Secure computer network

Cryptography – Key management – Having particular key generator


Details

380/49, 380/21, H04L 9/00, H04L 9/02

Patent

active

06018583

DESCRIPTION:

BRIEF SUMMARY
BACKGROUND OF THE INVENTION

1. Field of the Invention
This invention relates to computer networks and more particularly to a computer network arranged to provide a high level of security.
It is common in computer networks for individual users to be required to enter their personal passwords in order to gain access to the system. However, present password-based security arrangements are prone to a number of abuses, which undermine the security of the system.


SUMMARY OF THE INVENTION

We have now devised a computer network which is arranged to provide a high level of security, and which is not open to degradation of that high level of security.
In accordance with the present invention, there is provided a computer network system which comprises a plurality of individual remote terminals and a central file server, each terminal being arranged to hold, in a memory thereof, an encrypted unique variable and unique first and second conjugates for each user authorised to use that terminal, the second conjugate being a password-encrypted form of the first conjugate.
This system is thus arranged so that in order to log on at a given terminal, the user must enter his password, and the terminal then uses this password as the key to encrypt the first conjugate which is stored at that terminal for that user, and compares that encrypted first conjugate with the stored second conjugate: if the two agree, the terminal is enabled for that person to use.
The system requires each person to register at each terminal which he is intended to use: he cannot use any terminal at which he is not registered.
The system enables each person, once registered, to change his password at will. In order to do this, the system requires the person to log on as described above, then (in response to the user entering the required commands) calls up the encrypted unique variable for that user and decrypts that encrypted unique variable using the user's current password (the stored encrypted unique variable being a password-encryption of the unique variable itself). The system then allows the user to select and enter his own new password, and the terminal then encrypts the user's unique variable with the new password and creates new first and second conjugates (the second conjugate being a password-encrypted form of the first conjugate, as previously). The terminal now stores, for that user, his new encrypted unique variable and new first and second conjugates, in place of the original ones.
Preferably the system is arranged to create the first conjugate (at initial registration and on change-of-password) on a random basis. Preferably the unique code is generated by the terminal, at initial registration, by a predetermined algorithm and as a function of (a) a master key or set of master keys, (b) a unique identifying number or code for the terminal, and (c) a unique identifying number or code for the particular user to be registered. Preferably the master key (or set of master keys) is entered at the terminal temporarily for each registration procedure, by a security manager. Preferably the master keys are held on a disc or other memory medium normally kept secure by the security manager.
The master key or keys are also held in memory in a secure manner at the central file server. The system is able to transmit data in encrypted form between the file server and terminal and vice versa, in the following manner.
Thus, the user logs on at his terminal, as described above. The system is arranged so that, for the purpose of encrypted transmission, it calls up the user's encrypted unique variable and decrypts this with the user's password. The terminal then randomly generates a session key, and encrypts the session key with the unique variable (preferably however, the terminal also randomly generates an open key and the session key is encrypted with the unique variable and the open key). The encrypted session key (or both encrypted session key and open key) are sent as headers from the terminal to the server, together with the user's iden
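The registration, log-on, change-of-password and session-key steps described above, as an added worked example (not code from the patent). The patent names no cipher or key-derivation function, so the SHA-256 password key, the HMAC-based unique-variable derivation and the XOR stream cipher `xcrypt` are all assumptions chosen to keep the example self-contained; the record layout and function names are likewise illustrative.

```python
import hashlib
import hmac
import secrets

# Assumptions (the patent names no cipher or key derivation): keys are 32 bytes,
# a password becomes a key via SHA-256, and "encrypt with X" is a stand-in XOR
# stream cipher keyed by X. Being an XOR, the same call also decrypts.

def password_key(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-8")).digest()

def xcrypt(key: bytes, data: bytes) -> bytes:
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def unique_variable(master_key: bytes, terminal_id: bytes, user_id: bytes) -> bytes:
    # Function of (a) master key, (b) terminal id and (c) user id, as the patent describes.
    return hmac.new(master_key, terminal_id + b"|" + user_id, hashlib.sha256).digest()

def make_record(uv: bytes, password: str) -> dict:
    # Terminal-side record: encrypted unique variable, random first conjugate,
    # and second conjugate = first conjugate encrypted under the password.
    pk = password_key(password)
    first = secrets.token_bytes(32)
    return {"enc_uv": xcrypt(pk, uv), "first": first, "second": xcrypt(pk, first)}

def register(master_key: bytes, terminal_id: bytes, user_id: bytes, password: str) -> dict:
    # Initial registration: the security manager supplies the master key temporarily.
    return make_record(unique_variable(master_key, terminal_id, user_id), password)

def login(record: dict, password: str) -> bool:
    # Encrypt the stored first conjugate with the entered password; compare to the second.
    return hmac.compare_digest(xcrypt(password_key(password), record["first"]), record["second"])

def change_password(record: dict, old_pw: str, new_pw: str) -> dict:
    if not login(record, old_pw):
        raise PermissionError("current password rejected")
    uv = xcrypt(password_key(old_pw), record["enc_uv"])   # recover the unique variable
    return make_record(uv, new_pw)                         # fresh conjugates, re-encrypted variable

def wrap_session_key(record: dict, password: str) -> tuple:
    # Terminal side: recover the unique variable, then send the session key encrypted under it.
    uv = xcrypt(password_key(password), record["enc_uv"])
    session_key = secrets.token_bytes(32)
    return session_key, xcrypt(uv, session_key)

def unwrap_session_key(master_key: bytes, terminal_id: bytes, user_id: bytes, header: bytes) -> bytes:
    # Server side: it holds the master key, so it re-derives the unique variable itself.
    return xcrypt(unique_variable(master_key, terminal_id, user_id), header)
```

Because the terminal stores both conjugates, anyone who reads that memory holds a known plaintext/ciphertext pair under the password key and can test password guesses offline, so the strength of the stored password and the cost of the key derivation decide how much that record is worth; a wrong terminal id on the server side yields a different unique variable and the session key fails to unwrap.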

