发明名称 |
Protocol and method for client-server mutual authentication using event-based OTP |
摘要 |
A method of authenticating and encrypting a client-server communication is provided. Two one-time passwords (OTP1 and OTP2) are generated from a cryptographic token. An encryption key (K_ENC) and a MAC key (K_MAC) are generated based on OTP2. The client data are prepared and protected using K_ENC and K_MAC. A request message is sent from the client to the server, and contains the protected client data, a cryptographic token identifier and OTP1. OTP1 is validated at the server, and OTP2 is generated at the server upon successful validation. K_ENC and K_MAC are derived from OTP2 at the server. The request message is processed and result data is generated. The result data is encrypted using K_ENC and a digest is created using K_MAC. The encrypted result data is sent to the client, and is decrypted using K_ENC and the authenticity of the result data is verified using K_MAC. |
申请公布号 |
US9197411(B2) |
申请公布日期 |
2015.11.24 |
申请号 |
US201213412275 |
申请日期 |
2012.03.05 |
申请人 |
IMS HEALTH INCORPORATED |
发明人 |
Machani Salah E.;Teslenko Konstantin |
分类号 |
H04L9/32;H04L9/08;G06Q20/38;G06Q20/40;H04L29/06 |
主分类号 |
H04L9/32 |
代理机构 |
Maldjian Law Group LLC |
代理人 |
Maldjian Law Group LLC |
主权项 |
1. A method of authenticating and encrypting a client-server communication, comprising steps of:
a) generating a first one-time password (OTP1) and a second one-time password (OTP2) from a cryptographic token; b) generating an encryption key (K_ENC) and a MAC (Message Authentication Code) key (K_MAC) based on OTP2; c) preparing and protecting client data using K_ENC and K_MAC; d) sending a request message from the client to the server, the request message containing the protected client data, a cryptographic token identifier (TID) and OTP1; e) validating OTP1 at the server, and generating OTP2 at the server upon successful validation; f) deriving K_ENC and K_MAC from OTP2 at the server; g) processing the request message and generating result data; h) encrypting the result data using K_ENC and creating a digest using K_MAC; i) sending the encrypted result data to the client; and j) decrypting the result data at the client using K_ENC and verifying the authenticity of the result data using K_MAC. |
地址 |
Danbury CT US |