Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-07-14
2003-03-25
Hayes, Gail (Department: 2131)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C709S200000, C709S223000, C709S224000, C709S228000, C713S151000, C713S152000, C713S152000, C380S227000, C380S279000, C380S285000
Reexamination Certificate
active
06539479
ABSTRACT:
BACKGROUND OF THE INVENTION
The present invention relates generally to systems and methods for enabling a user using a host computer to securely log onto a server computer even in the presence of eavesdroppers and other forms of security attacks.
While there are many different password authentication protocols, they all solve the same problem: one party must somehow prove to another party that he knows a password p, which might have been set in advance. These protocols vary from the trivial to the incredibly complex, and many offer some form of protection from various attacks mounted by third parties.
Password protection has been the cornerstone of multiuser system security for decades. The advent of networking has given users convenient and transparent remote access to their systems. It has also created a whole new set of problems for people who use public networks to access these systems, because such networks are vulnerable to passive snooping and to some degree, active interference.
The present invention addresses these issues with a protocol that can be safely negotiated over an insecure network without compromising system security and which has several other useful properties not present in other commonly-used authentication protocols. Some of these properties make the present invention uniquely suitable for integration with existing system security applications.
All multiuser systems need some mechanism to identify which users are allowed to access the system and what privileges those users have. Nearly all such systems require that the user type in some sort of secret string, referred to as a password, that presumably is known only to that user. When the user identifies himself at login time, the system asks him for his password, and if he enters it correctly, the system gives him access to his account. This works fine when users are sitting at the console of the machine or at terminals connected directly to it, but networked systems are troublesome because even an inexperienced intruder can monitor the activity on a network fairly easily. Since most systems carry out the login and password exchange without encryption, anyone can “snoop” the network while someone logs in, capture their usemame and password as they are typed, and impersonate that user at a later time on that system.
Although networking has been commonplace for over a decade, most modem multiuser systems still do not employ any built-in form of encryption to prevent passwords from being snooped. Instead, there exist a variety of add-on products that attempt to address the security problems associated with networks. They offer varying degrees of protection from different kinds of potential attacks, but they generally require both users and administrators to take extra steps to achieve this security. Some of them require that the user maintain an entire list of passwords or keep key files on the client side for use by the authentication software.
The present invention relates to direct password authentication. Mechanisms that fall into this category of authentication cannot rely on persistent stored information stored on the client side. The user's password, which is a memorized quantity, is the only secret available to the client software. It is assumed that the network between the client and server is vulnerable to both eavesdropping and deliberate tampering. In addition, no trusted third party such as a key server or arbitrator can be used; only the original two parties can engage in the authentication protocol.
The present invention distinguishes itself from the rest of the field by offering features long thought to be unattainable simultaneously:
Secure against passive snooping. A passive attacker cannot obtain any information that would enable him to authenticate successfully to the server. This includes immunity to replay attacks.
End-to-end session encryption. An intruder cannot monitor a user's activities or “hijack” an authenticated session. In other words, any attempt to tamper with the network connection and to hijack an authenticated session will fail.
Forward secrecy and compromise containment. A captured password cannot be used to compromise past or currently encrypted sessions. A broken or compromised session key will not help an attacker deduce or even make guesses at the password.
Two-party operation. Neither a trusted third party nor a secure, central key server is needed.
Password-only client-side operation. Users do not need to maintain any files or keys on the client side. They only need to input their password to the client login program.
No secret information stored on the server. The password file stored on the server can be made public with little or no impact on system security. Very few secure protocols permit this, and those that do invariably fail to meet one or more of the other requirements.
The last two features taken together allow the protocol of the present invention to be used as a general-purpose remote and local authenticated login system, augmenting or even replacing the utilities now found on most operating systems.
The Players in a Hostile Login Environment
For the rest of this document, computer login security will be described with reference to the following set of hypothetical characters and the computer system
100
shown in FIG.
1
:
Steve operates the network's server
102
.
Carol, a user sitting at a client machine/terminal
104
, wishes to log in remotely to the server
102
belonging to Steve.
Since Steve knows Carol, he has given her some privileges that an ordinary (and potentially hostile) user on the system, like Henry, doesn't have.
Henry is also a user of the system who assesses the server using another client machine or terminal
106
. However, Henry would like nothing more than to gain access to Carol's account, if for no better reason than to use all those fancy privileges and read Carol's e-mail.
Eve is an eavesdropper who has managed to install some packet sniffing software on her computer
108
, which happens to be located on the network between Carol's client computer
104
and Steve's server
102
.
Mallory works for a rival company and has a client computer
110
with direct access to the same network (and more resources). He can intercept, alter, and inject messages into the network at will, and he can make any of his messages appear to come from anywhere he chooses.
In other words, Carol's computer
104
is a client, and Steve's computer
102
is the server. Alice is another friendly party requiring parallel access to the system. Henry is a hostile user who already has access to the system but who seeks access to Carol's account. Eve is conducting passive (eavesdropping) attacks over the network, while Mallory is conducting active (malicious) attacks.
It is assumed that Henry, Eve, and Mallory are cooperating and can exchange information freely, while Steve and Carol might not be able to meet very often and do not have any other means of secure communication that cannot be compromised by Eve or Mallory.
The server computer
102
includes a central processing unit
120
, memory
122
and a network interface (NIC)
124
. The memory
122
, which will typically include both random access memory (RAM) and non-volatile memory (e.g., disk storage), stores:
an operating system
126
;
a server side password authentication procedure
128
, used for verifying that user asking to log onto the server are who they claim to be;
a password file
130
, which may be a publicly accessible file (i.e., readable by all users of the system
100
) containing password information for each authorized users of the system;
client files
132
, including programs and data belonging to the various authorized users of the server
102
.
As will be described in more detail below, the password information in the password file
130
for each user may be the users public key, or the hash of the user's password, or some other value that can be used to verify a user's asserted password without revealing the passwo
Arani Taghi T.
Dorsey & Whitney LLP
Hayes Gail
The Board of Trustees of the Leland Stanford Junior University
LandOfFree
System and method for securely logging onto a remotely... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with System and method for securely logging onto a remotely..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and System and method for securely logging onto a remotely... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3027386