Apparatus for importing and exporting partially encrypted...

Data processing: financial – business practice – management – or co – Business processing using cryptography

Reexamination Certificate


Details

C700S079000, C713S151000

active

06292790

ABSTRACT:

REFERENCES
[1] Stevens, W. Richard, Unix Network Programming (Prentice-Hall, 1990), pages 24-25.
[2] ExtendNet VPN Reference Guide (Extended Systems Inc., June, 1997).
[3] Schneier, Bruce, Applied Cryptography, Second Edition (Wiley, 1996), pages 30-31, 265-269, 435-436.
[4] Wright, Gary R., TCP/IP Illustrated, Volume 2 (Addison-Wesley, 1995), pages 64-65.
FIELD OF THE INVENTION
This invention relates to an apparatus to import and export computer configuration data, part of which is confidential, to and from plain-text computer files.
BACKGROUND
Modern computing environments consist of computer networks with multiple servers for performing many varied functions. Often access to a server or other network resource is limited to users (clients) who can present proper credentials to the server. The process of identifying oneself to a computer system is generally known as authentication, and often consists of the client logging on to a system by entering a user name followed by a password. If the password entered by the client matches that maintained in a list by the server, the user is considered authenticated, and is logged into the server. Authenticated clients are then allowed access to the resources and services provided by the particular server according to the privilege level associated with the user name.
Modern computer networks typically have multiple servers. On a computer network with multiple servers, it is often desirable to have multiple user name/password lists, and each server is generally associated with a single user name/password list. The user name/password lists are typically grouped with other server-specific data. The collection as a whole represents the configuration data for a particular server.
For example, a remote access server is a device that allows remote users to access network computing resources from a remote site such as home or a customer site. The network itself generally has its own configuration data, including its own user name and password lists to authenticate users to the network at large. Thus in the general case, a remote user must authenticate to the remote access server, and then, having done that, gain access to the network itself.
Administering user name/password configuration files in a multi-server environment is difficult. It is desirable to be able to make backup copies of configuration data from each server that can be stored in a secure place on the network. The stored configuration file can be used to restore the configuration of a server that becomes corrupted. It sometimes is useful to replicate user names and passwords across multiple servers when, for example, simultaneous user capacity is being increased by adding additional servers. The user name/password lists tend to be large and contain confidential passwords, making it impractical and undesirable to enter the data by hand, so the ability to transfer memory-based server configuration data to a file is important. Such a file, however, poses security challenges, because certain configuration data, such as passwords, is confidential and should not be disclosed. One common solution for protecting passwords when written to a text file is to hash them with a one-way hash. Unix, for example, does not store the plain-text versions of passwords. Instead, Unix stores a one-way hash of the password. The hashing algorithm is a well-known algorithm. When a password is presented by a user, it too is hashed with the same algorithm, and the hashes are compared to determine if the original passwords match. One limitation of one-way hash schemes is that the original clear-text password is not preserved on the server, which is undesirable if the plain-text password is needed for another server purpose, such as an encryption key for data files.
Another prior art solution to protect confidential passwords is to encrypt the entire configuration file; this solution suffers from the fact that the entire configuration file, including public data, is encrypted and thus unreadable and difficult to modify.
What is needed is a system for saving and restoring configuration data to and from a text file that permits editing of public configuration data, preserves the secrecy of private configuration data, and ensures that text files improperly modified by unauthorized persons are blocked from restoration on a server.
BRIEF SUMMARY AND OBJECTS OF THE INVENTION
It is an object of the present invention to provide an apparatus that allows system administrators to be able to save, restore, and replicate server configuration data such as user names and passwords into a text file without compromising the secrecy of the passwords and other secure data, and further, to allow the resulting text files to optionally be edited in part, and to be restored to the same or different virtual private network server in a secure way.
The present invention achieves this objective by introducing a novel system that allows user configuration data, including names and passwords, to be saved in a textual data file by an authorized, authenticated system administrator, who provides an additional encryption password for the data when the configuration file is created. Selected portions of the data, such as passwords and other confidential data, are encrypted prior to being written to the file. The remaining information is written in an unencrypted form. The public portion of the configuration file can be restored on any server by an administrator authenticated to that server, including an administrator who cannot provide the decryption password associated with the configuration file. The entire configuration file, including the private, encrypted data, can be restored on any server, provided that the administrator authenticated to that server can also provide the decryption password associated with the configuration file.
The present invention is particularly novel in the way it performs a restore when the data authentication fails because the system administrator cannot present the proper decryption password. The present invention discloses a system having a data decryption password associated with the configuration file; this decryption password is distinct from the authentication password needed to authenticate to a target server. Rather than simply deny a restoration if the data authentication fails, the present invention allows a system administrator authenticated to the server, but not to the data, to restore the public parts of a configuration file, thus allowing public configuration data to be replicated freely.
The present invention also allows configuration data to be selectively excluded from a restore.
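The export and restore behaviour summarized above can be sketched as follows. This is an added illustration, not code from the patent: the `name=value` file layout, the `ENC:` marker, the `salt` line, the field names and the sample data are all assumptions. The HMAC-SHA256 keystream is a standard-library stand-in for a real cipher; a deployment would use a vetted authenticated cipher such as AES-GCM.

```python
import hashlib, hmac, os

SECRET_FIELDS = {"password"}   # assumption: field names treated as confidential

def _keys(data_pw, salt):
    # Derive separate encryption and MAC keys from the data password.
    k = hashlib.pbkdf2_hmac("sha256", data_pw.encode(), salt, 200_000, dklen=64)
    return k[:32], k[32:]

def _xor_stream(key, nonce, data):
    # Stand-in cipher: HMAC-SHA256 in counter mode used as a keystream.
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def _tag(mac_key, name, nonce, ct):
    # Bind the ciphertext to its field name so values cannot be swapped.
    return hmac.new(mac_key, name.encode() + b"\0" + nonce + ct, "sha256").digest()

def export_config(cfg, data_pw):
    salt = os.urandom(16)
    enc_key, mac_key = _keys(data_pw, salt)
    lines = ["salt=" + salt.hex()]
    for name, value in cfg.items():
        if name.rsplit(".", 1)[-1] in SECRET_FIELDS:
            nonce = os.urandom(16)
            ct = _xor_stream(enc_key, nonce, value.encode())
            value = "ENC:" + (nonce + ct + _tag(mac_key, name, nonce, ct)).hex()
        lines.append(f"{name}={value}")   # public fields stay readable and editable
    return "\n".join(lines)

def import_config(text, data_pw=None):
    rows = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    salt = bytes.fromhex(rows.pop("salt"))
    enc_key, mac_key = _keys(data_pw, salt) if data_pw is not None else (None, None)
    restored = {}
    for name, value in rows.items():
        if not value.startswith("ENC:"):
            restored[name] = value        # public: restored without the data password
            continue
        if enc_key is None:
            continue                      # no data password: secrets are skipped
        blob = bytes.fromhex(value[4:])
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if hmac.compare_digest(tag, _tag(mac_key, name, nonce, ct)):
            restored[name] = _xor_stream(enc_key, nonce, ct).decode()
    return restored                       # wrong password or tampering: public only

# Constructed sample configuration (not from the patent).
SAMPLE = {"server.name": "ras-01", "user.alice.password": "s3cret-A", "user.alice.level": "admin"}
```

A secret field whose tag fails to verify is dropped rather than aborting the restore, which mirrors the public-only restore described above; server-side administrator authentication is outside the scope of this sketch.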


REFERENCES:
patent: 5175800 (1992-12-01), Galis et al.
patent: 5241594 (1993-08-01), Kung
patent: 5640567 (1997-06-01), Phipps
patent: 5721924 (1998-02-01), Kitadate
patent: 5742677 (1998-04-01), Pinder et al.
patent: 5778395 (1998-07-01), Whiting et al.
patent: 5812398 (1998-09-01), Nielsen
patent: 5819296 (1998-10-01), Anderson et al.
patent: 5883956 (1999-03-01), Le et al.
patent: 0887723-A2 (1998-12-01), None
Stevens, W. Richard, Unix Network Programming (Prentice-Hall, 1990), pp. 24-25.
Schneier, Bruce, Applied Cryptography, Second Edition (Wiley, 1996), pp. 30-31, 265-269, 435-436.
Wright, Gary R., TCP/IP Illustrated, vol. 2 (Addison-Wesley, 1995), pp. 64-65.
