1. Field of the Invention
The invention relates generally to security of authentication and data transmission over untrusted communication media in client-server computer, network, and other architectures, and more particularly to encryption key management systems and authentication protocols.
2. Description of the Related Art
Electronic networks of interconnected devices and users continue to grow with unprecedented rate. They have become foundations for vitally important infrastructures enabling e-commerce, communications, corporate and government operations, healthcare, education, and other important areas. This phenomenon was actively studied and commercialized during the last quarter of the 20th century, and there is every indication this activity will intensify well into the 21st century.
There are various parties involved in remote relationships over distributed electronic networks. Most known representations are business-to-business (b2b), business-to-consumers (b2c), and peer-to-peer (p2p), describing scaled-down to hardware devices communication, for instance, peer router to peer router, or device-to-device (d2d). One of the fundamental problems for continued growth of electronic networks and their efficient utilization is establishing trust between remote counterparts in b2b, b2c, d2d, and other interrelating over network parties. It is common knowledge that computer network intruders (or intruding organizations) cause ever-growing direct economic losses to enterprises and individual consumers. They significantly undermine the progress in applying network technologies to certain areas, especially related to parties having legal and financial responsibilities, and national security.
Trust to remote humans or devices, interacting over electronic networks, has two components. The first component is identification and verification of the parties at the beginning of the communication session (mutual authentication). The second component is associated with trust to information transferred during the communication session over untrusted communication media (communication lines). It includes the following specific requirements—confidentiality (none can read the message except the intended recipient), integrity (none altered, tampered with, or modified the message against the original), and non-repudiation (the sender cannot deny the fact of having sent the message).
Authentication and cryptography are key enabling technologies employed to satisfy the security requirements listed above. Authentication factors are typically characterized as “what user knows” (for instance, passwords, PINs), “what user has” (for instance, hardware token, smart card), and “what user is” (particular biometric traits; for instance, fingerprints, voice patterns, etc.). Passwords are the most ubiquitous over electronic networks as an authentication factor due to ease of use, low cost and easy electronic deployment. Most of the strong (two-, or three-factor) authentication systems are still using passwords or PINs as one of the system authentication factors.
However, passwords provide low security due to insufficient protection against numerous known intruding attacks on databases where the passwords are residing, social engineering attacks, videotaping or “shoulder surfing” attacks during password entry stages, memory sniffing attacks, Trojan horse attacks, and network sniffing attacks. Perhaps, the latter are the most dangerous attacks as a distributed electronic network (like Internet) has numerous access points. There are authentication systems transmitting passwords in clear text (for instance, Password Authentication Protocol (PAP) RFC 1334-2, Telnet, and FTP). Certainly, there is no protection at all in such cases. More protected authentication systems transmit encrypted passwords over electronic networks.
There are several approaches in transferring an encrypted password. The first one is based on the one-way encryption—calculating the password's hash value with one of the standard hashing algorithms (for example, SHA-1 Secure Hash Algorithm, FIPS PUB 180-1, Secure Hash Standard, 1995, Apr. 17, or MD5 Message Digest Algorithms, RFC 1320 and RFC 1321, April 1992, by Ronald L. Rivest) at both client and server locations. The client transmits the hashed password (of the user at the client platform) to the server, where it is compared with the password of the same client (the same user at the client platform) from the database connected to the server (typically, user passwords are already stored in password files in hashed form for database protection; that is why there is no need to perform text-to-hash encryption operation). Unfortunately, the progress in integrated circuit (ASIC, FPGA, etc.) design and manufacturing drastically reduced protection of hashed passwords, as dictionary or brute force computer processing attacks became extremely efficient. It is worthy to note that sometimes intercepting a hashed password is sufficient enough to break the system without learning the actual password.
There are more sophisticated authentication systems based on Challenge-Handshake Authentication Protocol (CHAP, for instance, RFC 1334-3, RFC 1934, RFC 2759) used by Microsoft for Windows NT remote log-in. The server (the authenticator) sends the “challenge” to the client (the peer), where the message gets encrypted using the client's (the peer's) password. Actually, the “challenge” sent to the client platform is then encrypted at the client location three times using the first seven bytes of the password's hash value as the first DES key (Data Encryption Standard and other known encryption algorithms used for data encryption and decryption described in Bruce Schneier, Applied Cryptography, Second Edition, John Wiley and Sons, Inc., at pp. 233-560, (1996)); the next seven bytes of the password's hash value used as the second DES key, and the remaining two bytes of the password's hash value concatenated with five zero-filled bytes used as a third DES key. Eventually, three 64-bit “responses” (the “challenge” encrypted with DES keys as described above) are sent back to the server (the authenticator), where they are compared with the similar outputs calculated at the server. If the values match, the authentication is acknowledged; otherwise the connection should be terminated.
