P
USRE37178EExpiredUtilityPatentIndex 94

Method and apparatus for authentication of client server communication

Assignee: NOVELL INCPriority: Nov 3, 1992Filed: Sep 20, 1996Granted: May 15, 2001
Est. expiryNov 3, 2012(expired)· nominal 20-yr term from priority
Inventors:KINGDON KEVIN
H04L 63/067H04L 9/0827H04L 9/3247H04L 63/12H04L 9/3236H04L 63/083H04L 69/16H04L 63/061
94
PatentIndex Score
51
Cited by
32
References
44
Claims

Abstract

The present invention provides a method and apparatus for message packet authentication to prevent the forging of message packets. After a message packet is created, a secret session key is preappended to the message, and a message digesting algorithm is executed on the altered message to create a message digest. A portion of the message digest, referred to as the signature, is then appended to the actual message when it is sent over the wire. The receiving station strips the signature from the message, preappends the same secret session key and creates its own message digest. The signature of the digest created by the receiving station is compared to the signature of the digest appended by the sending station. If there is a match, an authentic message is assumed. If there is no match, the message is considered as invalid and discarded. An advantage of the present invention is that the session key is never transmitted over the wire. The receiving station (server) already has the key and uses the key along with the message data to recalculate the message digest upon receiving the packet. The shared secret key (session key) is generated during initiation of the NCP session. In addition, cumulative state information is maintained by both the sending station and the receiving station. This state information is also used to authenticate messages.

Claims

exact text as granted — not AI-modified
I claim:  
     
       1. A method of authenticating a message transmitted between a sender and a receiver comprising the steps of: 
       generating a message at said sender;  
       combining a session key with said message to create a first appended message;  
       calculating a first digest of said first appended message;  
       combining a first portion of said first digest with said message to create a transmit message;  
       transmitting said transmit message to said receiver;  
       removing said first portion of said first digest from said transmit message to result in said message;  
       combining said session key with said message to generate a second appended message;  
       calculating a second digest of said second appended message; 
       comparing said said  first portion of said first digest and a second portion of said second digest;  
       authenticating said message when said first portion of said first digest matches said second portion of said second digest.  
     
     
       2. The method of claim I wherein said sender is a client in a client/server network. 
     
     
       3. The method of claim  1  wherein said receiver is a server in a client/server network. 
     
     
       4. The method of claim  1  wherein said step of calculating a first digest of said first appended message is accomplished by executing a digest algorithm on said first appended message. 
     
     
       5. The method of claim  4  wherein said digest algorithm is an MD4 digest algorithm. 
     
     
       6. The method of claim  4  wherein a current state of said sender is used as an initial state when executing said digest algorithm to create said first digest. 
     
     
       7. The method of claim  6  wherein said current state is used as an initial state when executing said digest algorithm to create said second digest. 
     
     
       8. The method of claim  7  wherein said current state is advanced when an authenticated message is received. 
     
     
       9. The method of claim  8  wherein said current state is not advanced when an authenticated message is not received. 
     
     
       10. The method of claim  1  wherein said session key is generated by the steps of: 
       providing a random number sequence challenge to said sender;  
       requesting a password from a user of said sender;  
       generating a first pass digest from said password;  
       combining said first pass digest and said challenge in a buffer; generating a buffer digest of said buffer;  
       defining said session key as a first number of bytes of said buffer digest.  
     
     
       11. Apparatus for authenticating a message transmitted between a sender and a receiver comprising: 
       means for generating a message at said sender;  
       means for combining a session key with said message to create a first appended message;  
       means for calculating a first digest of said first appended message;  
       means for combining said a first portion of said first digest with said message to create a transmit message;  
       means for transmitting said transmit message to said receiver;  
       means for removing said first portion of said first digest from said transmit message to result in said message;  
       means for combining said session key with said message to generate a second appended message;  
       means for calculating a second digest of said second appended message;  
       means for comparing said said  first portion of said first digest and a second portion of said second digest;  
       means for authenticating said message when said first portion of said first digest matches said second portion of said second digest.  
     
