System and method for generating a single use password based on a challenge/response protocol
First Claim
1. A method for secure authentication, comprising:
issuing, by a management console, a challenge request to a security appliance in response to an entity inserting a smart card and entering a username and a password into the management console to verify the identity of the entity;
in response to receiving the request issued by the management console, identifying, by the security appliance, a public key and a salt value stored on the security appliance wherein the public key and the salt value are associated with the entity and the smart card inserted by the entity into the management console;
generating, on the security appliance, a bit pattern, the bit pattern associated with the username of the entity and stored in the security appliance;
sending a challenge to the management console, the challenge including a secure hash of the bit pattern, an identification value associated with the security appliance, a version of the bit pattern and identification value encrypted with the public key, and the salt value;
in response to receiving the challenge, decrypting, by the smart card, the version of the bit pattern and identification value using a private key contained within the smart card;
using, on the management console, the decrypted bit pattern to compute the secure hash received from the security appliance;
comparing, on the management console, the decrypted security appliance identification value and computed secure hash of the bit pattern with the security appliance identification value and secure hash of the bit pattern received from the security appliance in the challenge to determine if they match;
in response to a match of the comparison, returning, by the management console, a response to the security appliance, the response including a keyed hash message authentication code (HMAC), wherein the associated bit pattern is used as a key to encrypt the HMAC;
utilizing the bit pattern stored on the security appliance and associated with the entity's username to compute the keyed HMAC received from the management console;
matching the computed keyed HMAC with the received keyed HMAC at the security appliance; and
in response to matching the computed keyed HMAC with the received keyed HMAC at the security appliance, authenticating the entity.
1 Assignment
0 Petitions
Abstract
A system and method which generates a single use password based on a challenge/response protocol. A box manager module executing within a security appliance identifies a public key (P) and salt value (S) associated with an administrator's smart card and generates a random nonce (N). The box manager transmits a challenge comprising the following elements: <SHA1(N), BM_ID, P[N, BM_ID], S>. Upon receiving the challenge, the administration card decrypts P[N, BM_ID] using the private key contained within the card and computes SHA1(N). The administration card then compares its computed values with the received values from the box manager. If the values match, then the administration card returns a response comprising the following elements: HMAC_N[user, SHA1(password, S)], where HMAC_N represents the SHA1 keyed hash message authentication code of the response elements using the nonce N as the key.
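The exchange the abstract describes, carried through end to end in Go as an added example; this is not code from the patent or from any product it covers. The box manager (security appliance) and the administration card are two in-process structs. RSA-OAEP stands in for the public-key encryption P[...], the nonce N is 32 bytes, BM_ID is 16 bytes, and the appliance is assumed to hold SHA1(password, S) as its stored verifier so that it can recompute the response; none of these choices is fixed by the patent text, and the type and function names are the example's own. The appliance consumes N the moment it checks a response, which is what makes the resulting password single use.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"fmt"
)

// Constructed sizes: the patent text fixes neither the nonce nor the BM_ID length.
const nonceLen, idLen = 32, 16
// Challenge is <SHA1(N), BM_ID, P[N, BM_ID], S>; EncNID is RSA-OAEP of N || BM_ID (OAEP is this example's choice for P[...]).
type Challenge struct{ HashN, BMID, EncNID, Salt []byte }
// Response is HMAC_N[user, SHA1(password, S)].
type Response struct{ User string; MAC []byte }
type enrollment struct {
	pub    *rsa.PublicKey
	salt   []byte
	pwHash []byte // SHA1(password || S); assumes the appliance keeps this salted hash as its verifier
	nonce  []byte // outstanding N, cleared once a response has been checked
}
// BoxManager is the security appliance side of the exchange.
type BoxManager struct {
	ID    []byte // BM_ID, sent in the clear and again inside the ciphertext
	users map[string]*enrollment
}
// randBytes fills n fresh bytes from crypto/rand, which never returns short or with an error.
func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
func NewBoxManager() *BoxManager {
	return &BoxManager{ID: randBytes(idLen), users: map[string]*enrollment{}}
}
func saltedPasswordHash(password string, salt []byte) []byte {
	h := sha1.Sum(append([]byte(password), salt...))
	return h[:]
}
// Enroll records the card's public key and the salted password verifier for user.
func (bm *BoxManager) Enroll(user, password string, pub *rsa.PublicKey) {
	salt := randBytes(16)
	bm.users[user] = &enrollment{pub: pub, salt: salt, pwHash: saltedPasswordHash(password, salt)}
}
// IssueChallenge draws a fresh nonce N for user and builds the challenge around it.
func (bm *BoxManager) IssueChallenge(user string) (*Challenge, error) {
	e, ok := bm.users[user]
	if !ok {
		return nil, fmt.Errorf("unknown user %q", user)
	}
	e.nonce = randBytes(nonceLen)
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, e.pub, append(append([]byte{}, e.nonce...), bm.ID...), nil)
	if err != nil {
		return nil, err
	}
	hn := sha1.Sum(e.nonce)
	return &Challenge{HashN: hn[:], BMID: bm.ID, EncNID: enc, Salt: e.salt}, nil
}
// macFor is HMAC-SHA1 keyed with the nonce over (user, SHA1(password, S)).
func macFor(n []byte, user string, pwHash []byte) []byte {
	m := hmac.New(sha1.New, n)
	m.Write(append([]byte(user), pwHash...))
	return m.Sum(nil)
}
// Verify recomputes the HMAC with the stored nonce and consumes that nonce whatever the outcome, so a replay is rejected.
func (bm *BoxManager) Verify(r *Response) bool {
	e, ok := bm.users[r.User]
	if !ok || e.nonce == nil {
		return false
	}
	defer func() { e.nonce = nil }() // runs after the result below is computed
	return hmac.Equal(macFor(e.nonce, r.User, e.pwHash), r.MAC)
}
// AdminCard stands for the smart card together with the console that holds it.
type AdminCard struct{ priv *rsa.PrivateKey }
func NewAdminCard() (*AdminCard, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	return &AdminCard{priv: priv}, err
}
func (c *AdminCard) PublicKey() *rsa.PublicKey { return &c.priv.PublicKey }
// Respond decrypts P[N, BM_ID], checks both recovered values against the cleartext parts of the challenge, and only then releases the keyed response.
func (c *AdminCard) Respond(ch *Challenge, user, password string) (*Response, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, c.priv, ch.EncNID, nil)
	if err != nil || len(plain) != nonceLen+idLen {
		return nil, fmt.Errorf("challenge does not decrypt under this card's key")
	}
	n, bmID := plain[:nonceLen], plain[nonceLen:]
	hn := sha1.Sum(n)
	if !hmac.Equal(hn[:], ch.HashN) || !hmac.Equal(bmID, ch.BMID) {
		return nil, fmt.Errorf("cleartext SHA1(N) or BM_ID disagrees with the encrypted copy")
	}
	return &Response{User: user, MAC: macFor(n, user, saltedPasswordHash(password, ch.Salt))}, nil
}

func main() {
	card, _ := NewAdminCard()
	bm := NewBoxManager()
	bm.Enroll("admin", "correct horse", card.PublicKey())
	ch, _ := bm.IssueChallenge("admin")
	resp, err := card.Respond(ch, "admin", "correct horse")
	fmt.Println("appliance accepted entity:", err == nil && bm.Verify(resp))
}
```

Run as a program it reports whether one honest exchange was accepted. Calling Verify a second time on the same response returns false, because the nonce it was keyed under no longer exists on the appliance, and Respond returns an error instead of a MAC when the cleartext SHA1(N) or BM_ID disagrees with what the card decrypts, so a challenge that was altered in transit never earns a keyed answer.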
109 Citations
20 Claims
1. Independent claim, set out in full under First Claim above. Dependent claims: 2, 3.
4. A method for securely authenticating an administrator to a computer, comprising:
issuing a challenge request to the computer;
in response to receiving the challenge request, identifying, by the computer, a public key and a salt value;
generating, by the computer, a nonce to be stored on the computer, wherein the public key and the salt value are associated with an administrator and a smart card inserted by the administrator;
generating a challenge comprising a secure hash of the nonce, an identification associated with the computer, the salt value and a version of the nonce and identification value that is encrypted with the public key;
sending the challenge to the smart card;
in response to receiving the challenge, decrypting, by the smart card, the version of the nonce and identification value using a private key contained within the smart card;
using the decrypted nonce to compute the secure hash of the nonce;
comparing the decrypted computer identification value and computed secure hash of the nonce with the computer identification value and secure hash of the nonce received from the computer in the challenge to determine if they match;
in response to a match of the comparison, returning a response to the computer, the response including a message authentication code, wherein the associated nonce is used as a key to encrypt the message authentication code;
utilizing the nonce stored on the computer and associated with the user's username to compute the received message authentication code;
matching the computed message authentication code with the received message authentication code on the computer; and
in response to matching the computed message authentication code with the received message authentication code on the computer, authenticating the user.
Dependent claims: 5, 6, 7, 8, 9, 10, 11, 12, 13, 14.
15. A non-transitory computer readable medium for securely authenticating a user to a computer, the computer readable medium containing executable program instructions for execution by a processor, comprising:
program instructions that issue a challenge request to the computer;
program instructions that identify, on the computer, a public key and a salt value in response to receiving the challenge request;
program instructions that generate, on the computer, a nonce to be stored on the computer, wherein the public key and the salt value are associated with the user and a smart card inserted by the user;
program instructions that generate a challenge, the challenge comprising a secure hash of the nonce, an identification value associated with the computer, the salt value and a version of the nonce and identification value encrypted with the public key;
program instructions that send the challenge to the smart card;
program instructions that decrypt, on the smart card, the version of the nonce and identification value using a private key contained within the smart card in response to receiving the challenge;
program instructions that use the decrypted nonce to compute the secure hash of the nonce;
program instructions that compare the decrypted computer identification value and computed secure hash of the nonce with the computer identification value and secure hash of the nonce received from the computer in the challenge to determine if they match;
program instructions that return a response to the computer, the response including a keyed hash message authentication code (HMAC), wherein the associated nonce is used as a key to encrypt the HMAC in response to a match;
program instructions that utilize the nonce stored on the computer and associated with the username of the user to compute the received keyed HMAC;
program instructions that match the computed keyed HMAC with the received keyed HMAC on the computer; and
program instructions that authenticate the user in response to a match.
16. A system for securely authenticating a user to a computer, the system comprising:
a management console operatively interconnected with the computer, the management console configured to issue a challenge request to the computer;
wherein the computer is configured to, in response to receiving the challenge request, identify a public key and a salt value, generate a nonce to be stored on the computer, wherein the public key and the salt value are associated with the user and a smart card inserted by the user, generate a challenge comprising a secure hash of the nonce, an identification value associated with the computer, the salt value and a version of the nonce and identification value encrypted with the public key, and send the challenge to the smart card;
the management console further configured to decrypt the version of the nonce and identification value using a private key contained within the smart card in response to receiving the challenge, use the decrypted nonce to compute the secure hash of the nonce, compare the decrypted computer identification value and computed secure hash of the nonce with the computer identification value and secure hash of the nonce received from the computer in the challenge to determine if they match, and return a response to the computer, the response including a keyed hash message authentication code (HMAC), wherein the associated nonce is used as a key to encrypt the HMAC in response to a match of the comparison;
the computer further configured to utilize the nonce stored on the computer and associated with the username of the user to compute the received keyed HMAC, match the computed keyed HMAC with the received keyed HMAC on the computer, and authenticate the user in response to matching the computed keyed HMAC with the received keyed HMAC on the computer.
Dependent claims: 17, 18, 19, 20.
Specification