Browse Prior Art Database

Prevalidation Hashes for Authentication Credentials

IP.com Disclosure Number: IPCOM000238645D
Publication Date: 2014-Sep-09
Document File: 3 page(s) / 78K

Publishing Venue

The IP.com Prior Art Database

Abstract

The disclosed invention describes a system and method to reduce the risk of sending incorrect authentication credentials to a potentially untrustworthy server.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 43% of the total text.

Page 01 of 3

Prevalidation Hashes for Authentication Credentials
As the variety of exploits and security attacks expands, client applications and devices may not fully trust the connected server, especially for sensitive operations like user authentication. For example, a user may receive a phishing email with a link to a fake banking site. If the user authenticates with the site, they have handed their credentials to an attacker. Even if the user's banking site is legitimate, if the user enters incorrect credentials such as the wrong ID and password, they have handed over credentials to another site. Those credentials could be picked up by an insider attacker or possibly intercepted by an attacker and used to exploit other user accounts.

A great deal of "wrong credential" errors could be avoided if the server communicated something about the credentials for the client device to know that the credentials supplied are likely to match what the server expects, to avoid sending invalid credentials to the server.

The disclosed invention proposes a solution that provides hints for client-side prevalidation of authentication credentials.

Prior art search:

Search Term Results

Relevance

client password check

check password before submit none relevant, just devices to have the user check their entered password

doublecheck authentication

client authentication hash

Hashes on both client and server, however a full hash is performed for to minimize authentication credential length. A secondary hash is not used for validation of the credentials

client password comparison

second client hash

WO2009100259A2

Web search:

Search terms: hash password send, check password client side, separate hash password client side, client password comparison, client authentication hash
Results: none relevant, mainly forum results from programmers asking if passwords can be hashed on the client before sending to the server (which is a different idea, and compromises security)

At a high level, the system integrates with an existing authentication protocol, such as password authentication, biometric authentication, or challenge-response authentication. System steps:

A client and server arrange for authentication credentials, as usual

1.


2.

The server creates a low-entropy "signature" representation of the credentials, for example by taking an 8-bit hash of the

credentials (a completely separate hash from any other hashing that may take place)

When prompting the user for authentication, the server also sends the signature of the credentials to the client, along with

3.

the algorithm used to generate the signature
When the user enters credentials on the client (password, biometric, USB authentication, etc), the client first computes the

4.


5.

signature of the credentials
If the signatures match, the client sends the credentials. Otherwise the client prompts for re-try


6.

If the server supplied signature does not match the signature of credentials entered by the user, the server may be...