     
       12. The apparatus of claim  11  wherein said sender is a client in a client/server network. 
     
     
       13. The apparatus of claim  11  wherein said receiver is a server in a client/server network. 
     
     
       14. The apparatus of claim  11  wherein said first digest of said first appended message is calculated by executing a digest algorithm on said first appended message. 
     
     
       15. The apparatus of claim  14  wherein said digest algorithm is an MD 4  digest algorithm. 
     
     
       16. The apparatus of claim  14  wherein a current state of said sender is used as an initial state when executing said digest algorithm to create said first digest. 
     
     
       17. The apparatus of claim  16  wherein said current state is used as an initial state when executing said digest algorithm to create said second digest. 
     
     
       18. The apparatus of claim  17  wherein said current state is advanced when an authenticated message is received. 
     
     
       19. The apparatus of claim  18  wherein said current state is not advanced when an authenticated message is not received. 
     
     
       20. The apparatus of claim  11  further including means for generating a session key comprising: 
       means for providing a random number sequence challenge to said sender;  
       means for requesting a password from a user of said sender;  
       means for generating a first pass digest from said password;  
       means for combining said first pass digest and said challenge in a buffer;  
       means for generating a buffer digest of said buffer;  
       means for defining said session key as a first number of bytes of said buffer digest.  
     
     
       21. A method of authenticating a message transmitted between a sender and a receiver, comprising the steps of: 
       
         generating a message at a sender;  
       
       
         combining a session key with said message to create a first appended message;  
       
       
         creating a first hash of said first appended message;  
       
       
         combining at least a portion of said first hash with said message to create a transmit message;  
       
       
         transmitting said transmit message to a receiver;  
       
       
         determining from the transmit message said portion of said first hash and said message;  
       
       
         combining said session key with said message to generate a second appended message;  
       
       
         creating a second hash of said second appended message;  
       
       
         comparing only a portion of said first hash and a corresponding portion of said second hash; and  
       
       
         authenticating said message when said portion of said first hash matches said corresponding portion of said second hash.  
       
     
     
       22. The method of claim  21 , wherein said sender is a client in a client/server network.  
     
     
       23. The method of claim  21 , wherein said receiver is a server in a client/server network.  
     
     
       24. The method of claim  21 , wherein the steps of creating involve calculating.  
     
     
       25. The method of claim  24 , wherein said step of calculating a first hash of said first appended message is accomplished by executing a digest algorithm on said first appended message.  
     
     
       26. A method of generating a session key, in a computer system comprising the steps of: 
       
         providing a random number sequence;  
       
       
         requesting a password from a user;  
       
       
         creating a first hash from said password;  
       
       
         combining said first hash and said sequence;  
       
       
         creating a second hash of said combined first hash and sequence; and  
       
       
         defining a session key as a portion of said second hash.  
       
     
     
       27. A session key generated by the method of claim  26 .  
     
     
       28. The method of claim  26 , wherein the steps of creating involve calculating.  
     
     
       29. The method of claim  26 , wherein the hashes are digests.  
     
     
       30. A method of authenticating a message transmitted between a sender and a receiver, comprising the steps of: 
       
         generating a message at a sender;  
       
       
         combining a session key with said message to create a first appended message;  
       
       
         creating a first hash of said first appended message using a current state as an initial state;  
       
       
         combining at least a portion of said first hash with said message to create a transmit message;  
       
       
         transmitting said transmit message to a receiver;  
       
       
         determining from said transmit message said portion of said first hash and said message;  
       
       
         combining said session key with said message to generate a second appended message;  
       
       
         creating a second hash of said second appended message using said current state as an initial state;  
       
       
         comparing said portion of said first hash and at least a portion of said second hash; and  
       
       
         authenticating said message when said portion of said first hash matches said portion of said second hash.  
       
     
     
       31. The method of claim  30 , wherein said current state is advanced when an authenticated message is received.  
     
     
       32. The method of claim  30 , wherein said current state is not advanced when an authenticated message is not received.  
     
     
       33. The method of claim  30 , wherein the portions of the first and second hashes are the entire first and second hashes, respectively.  
     
