Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Particular communication authentication technique
Reexamination Certificate
1998-07-06
2002-03-05
Chung, Phung M. (Department: 2136)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Particular communication authentication technique
C713S169000, C380S241000, C705S065000, C705S067000
Reexamination Certificate
active
06353888
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to an access rights authentication apparatus for authenticating user's access rights.
2. Description of the Prior Art
The program execution control technology is known as a prior art belonging to the same field as the present invention. With the program execution control technology,
1) a user authentication routine is embedded in an application program,
2) the routine checks that a user attempting to execute the application possesses an authorized authentication key, and
3) the program continues to execute only when the existence of the authentication key is confirmed, and in other cases, program execution is stopped.
Use of this technology permits only authorized users possessing an authentication key to execute an application program. This technology is commercially available in the software distribution business and the following products are available, for example: SentinelSuperPro (trademark) by Rainbow Technologies, Inc. and HASP (trademark) by Aladdin Knowledge Systems Ltd.
Hereinafter, the program execution control technology will be described in more detail.
1) A user to execute software possesses an authentication key as user identification information. The authentication key, which is used for encryption, is delivered to users by a software license provider, for example, a software vendor. The authentication key is carefully stored in a memory or the like within hardware to prevent duplication and is delivered to a user by use of physical means such as mail.
2) The user installs the hardware incorporating the authentication key in a personal computer or workstation of his own in a specified way. The hardware is installed in a printer board, for example.
3) The user starts the application program, and when the program execution reaches the above described user authentication routine, the program communicates with the hardware incorporating the user's authentication key. The program identifies the authentication key based on the result of the communication, and proceeds to the next step when the existence of the correct authentication key is confirmed. When the communication fails and the existence of the authentication key cannot be confirmed, the program stops itself and refrains from further execution.
The access rights authentication routine identifies an authentication key according to the following protocol, for example.
1) The access rights authentication routine generates a proper number and sends it to hardware incorporating a key.
2) The key incorporating hardware encrypts the sent number using the incorporated authentication key and sends it to the authentication routine.
3) The authentication routine determines whether or not the returned number is an expected number, namely, a number obtained by encrypting the number sent to the hardware with the correct authentication key.
4) When the returned number matches an expected number, the program continues to execute, and if not so, the program execution stops.
In this case, the communication between the application program and the authentication key incorporating hardware must be different for each execution even in the case of communication with the same hardware in the same location within the same application program. Otherwise, by once recording communication contents in normal execution processes and subsequently making responses to the application program conformably to the recording, users not possessing the correct authentication key could execute the program. Invalid execution of an application program by such reproduction of communication contents is called a replay attack.
To prevent a replay attack, usually, a random number generated newly for each communication is sent to key incorporating hardware.
Problems of the prior art result from the fact that, when creating an application program, the program author must assume in advance an authentication key possessed by a user before providing protection for the program, based on the authentication key.
In other words, the program author must predict a correct response from key incorporating hardware at program creation and create the program so that it is normally executed only when a correct response is received.
The prior art of the characteristics described above basically has two usage modes; in either case, they have a problem described below.
1) In a first method, different users' authentication keys are provided for different users. Namely, a different authentication key is provided for each user; for example, an authentication key A is assigned to a user A and an authentication key B to a user B.
In this case, the program author must create the program so that authentication routines in the program are switched appropriately for each user. In other words, since authentication keys are different for different users, the authentication routines in the program must be created so that they can identify an authentication key unique to a user using the program, therefore the program author must create as many different programs as the number of users.
When there are many target users, a task of specializing a program for each user requires unendurable efforts of a program author and there are an enormous number of user authentication keys to be managed.
2) In a second method, the program author provides a different authentication key for each application. Namely, a different authentication key is provided for each application; for example, an authentication key A is assigned to an application A and an authentication key B to an application B, and the application programs are created so that they can identify unique authentication keys.
Although this method eliminates the need to create a program individually for each user as in the case of the first method, a user must possess as many authentication keys as the number of applications to be used.
This restriction poses a problem described below to program authors and users.
As described previously, an authentication key must be carefully stored in hardware for distribution to users. Accordingly, programs themselves can be simply distributed via a network, whereas the distribution of hardware incorporating an authentication key must look to physical means such as mail. This restriction places a great burden on program authors in terms of cost, time, and packaging efforts.
The program authors, to meet users' requests, must stock a given number of pieces of hardware which are different for each application, requiring stock control costs.
The users have to put up with a troublesome task of replacing hardware each time an application to be used is changed.
When a user wants to use an application, inconveniently the user cannot use it until hardware incorporating an authentication key arrives.
A method used to reduce this burden is to in advance incorporate a plurality of authentication keys in hardware and tell a user a password for using an unused authentication key in the hardware each time permission is given to the user for the use of a new application. However, even though this method is used, it is apparent that the problem described previously is not solved in principle. Actually, for the purpose of commercial production, a system is designed so that plural pieces of hardware can be serially coupled to reduce inconveniences resulting from the above problem.
In this way, any of the two methods described above leaves a problem with convenience for program authors and users.
Taking the external characteristics of the execution control technology into account, it is conceivable that it is also applicable to mail privacy protection, control of access to files and computer resources, and control of access to other general digital contents. However, the prior art is inapplicable to these fields because of the above described problem.
SUMMARY OF THE INVENTION
The present invention has been made in consideration of the above described circumstances, and it is an object of the present invention to offer an
Kakehi Rumiko
Kyojima Masaki
Chung Phung M.
Fuji 'Xerox Co., Ltd.
Jack Todd
Oliff & Berridg,e PLC
LandOfFree
Access rights authentication apparatus does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Access rights authentication apparatus, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Access rights authentication apparatus will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2862080