WO2012036683A2 - Universal authentication method - Google Patents

Info

Publication number: WO2012036683A2
Authority: WO, WIPO (PCT)
Prior art keywords: character string, authenticator, requester, encryption key, authentication
Application number: PCT/US2010/049018
Other languages: French (fr)
Other versions: WO2012036683A3 (en)
Inventor: James Ng
Original Assignee: James Ng
Priority date: 2010-09-16 (the priority date is an assumption and is not a legal conclusion)
Filing date: 2010-09-16
Publication date: 2012-03-22
Application filed by James Ng
Priority to PCT/US2010/049018
Publication of WO2012036683A2
Publication of WO2012036683A3

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/2103 Challenge-response
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L 9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
Abstract

The object of the current invention is to provide the user with an authentication method that is more secure than conventional authentication methods and can be used on personal computers, PDAs, cell phones, personal digital media devices, home and car locks and security systems, televisions/VCR/DVD remote controls, credit card authentication systems, automatic teller machine authentication systems, among others.

Description

UNIVERSAL AUTHENTICATION METHOD
DETAILED DESCRIPTION OF THE INVENTION
The universal authentication method is a challenge-response method which does not require the user to generate or remember passwords. It may reside on the electronic system as an auxiliary application or reside on hardware specific to the authentication method. The term electronic system(s) is used to describe systems such as personal computers, personal digital media devices, cell phones, PDAs, among others. This list is not exclusive. The universal authentication method can be used for one-way and two-way authentication. In the universal authentication method the challenger or requester can be either the user or the electronic system.
Fig. 1 is a flow chart showing conventional authentication methods. In conventional authentication methods the authenticator (1) is the electronic system. The authenticator displays a screen prompting for a username and password, or a password alone (2). The user or requester enters his username and password, or password (3). The username and password are transmitted over some communication medium (4) and the requester is authenticated (5).
Because the human requester can remember only a limited number and type of symbols, usernames and passwords are limited in size and content. Conventional authentication methods also allow a would-be thief easy access to passwords and usernames. Additionally, electronic systems that use the conventional authentication method usually store usernames and passwords within the electronic system. If, for example, an electronic system is stolen, a thief can, by using the numerous brute-force programs available, determine the usernames and passwords to that particular electronic system as well as usernames and passwords that may be stored in the electronic system for other electronic systems. Some electronic systems accept authentication data via internet protocol technology. This requires the user to pass along his username and password through cyberspace, a place where this information can be intercepted. The universal authentication method removes these barriers, among others, by removing the human user from the equation. The universal authentication method comprises methods for one-way authentication, two-way authentication, and two-way authentication which utilizes one-time authentication keys.
Fig. 2 is a flow chart showing the one-way universal authentication method. In one-way authentication the requester makes a request for authentication to the authenticator (1). The authenticator passes its unique identifier and a randomly generated character string to the requester (2). The requester uses the identifier to retrieve an encryption key for the authenticator and encrypts the passed-in randomly generated character string (3). The encrypted randomly generated character string, and an identifier which uniquely identifies the requester, are passed back to the authenticator (4). The authenticator retrieves the encryption key which corresponds to the identifier and decrypts the encrypted string (5). If the decrypted character string matches the random character string sent in the initial request, the requester is authenticated (6).
Fig. 3 is a flow chart showing two-way authentication. In two-way authentication the requester makes a request for authentication to the authenticator (1). The authenticator passes its unique identifier and a randomly generated character string to the requester (2). The requester uses the identifier to retrieve an encryption key for the authenticator and encrypts the passed-in randomly generated character string (3). The encrypted character string, an identifier which uniquely identifies the requester, and a new randomly generated character string are passed back to the authenticator (4). The authenticator retrieves the encryption key corresponding to the received identifier and decrypts the encrypted character string (5). If the decrypted character string does not match the random character string sent in the initial request, authentication fails and communication is terminated (6).
If the decrypted character string matches the random character string sent in the initial request, the random character string from the requester is encrypted (7). The encrypted character string is passed back to the requester along with the authenticator's identifier (8). The requester uses the identifier to retrieve the encryption key for the authenticator and decrypts the encrypted string (9). If the decrypted character string matches the random character string sent in the initial request, both parties are authenticated (11).
Fig. 4 is a flow chart showing the two-way universal authentication method which utilizes one-time authentication keys. In two-way authentication which utilizes one-time authentication keys, the requester makes a request for authentication to the authenticator (1). The authenticator passes its unique identifier and a randomly generated character string to the requester (2). The requester uses the identifier to retrieve a one-time encryption key (e.g. Key A) for the authenticator and encrypts the passed-in randomly generated character string (3). The encrypted character string, an identifier which uniquely identifies the requester, and a new randomly generated character string are passed back to the authenticator (4). The authenticator retrieves the encryption key (e.g. Key A) corresponding to the received identifier and decrypts the encrypted character string (5). If the decrypted character string does not match the random character string sent in the initial request, authentication fails and communication is terminated (6).
If the decrypted character string matches the random character string sent in the initial request, the random character string from the requester is encrypted (7). The encrypted character string is passed back to the requester along with the authenticator's identifier (8). The requester uses the identifier to retrieve the encryption key for the authenticator and decrypts the encrypted string (9). If the decrypted character string matches the random character string sent in the initial request, both parties are authenticated (11).
A new random encryption key (e.g. Key C) is then created, encrypted with the next encryption key in the rotation (e.g. Key B), and sent to the authenticator (12). The new random encryption key (e.g. Key C) is received and decrypted by the authenticator (13). Both the requester and authenticator replace the key used in the current authentication (e.g. Key A) with the new encryption key (e.g. Key C) (14).
The following is an example of how the requested random encryption keys cycle through the authentication process. Encryption Key A is used once and discarded. The next time through the authentication method the system will use Key B to encrypt and decrypt the random string, and use Key C to transmit the new Key D. The next time the system will use Key C and Key D. It is important to note that each encryption key is used only once. The number of keys held by the requester and authenticator can be predetermined. For example, if the predetermined number of keys is 5 and Keys A, B, C, D, E are the first set of authentication keys, then Keys B, C, D, E, F will be the second set of authentication keys. Keys C, D, E, F, G will be the third set of authentication keys, etc.
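The two-way flow of Fig. 4 with the key cycling just described, together with the one-way flow of Fig. 2, as an added worked example (this is not code from the patent). The cipher is a stand-in HMAC-SHA256 keystream, the key set size of 5, the party names and the "laptop"/"bank" identifiers are assumptions, and the rotation step generalises the text's A, B, C, D, E to B, C, D, E, F move to any window size.

```python
import hashlib
import hmac
import secrets
from collections import deque

KEY_SET_SIZE = 5  # the "predetermined number of keys"; 5 as in the text's A..E example


def toy_cipher(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (an assumption, demo only): XOR with an
    HMAC-SHA256 keystream. The label keeps the two messages protected by one
    key from sharing a keystream. Being XOR, the same call also decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class Party:
    """A requester or authenticator: its identifier plus, per peer identifier,
    the window of one-time keys shared with that peer (window[0] is current)."""

    def __init__(self, ident: str, peer: str, keys):
        self.ident = ident
        self.keyring = {peer: deque(keys)}

    def key_for(self, peer: str) -> bytes:  # steps (3)/(5): look up by identifier
        return self.keyring[peer][0]

    def rotate(self, peer: str, new_key: bytes):  # step (14): A,B,C,D,E -> B,C,D,E,F
        window = self.keyring[peer]
        window.popleft()
        window.append(new_key)


def make_pair(req_id: str, auth_id: str):
    """Two parties provisioned with the same constructed key set (assumption:
    the keys were shared out of band beforehand)."""
    keys = [secrets.token_bytes(32) for _ in range(KEY_SET_SIZE)]
    return Party(req_id, auth_id, keys), Party(auth_id, req_id, keys)


def one_way_auth(req: Party, auth: Party) -> bool:
    """Fig. 2, steps (1)-(6): only the requester is authenticated."""
    auth_id, challenge = auth.ident, secrets.token_bytes(16)           # (2)
    if auth_id not in req.keyring:
        return False
    enc = toy_cipher(req.key_for(auth_id), b"req->auth", challenge)    # (3)-(4)
    if req.ident not in auth.keyring:
        return False
    plain = toy_cipher(auth.key_for(req.ident), b"req->auth", enc)     # (5)
    return hmac.compare_digest(plain, challenge)                       # (6)


def two_way_auth(req: Party, auth: Party, one_time_keys: bool = True) -> bool:
    """Fig. 3 (one_time_keys=False) or Fig. 4 (True). Keys rotate only on success."""
    auth_id, challenge_a = auth.ident, secrets.token_bytes(16)         # (1)-(2)
    if auth_id not in req.keyring:
        return False
    enc_a = toy_cipher(req.key_for(auth_id), b"req->auth", challenge_a)  # (3)
    req_id, challenge_r = req.ident, secrets.token_bytes(16)           # (4)
    if req_id not in auth.keyring:
        return False
    key_a = auth.key_for(req_id)                                       # (5)
    if not hmac.compare_digest(toy_cipher(key_a, b"req->auth", enc_a), challenge_a):
        return False                                                   # (6) terminate
    enc_r = toy_cipher(key_a, b"auth->req", challenge_r)               # (7)-(8)
    plain_r = toy_cipher(req.key_for(auth_id), b"auth->req", enc_r)    # (9)
    if not hmac.compare_digest(plain_r, challenge_r):
        return False
    if one_time_keys:                                                  # (12)-(14)
        new_key = secrets.token_bytes(32)
        enc_key = toy_cipher(req.keyring[auth_id][1], b"newkey", new_key)
        received = toy_cipher(auth.keyring[req_id][1], b"newkey", enc_key)
        req.rotate(auth_id, new_key)
        auth.rotate(req_id, received)
    return True                                                        # (11)


if __name__ == "__main__":
    laptop, bank = make_pair("laptop", "bank")
    for _ in range(3):
        print(two_way_auth(laptop, bank), laptop.keyring["bank"] == bank.keyring["laptop"])
```

The comparisons use `hmac.compare_digest` so that a mismatch is not reported faster than a match; a deployment would also replace the toy keystream with an authenticated cipher.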
In the two-way universal authentication method the universal authentication system can use either one or two encryption keys per authentication. When two encryption keys are used, one key is designated for incoming requests and the other for outgoing responses. If one-time keys are to be used, both keys are replaced after each authentication. Users of the universal authentication method can also request rotating encryption key(s): either a single encryption key, or one encryption key for incoming requests and one encryption key for outgoing responses. For website authentication, the IP address of the requester and authenticator can be added as part of the encryption key(s) to prevent "man in the middle" attacks.
In view of the above, it will be seen that various aspects and features of the invention are achieved and other results and advantages can be attained. While preferred embodiments of the invention have been shown and described, it will be obvious to those skilled in the art that changes and modifications may be made therein without departing from the invention in its broader aspects.

Claims

What is claimed:
1. A method for one way authentication using a challenge and response system where a first apparatus (requester) initiates a request for authentication to a second apparatus (authenticator), the method comprising the steps of:
a. the authenticator passing its unique identifier and a randomly generated character string to the requester;
b. the requester uses the identifier to retrieve an encryption key for the authenticator and encrypts the passed in randomly generated character string;
c. the encrypted character string and the requester's unique identifier is passed back to the authenticator;
d. the authenticator retrieves the encryption key that corresponds to the received identifier and decrypts the encrypted character string;
e. if the decrypted character string matches the random character string sent in the initial request, the requester is authenticated.
2. The encryption key of claim 1 is determined from a plurality of rotating encryption keys.
3. The rotation of encryption keys of claim 2 is determined by a predefined pattern in the randomly generated character string of claim 1.
4. A means to determine the rotation of encryption keys of claim 2.
5. The authentication method of claim 1 is configured to authenticate a website by using the website name as an identifier.
6. The authentication method of claim 1 uses the IP address of the website as part of the encryption key.
7. A method for two way authentication using a challenge and response system where a first apparatus (requester) initiates a request for authentication to a second apparatus (authenticator), the method comprising the steps of:
a. the authenticator passing its unique identifier and a randomly generated character string to the requester;
b. the requester uses the identifier to retrieve an encryption key for the authenticator and encrypts the passed in randomly generated character string;
c. the encrypted character string, the requester's unique identifier, and a new randomly generated character string is passed back to the authenticator;
d. the authenticator retrieves the encryption key corresponding to the received identifier and decrypts the passed back encrypted character string;
e. if the decrypted character string does not match the random character string sent in the initial request, authentication fails and communication is terminated;
f. if the decrypted character string matches the random character string sent in the initial request, the random character string from the requester is encrypted;
g. the encrypted character string is passed back to the requester with the authenticator's unique identifier;
h. the requester uses the identifier to retrieve the encryption key for the authenticator and decrypts the encrypted character string;
i. if the decrypted character string matches the random character string sent in the initial request, both parties are authenticated.
8. The method of claim 7 uses one encryption key.
9. The method of claim 7 uses one encryption key for incoming requests and one encryption key for outgoing requests.
10. The encryption key of claim 7 is determined from a plurality of rotating encryption keys.
11. The rotation of the encryption keys of claim 10 is determined by a predefined pattern in the randomly generated character string of claim 7.
12. A means to determine the rotation of encryption keys of claim 10.
13. The authentication method of claim 7 is configured to authenticate a website by using the website name as an identifier.
14. The authentication method of claim 7 uses the IP address of the website as part of the encryption key.
15. The method of claim 7 further comprises:
a. the requester or authenticator generating a new random encryption key;
b. the new encryption key is encrypted with the next encryption key in the rotation from claim 10;
c. the encrypted key is communicated between the requester and authenticator;
d. both parties replace the encryption key used in the current authentication.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2010/049018 WO2012036683A2 (en) 2010-09-16 2010-09-16 Universal authentication method

Publications (2)

Publication Number Publication Date
WO2012036683A2 true WO2012036683A2 (en) 2012-03-22
WO2012036683A3 WO2012036683A3 (en) 2014-03-27

Family

ID=45832150

Country Status (1)

Country Link
WO (1) WO2012036683A2 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100005303A1 (en) * 2007-12-14 2010-01-07 James Ng Universal authentication method
US20100180328A1 (en) * 2007-06-26 2010-07-15 Marks & Clerk, Llp Authentication system and method

Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 10857381; Country of ref document: EP; Kind code of ref document: A2)
122 Ep: pct application non-entry in european phase (Ref document number: 10857381; Country of ref document: EP; Kind code of ref document: A2)