     
       34. The method of claim  30 , wherein the hashes are digests.  
     
     
       35. A computer system for authenticating a message transmitted between a sender and a receiver, comprising: 
       
         a first computer having:  
       
       
         means for generating a message;  
       
       
         means for combining a session key with said message to create a first appended message;  
       
       
         means for creating a first hash of said first appended message;  
       
       
         means for combining at least a portion of said first hash with said message to create a transmit message;  
       
       
         means for transmitting said transmit message;  
       
       
         a second computer having:  
       
       
         means for receiving said transmit message;  
       
       
         means for determining from the transmit said portion of said first hash and said message;  
       
       
         means for combining said session key with said message to generate a second appended message;  
       
       
         means for creating a second hash of said second appended message;  
       
       
         means for comparing only a portion of said first hash and a corresponding portion of said second hash; and  
       
       
         means for authenticating said message when said portion of said first hash matches said corresponding portion of said second hash.  
       
     
     
       36. The computer system of claim  35 , wherein said sender is a client in a client/server network.  
     
     
       37. The computer system of claim  35 , wherein said receiver is a server in a client/server network.  
     
     
       38. The computer system of claim  35 , wherein the hashes are digests.  
     
     
       39. A computer system for authenticating a message transmitted between a sender and a receiver, comprising: 
       
         a first computer having:  
       
       
         means for generating a message;  
       
       
         means for combining a session key with said message to create a first appended message;  
       
       
         means for creating a first hash of said first appended message using a current state as an initial state;  
       
       
         means for combining at least a portion of said first hash with said message to create a transmit message;  
       
       
         means for transmitting said transmit message;  
       
       
         a second computer having:  
       
       
         means for receiving said transmit message;  
       
       
         means for determining from said transmit message said portion of said first hash and said message;  
       
       
         means for combining said session key with said message to generate a second appended message;  
       
       
         means for creating a second hash of said second appended message using said current state as an initial state;  
       
       
         means for comparing said portion of said first hash and at least a portion of said second hash; and  
       
       
         means for authenticating said message when said portion of said first hash matches said portion of said second hash.  
       
     
     
       40. The computer system of claim  39 , wherein said current state is advanced when an authenticated message is received.  
     
     
       41. The computer system of claim  39 , wherein said current state is not advanced when an authenticated message is not received.  
     
     
       42. The computer system of claim  39 , wherein the portions of the first and second hashes comprise the entire first and second hashes, respectively.  
     
     
       43. A computer readable medium comprising a program capable of authenticating a message transmitted between a sender and a receiver by performing the steps of: 
       
         generating a message at a sender;  
       
       
         combining a session key with said message to create a first appended message;  
       
       
         creating a first hash of said first appended message;  
       
       
         combining at least a portion of said first hash with said message to create a transmit message;  
       
       
         transmitting said transmit message to a receiver;  
       
       
         determining from the transmit message said portion of said first hash and said message;  
       
       
         combining said session key with said message to generate a second appended message;  
       
       
         creating a second hash of said second appended message;  
       
       
         comparing only a portion of said first hash and a corresponding portion of said second hash; and  
       
       
         authenticating said message when said portion of said first hash matches said corresponding portion of said second hash.  
       
     
     
       44. A computer readable medium comprising a program capable of authenticating a message transmitted between a sender and a receiver by performing the steps of: 
       
         generating a message at a sender;  
       
       
         combining a session key with said message to create a first appended message;  
       
       
         creating a first hash of said first appended message using a current state of said sender as an initial state;  
       
       
         combining at least a portion of said first hash with said message to create a transmit message;  
       
       
         transmitting said transmit message to a receiver;  
       
       
         determining from said transmit message said portion of said first hash and said message;  
       
       
         combining said session key with said message to generate a second appended message;  
       
       
         creating a second hash of said second appended message using said current state as an initial state;  
       
       
         comparing said portion of said first hash and at least a portion of said second hash; and  
       
       
         authenticating said message when said portion of said first hash matches said portion of said second hash.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.