User authentification using a virtual private key

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Central trusted authority provides computer authentication

Reexamination Certificate


Details

Classification codes: C713S156000, C713S170000, C713S181000, C713S183000, C713S185000, C713S178000

Status: active

Patent number: 06189096

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Field of the Invention
This invention relates to a method for providing strong authentication of users within a Public Key Infrastructure (PKI).
In one preferred embodiment, the invention involves using a virtual private key. The invention also relates to a program product bearing software which enables user authentication with a virtual private key to be practiced on a computer system. The invention further relates to a computer system which operates so that user authentication is performed using a virtual private key.
In a second preferred embodiment, the invention involves a method for providing strong authentication of users within a PKI using a device such as a magnetic swipe card or a biometric device. The invention also relates to a program product bearing software which enables user authentication with a magnetic swipe card or the like to be practiced on a computer system. The invention further relates to a computer system which operates so that user authentication is performed using a magnetic swipe card or the like.
In a third preferred embodiment, the invention involves a method for providing strong authentication of users within a PKI using a pass phrase. The invention also relates to a program product bearing software which enables user authentication with a pass phrase to be practiced on a computer system. The invention further relates to a computer system which operates so that user authentication is performed using a pass phrase.
2. Related Art
In PKI systems today, authentication of a user may be based on that user's knowledge of a private key. Private keys, however, are not something that a user can be expected to remember and to enter himself. It is often the case, therefore, that a user's private key is stored in encrypted form on the user's personal computer, and is accessed by the user with a password. This is a problem, however, because now it is the password which becomes the weakest link in the security chain. Passwords that users can remember are notorious for being easy to determine by the clever intruder or hacker. If that password can be guessed or cracked by an intruder, then the otherwise strong security offered by the PKI is reduced to simple password-based security.
Thus, today's PKI systems may be said to have a weak link problem because of the private key being only password protected.
Another problem is that PKI cannot readily be used in certain environments where storage is limited.
To explain, it should be noted that PKI systems use digital signatures to ensure the authenticity of the sender of a message. Up to 2,000 bytes are required for digital signatures based on 1024-bit keys. However, in some situations, it is not practical or possible to directly use PKI technology, especially digital signatures, due to limitations in the environment.
One example of such an environment involves cards with magnetic stripes. Devices such as credit cards and other magnetic swipe cards do not have the capacity to store 2,000 bytes. Thus, such devices cannot use digital signatures.
Another example of a limiting environment exists in remote access systems. Here, the client station does not communicate directly with a security server. Instead, the client station communicates with a communications server, which, in turn, communicates with a remote access security server. The protocol used for communication between the client station and the communications server is typically designed to get a userid and password from the user. A typical example of such a protocol is the Point to Point Protocol (PPP). Such userid/password oriented protocols can pass about 60 bytes in their userid/password fields, which is insufficient to support the direct use of public key technology for user authentication, encryption, or for digital signatures. Thus, PKI authentication cannot effectively be used in this type of remote access system.
To combat the weak link problem, so-called "two-factor" techniques have been developed for improving the strength of the user authentication procedure. Here, authentication of the user is based on two factors: something the user knows (e.g., a password), and something the user has (e.g., a smart card, a fingerprint, or the like). In a system operating according to a two-factor technique, even if an intruder knows the password of a user, the intruder will not be authenticated unless he satisfies the other factor (i.e., possesses the necessary smart card or fingerprint).
Two-factor techniques provide very strong protection, and overcome the weak link problem of password protection, but they have a significant disadvantage: a system using a two-factor technique requires additional devices to perform user authentication. For example, a system using the two-factor technique might employ a smart card as one of the two factors. This necessitates the presence of a card reader adapted to read the smart card. Likewise, relying on a user's fingerprint as a factor requires a fingerprint scanner.
Such additional devices are not commonly included with computer systems today, and this is problematic for the user who needs to use a workstation that has no such additional device. Moreover, such additional devices may be costly.
Two-factor techniques provide for improved user authentication, and overcome the weak link problem of password protection, but they are nevertheless an undesirable solution.
What is needed is an improved approach to user authentication which overcomes the weak link problem of password protected private keys, but which also avoids the above-identified disadvantages of the two factor techniques.
Also, what is needed is a way to use PKI technology in environments where storage is limited.
SUMMARY OF THE INVENTION
This invention involves solving the above-identified problems using digests in a two step process of registration and authentication.
In one preferred embodiment, there is a method of user authentication using PKI technology in environments where limited capacity prevents direct PKI technology use. In a magnetic swipe card system, the data storage is the capacity that is limited. In a remote access (dial-up) system, the length of the userid/password fields is the capacity that is limited. The method according to the invention is most useful where there are limitations on the space available for PKI credentials.
According to this first embodiment of the invention, a novel dialog is used in such a way that PKI techniques can be used without actually transferring lengthy keys or certificates. The method of the invention also includes a technique for mapping a relatively short data field onto a full private key field.
In the case of applying the method of the invention to remote access environments, the invention modifies both the conventional registration and authentication processes normally used.
According to the invention, a virtual private key is used so that PKI can be used without passing actual PKI keys, certificates, or digital signatures.
In the main, the invention resides in a method, a computer system, and a computer program product providing for authentication of user messages using PKI technology in environments where limited capacity prevents direct PKI technology use. The invention is advantageous where there are limitations on the space available for PKI credentials, such as in the userid and password fields of a remote access protocol. PKI techniques are used without actually transferring lengthy keys, certificates, or digital signatures once an initial registration process is complete. A private key authenticates a user at a client and is used to retrieve a stored, encrypted secret key. A digest is computed of the secret key, the user's X.509 ISO standard public key certificate, and a time stamp. To further minimize the size of the message, the unique serial number of the user's certificate (the certificate serial number, also referred to as the certificate s
) may be employed. The digest, together with the user's certif
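The registration-then-authentication dialog sketched in the summary, as a simplified added example that is not the patent's own code: the client, having already unlocked its stored secret key with its private key, sends only a certificate serial number and a short digest over (secret key, serial, timestamp) inside the roughly 60 bytes that a userid/password protocol can carry, and the security server recomputes the digest from the secret key it stored at registration. The page does not name the digest function; keyed HMAC-SHA256 truncated to 16 bytes, the 60-byte field limit, the 120-second freshness window, the replay cache and all names (`compute_digest`, `make_credentials`, `SecurityServer`) are this example's assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct

FIELD_LIMIT = 60        # assumed combined userid/password capacity in bytes
FRESHNESS_WINDOW = 120  # assumed clock skew (seconds) the server tolerates
TAG_LEN = 16            # assumed truncation of the HMAC-SHA256 tag


def compute_digest(secret_key: bytes, cert_serial: int, timestamp: int) -> bytes:
    """Digest over (secret key, certificate serial, timestamp).

    The page does not specify the digest; HMAC-SHA256 keyed with the secret
    key is this example's choice, truncated so it fits the short field.
    """
    msg = struct.pack(">QI", cert_serial, timestamp)
    return hmac.new(secret_key, msg, hashlib.sha256).digest()[:TAG_LEN]


def make_credentials(secret_key: bytes, cert_serial: int, timestamp: int):
    """Client side: pack serial + timestamp + digest into userid/password.

    The secret key is assumed to have been decrypted already using the
    user's private key; that step is outside this example.
    """
    userid = f"{cert_serial:016x}".encode()            # 16 bytes
    tag = compute_digest(secret_key, cert_serial, timestamp)
    password = base64.b64encode(struct.pack(">I", timestamp) + tag)  # 28 bytes
    if len(userid) + len(password) > FIELD_LIMIT:
        raise ValueError("credential does not fit the protocol fields")
    return userid, password


class SecurityServer:
    """Remote access security server holding secrets recorded at registration."""

    def __init__(self) -> None:
        self._secrets = {}  # certificate serial -> secret key
        self._seen = set()  # (serial, timestamp) pairs already accepted

    def register(self, cert_serial: int, secret_key: bytes) -> None:
        # Registration is the one-time step where the full certificate and
        # a real PKI exchange are assumed to have been used out of band.
        self._secrets[cert_serial] = secret_key

    def authenticate(self, userid: bytes, password: bytes, now: int) -> bool:
        try:
            cert_serial = int(userid.decode(), 16)
            blob = base64.b64decode(password, validate=True)
        except ValueError:          # covers UnicodeDecodeError and binascii.Error
            return False
        secret_key = self._secrets.get(cert_serial)
        if secret_key is None or len(blob) != 4 + TAG_LEN:
            return False
        (timestamp,) = struct.unpack(">I", blob[:4])
        if abs(now - timestamp) > FRESHNESS_WINDOW:
            return False            # stale: outside the freshness window
        if (cert_serial, timestamp) in self._seen:
            return False            # replay of an already-accepted credential
        expected = compute_digest(secret_key, cert_serial, timestamp)
        if not hmac.compare_digest(expected, blob[4:]):
            return False            # wrong secret key or tampered fields
        self._seen.add((cert_serial, timestamp))
        return True


def demo():
    """Constructed walk-through: one good login, then a replay of it."""
    server = SecurityServer()
    serial, key = 0x1A2B3C4D, secrets.token_bytes(32)
    server.register(serial, key)
    uid, pwd = make_credentials(key, serial, 1_700_000_000)
    first = server.authenticate(uid, pwd, 1_700_000_010)
    replay = server.authenticate(uid, pwd, 1_700_000_020)
    return first, replay


if __name__ == "__main__":
    print(demo())
```

The timestamp does the work the patent assigns to it: without it the digest would be a static password equivalent, and without the replay cache a captured credential would still be valid for the length of the freshness window. Truncating the tag is a deliberate trade of tag length for field space; the serial number stands in for the full certificate exactly as the summary describes.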

Profile ID: LFUS-PAI-O-2564683