Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1999-11-30
2001-01-30
Beausoliel, Jr., Robert W. (Department: 2131)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C713S170000
Reexamination Certificate
active
06182229
ABSTRACT:
BACKGROUND OF THE INVENTION
The present application relates to user authentication and more particularly to authenticating a user operating a client system to a plurality of remote servers, each of which requiring a password for authentication.
Many remotely accessible computer systems require user authentication. The user, presumably operating a client system, must be registered with the remote system and must type in his or her user ID and a password for that remote system every time it is accessed.
One problem presented by the need for user authentication is that if the user accesses multiple remote systems, the user must remember numerous passwords and user IDs. Typical users confronted with this problem will often try to use the same password for each remote system or write down a list of passwords.
Both of these makeshift solutions compromise security. If the same password is used for each remote system, a system administrator of one remote system will be able to obtain passwords usable to access other remote systems. A written list of passwords is an obvious breach of security in that anyone with access to the list will be able to access any of the remote systems.
The problem of authenticating a user to a plurality of remote systems has become particularly apparent in light of the proliferation of limited access sites on the World Wide Web (WWW). Before accessing a site, the user is presented with an authentication form generated by his or her WWW browser requesting a user ID and password. The user must register separately with each such site and maintain multiple passwords. Furthermore, when navigating through the WWW, he or she is frequently interrupted by authentication messages requesting a user ID and password.
One known partial solution is to remember the last user ID and password typed into a WWW browser's authentication form and provide these values as a default the next time the form is brought up. This facilitates navigation of the WWW for users who employ the same user ID and password for multiple sites since logging into subsequent sites after the first one can be done by simply accepting the default. Thus, the problem of interruption by authentication messages is partially ameliorated in that it is easy to respond to the messages. However, the security problem presented by using a common password for multiple sites remains.
What is needed is a convenient yet adequately secure system whereby a user may access multiple remote servers that require passwords.
SUMMARY OF THE INVENTION
By virtue of the present invention, a user operating a client system may access a plurality of remote servers requiring passwords for access by employing a master password. The master password is used to decrypt a stored password for a particular remote server to which the client desires access. In one embodiment, the client system maintains a database of encrypted passwords and user IDs for remote servers to which the user is registered. Since only the master password need be remembered, the passwords particular to specific remote sites may be made more random and thus more secure. Implementation of this password management system does not require modification of any remote servers.
In one embodiment, the remote servers are controlled access WWW sites. The client system, coupled to the remote servers via the Internet, includes a WWW browser. The WWW browser is extended in accordance with the invention to incorporate special capabilities for assisting the user with accessing WWW sites which require authentication. No modification to the remote servers is required in this embodiment.
A WWW browser modified in accordance with the invention may maintain a password database that includes entries holding the URL, encrypted user ID, and encrypted password for a plurality of remote sites. When a new browsing session begins, the WWW browser may prompt the user for the master password upon the start of a new browsing session and store it. Then, when an authentication request message is received from a remote site that the user is seeking to access, the browser scans the password database for the URL of that remote site. If an entry is found, the browser decrypts the password and user ID and forwards them to that remote site. This can all occur without presenting the usual authentication form to the user. For enhanced security, instead of storing the master password, the browser may prompt the user for it every time it is needed.
If the browser cannot find an entry for the URL of a remote site, control may be returned to the user for the purpose of registration. To update the database, the browser presents a screen for the user to enter the same password and user ID that he or she registers to the remote site. The browser may suggest a password, providing a higher level of security in that passwords generated by the user are often easily guessed. The password and user ID input by the user are then encrypted using the master password and stored in the database along with the URL of the remote site.
A further understanding of the nature and advantages of the inventions herein may be realized by reference to the remaining portions of the specification and the attached drawings.
REFERENCES:
patent: 5448045 (1995-09-01), Clark
patent: 5481720 (1996-01-01), Loucks
patent: 5560008 (1996-09-01), Johnson
patent: 5611048 (1997-03-01), Jacobs
patent: 5623637 (1997-04-01), Jones
patent: 5642515 (1997-06-01), Jones
patent: 5655077 (1997-08-01), Jones
patent: 5892902 (1999-04-01), Clark
patent: 6006333 (1999-12-01), Nielsen
Beausoliel, Jr. Robert W.
Elisca Pierre E
Sun Microsystems Inc.
Townsend and Townsend / and Crew LLP
LandOfFree
Password helper using a client-side master password which... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Password helper using a client-side master password which..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Password helper using a client-side master password which... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2435280