Title of invention: Secure password-based authentication for cloud computing services
Abstract: Secure password-based authentication for cloud service computing. A request for cloud computing resource access includes a derivative password that contains a parameter that the recipient may extract in order to independently calculate the derivative password based on the parameter and a stored password which may then be verified against a known-to-be-correct password. Other systems and methods are disclosed.
Publication number: US8959335(B2), Publication date: 2015.02.17
Application number: US201213448928, Filing date: 2012.04.17
Applicant: Gemalto SA, Inventor: Lu HongQian Karen
Classification: H04L29/06, Main classification: H04L29/06
Agency: The Jansson Firm, Agent: The Jansson Firm; Jansson Pehr B.
Principal claim: 1. A method for operating a computing system, the computer system including a client computer, a security device, and a server, wherein the client computer and the server engage in a communications session constituting a sequence of request-response communications between the client computer and the server, to authenticate a client program executing on the client computer to a server service executing on the server upon the client program making a service request of the server during said communications session, the method comprising:
operating the client computer to form the service request to the server in a request-response communications protocol using a process that includes transmitting a command to the security device to provide username and a derivative-password;
operating the security device: in response to the command from the client computer to provide a username and derivative-password:
  to generate a derivative-password using a first parameter and a password-equivalent value stored in the security device;
  at least one time during the communications session, in conjunction with a user device operated by a user, to obtain authorization from the user granting permission to the security device to provide a derivative password to the client computer; and
  transmit an answer-message to the client computer, the answer-message including the first parameter, the derivative-password and the username;
operating the client computer to:
  form the service request by including the answer-message received from the security device in the service request; and
  transmit the service request to the server; and
operating the server to:
  receive the service request from the client;
  extract the first parameter, the derivative-password and the username from the service request;
  compute a server-side-computed derivative of the password-equivalent value using the extracted first parameter and a server-side-stored password-equivalent value;
  compare the received derivative-password to the server-side-computed derivative-password; and
  upon determining that the received derivative-password matches the server-side-computed derivative-password, fulfilling the service requested by the client computer.
Address: Meudon FR