Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-04-13
2004-05-18
Vu, Kim (Department: 2135)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C713S191000, C713S183000, C380S277000, C380S281000, C380S283000, C380S284000
Reexamination Certificate
active
06738907
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates to maintaining security information in a distributed environment, and relates more particularly to updating passwords and private keys in a computer network.
TECHNICAL BACKGROUND OF THE INVENTION
Internal business networks, global computer networks, loosely- or tightly-coupled groups of networks, devices linked by wireless connections, mobile computers, and other distributed environments are becoming more important than ever to individuals, businesses, government agencies, and other entities. Distributed environments are also becoming more diverse in their geography, data format, hardware configuration, software platform, and other characteristics. As a result, security concerns are becoming both more important and more complex.
Keys and passwords protecting those keys are widely used to control access to data and other resources in a distributed environment. Keys are often used for authenticating user requests, for encrypting and decrypting digital documents, and for creating and verifying digital signatures on digital documents. Keys include symmetric keys, and asymmetric keys such as public-private key pairs. A given symmetric key may be used, for instance, both to encrypt a document and to decrypt the encrypted document. If a public key is used to encrypt a document, then the private key must be used to decrypt the encrypted document. Public-private key pairs are also useful for digitally signing documents and verifying such digital signatures. Passwords control access to keys and thus act as keys in their own right. Indeed, a key may be used as a password and vice versa.
Keys may be embedded in tokens. Tokens may be “hard” or “soft”. A hard token is a physical device, such as a dongle, a magnetic card, or a PCMCIA card, which must be physically presented to the distributed environment at a particular location in order to gain access to resources through that location. There are generally few or no duplicate copies of a key in a hard token, and the key data is normally restricted to the location at which the hard token is presented.
By contrast, a soft-token is a computer data structure, that is, a collection of digital information organized in a particular way to be recognized and otherwise processed by a computer. If the key is part of a public-private key pair, then the token may include a certificate for authenticating the key. Soft-tokens may be copied and distributed to many locations in the environment, making it unnecessary for the key's owner to be physically present at a hard-token-ready machine to present the token. Soft-token distribution is accomplished using network connections, memory copies, and similar operations.
In the absence of security concerns, soft-tokens would be easier to work with than hard tokens: they are cheaper to make, easier to transport, easier to store, and easier to modify. Unfortunately, these same characteristics make soft-tokens vulnerable to security breaches. Unless appropriate steps are taken, fake keys and passwords can be made and substituted for authorized keys and passwords, and authorized keys and passwords can be modified to grant access to unauthorized entities.
In particular, some assurance of authenticity is needed when a new key or a new password arrives at a location to be entered as the replacement for the current key or current password. Otherwise one is forced to choose between forbidding changes to keys and passwords, on the one hand, and risking unauthorized access after a key or password is updated, on the other. Forbidding changes makes the distributed environment much less convenient and effective for administrators and other users. Accordingly, novel systems, devices, and methods for secure key and password updates are disclosed and claimed herein.
BRIEF SUMMARY OF THE INVENTION
The present invention provides methods, systems, and devices for maintaining a soft-token store. In particular, the invention provides tools for securely updating private keys, passwords, and other confidential information in a distributed environment. One method of the invention updates a password which protects a key stored in the distributed environment. According to this method, a user's current password and new password are first obtained. Next a transaction is created including at least a current-password-encrypted-key (formed by encrypting the user's key using the current password) and a new-password-encrypted-key (formed by encrypting the user's key using the new password). The transaction is sent to an update location in the distributed environment which does not yet recognize the new password. The update location may not recognize any password for the user as yet, or it might only recognize a previously supplied different password. Regardless, the current-password-encrypted-key in the transaction is compared with a current-password-encrypted-key previously stored at the update location to determine whether they are equivalent. If they are, then the new-password-encrypted-key is entered at the update location so that the new password will be recognized there. This is accomplished without ever sending the plain text form of the key or the password across the “wire” between the distributed locations.
