Client credential based secure session authentication method and apparatus

US 8,418,235 B2
Filed: 11/15/2006
Issued: 04/09/2013
Est. Priority Date: 11/15/2006
Status: Active Grant

First Claim

Patent Images

1. A method for client credential based authentication of messages between a client and a server, said client and server both knowing said client credential, the method comprising the steps of:

utilizing the client credential to create a first key;

preparing a message for transmission at the client;

computing, at the client, a message authentication code ‘

MAC’

with the first key and the message by using a MAC function known to both the client device and the server;

sending the message and the MAC from the client to the server;

receiving, at the client, a response message from the server, the response message including a session identifier;

utilizing the client credential and the session identifier to create a second key; and

using the MAC function and the second key to authenticate subsequent messages between the client and the server;

wherein creation of at least one of the first key and the second key is performed using a secure pseudo-random number generator that employs a seed being the client credential combined with either a security token or a nonce.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for client credential based authentication of messages between a client and a server, the client and server both knowing the client credential, the method comprising the steps of: utilizing the client credential to create a key; and using the key to authenticate messages between the client and the server.

28 Citations

View as Search Results

35 Claims

1. A method for client credential based authentication of messages between a client and a server, said client and server both knowing said client credential, the method comprising the steps of:
- utilizing the client credential to create a first key;
  
  preparing a message for transmission at the client;
  
  computing, at the client, a message authentication code ‘
  
  MAC’
  
  with the first key and the message by using a MAC function known to both the client device and the server;
  
  sending the message and the MAC from the client to the server;
  
  receiving, at the client, a response message from the server, the response message including a session identifier;
  
  utilizing the client credential and the session identifier to create a second key; and
  
  using the MAC function and the second key to authenticate subsequent messages between the client and the server;
  
  wherein creation of at least one of the first key and the second key is performed using a secure pseudo-random number generator that employs a seed being the client credential combined with either a security token or a nonce.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein said client credential is a password.
  - 3. The method of claim 2, wherein creation of said first key is further performed by repeating said password until a desired key length is achieved.
  - 4. The method of claim 1, wherein creation of at least one of said first key and said second key is further performed by utilizing a hash function known to both the client and server.
  - 5. The method of claim 4, wherein the results of the hash function are truncated to a desired key length.
  - 6. The method of claim 1, wherein the security token includes information provided by the client to the server offline, said information including one or more items selected from the group consisting of:
    - birthdate, birthplace, mother'"'"'s maiden name, and security answers.
  - 7. The method of claim 1, wherein said nonce is from an activation message.
  - 8. The method of claim 1, wherein said using the MAC function and the second key to authenticate subsequent messages comprises:
    - adding a MAC computed from the message and the second key to the message to create a secure message; and
      
      sending the secure message.
  - 9. The method of claim 8, wherein said secure message is verified as authentic and unaltered by recreating the MAC upon receipt of the secure message and comparing the recreated MAC with the received MAC.
  - 10. The method of claim 8, wherein said message is an activation request message and includes a client identifier.
  - 11. The method of claim 8, wherein the message is an HTTP message, and the MAC is added to an HTTP footer.
  - 12. The method of claim 1, further comprising the step of adding a sequence number to the message before said using step.

13. A client device adapted for client credential based authentication of messages between the client device and a server, said client device and server both knowing said client credential, the client device comprising:
- memory for storing the shared credential;
  
  a processor communicating with said memory and adapted to;
  
  prepare a message for transmission;
  
  utilize the client credential to create a first key;
  
  use the key and a message to create a message authentication code ‘
  
  MAC’
  
  using a MAC function known to both the client device and the server;
  
  add the message authentication code to the message to create a secure message;
  
  send the secure message to the server;
  
  receive a response message from the server, the response message including a session identifier;
  
  utilize the client credential and the session identifier to create a second key;
  
  use the MAC function and the second key to authenticate subsequent messages received from the server; and
  
