for authentication comprising:
a realm identifier associated with a first identifier and a first pass-phrase for a first entity;
a second identifier and a second pass-phrase for a second entity, said second identifier and said second pass-phrase associated with said realm;
means for authenticating said first entity, said means including said realm identifier; and
means for authenticating said second entity, said means including said realm identifier.
Dependent claims: 21
22. A method of authentication for use with Hyper-Text Transfer Protocol, said method comprising the steps of:
transmitting a connection request from a client to a server;
creating a server security context and assigning an identifier to said server security context, said server security context created by and said identifier assigned by said server in response to said connection request from said client;
transmitting a first authentication header from said server to said client, said first authorization header comprising a realm list, a status indicator, a service challenge, and said service security context;
creating a client security context and assigning said identifier to said client security context, said client security context created by said client;
transmitting an authorization header from said client to said server, said authorization header comprising a status indicator, said client security context, a realm selected from said realm list, a client identifier in said selected realm, a client challenge, and a client response to said service challenge;
examining said client security context to determine an authentication state for said client security context, said examination performed by said server; and
performing authentication if said client context identifier is recognized by said server, said authentication performed by said server.
Dependent claims: 23, 24, 25, 26