REFERENCES:
patent: 4203166 (1980-05-01), Ehrsam et al.
patent: 4238853 (1980-12-01), Ehrsam et al.
patent: 4281216 (1981-07-01), Hogg et al.
patent: 4315101 (1982-02-01), Atalla
patent: 4386233 (1983-05-01), Smid et al.
patent: 4578531 (1986-03-01), Everhart et al.
patent: 4688250 (1987-08-01), Corrington et al.
patent: 4731840 (1988-03-01), Mniszewski
patent: 4771459 (1988-09-01), Jansen
patent: 4868877 (1989-09-01), Fischer
patent: 4876716 (1989-10-01), Okamoto
patent: 4910773 (1990-03-01), Hazard et al.
patent: 4912762 (1990-03-01), Lee et al.
patent: 5081678 (1992-01-01), Kaufman et al.
patent: 5146497 (1992-09-01), Bright
patent: 5146498 (1992-09-01), Smith
patent: 5150408 (1992-09-01), Bright
patent: 5164986 (1992-11-01), Bright
patent: 5185795 (1993-02-01), Bright
patent: 5208859 (1993-05-01), Bartucci et al.
patent: 5299263 (1994-03-01), Beller et al.
patent: 5325432 (1994-06-01), Gardeck et al.
patent: 5341426 (1994-08-01), Barney et al.
patent: 5349642 (1994-09-01), Kingdon
patent: 5381479 (1995-01-01), Gardeck et al.
patent: 5404404 (1995-04-01), Novorita
patent: 5418854 (1995-05-01), Kaufman et al.
patent: 5428738 (1995-06-01), Carter et al.
patent: 5471532 (1995-11-01), Gardeck et al.
patent: 5481612 (1996-01-01), Campana et al.
patent: 5491750 (1996-02-01), Bellare et al.
patent: 5553139 (1996-09-01), Ross et al.
patent: 5553143 (1996-09-01), Ross et al.
patent: 5572528 (1996-11-01), Shuen
patent: 5633931 (1997-05-01), Wright
patent: 5651066 (1997-07-01), Moriyasu et al.
patent: 5671414 (1997-09-01), Nicolet
patent: 5687235 (1997-11-01), Perlman et al.
patent: 5692129 (1997-11-01), Sonderegger et al.
patent: 5719786 (1998-02-01), Nelson et al.
patent: 5734718 (1998-03-01), Prafullchandra
patent: 5818936 (1998-10-01), Mashayekhi
patent: 6061799 (2000-05-01), Eldridge et al.
patent: 6085320 (2000-07-01), Kaliski, Jr.
patent: 6311194 (2001-10-01), Sheth et al.
Schneier, Applied Cryptography, 1995, pp. 183-184.*
Menezes et al, Handbook of Applied Cryptography, Oct. 17, 1996, pp. 388-393, 425-428, 430, 434, 452, 546-550, 553-556 and 559-561.*
Garfinkel, PGP: Pretty Good Privacy, 3/95, pp. 153, 177, 178.*
Medvinsky et al., “Public Key Utilizing Tickets for Application Servers (PKTAPP),” Jan. 1997.
Oorschot et al.,Handbook of Applied Cryptography,chapters 12, 13.
Sirbu et al., “Distributed Authentication in Kerberos Using Public Key Cryptography,” Mar. 1995.
Public Key Distribution, Oct. 7, 1994.
Schneier,Applied Cryptography,1994, pp. 139-153.
Neumann, “Crypto Key Management,” Aug. 1997.
Denning et al., “A Taxonomy for Key Escrow Encryption Systems,” Mar. 1996.
Bellare et al., “Provably Secure Key Distribution—The Three Party Case,” 1995.
Bird et al., “The KryptoKnight Family of Light-Weight Protocols for Authentication and Key Distribution,” Feb. 199
Marger Johnson & McCollom
Novell Inc.
Seal James
LandOfFree
Maintaining a soft-token private key store in a distributed... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Maintaining a soft-token private key store in a distributed..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Maintaining a soft-token private key store in a distributed... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3207611