WikiPatents - Community Patent Review
System for increasing the difficulty of password guessing attacks in a distributed authentication scheme employing authentication tokens    
United States Patent 5491752
Link to this page: http://www.wikipatents.com/5491752.html
Inventor(s): Kaufman; Charles W. (Northborough, MA); Pearlman; Radia J. (Acton, MA); Gasser; Morrie (Hopkinton, MA)
Abstract: An improved security system inhibits eavesdropping, dictionary attacks, and intrusion into stored password lists. In one implementation, the user provides a workstation with a "password", and a "token" obtained from a passive authentication token generator. The workstation calculates a "transmission code" by performing a first hashing algorithm upon the password and token. The workstation sends the transmission code to the server. Then, the server attempts to reproduce the transmission code by combining passwords from a stored list with tokens generated by a second identical passive authentication token generator just prior to receipt of the transmission code. If any password/token combination yields the transmission code, the workstation is provided with a message useful in communicating with a desired computing system; the message is encrypted with a session code calculated by applying a different hashing algorithm to the password and token. In another embodiment, the workstation transmits a user name to the authentication server. The server verifies the user name's validity, and uses an active authentication token generator to obtain a "response" to an arbitrarily selected challenge. The server generates a session code by performing a hashing algorithm upon the response and the password. The server sends the challenge and a message encrypted with the session code to the workstation. The workstation generates the session code by performing the hashing algorithm on the password and the received challenge, and uses the session code to decrypt the encrypted message. The message is useful in communicating with a desired computing system.
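As an added worked example (not code from the patent or from Digital Equipment Corporation), here is the first embodiment in Python: the transmission code follows the arrangement of claim 2 (hash(hash(password) || token)), the session code follows claim 10 (hash(token || hash(password))), and the server, which stores only hashed passwords as in claims 8 and 9, re-derives the code against every token its identical generator could have produced around the send time, as in claim 6. Assumptions not in the patent: SHA-256 as the one-way hashing equation, a time-slotted HMAC over a constructed device seed as the passive token generator, a SHA-256 counter keystream as the unspecified secret-key routine, and constructed user, seed and message values.

```python
import hashlib
import hmac
# Constructed sample data (not from the patent): stored hashed passwords (claim 8) and the
# secret each passive token generator is seeded with; the server's generator is identical.
USER_DB = {"alice": hashlib.sha256(b"correct horse").digest()}
DEVICE_SEEDS = {"alice": b"example-token-generator-seed"}
STEP = 60  # token changes every 60 s: derived from an external time reference (claim 19)
def H(data: bytes) -> bytes:  # the "selected one-way hashing equation"; SHA-256 is an assumption
    return hashlib.sha256(data).digest()

def passive_token(seed: bytes, t: int) -> bytes:
    """Passive token generator: output depends only on the device secret and the time slot."""
    return hmac.new(seed, (t // STEP).to_bytes(8, "big"), "sha256").digest()[:8]

def transmission_code(hashed_pw: bytes, token: bytes) -> bytes:
    """First hashing algorithm (claim 2): hash(hash(password) || token)."""
    return H(hashed_pw + token)

def session_code(hashed_pw: bytes, token: bytes) -> bytes:
    """Second hashing algorithm (claim 10): hash(token || hash(password)), distinct from claim 2."""
    return H(token + hashed_pw)

def keyed_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the unspecified 'secret key routine': XOR with a SHA-256 counter keystream."""
    stream = b"".join(H(key + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def server_verify(username: str, code: bytes, server_time: int, skew_slots: int = 1):
    """Claims 6 to 9: re-derive the code from the stored hashed password and every token the identical
    server-side generator could have produced around the send time. Session code or None."""
    hashed_pw = USER_DB.get(username)
    if hashed_pw is None:
        return None
    for k in range(-skew_slots, skew_slots + 1):
        candidate = passive_token(DEVICE_SEEDS[username], server_time + k * STEP)
        if hmac.compare_digest(transmission_code(hashed_pw, candidate), code):
            return session_code(hashed_pw, candidate)
    return None

def login(username: str, password: str, ws_time: int, server_time: int, message: bytes):
    """The exchange of claim 1; returns the plaintext the workstation recovers, or None if rejected."""
    token = passive_token(DEVICE_SEEDS[username], ws_time)        # (a) user reads the token off the device
    hashed_pw = H(password.encode())
    code = transmission_code(hashed_pw, token)                    # (b) plaintext password never leaves the workstation
    sc = server_verify(username, code, server_time)               # (c)-(d) server side
    if sc is None:
        return None
    ciphertext = keyed_xor(sc, message)                           # (e) server encrypts under the session code
    return keyed_xor(session_code(hashed_pw, token), ciphertext)  # (g)-(h) workstation recomputes it and decrypts
```

A transmission code captured on the wire is bound to one token slot, so it is only useful within the server's skew window, and a server that widens that window trades replay resistance for clock tolerance.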
Drawing from US Patent 5491752 (image not included in this text)
Owner/Assignee: Digital Equipment Corporation, Patent Law Group (Maynard, MA)
Publication Date: February 13, 1996
Application Number: 08/300,576
Filing Date: September 2, 1994
US Classification: 380/30 713/155 713/156
Int'l Classification: H04K 001/00
Examiner: Swann; Tod R.
Attorney/Law Firm: Johnston; A. Sidney
Parent Case: This application is a file-wrapper continuation of application Ser. No. 08/034,225, filed Mar. 18, 1993, which is now abandoned.
USPTO Field of Search: 380/23 380/24 380/25 380/30
What is claimed is:

1. A method for securely accessing a computing system, comprising the steps of:

(a) a workstation receiving a token from a first passive authentication token generator and receiving a secret password associated with a user;

(b) the workstation generating a transmission code by performing a first hashing algorithm upon data comprising:

(1) the token and

(2) the secret password;

(c) the workstation sending the transmission code to an authentication server;

(d) the server receiving and verifying the validity of the transmission code;

(e) if the transmission code is valid, the server transmitting to the workstation a message encrypted with a session code generated by performing a second hashing algorithm upon data comprising the token and the password, the second hashing algorithm being substantially different than the first hashing algorithm;

(f) the workstation receiving the message;

(g) the workstation computing the session code by performing the second hashing algorithm on the password and the token; and

(h) the workstation using the session code to decrypt the message.

2. The method of claim 1, wherein the step of generating the transmission code comprises the steps of:

(1) hashing the password according to a selected one-way hashing equation;

(2) concatenating the token onto the hashed password to form a concatenation; and

(3) hashing the concatenation according to the selected one-way hashing equation.

3. The method of claim 1, wherein the step of generating the transmission code comprises the steps of:

(1) hashing the password according to a selected one-way hashing equation;

(2) concatenating the hashed password onto the token to form a concatenation; and

(3) hashing the concatenation according to the selected one-way hashing equation.

4. The method of claim 1, wherein the step of generating the transmission code comprises the steps of:

(1) concatenating the token onto the password to form a concatenation; and

(2) hashing the concatenation according to the selected one-way hashing equation.

5. The method of claim 1, wherein the step of generating the transmission code comprises the steps of:

(1) concatenating the password onto the token to form a concatenation; and

(2) hashing the concatenation according to the selected one-way hashing equation.

6. The method of claim 1, wherein the step of verifying the validity of the transmission code comprises the steps of:

(1) the server utilizing a second passive authentication token generator that simultaneously supplies tokens substantially identical to those of the first passive token generator to identify possible tokens occurring at the time the workstation sent the transmission code to the server;

(2) the server identifying one or more passwords from a stored list; and

(3) the server attempting to reproduce the transmission code by performing the first hashing algorithm on the identified one or more passwords and different identified possible tokens in turn.

7. The method of claim 6, wherein step (2) comprises the step of utilizing a user name received from the workstation to identify a single password from a cross-referenced list of user names and passwords.

8. The method of claim 1, wherein the step of verifying the validity of the transmission code comprises the steps of:

(1) the server utilizing a second passive authentication token generator that simultaneously supplies tokens substantially identical to those of the first passive token generator to identify possible tokens occurring at the time the workstation sent the transmission code to the server;

(2) the server identifying one or more hashed passwords from a stored list; and

(3) the server attempting to reproduce the transmission code by performing the first hashing algorithm on the identified one or more hashed passwords and different identified possible tokens in turn.

9. The method of claim 8, wherein step (2) comprises the step of utilizing a user name received from the workstation to identify a single hashed password from a cross-referenced list of user names and hashed passwords.

10. The method of claim 1, wherein the step of generating the session code comprises the steps of:

(1) hashing the password according to a selected one-way hashing equation;

(2) concatenating the token and the hashed password to form a concatenation; and

(3) hashing the concatenation according to the selected one-way hashing equation.

11. The method of claim 1, wherein the step of generating the session code comprises the steps of:

(1) hashing the token according to a selected one-way hashing equation;

(2) concatenating the hashed token and the password to form a concatenation; and

(3) hashing the concatenation according to the selected one-way hashing equation.

12. The method of claim 1, wherein the step of generating the session code comprises the steps of:

(1) concatenating the token onto the password to form a concatenation; and

(2) hashing the concatenation according to the selected one-way hashing equation.

13. The method of claim 1, wherein the step of generating the session code comprises the steps of:

(1) concatenating the password onto the token to form a concatenation; and

(2) hashing the concatenation according to the selected one-way hashing equation.

14. The method of claim 1, further comprising the step of the workstation using the message to encrypt subsequent communications between the workstation and a desired computing system.

15. The method of claim 1, further comprising the step of the workstation using the session code to decrypt subsequent communications between the workstation and a desired computing system.

16. The method of claim 1, additionally including the step of the authentication server maintaining a log of verified transmission codes.

17. The method of claim 1, wherein the step of the workstation receiving the password is accomplished by a user typing the password upon keys of a data entry device.

18. The method of claim 1, wherein the step of the workstation receiving the token is accomplished by a user typing the token upon keys of a data entry device.

19. The method of claim 1, wherein the token is generated by the first authentication token generator based upon an external reference.

20. The method of claim 1, wherein the step of the workstation receiving the token is accomplished by an electrical link.

21. The method of claim 1, wherein the step of the workstation receiving the token is accomplished by the workstation reading a bar code provided by the first authentication token generator.

22. A secure method for obtaining access to a computing system, wherein a workstation performs steps comprising:

(a) receiving an initial password and an initial token, wherein the initial password is supplied by a user and the initial token is supplied by a first authentication token generator;

(b) generating a transmission code by performing a first hashing algorithm upon the password and the token;

(c) sending the transmission code to an authentication server having a second authentication token generator that simultaneously supplies tokens substantially identical to those provided by the first authentication token generator;

(d) if the authentication server successfully reproduces the transmission code by performing successive calculations utilizing different combinations of possible tokens occurring at the time the transmission code was sent and one or more passwords identified from a list of passwords accessible by the authentication server, then receiving a message from the authentication server that is encrypted with a selected secret key routine using a session code obtained by performing a second hashing algorithm upon data comprising the initial token and the initial password, the second hashing algorithm being substantially different than the first hashing algorithm.

23. The method of claim 22, wherein the workstation additionally performs steps comprising:

(1) decrypting the message; and

(2) utilizing the message to encrypt subsequent communications with a desired computing system.

24. The method of claim 22, wherein the workstation additionally performs steps compris