Electrical computers and digital processing systems: support – System access control based on user identification by...
Reexamination Certificate
1999-06-29
2003-12-09
Peeso, Thomas R. (Department: 2132)
C713S183000, C713S187000
active
06662300
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates to a method and apparatus operable within a client computer in a network for providing a secure password to a remote computer.
BACKGROUND OF THE INVENTION
More and more internet sites and applications are controlling access by asking for userids and passwords. As time goes by, users expect to acquire more userids, not less. At the same time, it is a well known problem that users accessing Internet sites may be prone to eavesdropping by third parties. Users are therefore encouraged to choose different passwords for different web sites or applications so that detection of a user's password on one site would not enable an eavesdropper to successfully use the same username and password on other sites or applications to which the eavesdropper believes the user has access.
Solutions to the problem of eavesdropping have been to implement one time password schemes. An example of such a scheme is Skey from Bellcore.
http://www.nic.surfnet.nl/surfnet/projects/surf-ace/mm-lab/security/skey.html
Such schemes rely on both the client and server having a copy of the user's password. Each time the client connects to the server, the server issues a different challenge. The password is combined with the challenge on both the client and server, normally using some kind of hashing algorithm, e.g. MD5. The client provides its result to the server and should the results match, the client is given access to the server. A different challenge is issued each time the client accesses the server, so that even if one password is detected by a third party, it is of no use in the future. It will be seen, however, that should the original password be seen when it is provided to the server, the client's security is compromised not only on one site but on any other site for which the user may use the same password.
The problem is therefore how to generate a different password for each site in such a way that the user can remember them all.
DISCLOSURE OF THE INVENTION
Accordingly, the present invention provides a method for providing across said network a secure password to one or more remote computers, said method comprising the steps of: obtaining a string associated with an application on one of the or each remote computer; obtaining a password from a user of said client computer; combining said string and said password irreversibly to generate a secure password for said application; and providing only said secure password to said one remote computer.
It should be seen that the term “client” is used to define any computer in communication with another computer. The invention is therefore applicable to, inter alia, a computer communicating in a peer-to-peer fashion with another computer, any type of computing device, e.g. a PDA, or an intermediate computer linking two other computers.
The term string is also used to define an input to a means for combining application associated information with the password. The string could, for example, contain a number as in the case of a TCP/IP address or any other form of suitable data.
The present invention provides a method and apparatus whereby a user has to remember only one password, but the password that is given to each individual Internet site, company or application is different, and no one site can work out the password given to other sites. This is both easy to use and secure for users.
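As an added illustration (not part of the patent text), the combining step described above can be sketched in Python: the user's single password and a string associated with the application are passed through a one-way function, and only the result is provided to the remote computer. The function names, the choice of PBKDF2-HMAC-SHA256 with the application string as salt, the iteration count and the sample host names and address are assumptions of this example.

```python
import base64
import hashlib

ITERATIONS = 100_000  # assumed work factor for this example, not from the patent


def normalize_site(site: str) -> str:
    """Canonicalise the application string so equivalent spellings agree."""
    return site.strip().lower().rstrip(".")


def site_password(master: str, site: str, length: int = 20) -> str:
    """Irreversibly combine the user's password with the application string.

    The application string (host name, TCP/IP address, ...) acts as the salt,
    so every application receives a different, unlinkable value.
    """
    if not master:
        raise ValueError("master password must not be empty")
    if not 1 <= length <= 43:
        raise ValueError("length must be between 1 and 43")
    salt = normalize_site(site).encode("utf-8")
    if not salt:
        raise ValueError("application string must not be empty")
    raw = hashlib.pbkdf2_hmac(
        "sha256", master.encode("utf-8"), salt, ITERATIONS, dklen=32
    )
    # 32 bytes encode to 43 printable characters once the padding is dropped.
    text = base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")
    return text[:length]


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample password
    # Constructed sample application strings, including a TCP/IP address.
    for site in ("shop.example.com", "bank.example.org", "192.0.2.10"):
        print(f"{site:20s} {site_password(master, site)}")
```

A deliberately slow derivation is used because a site that receives the derived value could otherwise test guesses of the user's original password offline.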
Peeso Thomas R.
Ray-Yarletts Jeanine S.