Passwords (client/server shared secrets) in CHAP never enter communication lines in either form. This is a serious security advantage of this protocol. Also, CHAP prevents playback attacks by using “challenges” of a variable value. The server (the authenticator) is in control of the frequency and timing of the “challenge”. CHAP assumes that passwords are already known to the client and the server, and are easily accessible during a CHAP session. However, frequent usage of the same static encryption keys derived from a password on the client host, and applied to encrypt even random “challenge” numbers sent in clear text to the client, raises some security concerns. It provides ample opportunities for intruders, sniffing the network with the following offline computer data processing attacks.
Various modifications of client/server authentication employing a challenge/response protocol are disclosed in Bellovin et al., U.S. Pat. No. 5,241,599, Kung et al., U.S. Pat. No. 5,434,918, Pinkas, U.S. Pat. No. 5,841,871, Hellman, U.S. Pat. No. 5,872,917, Brown, U.S. Pat. No. 6,058,480, Hoffstein at al., U.S. Pat. No. 6,076,163, Guthrie et al., U.S. Pat. No. 6,161,185, Jablon, U.S. Pat. No. 6,226,383, Swift et al., U.S. Pat. No. 6,377,691, Brown, U.S. Pat. No. 6,487,667, Jerdonek, U.S. Pub. No. 2002/0095507. Some of these patents go beyond security of just only an authentication process. They explore the opportunity of utilizing challenge/response type protocols as a basis for an encryption key management system. This can extend security for the entire communication session duration, allowing for encrypted data transmission between parties once their mutual authentication is completed.
U.S. Pat. No. 5,434,918 and U.S. Pat. No. 6,377,691 applied client/server authentication based on different modifications of a challenge/response protocol to exchange secret keys (symmetric cryptography) between parties. There were attempts combining challenge/response protocols with well-known encryption key management systems. For instance, U.S. Pat. No. 6,076,163 and U.S. Pub. No. 2002/0095507 disclose versions of a challenge/response protocol utilizing an authentication and encryption key management system based on PKI (Public Key Infrastructure (Hellman et al., U.S. Pat. No. 4,200,770, and Diffie at al., IEEE Transactions on Information Theory, vol. IT-22, No. 6, Nov. 1976)), whereas U.S. Pat. No. 5,841,871 discloses a version of a challenge/response protocol integrated with Kerberos (NET, 1988; RFC 1510))—the authentication and encryption key management system.
Another approach would be encrypting passwords (either text or hash) with a secret key (symmetric cryptography) on the client side, before transmission, and then, decrypt it on the server side for comparison with the password stored in the server-connected database. Though it can be a viable solution, there are several security requirements making this approach a very difficult one to implement. The first issue is how to manage the session secret key distribution between the client and the server. Otherwise, if the secret keys are statically preset at the client and the server hosts, they become a security concern by themselves. Moreover, having static keys for numerous communication sessions makes encrypted passwords vulnerable against offline computer data processing attacks. There are protocols, not based on a challenge/response type mechanism, where authentication credentials are distributed over communication lines with help of PKI. They were disclosed in Kaliski, U.S. Pat. No. 6,085,320, Kausik, U.S. Pat. No. 6,170,058, Kaliski, U.S. Pat. No. 6,189,098, Spies, U.S. Pat. No. 6,230,269 and Volger, U.S. Pat. No. 6,393,127. Despite recognized scientific studies and long-time exposure, PKI and Kerberos authentication and encryption key management systems have not experienced a wide industry acceptance due to their complexity, cost, and mandatory requirements to trust artificial third parties (see, for instance, Gartner QA-18-7301, 13 Nov., 2002, by V. Wheatman, Public-Key Infrastructure Q&A, and DPRO-90693, 20 May, 2003, by Kristen Noakes-Fry, Public Key Infrastructure: Technology Overview; USENIX, 91, Dallas, Tex., “Limitations of the Kerberos Authentication System”, by Steven M. Bellovin and Michael Merritt). SSL (Secure Socket Layer, based on PKI protocol developed by Netscape Communications in 1994) is also known for its security deficiencies, high cost and complexity in assuring “client browser”/“Web server” encrypted communication (see, for instance, Gartner T-16-0632, 3 Apr., 2002, by J. Pescatore and V. Wheatman, and FT-178896, 15 Aug., 2002, by J. Pescatore). Hence, there is a significant interest in exploring other encryption key management systems, similar to the challenge/response authentication protocols mentioned above, for instance, Fielder, U.S. Pat. No. 6,105,133, Alegre, U.S. Pat. No. 6,199,113, and Venkatram, U.S. Pat. No. 6,367,010.
Aspects of this invention are particularly concerned with security of authentication systems and encrypted information exchange over distributed computer networks. Prior art encrypted authentication protocol implementations based on PKI, SSL, and Kerberos exhibited numerous security flaws and a prohibitive level of complexity and cost for various applications, businesses and organizations. There is a substantial need for improved and more efficient encrypted authentication protocols, addressing less complex infrastructures required, and less costly for practical implementation encryption key management systems. These improved encrypted authentication protocols should also include secure mutual authentication built into the protocols; randomly generated session secret keys; new cryptographic algorithms allowing for scalable security authentication and data encryption, and further allowing for variation based on the power of computer and network resources.