| 摘要 |
A method for authenticating a user having a username and password and authenticating access to the user's information. A client computer generates, and sends to a server computer, input data that includes a key (h1) to a dataset of salts accessible to the server computer, a proxy (h2) for the password, a proxy (h4) for the username, and in one embodiment, a different proxy (h8) for the username. The input data does not include the username in plaintext and does not include the password in plaintext. Using the input data and not utilizing the username in plaintext and not utilizing the password in plaintext, the server computer authenticates both the user and access to the user's information, after which the server computer sends, to the client computer, notification that the server computer has authenticated both the user and access to the user's information. |
| 主权项 |
1. A method for receiving notification that a user having a username and password has been authenticated and that access to the user's information has been authenticated, said method comprising:
receiving, by a client computer to which the user has access, the username, the password, an integer N of at least 2, and a constant salt s0; said client computer computing t0 as a hash of: the username and the salt s0; said client computer computing h0 as t0 modulo N; said client computer determining a salt s1 from a site dataset of salts, wherein said determining the salt s1 comprises using h0 as a key pointing to a location, in the site dataset, at which the salt s1 is located; said client computer computing h1 as a hash of: the username and the salt s1, wherein h1 is a key pointing to a location, in a first dataset of salts, at which a set of independent user salts is located, wherein the first dataset is stored at or accessible to a server computer; said client computer sending a first request to the server computer for a plurality of salts comprising independent user salts s2 and s4 within the set of independent user salts pointed to by h1 in the first dataset, wherein the first request includes h1; after said sending the first request, said client computer receiving, from the server computer, the plurality of salts including the salts s2 and s4; said client computer computing a proxy (h2) for the password, wherein h2 is computed as a hash of: the password and the salt s2; said client computer computing a proxy (h4) for the username, wherein h4 is computed as a hash of: the username and the salt s4; said client computer sending a second request to the server computer for the server computer to authenticate both the user and access of the user's information, wherein the second request includes input data that comprises either first data or second data; after the user and the access to the user's information have both been authenticated by the server computer using the input data sent by the client computer, said client computer receiving, from the server computer, notification that the server computer has authenticated both the user and access to the user's information, wherein the second data comprises h1, h2, h4, and a proxy (h8) for the username and does not comprise the username in plaintext and does not comprise the password in plaintext and is sufficient for the server computer to authenticate the user and to authenticate access to the user's information without use of the username in plaintext and without use of the password in plaintext, wherein the first data comprises h1, h2, and h4 and does not comprise h8 and does not comprise the username in plaintext and does not comprise the password in plaintext and is sufficient for the server computer to authenticate both the user and the access to the user's information without use of the username in plaintext and without use of the password in plaintext, wherein h4 and h8 are independent of each other aside from both h4 and h8 depending on the username, and wherein if the input data includes the second data then: (i) the requested plurality of salts further comprises independent user salt s7 within the set of independent user salts pointed to by h1 in the first dataset, wherein the salt s7 is independent of the salt s2 and the salt s4 and (ii) prior to said sending the second request, said client computer computing h8 as a hash of: the username and the salt s7. |