  a communication subsystem adapted to send the secure message, wherein creation of at least one of the first key and the second key is performed using a secure pseudo-random number generator that employs a seed being the client credential combined with either a security token or a nonce.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 14. The client device of claim 13, wherein said client credential is a password.
  - 15. The client device of claim 13, wherein said processor is adapted to create the first key by further performing an operation of repeating the password until a desired key length is achieved.
  - 16. The client device of claim 13, wherein said processor is adapted to create at least one of the first key and the second key by further performing an operation of utilizing a hash function known to both the client and server.
  - 17. The client device of claim 16, wherein the processor is further adapted to truncate the results of the hash function to a desired key length.
  - 18. The client device of claim 13, wherein the security token includes information provided by the client device to the server offline, said information including one or more items selected from the group consisting of:
    - birthdate, birthplace, mother'"'"'s maiden name, and security answers.
  - 19. The client device of claim 13, wherein the nonce is from an activation message.
  - 20. The client device of claim 13, wherein said message is an activation request message and includes a client identifier.
  - 21. The client device of claim 13, wherein the processor is further adapted to add a sequence number to the message.
  - 22. The client device of claim 13, wherein said client device is a mobile device.

23. A non-transitory computer readable medium storing program code executable by a computer processor for causing client credential based authentication of messages between a client and a server, said client and server both knowing said client credential, comprising:
- utilizing the client credential to create a first key;
  
  preparing a message for transmission at the client;
  
  computing, at the client, a message authentication code ‘
  
  MAC’
  
  with the first key and the message by using a MAC function known to both the client device and the server;
  
  sending the message and the MAC from the client to the server;
  
  receiving, at the client, a response message from the server, the response message including a session identifier;
  
  utilizing the client credential and the session identifier to create a second key; and
  
  using the MAC function and the second key to authenticate subsequent messages between the client and the server;
  
  wherein creation of at least one of the first key and the second key is performed using a secure pseudo-random number generator that employs a seed being the client credential combined with either a security token or a nonce.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 24. The non-transitory computer-readable medium of claim 23, wherein said client credential is a password.
  - 25. The non-transitory computer-readable medium of claim 23, wherein the security token includes information provided by the client to the server offline, said information including one or more items selected from the group consisting of:
    - birthdate, birthplace, mother'"'"'s maiden name, and security answers.
  - 26. The non-transitory computer-readable medium of claim 23, wherein said nonce is from an activation message.
  - 27. The non-transitory computer-readable medium of claim 23, wherein said using the MAC function and the second key to authenticate subsequent messages comprises:
    - adding a MAC computed from the message and the second key to the message to create a secure message; and
      
      sending the secure message.
  - 28. The non-transitory computer-readable medium of claim 27, wherein said secure message is verified as authentic and unaltered by recreating the MAC upon receipt of the secure message and comparing the recreated MAC with the received MAC.
  - 29. The non-transitory computer-readable medium of claim 27, wherein said message is an activation request message and includes a client identifier.
  - 30. The non-transitory computer-readable medium of claim 27, wherein the message is an HTTP message, and the MAC is added to an HTTP footer.
  - 31. The non-transitory computer-readable medium of claim 23, further comprising the step of adding a sequence number to the message before said using step.
  - 32. The non-transitory computer-readable medium of claim 23, wherein said client credential is a password.
  - 33. The non-transitory computer-readable medium of claim 32, wherein creation of said first key is further performed by repeating said password until a desired key length is achieved.
  - 34. The non-transitory computer-readable medium of claim 23, wherein creation of at least one of said first key and said second key is further performed by utilizing a hash function known to both the client and server.
  - 35. The non-transitory computer-readable medium of claim 34, wherein the results of the hash function are truncated to a desired key length.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
Blackberry Limited
Inventors
Sherkin, Alexander, Shenfield, Michael
Primary Examiner(s)
Orgad, Edan
Assistant Examiner(s)
Kabir, Jahangir

Application Number

US11/559,923
Publication Number

US 20080114983A1
Time in Patent Office

2,337 Days
Field of Search

726/2, 726/3, 726/5, 726 17- 21
US Class Current

726/5
CPC Class Codes

H04L 63/083 using passwords cryptograph...

Client credential based secure session authentication method and apparatus

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Client credential based secure session authentication method and apparatus

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links