Authentication using random challenges


US005872917A

United States Patent [19]
Hellman

[11] Patent Number: 5,872,917
[45] Date of Patent: Feb. 16, 1999

[54] AUTHENTICATION USING RANDOM CHALLENGES

[75] Inventor: Martin E. Hellman, Stanford, Calif.

[73] Assignee: America Online, Inc., Dulles, Va.

[21] Appl. No.: 947,053

[22] Filed: Oct. 8, 1997

Related U.S. Application Data

[63] Continuation of Ser. No. 482,013, Jun. 7, 1995, abandoned.

[51] Int. Cl.6: G06F 11/00

[52] U.S. Cl.: 315/188.01; 395/187.01; 395/200.59

[58] Field of Search: 395/186, 187.01, 395/18801, 200.59; 705/18, 44; 707/9; 711/163, 164; 380/1-59

Primary Examiner: Robert W. Beausoliel, Jr.
Assistant Examiner: Pierre E. Elisca
Attorney, Agent, or Firm: Standley & Gilcrest

[57] ABSTRACT

A method is disclosed for authenticating one or both of two parties, for example, a user and a host computer. The first party and second party each know the same password. The first party sends a challenge to the second party. The second party generates and sends to the first party a response based on a first function of the password, the first party's challenge, and an extra value unknown to the first party. The first party, which knows only the length of the extra value, then attempts to match the response by using the same function, password, and challenge by cycling through the possible values for the extra value of known format. A method of bi-directional authentication may be achieved by having the first party return to the second party a response using a different function of the password, a preferably different challenge, and the extra value. The second party already knows the input values, including the extra value, and therefore, does not incur the costs associated with learning the extra value. The identity of the first party is confirmed by matching the transmitted response with a value generated locally.

19 Claims, 3 Drawing Sheets

[FIG. 1 (Sheet 1 of 3). Data flow between user and host computer: PROMPT USER FOR ID; SEND ID; CHALLENGE A (CA); RESPONSE = fA (PASSWORD, CA, PAD); RESPONSE = fB (PASSWORD, CA, PAD).]

[FIG. 2A (Sheet 2 of 3). Flow chart: START; HOST: PROMPT USER FOR ID; HOST: SEND "CA:" + CHALLENGE; USER: GENERATE EXTRA RANDOM VALUE OF KNOWN LENGTH (PAD), GENERATE UR = FUNCTION A (PASSWORD, CA, PAD), SEND "UR:" + UR; HOST: PV = INITIAL VALUE OF PAD (0); HOST: GENERATE HV = FUNCTION A (PASSWORD, CA, PV); INCREMENT PV; PV = LARGEST POSSIBLE VALUE?; ABORT SEQUENCE BECAUSE USER IDENTITY NOT PROVED.]

[FIG. 2B (Sheet 3 of 3). Flow chart: HOST: GENERATE HR = FUNCTION B (PASSWORD, CA, PV), SEND "HR:" + HR; USER: GENERATE UV = FUNCTION B (PASSWORD, CA, PV); NO: ABORT SEQUENCE BECAUSE HOST IDENTITY NOT PROVED; YES: END AUTHENTICATION; BEGIN WORK SESSION.]

AUTHENTICATION USING RANDOM CHALLENGES

This application is a file wrapper continuation of application Ser. No. 08/482,013 filed Jun. 7, 1995.

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates generally to a system for authentication between two parties—for example, a user and a host computer. More particularly, the present invention relates to a system for generating challenges and responses, based on a function generated from specific input values, between an authenticating party and a party to be authenticated in order to establish the identities of either or both.

2. Description of the Related Art

One method for protecting valuable computer based resources and digital services, such as computer time sharing services, computer information services (e.g., CompuServe® Information Service), automated teller machines, pay television, etc., is to employ an authentication mechanism that controls access to the computer or service (the host). Authentication protects resources by stopping vandals before they enter the host. Today, most authentication methods require a computer or service user (the user) to prove his or her identity before accessing the host. Therefore, authentication takes place during an initial login sequence. If the user is unable to prove his or her identity during this sequence, access to the host will be denied. While authentication may be enforced only during an initial login sequence, it may also be enforced throughout an entire session so that the host and/or user identities are authenticated with each transmission or after some number of transmissions during the session.

During any authentication sequence, security may be breached in several ways. First, the user may not be the person he or she purports to be and is in reality, a computer vandal (an opponent). Second, the host may not be the entity it purports to be so that the user logs into an imposter host which can then gain valuable personal information (e.g., credit card numbers). Finally, an eavesdropper may be monitoring the exchange between the user and the host in order to capture information that may be used to breach security during this or a subsequent session. Given the possible security breaches that may occur during an authentication sequence, there is a need for individuals who use various computer based services or other digital services to be able to identify themselves to the host in a way that makes impersonation by anyone else difficult, and preferably, impossible. In some applications, authentication may be carried out continuously throughout the session.

Most login sequences begin with the host prompting the user for an identification name or number and a password (sometimes called a personal identification number or PIN). This approach involves a two stage process in which the user and host first agree on a user ID, such as an authentication name or number, and an associated password. This is done in a secure manner—for example, in a personal meeting or via mail. Both the host and the user store these values. When the user desires service, he sends his user ID and password to the host. The host then compares the offered password with the value previously stored by the host for that user. If the offered and stored passwords agree, the user is granted access to services. If they disagree, the user is prompted to try again because users make occasional typing errors. However, the rate at which passwords may be tried is often limited (e.g., once every five seconds) to prevent automated attacks in which passwords are tried at electronic speeds—potentially thousands of passwords per second. For similar reasons, the number of incorrect login attempts is often limited (e.g., to three) before the user account is put on hold pending investigation of a possible attack. These limits place little or no burden on legitimate users because humans can only enter a password once every few seconds and rarely enter incorrect passwords many times in a row. However, these limits may thwart the efforts of an opponent using an automated attack because the attack is at least interrupted if not stopped completely.

Security under this mechanism may be breached when the user ID and password are told to, guessed, or captured by an opponent. One method for capturing passwords is to eavesdrop on channels carrying passwords. "Password login" security has sufficed for many services that rely on the dial-up telephone network because eavesdropping on a telephone call carried over the dial-up network requires a wiretap—an invasive act susceptible to detection and apprehension of the wiretapper. However, "password login" is highly insecure when used on new, shared communication channels such as local area networks (LANs), the Internet, cellular telephones, etc. Eavesdropping on shared communication channels is accomplished easily, with little chance of detection, because of their shared nature. For example, on a LAN, each user's computer sees all messages going to any other computer, but a legitimate user's network adapter (e.g., an Ethernet card) is programmed to only pick off and store those messages with that user's address. It is a simple matter, almost impossible to detect, for the user to reprogram the network adapter to store all messages with one or more other users' addresses. Debugging tools in some network adapters facilitate eavesdropping under so-called "promiscuous listening mode." This mode is intended for network administrators' trouble shooting, but may be used by dishonest users as well.

Challenge-response schemes attempt to address the eavesdropping problem. When the host computer answers the user's authentication request, it initiates a dialog by sending the user a challenge which either never repeats—for example, the date and time—or has negligible probability of repeating—for example a 64-bit random value. The user's computer receives the host's challenge, encrypts it under a password supplied by the user, and returns the response to the host. The host also knows this password and can authenticate the user's identity by comparing this user's response with a correctly encrypted version of the challenge. Because the password itself is never sent, an eavesdropper must cryptanalyze the system in order to impersonate a user.

Variations of this challenge and response authentication include requiring the user to send a challenge to the host so that the host authenticates itself to the user, thereby preventing an opponent from posing as the host. Under this scheme, the user sends a challenge to the host, the host generates the response to the challenge as above, and the user checks the validity of the host's response. Authentication of the host may be important if the user is communicating confidential information.

Bi-directional or mutual authentication, in which both host and user authenticate each other, is also clearly possible. Under this two-way scheme, the user must prove his or her identity to the host and the host must prove its identity to the user. In some instances (e.g., if the challenge is the date and time), the challenge may be generated by the user or a third party, rather than by the host. In the former case, the challenge need not be transmitted to the user. A similar option exists in bidirectional authentication.

While such challenge-response schemes provide a defense against eavesdroppers, short passwords are insecure because an eavesdropping opponent can search through all possibilities rapidly. In particular, short passwords are often susceptible to "dictionary attacks" in which an opponent attempts to guess the password by monitoring the challenges and responses and testing frequently used passwords (e.g., the user's name) by performing the same operations as the user and host computers. Dictionary attacks may be thwarted by requiring longer passwords, perhaps as long as cryptographic keys. For example, if the Data Encryption Standard (DES) is used as the cryptographic system in the challenge and response authentication, and if the password is a 56-bit totally random value (the size of DES's key), then an opponent must search 2^56 = 7E16 values. If the password is four alphanumeric characters, instead, the opponent must search only 36^4 = 2E6 values. If the opponent can search 1E5 values per second (a typical value for a modern PC), searching for the totally random key takes 7E11 seconds = 20,000 years, but, searching for a four character alphanumeric key takes only 20 seconds.

If the password must be memorized or entered manually by the user, there is great user resistance to using long, random passwords. Even when passwords are stored in script files that are communicated automatically to the host, many users select passwords that are short or non-random.

SUMMARY OF THE INVENTION

The present invention addresses the problems of short or non-random passwords present in current authentication schemes, and, particularly, challenge-response authentication schemes. In the authentication scheme of the present invention, the authenticating party and/or the party to be authenticated prove that they know a shared password. Proof of knowledge of the password is provided without actually revealing the password during the exchange of data in an authentication sequence. In a unidirectional authentication scheme using the present invention, in which the host computer verifies the identity of the user, the following exchange may take place. First, the host computer sends a challenge to the user. The user takes the challenge and generates a response based on a function of the password and additional input values. The user sends the response to the host computer which then compares the response to the result of a function applied to the password and additional input values. Identity of the user is confirmed when the host computer generates locally a match for the response from the user.

The user's response is based on the result of a function that includes an extra input value, called PAD, which is unknown to the host. The use of the value PAD is unique to the present invention. To confirm the identity of the user, the host, which knows the format of the extra input value, but not the actual value, may need to try all possible values for the extra input value in attempting to match the user's response. While a usual goal is to minimize the computational cost to the host and user, one of the surprising advantages of the present invention is the increased cost of generating a response—in this instance, the host response, because that cost increase also extends to the opponent. As a result, the present invention increases the difficulty of dictionary attacks by increasing significantly the number of operations an opponent must perform to generate a match and learn a password.

The extent of the cost increase may be illustrated by examples. However, the computation times described herein are representative only. Host computation times that are greater or less than those provided in the examples may result from various embodiments of the present invention. The examples provided are not intended to limit the scope of the present invention to the particular embodiment described herein.

In previously known challenge-response authentication schemes, if computation of a response takes 0.01 msec on a $2,000 PC, the corresponding cost per authentication to the host and the user is approximately $2E-10 ($2,000 divided by the number of 0.01 msec in three years, the approximate useful life of the PC.) An opponent who must search 2 million "short" passwords on a similar machine has a cost 2 million times as large, or $0.0004—a trivial sum for obtaining a password. As noted above, the search may be accomplished in 20 seconds on a PC. Because all three costs are so small, it pays to increase the computation time of each response to 100 seconds, ten million times longer than before. Then, the costs to the host and the user increase by a factor of ten million to $0.002—which is still insignificant—while the opponent's cost also increases by a factor of ten million to $4,000—a point at which attacking the system may not be economical. If the opponent is limited to using a single PC, the computations take 2 years.

While a cost of $0.002 to host and user is reasonable, the attendant delay time of 100 seconds to authentication, needed to achieve this cost, is unacceptable. If, as is often the case, the host generates many responses every minute, it can overcome this delay by using powerful workstations. The high capital cost of this equipment is offset by the large number of responses computed so that the cost per response is still $0.002, provided the workstations are kept fully loaded. If, as is true for a large computer information service, thousands of authentications are handled each hour, it is also possible to use special purpose hardware to generate responses at the host. In addition to reducing the authentication delay to a reasonable level, special purpose hardware can give the host an economic advantage if the response algorithm is designed to be hardware prone (i.e., having a high ratio of computation cost in software vs. hardware.)

While the time delay at the host can be made reasonable, users cannot afford to invest in fast workstations or special purpose hardware merely to speed up authentication. Unlike the host, users rarely generate responses so such devices would be idle most of the time with a large attendant increase in the cost per authentication. The problem is thus reduced to one of increasing the host's cost of generating responses without increasing the user's cost. The present invention accomplishes this goal through the use of an extra input value. The extra input value is a padding value PAD—chosen by the user's computer—to lengthen the password. If, for example, the password is four characters long and DES is used as the basis of the challenge and response authentication system, then 24 random bits may be used for PAD. In an ASCII representation, a four character password is 32 bits long so adding 24 PAD bits makes it 56 bits long, the right size for a DES key. A 24 bit PAD results in 2^24 = 17 million possible values, close to a cost increase factor of ten million used earlier as an example.

Because PAD is known to the user, he does not see any change from the situation before PAD was introduced and can generate the response in 0.01 msec at a cost of $2E-10. But the host, which does not know PAD, must generate the response to its challenge for the password and PAD concatenation for each of the 2^24 possible values of PAD and

accept the response as valid if any PAD value results in the received response. It is seen that the host's cost increases by a factor of 2^24 to $0.004, while the user's cost, and more importantly, delay are unchanged. Most importantly, an eavesdropping opponent who tries to learn the password by encrypting the challenge under all possible password and PAD concatenated values also sees an increase in cost by a factor of 2^24 (to $7,000) compared to the situation before PAD was added. Thus, the use of PAD increases the host's and the opponent's cost in an easily controlled manner, while leaving the user's cost and delay unchanged.

Another advantage of the present invention is that the cost to the host and opponent may be controlled independently of the cost to the user. This is important in an environment where users have vastly different computing abilities, as is the case today where a computer information service must serve a pool of users whose computers range from the original IBM PC through 100 MHz Pentium systems—a range of approximately 100 in computing power. The time to compute the user response to the host's challenge must be reasonable on the slowest of these user computers, but without the present invention's use of PAD, that may allow an opponent to search probable passwords 100 times faster than if the service could assume all users had powerful computers. The present invention allows the service to add 2 digits to PAD, increasing the cost to the host and opponent by a factor of 100, the factor by which the service would have liked to increase the response computation time if all users had modern, powerful computers. The increased cost to the host is not a problem because it will be equipped with modern, fast computers.

If bi-directional or mutual authentication is desired, the reverse operation may be used so that the user challenges the host and the host chooses a PAD value. However, under this scheme, the user's delay would increase unacceptably. The present invention may address this problem by having the user first authenticate himself to the host and then having the host authenticate itself to the user using the same PAD value chosen by the user and now known to the host. The cost to the host and user of this second authentication is unaffected by the use of PAD because the host has already paid the price for learning PAD when verifying the user's response. An opponent who attacks either response in an attempt to learn the password has his cost increased by the number of PAD values.

The present invention offers several advantages over previously known authentication schemes, particularly, challenge and response authentication schemes. The security of the authentication, based on the addition of PAD, is improved even when relatively short passwords are used. The likelihood of successful dictionary attacks is also reduced because the number of eavesdropper computations needed to search a set of probable passwords (e.g., names) is increased significantly. However, no additional time is needed for the user to generate his response or to validate the host's response. These advantages and others are explained further by the accompanying drawings and detailed description.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic representation of the flow of data between the user's and host computer;

FIG. 2A is a flow chart of the authentication sequence for host computer authentication of the user; and

FIG. 2B is a flow chart of user authentication of the host computer.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENT(S)

Referring now to FIG. 1, there is shown the flow of data between the user's computer 10 and the host computer 12. The user is assigned, prior to any communications, an identification sequence and a password known also by the host computer. Furthermore, the host and user computers know, prior to the exchange of data, what functions should be applied to the exchanged data. FIG. 1 represents a preferred embodiment of the present invention. The exchange of information may take place in a different order. In addition, the number of values exchanged between the user and host computer could be lesser or greater than the number provided in the preferred embodiment. The source of the values may vary in different embodiments of the present invention. Also, the types of values may be different. Finally, although the preferred embodiment involves bi-directional or mutual authentication, unidirectional authentication is also possible so that only the host verifies the identity of the user or only the user verifies the identity of the host.

The authentication dialog, or protocol, involves the exchange of, preferably, four values: the user's ID 16, the host's challenge 18, the user's response 20, and the host's response 22. Preferably, the standard protocol translates all exchanges into line-oriented text. The worst impact of line noise is a failure to log in to the host. Preferably, the protocol uses a simple checksum on each exchanged value. The checksum may be useful for assistance in auditing the process. If the arriving data have an incorrect checksum or cannot be understood, then the problem is most likely line noise. If, however, the checksum is correct, then a failure to log in usually means the user did not know the password and is more likely to be an opponent.

In the preferred embodiment, the exchange begins with the host computer 12 sending a prompt 14 to the user 10 for an identification name or number. The user responds with a user ID 16. The host then sends to the user a challenge CA 18. Then, the user sends to the host computer a response 20 generated from the password, the host's challenge, and an extra value PAD 20 using a function FA. Other values, such as a challenge from the user, also may be used in generating the response. The host verifies the identity of the user by comparing the user's response 20 to its own internally generated response using the same function with the same input values.

For bi-directional authentication, the user may verify the identity of the host. The host generates and sends to the user a response generated from a different function FB of the password, the host's challenge, and the user's extra value PAD that was sent earlier 22. The user verifies the identity of the host by comparing the host's response to his internally generated value using the function FB with the same input values. Other values, such as a challenge from the user, also may be used in generating the response.

Referring now to FIG. 2A, a preferred embodiment of the authentication sequence is shown. The host begins the authentication process by prompting the user for his or her ID 12. In the next step, the host generates a challenge, CA, 20. The process of generating a challenge is well known in the art and is not explained here. For example, the challenge may be a random value or the date and time. Challenges of other sizes and origins may be used as well. The host then sends to the user the challenge, preferably, in the format "CA:" plus the challenge followed by a carriage return and line feed 20.
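The exchange described above (challenge CA, a user response under function FA with a PAD the host must search for, and a host response under FB using the PAD the host has learned), written out as an added example; it is not code from the patent. Assumptions: HMAC-SHA256 stands in for the MD5 or DES one-way function, PAD is 12 bits rather than 24 so the search finishes quickly, and all function names are illustrative.

```python
import hashlib
import hmac
import secrets

PAD_BITS = 12  # assumption: small so the demo is fast; the patent's example uses 24 bits


def _one_way(label, password, challenge, pad):
    # Stand-in one-way function: HMAC-SHA256 keyed with password || PAD.
    # The patent names MD5 or DES; the label keeps functions A and B distinct.
    key = password.encode() + pad.to_bytes(4, "big")
    return hmac.new(key, label + challenge.encode(), hashlib.sha256).hexdigest()


def function_a(password, challenge, pad):
    return _one_way(b"A|", password, challenge, pad)


def function_b(password, challenge, pad):
    return _one_way(b"B|", password, challenge, pad)


def frame(tag, value):
    """Line-oriented message: tag, colon, value, carriage return, line feed."""
    return f"{tag}:{value}\r\n"


def unframe(tag, message):
    """Strip the tag and CR LF, rejecting anything that is not a well-formed line."""
    prefix = tag + ":"
    if not (message.startswith(prefix) and message.endswith("\r\n")):
        raise ValueError(f"expected a {tag} line")
    return message[len(prefix):-2]


def host_challenge():
    """Host -> user: a 64-bit random challenge."""
    return frame("CA", secrets.token_hex(8))


def user_response(password, ca_line):
    """User picks a secret PAD and answers with UR = FA(password, CA, PAD)."""
    challenge = unframe("CA", ca_line)
    pad = secrets.randbelow(1 << PAD_BITS)  # never transmitted
    return frame("UR", function_a(password, challenge, pad)), pad


def host_verify(password, ca_line, ur_line):
    """Host tries every possible PAD value (PV).

    Returns (matching PV or None, number of function evaluations spent)."""
    challenge, ur = unframe("CA", ca_line), unframe("UR", ur_line)
    for pv in range(1 << PAD_BITS):
        if hmac.compare_digest(function_a(password, challenge, pv), ur):
            return pv, pv + 1
    return None, 1 << PAD_BITS  # user identity not proved


def host_response(password, ca_line, pad):
    """Host proves itself with HR = FB(password, CA, PAD); PAD is now known to it."""
    return frame("HR", function_b(password, unframe("CA", ca_line), pad))


def user_verify_host(password, ca_line, pad, hr_line):
    """User recomputes UV = FB(password, CA, PAD) and compares it with HR."""
    uv = function_b(password, unframe("CA", ca_line), pad)
    return hmac.compare_digest(uv, unframe("HR", hr_line))


def run_login(user_password, host_password):
    """One bi-directional exchange; returns (user_ok, host_ok, host_evaluations)."""
    ca = host_challenge()
    ur, pad = user_response(user_password, ca)
    found, work = host_verify(host_password, ca, ur)
    if found is None:
        return False, False, work
    hr = host_response(host_password, ca, found)
    return True, user_verify_host(user_password, ca, pad, hr), work


if __name__ == "__main__":
    print(run_login("abcd", "abcd"))  # matching passwords: both sides verified
    print(run_login("abcx", "abcd"))  # wrong password: full PAD search, then abort
```

A failed login costs the host the full 2^PAD_BITS evaluations, which is the same per-guess price an eavesdropper pays for each candidate password.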

Next, the user generates a response, "UR", to send to the host computer 22. The host computer uses this response to verify the identity of the user. To generate the response UR, the user first generates an extra value PAD of a format known to the host computer. This extra value is not transmitted to the host computer. The use of this extra value PAD is unique to the present invention. The response UR depends on the password, the host's challenge (CA), and the extra value of known format. Preferably, the response is generated from a one-way function (function A) that is easy to compute, but difficult to invert such as the MD5 digest or DES function. These functions are well known in the art and are not described here. Many other functions may work as well. The user then sends to the host computer the response, preferably, in the format "UR:" plus the response followed by a carriage return and line feed 22.

In steps 24-38, the host computer attempts to verify the identity of the user by comparing its own results, using the same function and input values, with the user's response (UR). The extra value (PAD) used in the calculation of the user's response (UR) above, however, was not transmitted to the host. Therefore, to find a matching value, the host may be required to try all possible values (PV) of the known [...] (HV), preferably using the same one-way function (FA) of the password, the host's challenge (CA), and the extra value of known format (PV) 26. The host compares this generated value (HV) to the user response (UR) to verify the user's identity 28. If the host value (HV) and user response (UR) do not match 28, the host increments the extra value (PV) 30. If the incremented value (PV) is still within the range of possibilities 32, then the host generates a new value (HV) using the new extra value 26. If the host value (HV) and user response (UR) do not match 28 and all possible extra values have been tried 32, then the user does not know the password and the authentication sequence aborts 34. If the host value HV and the user's response UR match 28 for any value of PV, then the user is authenticated and the host has learned PAD.

In step 36, a test for bi-directional authentication is made 36. If host identity is not to be confirmed, then the work session may begin or continue because user identity has been confirmed.

In the bi-directional authentication scheme of the preferred embodiment, the host generates a response (HR) that is a one-way function (function B) of the password, the challenge (CA), and the extra value (PAD) that the host determined was part of the user response (UR) 40. Preferably, the response is generated from a one-way function that is easy to compute, but difficult to invert such as the MD5 digest or DES function. These functions are well known in the art and are not described here. Many other functions may work as well. Preferably, the function (FB) is not the same one used by the host and user to verify the identity of the user (function A). The host then sends to the user its response (HR), preferably, in the format "HR:" plus the response followed by a carriage return and line feed 40.

The user attempts to verify the identity of the host by comparing its own results, using the same function (function B) and input values, with the host's response [...] The user generates a value (UV) 42 using the password, the [...] 44, then the host does not know the password and the authentication sequence aborts 46. If the host response (HR) and user value (UV) match 44, then the identity of the host is verified and the user may begin or continue a work session 48.

The present invention offers several advantages over known authentication mechanisms. The method increases costs for both the host and an opponent. The cost increase for the host, however, is manageable because its base cost, [...] be manageable because the opponent's base cost is higher and potentially, the method is expensive in software. As a result, the mechanism may be published and incorporated in many products. Furthermore, the method of the present invention may be used regardless of the means of access. It may be used whether the user's path to the host is through a network modem, cable TV, the Internet or one of many other means. Therefore, users are not required to invest in special hardware or equipment to access the host. In addition, the method may be password based so that users need only a password and possibly, a user ID—a paradigm familiar to most users today.

The present invention protects valuable resources by providing for authentication between two parties—for example, a computer user and a host computer. For computer users and hosts, the authentication may take place during the login sequence so that computer vandals may be prevented from entering the computer system. In addition, authentication may be enforced throughout a session between the user and host computer. Although the invention has been described in accordance with one preferred embodiment, it is to be understood that the present invention contemplates other embodiments compatible with the teachings herein. Various changes may be made to the number and types of values used, the formats of values used, and the functions applied to the data without departing from the spirit and scope of the invention. Also, the source of the values may differ in various embodiments. In addition, devices such as cable TV boxes may take the place of the user's computer and still be within the scope of the intended invention. Devices such as cellular telephones may take the place of the host computer and still be within the scope of the invention. A preferred or exemplary embodiment of the invention has been described.

What is claimed is:

1. A method of authentication, said method comprising the steps of:

(i) generating a password, said password known to a first party and a second party;

(ii) generating at least one challenge, said at least one challenge being generated by said first party, said

result, opponents may be deterred from attempting unautho riZed access to the host. Most importantly, the method does not increase costs or impose delays for users. In addition, the host and user are not dependent upon the secrecy of the method or non-obviousness of intercepted data for protection during the authentication sequence. As a

format. Preferably, the host cycles through all possible values for the knoWn format, beginning at 0, 24 and tests them in order 26, 28, 30, 32. The values may actually be tested in any order—for example, ascending, descending, or random. For each possible value, the host generates a value

before the increase, Was loWer. Additionally, the host’s cost may be managed by use of hardWare prone responses and the use of special purpose hardWare and/or fast Workstations. The cost increase for the opponent, hoWever, is unlikely to

second party, or a third party;

(iii) generating a ?rst value, said ?rst value Within a range of values determined prior to generating said ?rst value

and said ?rst value being generated by said second Party; 65

(iv) generating a ?rst response using said passWord, at

challenge (CA), and extra value (PAD) generated in step 22.

least one of said challenges, and said ?rst value, said

If the host response (HR) and user value (UV) do not match

?rst response being generated by said second party;

5,872,917 9

10 plurality of second responses using said passWord, at

(v) transmitting said ?rst response from said second party

least one of said challenges, and one of said plurality of second values until said ?rst response matches one of said plurality of second responses or until all of said second values Within said predetermined range of val ues have been generated. 10. The system of claim 9, further comprising a means for

to said ?rst party;

(vi) generating a second value, said second value Within said range of values determined prior to generating said ?rst value and said second value being generated by said ?rst party; (vii) generating a second response using said passWord, at least one of said challenges, and said second value, said second response being generated by said ?rst party; and (viii) comparing said ?rst response and said second

generating said ?rst response using said passWord, at least 10

generating said plurality of second responses using said

response, said comparison performed by said ?rst party. 2. The method according to claim 1, further comprising the step of repeating steps vi, vii, and viii until said ?rst response and said second response match or until all of said

second values Within said range of values determined prior to generating said ?rst value have been generated. 3. The method of claim 1, further comprising the steps of: said ?rst party generating a third response using said passWord, at least one of said challenges, and said

passWord, at least one of said challenges, said second values Within said predetermined range of values, and at least one 15

additional challenge from said second party. 11. The system of claim 9, further comprising: means for said ?rst party to generate a third response

using said passWord, at least one of said challenges, and said second value; means for said ?rst party to transmit said third response to

said second party;

second value; transmitting said third response from said ?rst party to said second party; generating a fourth response using said passWord, at least one of said challenges, and said ?rst value, said fourth

one of said challenges, said ?rst value, and at least one additional challenge from said second party and a means for

means for said second party to generate a fourth response

using said passWord, at least one of said challenges, and said ?rst value; 25

response being generated by said second party; com

means for said second party to compare said third response and said fourth response.

12. The system of claim 9, Wherein said second value is

paring said third response and said fourth response,

randomly generated.

said comparison being done by said second party.

13. The system of claim 9 Wherein said second party is authenticated if said ?rst response and said second response match.

4. The method of claim 1, further comprising the step of generating said ?rst response using said passWord, at least one of said challenges, said ?rst value, and at least one

14. The system of claim 9 Wherein said plurality of second

additional challenge from said second party and generating

values is generated in ascending order beginning With the

said second response using said passWord, at least one of said challenges, said second value, and at least one addi

minimum value in said predetermined range of values. 15. The system of claim 9 Wherein said plurality of second

tional challenge from said second party. 5. The method of claim 1, Wherein the step of generating said ?rst value comprises the step of randomly generating

35

said ?rst value. 6. The method of claim 1 Wherein said step of comparing said ?rst response and said second response guarantees

authentication of said second party by said ?rst party. 7. The method of claim 1 Wherein the step of generating second values Within said range of values comprises gener ating said second values in ascending order beginning With the minimum value in said range of values. 8. The method of claim 1 Wherein the step of generating second values Within said range of values determined prior

and said second party, that said second party knoWs said passWord, said communication involving a value, said value knoWn to said ?rst party, said value Within 45

a determinate range of values knoWn to said second

party, and said value tested by said second party; and maintaining said communication free of revealing said

passWord.

mum value in said range of values.

17. A system for authentication comprising:

9. A system for authenticating comprising:

a ?rst party a second party;

a ?rst party; a second party;

a ?rst response, said ?rst response being generated by said

means for generating a passWord, said passWord knoWn

by said ?rst party and by said second party; means for generating at least one challenge, said at least 55

one challenge being generated by said ?rst party, said second party, or a third party; means for said second party to generate a ?rst value

Within a predetermined range of values; means for said second party to generate a ?rst response

second party from a ?rst random value Within a speci ?ed range of values knoWn to said ?rst party and said ?rst response being transmitted to said ?rst party; a second response, said second response being generated by said ?rst party at a cost substantially higher than the cost of generating said ?rst response. 18. The system of claim 17 Wherein said ?rst party generates said second response in accordance With a plural

ity of second values Within said speci?ed range of values

using said passWord, at least one of said challenges, and said ?rst value; means for transmitting said ?rst response to said ?rst

party; and

maXimum value in said predetermined range of values. 16. A method of authentication, said method comprising the steps of: providing a ?rst party With a passWord; providing a second party With said passWord;

establishing by communication betWeen said ?rst party

to generating said ?rst value comprises generating said second values in descending order beginning With the maXi

means for said ?rst party to generate a plurality of second values Within said predetermined range of values and a

values is generated in descending order beginning With the

65

knoWn to said ?rst party. 19. The system of claim 17 Wherein said second party is authenticated if said ?rst response and said second response match.
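The user and host exchange described in the specification and recited in claims 1 to 3, as an added Python sketch that is not part of the patent. SHA-256 stands in for the one-way function (the patent names MD5 or DES), and the 12-bit pad range, the field encoding and all function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

PAD_RANGE = 1 << 12  # assumed "known format" of the extra value: 0..4095


def respond(tag: bytes, password: bytes, challenge: bytes, pad: int) -> bytes:
    """One-way function of (password, challenge, pad).

    tag b"A" plays the role of functionA and b"B" of functionB, so the
    host's reply can never be replayed as a user response.
    """
    h = hashlib.sha256()
    for part in (tag, password, challenge, pad.to_bytes(4, "big")):
        h.update(len(part).to_bytes(2, "big") + part)  # length-prefixed fields
    return h.digest()


def user_response(password: bytes, challenge: bytes, pad=None):
    """User side: choose a random PAD and return (UR, PAD). Only UR is sent."""
    if pad is None:
        pad = secrets.randbelow(PAD_RANGE)
    return respond(b"A", password, challenge, pad), pad


def host_verify(password: bytes, challenge: bytes, ur: bytes):
    """Host side: test each PV until HV equals UR.

    Returns (recovered PAD, evaluations used), or (None, PAD_RANGE) when
    every value has been tried and the sequence aborts.
    """
    for pv in range(PAD_RANGE):
        hv = respond(b"A", password, challenge, pv)
        if hmac.compare_digest(hv, ur):
            return pv, pv + 1
    return None, PAD_RANGE


def host_response(password: bytes, challenge: bytes, pad: int) -> bytes:
    """Host proves it recovered PAD (and so knows the password): HR."""
    return respond(b"B", password, challenge, pad)


def user_verify_host(password: bytes, challenge: bytes, pad: int, hr: bytes) -> bool:
    """User recomputes UV from its own PAD and compares it with HR."""
    return hmac.compare_digest(respond(b"B", password, challenge, pad), hr)


if __name__ == "__main__":
    pw, ca = b"constructed-password", secrets.token_bytes(16)  # constructed inputs
    ur, pad = user_response(pw, ca)
    found, tries = host_verify(pw, ca, ur)
    print("host recovered PAD:", found == pad, "after", tries, "evaluations")
    print("host accepted by user:", user_verify_host(pw, ca, pad, host_response(pw, ca, found)))
```

Every rejected password costs the verifier the full `PAD_RANGE` evaluations, which is the per-guess cost multiplier the specification relies on.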

UNITED STATES PATENT AND TRADEMARK OFFICE

CERTIFICATE OF CORRECTION

PATENT NO.: 5,872,917

DATED: February 16, 1999

INVENTOR(S): Martin E. Hellman

It is certified that error appears in the above-identified patent and that said Letters Patent is hereby corrected as shown below:

In column 5, line 29, please delete the word “modem” and replace it with -- modern --. In column 5, line 31, please delete the word “modem” and replace it with -- modern --.

Signed and Sealed this

Twenty-sixth Day of October, 1999

Q. TODD DICKINSON