Browse Prior Art Database

Using a Local Password for Two Step Authentication

IP.com Disclosure Number: IPCOM000109625D
Original Publication Date: 1992-Sep-01
Included in the Prior Art Database: 2005-Mar-24
Document File: 3 page(s) / 162K

Publishing Venue

IBM

Related People

Gopal, I: AUTHOR [+4]

Abstract

This article proposes a method to do authentication in two steps: the secret required for authentication will be maintained in a mobile storage, but will be protected using a password, so that if an unauthorized party gets hold of the storage, he or she will still not be able to use it for authentication.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 52% of the total text.

Using a Local Password for Two Step Authentication

       This article proposes a method to do authentication in
two steps: the secret required for authentication will be maintained
in a mobile storage, but will be protected using a password, so that
if an unauthorized party gets hold of the  storage, he or she will
still not be able to use it for authentication.

      Many authentication protocols between two parties require that
the two parties taking part in the protocol share a secret.  This
secret should also be random to decrease the probability that
somebody would guess it.  The longer the secret is, the more security
it provides.  Moreover, some secrets have a complex structure
required by some protocols.  For example, it is a polynomial of a
certain structure, if the polynomial authentication is used.
Alternatively, it may be a set of keys.

      When a person is the party to be authenticated, it is not
reasonable to expect this person to remember a long, complex and
random secret.  On the other hand, a person can be expected to
remember a relatively short password.  This password is also a
secret, but one that is less secure than the kind of secret mentioned
above.  It is desired to limit the use of this secret as much as
possible.

      In this article we suggest a method to use the password to
protect the secret that is stored on a (probably portable) device
(e.g., a smart card).  Without the password, the device will be
useless to anybody who acquired it without the consent of its owner.
The password itself will not be stored on the device.  It will be
used only in the communication  with the device (that typically is
local and under a close control of the password user) rather than in
communication with the other party (who may be far away and not under
the control of the device user).

      In the following we use so called encryptions.  However, we do
not use decryption.  Thus, only one-way functions are actually
necessary, rather than encryption-decryption systems.

      This method can be used to protect any kind of secret.  In this
article we use the example where the secret is a polynomial.
However, the method is general.
Asymmetric Polynomial with Password

      In the example of the polynomial method, the locally stored
polynomial is use...