Cryptography – Key management – Having particular key generator
Reexamination Certificate
2000-05-17
2004-12-07
Morse, Gregory (Department: 2134)
Cryptography
Key management
Having particular key generator
C713S171000, C380S286000, C380S046000, C380S277000
Reexamination Certificate
active
06829356
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Technical Field
This invention relates generally to the secure regeneration of a user's strong secret when the user supplies a corresponding weak secret, such as a user-chosen password. For example, in computer network applications, the strong secret might be an encryption key which is used to protect the user's highly sensitive private data (such as the user's private key used in public key cryptography). In this example, the invention relates to the secure regeneration of the encryption key (and the secure recovery of the user's private key) when the user supplies his password. As another example, the strong secret might be used by the user to authenticate to a server, by demonstrating to the server the user's ability to regenerate the strong secret, without that server needing to hold data that allows the weak secret to be attacked by exhaustive trials.
2. Background Art
As a result of the continuous development of new technologies, particularly in the areas of computer networks and communications, the use of large computer networks such as the Internet is becoming more widespread. This has resulted in an increase in electronic commerce and other electronic transactions conducted over these networks. It has also resulted in increased flexibility for users, as users may increasingly access these networks from any number of locations and/or devices. The increase in electronic transactions has resulted in a corresponding increased need for security for these transactions; but the increased flexibility imposes additional requirements on security since any security measures preferably would accommodate users even as they roam across the network.
In one common scenario, the user may access the computer network from many different locations and may wish to use his private key from each location. However, at each location, he may be accessing the network from a device (hereafter referred to as a “client terminal”) which cannot or does not store any data for the user, other than for transitory periods. For example, an employee might access a company's central computer network from different terminals on the company's premises, or a consumer might access the Internet from any web browser or might access a private network from a consumer kiosk. The client terminal typically can be trusted to execute its code in a trustworthy manner, to maintain the secrecy of sensitive data (e.g., the user's private key or a secret shared with an application server) during the period in which the user is actively using that terminal, and to securely destroy sensitive data when the user has finished using it. Thus, the user's private data could be securely used at the client terminal if the client terminal could somehow securely obtain a copy of the private data.
In one approach, the private data is stored on some secure hardware storage or processing token, such as a smartcard. The hardware token is physically connected to the client terminal and the private data is made accessible to the client. This approach suffers from high cost and user inconvenience since dedicated hardware is required, thus making it inappropriate for many applications.
In another approach, the private data is recovered with the assistance of other devices connected to the network (hereafter referred to as “servers”). In one example, recovery of the private data is part of the user's session login process. The user authenticates by presenting a user account name and a password subject to modest (but not extreme) guessablity controls. In particular, any party attempting a password guessing attack is limited to a small number of tries and, given this control, users can be permitted reasonably friendly password choices. Once the user is authenticated, the client terminal recovers the user's private data with the assistance of the servers.
The problem of recovering private data, such as a private key, into a stateless client terminal has been addressed in prior work through the use of a server which stores secret data for the client and facilitates the recovery process. Various protocols for using such servers, with different security and performance characteristics, were surveyed in R. Perlman and C. Kaufman, “Secure Password-Based Protocol for Downloading a Private Key,”
Proc
. 1999
Network and Distributed System Security Symposium
, Internet Society, January 1999. The protocols described in that work are primarily variants or derivatives of Bellovin and Merritt's EKE protocol (e.g., see S. Bellovin and M. Merritt, “Encrypted Key Exchange: Password-based protocols secure against dictionary attacks,”
Proc. IEEE Symposium on Research in Security and Privacy
, May 1992; and S. Bellovin and M. Merritt, “Augmented Encrypted Key Exchange: a password-based protocol secure against dictionary attacks and password file compromise,”
ATT Labs Technical Report
, 1994) and Jablon's SPEKE protocol (e.g., see D. Jablon, “Strong password-only authenticated key exchange,”
ACM Computer Communications Review
, October 1996; and D. Jablon, “Extended Password Protocols Immune to Dictionary Attack,”
Proc. of the WETICE '
97
Enterprise Security Workshop
, June 1997. Related patents include U.S. Pat. No. 5,241,599 (“Cryptographic protocol for secure communications” by Bellovin and Merritt) and U.S. Pat. No. 5,440,635 (“Cryptographic protocol for remote authentication” by Bellovin and Merritt). Other related server-assisted secret recovery protocols have been proposed by Gong, et al. (e.g., L. Gong, T. M. A. Lomas, R. M. Needham, and J. H. Salzer, “Protecting Poorly Chosen Secrets from Guessing Attacks,”
IEEE Journal on Selected Areas in Communications
, vol.11, no.5, June 1993, pp. 648-656; L. Gong, “Optimal Authentication Protocols Resistant to Password Guessing Attacks,”
Proc
. 8
th
IEEE Computer Security Foundations Workshop
, Ireland, Jun. 13, 1995, pp. 24-29; and L. Gong, “Increasing Availability and Security of an Authentication Service,” IEEE Journal on Selected Areas in Communications, vol. 11, no. 5, June 1993, pp. 657-662); by Wu (e.g., T. Wu, “The Secure Remote Password Protocol,”
Proc.
1998
Network and Distributed System Security Symposium
, Internet Society, January 1998, pp. 97-111), and by Halevi and Krawcyzk (e.g., S. Halevi and H. Krawczyk, “Public-key cryptography and password protocols. Public-key cryptography and password protocols,”
Proceedings of the Fifth ACM Conference on Computer and Communications Security
, 1998).
However, all of the above methods suffer from a significant shortcoming. The server represents a major vulnerability. If a server operator, or someone who compromises a server, wishes to determine a user's password or private data (either of which will generally enable the attacker to masquerade as the user), viable attacks are possible, despite aspects of some approaches that minimize the sensitivity of the data stored on the server. For example, in certain of the work mentioned above, the server does not store the user's password but instead stores a value computed as a one-way function of the password. Anyone learning that value might be able to determine the password by exhaustively applying the one-way function to guessed passwords and comparing the result with the stored value. In general terms, the previously mentioned approaches suffer from the weakness that anyone who can access the server database or can disable any throttling or lockout mechanism on the server can try passwords exhaustively until a user's account on the server is penetrated.
In some application scenarios the above weakness can significantly undermine the attractiveness of the server-assisted approach to recovery of private data. For example, the above attack scenario significantly hampers the non-repudiation properties otherwise inherent in digital signature technology. If a roaming user digitally signs a transaction using the user's private key from a client terminal and later wishes to deny the user'
Lipman Jacob
Morse Gregory
VeriSign, Inc.
LandOfFree
Server-assisted regeneration of a strong secret from a weak... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Server-assisted regeneration of a strong secret from a weak..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Server-assisted regeneration of a strong secret from a weak... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3312712