Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Particular communication authentication technique
Reexamination Certificate
1998-05-12
2001-12-18
Peeso, Thomas R. (Department: 2132)
C713S169000, C713S171000, C713S152000, C713S182000, C713S183000, C380S277000, C380S279000
active
06332192
ABSTRACT:
FIELD OF THE INVENTION
The invention relates generally to methods for verifying the identity of a user of a secure application. More particularly, the invention relates to a method for verifying the identity of a user accessing one or more secure applications or systems, such as a computer, on-line service, automated transaction mechanism, and the like.
BACKGROUND OF THE INVENTION
Many electronic systems in use require a user to identify himself before being granted access to the system. These systems include computer networks, automated teller machines (ATMs), automated databases such as LEXIS™, banking systems, electronic mail systems, on-line providers such as America On-Line (AOL)™, stock-trading systems, educational institutions, payroll accounts, and a great variety of additional applications. To ensure that the information on these systems is protected from tampering, destruction, or misuse, most of these systems employ some type of security. Security is especially important when information is made easily available to a large community of potential users in multiple locations on networks.
System security typically can include physical, procedural, and technical mechanisms. However, most systems rely on one or more of three basic methods of identification and authentication, each of which requires something of the Prover (the terms “Prover” and “user” are used interchangeably throughout the Specification):
something the Prover knows (e.g., name and password);
something the Prover has (e.g., identity badge); or
something the Prover is (e.g., finger print).
Security systems commonly rely on something the Prover knows even when applying something the Prover has. The most widely applied approach to “something known” is the use of a name and password in computer systems. Even recent security improvements (e.g., smart cards, firewalls, digital signatures) rely on traditional passwords and user IDs to identify and authenticate users when granting access.
Most authentication methodologies rely on the presence of a complete set of authentication information at every stage of the process (e.g., name and password). In the typical process, the user knows the complete set of authentication information and inputs the complete set into a computer or terminal. The complete set is transmitted to the secure application and compared there to a set of stored authentication information. At each stage of the process, the complete set of authentication data is exposed to interception and possible unauthorized use; an intercepted set is sufficient by itself to authenticate again. This is especially true in networked computer environments.
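The three stages just described, as an added example that is not code from the page or the patent's own method: a simulated Prover sends the complete name-and-password set through a transport stage with a passive tap to a Verifier, and the captured set is replayed. As a contrast that goes beyond the text, a challenge-response login is included in which only a one-time proof crosses the wire, so the captured transcript does not replay. The class names (Verifier, Tap), the user "alice" and the password value are constructed for illustration.

```python
"""Complete-set login versus challenge-response, with a passive wire tap.

Added example; not the patent's method. Verifier, Tap, the user and the
password are constructed assumptions for illustration.
"""
import hashlib
import hmac
import os


def derive_key(password: str, salt: bytes) -> bytes:
    # Slow, salted derivation so the stored record is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Verifier:
    """Secure application: holds (salt, derived key) per user."""

    def __init__(self, users: dict):
        self._store = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            self._store[name] = (salt, derive_key(pw, salt))
        self._pending = {}  # outstanding single-use challenges

    # --- name and password: the complete set arrives and is compared ---
    def check_password(self, name: str, password: str) -> bool:
        rec = self._store.get(name)
        if rec is None:
            return False
        salt, key = rec
        return hmac.compare_digest(derive_key(password, salt), key)

    # --- challenge-response: only a one-time proof arrives ---
    def challenge(self, name: str):
        rec = self._store.get(name)
        if rec is None:
            return None
        nonce = os.urandom(16)
        self._pending[name] = nonce
        return rec[0], nonce  # salt lets the prover re-derive the key

    def check_response(self, name: str, response: bytes) -> bool:
        nonce = self._pending.pop(name, None)  # each challenge is used once
        rec = self._store.get(name)
        if nonce is None or rec is None:
            return False
        expected = hmac.new(rec[1], nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)


class Tap:
    """Passive interceptor sitting on the transport stage."""

    def __init__(self):
        self.captured = []

    def relay(self, message: dict) -> dict:
        self.captured.append(dict(message))
        return message


def password_login(v: Verifier, tap: Tap, name: str, password: str) -> bool:
    # Stage 1: prover types the complete set; stage 2: it crosses the wire;
    # stage 3: the verifier compares it. The set is exposed at every stage.
    msg = tap.relay({"name": name, "password": password})
    return v.check_password(msg["name"], msg["password"])


def cr_login(v: Verifier, tap: Tap, name: str, password: str) -> bool:
    salt, nonce = v.challenge(name)
    key = derive_key(password, salt)  # never leaves the prover's side
    proof = hmac.new(key, nonce, "sha256").digest()
    msg = tap.relay({"name": name, "response": proof})
    return v.check_response(msg["name"], msg["response"])


def replay_password(v: Verifier, tap: Tap, captured: dict) -> bool:
    # The interceptor presents exactly what it saw on the wire.
    return password_login(v, tap, captured["name"], captured["password"])


def replay_response(v: Verifier, captured: dict) -> bool:
    # The interceptor triggers a fresh challenge, then sends the old proof.
    v.challenge(captured["name"])
    return v.check_response(captured["name"], captured["response"])


def demo() -> dict:
    v = Verifier({"alice": "87SFs81R9"})  # constructed user and password
    tap = Tap()
    results = {"password_login": password_login(v, tap, "alice", "87SFs81R9")}
    results["password_replay"] = replay_password(v, tap, tap.captured[0])
    results["cr_login"] = cr_login(v, tap, "alice", "87SFs81R9")
    results["cr_replay"] = replay_response(v, tap.captured[-1])
    results["wrong_password"] = password_login(v, tap, "alice", "guess")
    return results


if __name__ == "__main__":
    print(demo())
```

Two caveats on the contrast scheme: the stored derived key is password-equivalent for the challenge-response protocol, so an attacker who reads the Verifier's store can answer challenges without the password; and the Tap here is passive, so it says nothing about an active relay between Prover and Verifier.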
To ensure good security, passwords must be difficult to guess or decipher. Thus, users are advised to avoid “weak” passwords such as names (e.g., that of one's spouse, pet); easily obtained information (e.g., phone number, birthday); dictionary words; the same password for multiple systems, etc. To reduce the threat of unauthorized access, computer security experts often recommend that a user password contain only mixed letters and numbers in seemingly random strings (e.g., 87SFs81R9) and that it be changed often. Undetected unauthorized access could easily occur when a password is discovered, intercepted, or guessed.
The problems with such an approach are twofold. First, because human users typically find it easier to remember passwords that have a context for the user (e.g., a word or a date), the passwords they choose typically are not difficult to guess. A study of the range of passwords chosen by computer operators found that one third of all user passwords could be found in the dictionary. Such passwords are vulnerable to commonly available software that tries every word in the dictionary (and simple variations of each word) as the password.
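The dictionary attack the passage refers to, as an added example that is not from the page or the patent: a wordlist is run against a constructed store of salted SHA-256 password hashes. It goes slightly beyond the text in applying the case and digit-suffix variations that cracking tools try for every word. The users, passwords and the six-word list are constructed for illustration.

```python
"""Dictionary attack against a salted-hash password store.

Added example; not from the patent. The wordlist, users and passwords are
constructed assumptions for illustration.
"""
import hashlib
import os

# Constructed miniature wordlist; a real attack uses hundreds of thousands.
WORDLIST = ["password", "letmein", "dragon", "sunshine", "monkey", "welcome"]


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


def build_store(users: dict) -> dict:
    """Per-user random salt plus SHA-256(salt || password), a common layout."""
    store = {}
    for name, pw in users.items():
        salt = os.urandom(8)
        store[name] = (salt, hash_password(pw, salt))
    return store


def mutate(word: str):
    """Transformations crackers apply to each dictionary word."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for n in range(100):
            yield f"{base}{n}"
        yield base + "!"
    yield word[::-1]


def dictionary_attack(store: dict, wordlist) -> tuple:
    """Return ({user: recovered password}, number of hashes computed).

    The salt forces the work to be redone per user (no precomputed table),
    but it does nothing for a password that is itself a dictionary word.
    """
    recovered = {}
    hashes = 0
    for name, (salt, digest) in store.items():
        for word in wordlist:
            for guess in mutate(word):
                hashes += 1
                if hash_password(guess, salt) == digest:
                    recovered[name] = guess
                    break
            if name in recovered:
                break
    return recovered, hashes


def demo() -> dict:
    users = {
        "alice": "sunshine",   # plain dictionary word
        "bob": "Dragon42",     # capitalised word plus digits
        "carol": "87SFs81R9",  # random-looking string, survives the wordlist
        "dave": "password!",   # word plus punctuation
    }
    store = build_store(users)  # constructed store
    recovered, hashes = dictionary_attack(store, WORDLIST)
    return recovered


if __name__ == "__main__":
    print(demo())
```

Only "carol" survives; the other three are recovered after a few thousand hash computations, which is why the advice in the text to avoid dictionary words holds even when the Verifier stores salted hashes rather than plaintext.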
Second, the problem of “password overload” is resulting in many breaches of carefully planned security techniques. An increasing number of applications require that users follow an authentication process that typically includes presenting some form of name and password to gain access. If users comply with security standards, they must memorize a seemingly random string of letters and numbers for each application. Further, most secure applications have their own interfaces and may require something unique of the user. Some review users' passwords and restrict the type of password that the user may use and how long the password remains valid. However, the vast majority of applications do nothing to simplify the process for users and instead make it more complex.
Ultimately, the difficulty with remembering a multitude of passwords for a multitude of applications encourages users toward bad habits. Users select weak passwords, share them, and maintain vulnerable password lists, often sticking passwords directly onto their computer. In effect, users themselves are the weakest link in most secure applications and systems, making the systems vulnerable to easy breach and unauthorized access.
Thus, there is a need for a type of password authentication system that can satisfy the two seemingly conflicting goals of being easy for the user to remember and difficult for anyone else to figure out.
One prior art solution to solving this problem is the technique known as “single log-on” or “single sign-on,” typified by U.S. Pat. No. 5,241,594. In this technique, a user logs on to his or her user computer just once, using a conventional user ID and password. When the user needs to access a remote computer or application, the ID and password that the user just entered are encrypted and transmitted to the remote computer, using a secure transport layer protocol between the user's computer and the remote computer. The secure transport layer protocol is established either using special software on the user's computer or using a separate server. The encrypted password is then compared to a database of encrypted passwords stored in a central location, typically on the server or the remote computer. In addition, all systems that the user wants to access must use the same password.
However, the requirement that every computer or application in the system (i.e., the user computer and all remote computers) use the same password means that this technique may not work for all systems. This method may be unusable with remote computers or applications having complicated or atypical authentication requirements. Thus, many single sign-on products are compatible with only a limited number of applications. Moreover, most commercially available single sign-on systems use the separate-server method, which complicates and adds expense to the authentication process. Additionally, many commercially available systems require that all compliant applications use the same security protocols, hardware interfaces, etc., limiting the applicability of such systems. Therefore, there exists a need for a simple yet secure authentication system that does not require additional hardware and will work with systems having varied authentication techniques and requirements.
SUMMARY OF THE INVENTION
The invention provides users with a single, simple method of authentication that replaces traditional name and password approaches and is compatible with varied authentication requirements. The invention allows Verifiers (“Verifier” and “secure application” are used interchangeably throughout the specification) to securely authenticate Provers and allows Provers to be authenticated by multiple Verifiers. The invention applies a process that requires a Prover to complete only one set of easy-to-recall routines or Prover steps. These Prover steps initiate the appropriate authentication process for each Verifier without further intervention or input from the Prover. Thus, Provers have a single, unified method for all their authentication requirements, because the invention handles the subtleties associated with each secure application.
In one respect, the invention features a method for providing a user access to a secure application. The method includes storing in an encrypted form the authentication
Boroditsky Marc D.
Manza Marc B.
Passlogix, Inc.
Peeso Thomas R.
Testa Hurwitz & Thibeault LLP
Generalized user identification and authentication system