System for remote pass-phrase authentication

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate


Details

Class: C709S229000
Type: Reexamination Certificate
Status: active
Patent number: 06487667

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to authentication of computer users and services in distributed environments. Particularly, the present invention relates to a Remote Pass-phrase Authentication scheme that provides a way to authenticate users and services using a pass-phrase over a computer network without revealing the pass-phrase.
2. Description of the Related Art
The importance of secure communication is increasing as world-wide networks such as the Internet and the World Wide Web (WWW) portion of the Internet expand. As global networks expand through the interconnection of existing networks, users may gain access to an unprecedented number of services. The services, each of which may be maintained by a different provider, give users access to academic, business, consumer, government, etc. information. Service providers are now able to make their services available to an ever-expanding user base.
The ease with which services and users are able to find each other and the convenience associated with on-line transactions is leading to an increase in the number of remote business and related transactions. However, users and services are not always certain who or what is at the other end of a transaction. Therefore, before they engage in business and other transactions, users and services want and need reassurance that each entity with whom they communicate is who or what it purports to be. For example, users will not be willing to make on-line purchases that require them to reveal their credit card numbers unless they are confident that the service with which they are communicating is in fact the service they wanted to access. Commercial and other private entities who provide on-line services may be more reluctant than individuals to conduct business on-line unless they are confident the communication is with the desired individual or service.
Both users and services need reassurance that neither will compromise the integrity of the other nor that confidential information will be revealed unintentionally to third parties while communications are occurring. Security in a global network, however, may be difficult to achieve for several reasons. First, the connections between remote users and services are dynamic. With the use of portable devices, users may change their remote physical locations frequently. The individual networks that comprise the global networks have many entry and exit points. Also, packet switching techniques used in global networks result in numerous dynamic paths that are established between participating entities in order to achieve reliable communication between two parties. Finally, communication is often accomplished via inherently insecure facilities such as the public telephone network and many private communication facilities. Secure communication is difficult to achieve in such distributed environments because security breaches may occur at the remote user's site, at the service computer site, or along the communication link. Consequently, reliable two-way authentication of users and the services is essential for achieving security in a distributed environment.
Two-way authentication schemes generally involve handshaking techniques so that each party may verify he or she is in communication with the desired party regardless of each party's location or the types of devices in use. The problem to be solved is one in which a user communicates with a service that wishes to learn and authenticate the user's identity and vice versa. To clarify the problem, there are three aspects of network security that may be distinguished:
Identification: the way in which a user or service is referenced.
Authentication: the way in which a user may prove his or her identity.
Authorization: a method for determining what a given user may do.
The same aspects apply to services as well as users.
Identification
A user's identity consists of a user name and a realm name. A realm is a universe of identities. CompuServe Interactive Services (CIS) user IDs and America Online (AOL) screen names are two examples of realms. The combination of user name and realm—typically shown as name@realm—identifies a user. Any given service recognizes some particular set of identities. A realm does not have to be large, though, either in number of users or size of service. For example, a single WWW server may have its own realm of users.
Often, a service recognizes only one realm: CIS recognizes only identities within the CIS realm and AOL recognizes only identities within the AOL realm. But, one can imagine a service that has agreements with both CIS and AOL. The service gives the user a choice of realms—“Please supply a CIS or AOL identity, and prove it”—and the user chooses a realm in which he or she has an identity. Identification, thus, provides the ability to identify, or to refer to, a user.
Authentication
Authentication provides the ability to prove identity. When asking to do something for which a user's identity matters, the user may be asked for his or her identity—a user name and realm—and the service requires the user to prove that he is who he says he is. To accomplish this, most services use a secret called a pass-phrase, although it is not necessarily derived from text. Such a secret is sometimes called a secret key, but it is not necessarily used for encryption. In this context, the fundamental problem to be solved is: How can a user prove his pass-phrase without revealing the pass-phrase in the process?
Authorization
Authorization refers to the process of determining whether a given user is allowed to do something. For example, may he post a message? May he use a surcharged service? It is important to realize that authentication and authorization are distinct processes—one related to proving an identity and the other related to the properties of an identity. The present invention is not related to authorization, but it is designed to co-exist with authorization mechanisms.
Pass-phrase
A service that wishes to authenticate a user requires the user to identify himself or herself and to prove that he or she knows the pass-phrase. Generally, the service prompts the user for the pass-phrase. However, transmitting plain text pass-phrases through a network compromises security because an eavesdropper may learn the pass-phrase as it travels through the network. X.25 networks have been compromised, and LANs, modem pools, and "The Internet" likewise are not suitable for plain text pass-phrases due to the eavesdropper problem. Prompting for the pass-phrase, while sufficient in the past, no longer works for extensive world-wide networks.
Pass-phrase Encryption
Encryption of the pass-phrase provides additional security and addresses the eavesdropper problem. Using encryption, the user encrypts the pass-phrase, sends the result to the service which then decrypts it. Some techniques are based on a one-time key that prevents an eavesdropper from decrypting the pass-phrase.
There are, however, problems with this technique as well. Somebody else—a spoofer—may pretend to be the service. The spoofer decrypts the result, learns the pass-phrase, and gains the ability to masquerade as the user. Some people have spoofed services by getting users to dial into the spoofer's computer. The spoofer advertises a dial up number for the service that is claimed to have been omitted from the directory of service numbers. The spoofer may entice people to try the “unlisted” number by claiming it is much faster than the listed numbers. Therefore, there is a need for a mechanism that will not reveal the pass-phrase to anyone, even if the user is interacting with a spoofer.
Challenge-response Techniques
Challenge-response techniques involve a series of exchanges between a user and a service. The service sends the user a challenge, which is a random number, and the user applies a one-way function to the number to calculate a result that depends on the challenge and the user's pass-phrase. The user sends t
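The exchange described above, as an added example that is not part of the patent text: the service issues a fresh random challenge, the user returns a one-way value computed from the challenge and the pass-phrase, and the service recomputes that value and compares. The patent does not name its one-way function, so HMAC-SHA-256 is an assumption here, as are the class and function names and the sample realm, user and pass-phrase. The block also shows what a party holding a captured transcript gets: the pass-phrase itself never crosses the wire (so a spoofer posing as the service learns only a one-way value, unlike in the encrypted-pass-phrase case above), a replayed response fails because each challenge is honoured once, but a low-entropy pass-phrase can still be guessed offline from the captured pair.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set

# Added example, not the patent's own scheme. HMAC-SHA-256 stands in for the
# patent's unspecified one-way function; names and sample data are assumptions.


def derive_response(passphrase: str, challenge: bytes) -> bytes:
    """One-way function of (pass-phrase, challenge); the pass-phrase is the key."""
    return hmac.new(passphrase.encode("utf-8"), challenge, hashlib.sha256).digest()


class Service:
    """Realm authority: knows each user's pass-phrase, issues single-use challenges."""

    def __init__(self, realm: str, users: Dict[str, str]):
        self.realm = realm
        self._users = dict(users)          # name -> pass-phrase (stored in clear here)
        self._outstanding: Set[bytes] = set()

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)        # fresh random number for this attempt
        self._outstanding.add(c)
        return c

    def verify(self, name: str, challenge: bytes, response: bytes) -> bool:
        # A challenge is honoured once; a replayed (challenge, response) pair fails.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        passphrase = self._users.get(name)
        if passphrase is None:
            return False
        expected = derive_response(passphrase, challenge)
        return hmac.compare_digest(expected, response)   # constant-time comparison


class User:
    """Client side: identified as name@realm, proves knowledge of the pass-phrase."""

    def __init__(self, name: str, realm: str, passphrase: str):
        self.name, self.realm, self._passphrase = name, realm, passphrase

    @property
    def identity(self) -> str:
        return f"{self.name}@{self.realm}"

    def answer(self, challenge: bytes) -> bytes:
        return derive_response(self._passphrase, challenge)


def run_exchange(service: Service, user: User) -> dict:
    """Both sides' messages: challenge -> response -> accept/reject."""
    challenge = service.challenge()            # service -> user
    response = user.answer(challenge)          # user -> service
    accepted = service.verify(user.name, challenge, response)
    return {"identity": user.identity, "challenge": challenge,
            "response": response, "accepted": accepted}


def replay(service: Service, name: str, transcript: dict) -> bool:
    """An eavesdropper re-sends a captured (challenge, response) pair."""
    return service.verify(name, transcript["challenge"], transcript["response"])


def offline_guess(transcript: dict, candidates) -> Optional[str]:
    """Offline dictionary attack on a captured transcript: no service contact needed."""
    for cand in candidates:
        if hmac.compare_digest(derive_response(cand, transcript["challenge"]),
                               transcript["response"]):
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample realm and user (not from the patent).
    svc = Service("example-realm", {"alice": "correct horse battery staple"})
    alice = User("alice", "example-realm", "correct horse battery staple")
    t = run_exchange(svc, alice)
    print(t["identity"], "accepted:", t["accepted"])
    print("replay accepted:", replay(svc, "alice", t))
    print("offline guess:", offline_guess(t, ["password", "correct horse battery staple"]))
```

Two properties of this basic form are worth noting. The service must hold the pass-phrase (or something equivalent) in a form it can key the one-way function with, so a breach of the service's store exposes every user, and a captured transcript is a test oracle for guesses, so the scheme only protects pass-phrases with enough entropy to resist an offline search.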
