Cryptography – Video cryptography – Video electric signal masking
Reexamination Certificate
1998-09-02
2001-05-29
Peeso, Thomas R. (Department: 2132)
Cryptography
Video cryptography
Video electric signal masking
C380S268000, C380S274000, C380S044000, C380S044000, C380S044000
Reexamination Certificate
active
06240184
ABSTRACT:
TECHNICAL FIELD
This invention relates to computer data security and, more particularly, to synchronizing passwords stored in systems that communicate via an unsecure channel.
BACKGROUND INFORMATION
In the context of computer data security, user authentication is the process of a computer system reliably verifying the identity of a user. Password-based user authentication refers to a secret quantity (the “password”) that the user communicates to the system to prove that she knows it. Computer systems sometimes store passwords in a data store that is not secure, and so there is a risk that the passwords might be read by an attacker. The password can be stored in a manner that allows a secret password to be verified easily, but does not leave the secret password exposed. For example, the hash of a password, rather than the password itself, can be stored in the system. When a user submits a “claimed” password, a submission that requires verification to determine if it is, in fact, the actual password, the claimed password is hashed, meaning that a one-way, not easily reversible, function is performed using the password as an input such that the result of the function is relatively unique to the password, and does not provide enough information to recover the password. The hash of the claimed password is compared to the stored hash of the actual password. If the hash of the claimed password is identical to the hash of the actual password, then the user is authenticated. An attacker who gains access to the hash of the password cannot readily discern the password from the hash of the password due to the one-way property of the hash function.
When a system is designed such that the same user would benefit from authentication on multiple systems, it becomes necessary for the user to maintain passwords on each system. It can be unwieldy for a user to remember different passwords for multiple systems, and a user generally prefers to have the same password on all systems. When a user changes her password on one system, the user generally prefers to have the password automatically changed, also referred to as synchronized, on other systems. This can be accomplished by propagating a password from a first system, system A, to a second system, system B.
Depending on the systems, and the links between them, the communications channel between systems A and B may not be secure. In addition, it may be necessary to verify that the password propagated from system A to system B actually comes from system A, and not from an attacker.
SUMMARY OF THE INVENTION
Thus, a system and method to synchronize passwords that does not require use of public key cryptography and its associated overhead is therefore useful and desired. The present invention provides such a system.
In general, in one aspect, the invention features a data structure facilitating use of a password. The data structure is stored in a memory element. The data structure has a first portion storing a value encrypted with an encryption key based on the password. The data structure also has a second portion storing a digest created in response to an input comprising the value.
In general, in another aspect, the invention features a method for creating a password file. The method includes the step of encrypting a value using an encryption key based on an updated password. A digest is created in response to the encrypted value; and the value and the digest are stored in a memory. The digest is the result of treating a message as a string of bits, and applying a one-way transformation to produce a fixed-length value. In one embodiment, the one-way transformation is a hash function.
In general, in another aspect, the invention features a method for changing a password. The method includes accepting a first password and decrypting information in a file that was encrypted with the first password. The decrypted information is verified. The method further includes accepting a second password, and encrypting information in the file with the second password.
In general, in another aspect, the invention features a system for changing a password. The system includes a first receiver for receiving a first password. The system includes a decrypting module for decrypting information in a file that was encrypted with the first password. The system includes a verification module for verifying the decrypted information, and a second receiver for receiving a second password. The system includes an encrypting module for encrypting information in the file with the second password.
In general, in another aspect, the invention features a system for updating data in a password verification memory. The system includes a password update file, a receiver for receiving a password, and a decryption module for decrypting information in the password update file. The system further includes a verification module for verifying the received password by comparing the decrypted information to the data in the password verification memory, and an output for replacing at least some of the data in the password verification memory in response to the received password.
In general, in another aspect, the invention features a method for updating a password. The method includes receiving password data, decrypting a value using a decryption key based on the password data, and producing a first function result in response to the decrypted value. The method further includes comparing the first function result with a value in a memory to verify the password data, producing a second function result in response to the password data, and storing the second function result in the memory.
In general, in another aspect, the invention features a password update system that includes a receiver for receiving a password, a decryption module for decrypting a value using a decryption key based on the password, and a first hashing module for hashing the decrypted value. The system further includes a verifier for comparing the hash of the decrypted value with a value in a memory to verify the password and a second hashing module for hashing the password and storing the result in the memory.
In general, in another aspect, the invention features a method for updating data in a password verification memory location. The method includes receiving a password, decrypting information in a password update file using the received password, and verifying the received password by comparing the decrypted information to the data in the password verification memory location. The method further includes replacing at least some of the data in the password verification memory location in response to the received password.
In general, in another aspect, the invention features a system for updating data. The system includes a password verification memory location, a password update file, and a receiver for receiving a password. The system further includes a decryption module for decrypting information in the password update file using the received password, a verifier for verifying the received password by comparing the decrypted information to the data in the password verification memory location; and an output for replacing at least some of the data in the password verification memory location in response to the received password.
The foregoing and other objects, aspects, features, and advantages of the invention will become more apparent from the following description and from the claims.
REFERENCES:
patent: 4817146 (1989-03-01), Szczutkowski et al.
patent: 5719941 (1998-02-01), Swift et al.
patent: 5734718 (1998-03-01), Prafullchandra
patent: 5832211 (1998-11-01), Blakley, III et al.
patent: 5838903 (1998-11-01), Blakely, III et al.
patent: 0 752 636 A2 (1997-01-01), None
patent: 0 773489 A1 (1997-05-01), None
patent: 09330298 (1997-12-01), None
Gish, J. ““Salting” the Password, ”Infosystems, vol. 32, No. 4, Apr. 1985, abstract only, 1 pg.
Wu, et al. “Authenticating Passwords Over an Insecure Channel,”Computer&Security, vol. 15, No. 5, 1996, pp. 431-439.
Patent Cooperation Treaty, International Search Report, Intern
Huynh Dung
Juels Ari
Kaliski, Jr. Burton
Robshaw Matthew
Jack Todd
Peeso Thomas R.
RSA Security Inc.
Testa Hurwitz & Thibeault LLP
LandOfFree
Password synchronization does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Password synchronization, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Password synchronization will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2474708