GB2344977A - Password generation by hashing site and time data - Google Patents

Password generation by hashing site and time data

Info

Publication number
GB2344977A
Authority
GB
United Kingdom
Prior art keywords
password
site
key
encrypted
access
Prior art date
Legal status
Withdrawn
Application number
GB9827746A
Other versions
GB9827746D0 (en)
Inventor
Sean Boylan
Nigel Monks
John Healy
Current Assignee
3Com Technologies Ltd
Original Assignee
3Com Technologies Ltd
Priority date
Filing date
Publication date
Application filed by 3Com Technologies Ltd
Priority to GB9827746A
Publication of GB9827746D0
Publication of GB2344977A
Legal status: Withdrawn

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0846 Network architectures or network communication protocols for network security for authentication of entities using passwords using time-dependent passwords, e.g. periodically changing passwords
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN

Abstract

A password is generated by hashing site-specific identifier data, such as selected bytes of a MAC address, with site-specific temporal data, such as selected bytes of a run-time measured from the start of an operating session. The resulting key may be encrypted by means of a private key and an encryption algorithm to provide a password. The generation of the password may be performed both remotely from a network device and within it, to provide a mechanism for controlled access to the device.

Description

PASSWORD GENERATION AND RECOVERY SYSTEM

Introduction to the Invention
This invention relates to the generation and recovery of passwords which enable access to a network device which operates in a packet-switched data communication network.

Background to the Invention
The use of local area networks and wide area networks for management of a commercial or other enterprise is now well established. In principle, any user or terminal connected directly or indirectly to such a network has access to all the information available in the network, and accordingly it is necessary for the sake of security to permit access to certain parts or data files within the network only by means of passwords or by selective disabling using, for example, some operation or switching sequence. In the case of the former, where for example access to accounting information is password protected, it is not unknown for a user's password to be forgotten and for access to the password-protected information to be denied to the user. The inaccessibility is the more serious where, as is not unusual, a customer employs the same password for all accounts or, in general, for a large number of information files.
Alternatively, users may be allowed to disable access to the various different management interfaces, such as SNMP (Simple Network Management Protocol), Web, Telnet, CLI (Command Line Interface) or the like. It is quite easy to accidentally disable access to all interfaces and thus cause a device to be locked against any effective access.
If access to a device has been denied through unavailability of the known password, a device may be subject to a variety of procedures to recover a password. The procedures tend to vary from product to product. All such procedures require direct physical access to the device. In one example, an engineer may connect a VT100 terminal or an emulator thereof to the device's serial port. When a prompt is displayed, the engineer enters a secret password and the device begins to re-initialise the entire contents of its non-volatile store, including passwords, to 'default' factory settings. It is also known to reset passwords by operation of a reset function, the device being thereby caused to re-initialise all configuration information to factory defaults. Irrespective of the actual procedure by which access to the device is recovered, the device must be returned to the supplier or a support engineer must visit the customer's site in order to maintain the security of the recovery mechanism. This is the main disadvantage of previous recovery mechanisms.

Summary of the Invention
The invention relates to a new manner of generating and recovering passwords for network devices, in order to facilitate the provision of re-access to devices of which the password has been forgotten. The invention is based on the generation of a special password by means of an operation on a site-specific identifier and a run-time identifier as well as a private key. As will be seen, this manner of generating passwords will enable the remote assistance of a user who desires to gain re-access to a device to which access is denied, while preserving the security of the password mechanism.

Brief Description of the Drawings
Figure 1 illustrates schematically only the components and personnel participating in a password recovery mechanism according to the invention, and Figure 2 illustrates the generation of a password in a system according to the invention.

Detailed Description
Figure 1 illustrates a site 1 including a network device 3 which may form part of a packet-switched data communication network such as a local area network (LAN) or wide area network (WAN) physically disposed in or about the site 1. Remote from site 1, hereinafter called the user's site, is another site 2, which may be that of a supplier or in general an administrator, customer service centre or the like. Site 1 is occupied by a user A whereas site 2 is occupied by a support engineer or other authorised person or administrator B. It is assumed that device 3 is at least partly password protected and that user A requires access to device 3 notwithstanding the non-availability of the password. As will be seen, a special password is generated in a particular manner which can preserve security, but for convenience the process of recovery is described chronologically.
In the performance of the recovery process, user A communicates, for example by way of a telephone link 4, with site 2. Administrator B needs to authenticate the identity of user A in an appropriate way, for example by requesting certain privileged information such as a registration number. Administrator B requests user A to connect a VT100 terminal (or emulator) to a serial port on the device 3, either directly or by way of a modem. Administrator B requests user A to type a special user name at the CLI log-in prompt. A unique hexadecimal value will be displayed, followed by a password prompt.
The hexadecimal value is generated, as will be described with reference to Figure 2, in a manner which renders it unique to the device in combination with the particular log-in session.
Administrator B then asks user A for the hexadecimal value, the version of the software in use that is displayed and the type of the device 3.
In a second phase, administrator B employs a web browser 6 to access a special application that is hosted on a web site 7 on the Internet. Administrator B logs on to the application and enters the information furnished by the customer, that is to say the hexadecimal value, the version of the software and the type of device 3. The application uses this information to generate a special password by encrypting the hexadecimal value with a private key, employing a standard encryption algorithm. The version of software and type of device are used to identify the private key and the encryption algorithm that should be used. Administrator B then provides user A with the special password.
In a third stage, user A enters the special password provided by administrator B. The entered value is compared against a value generated internally within the device. If the entered value matches the internally generated value, the user is allowed access. The internally generated value is generated by encrypting the hexadecimal value using the same private key and encryption algorithm as were used by the web site. The private key and the encryption algorithm may be stored within the device as part of the executable code.
In this manner the user can be allowed access to protected functionality; this may be the reset of management account passwords to default values, or the initialisation of the entire contents of non-volatile store (including passwords) to factory defaults, so that users may log into the device immediately and may change the user's password or passwords to a new value or to new values as desired.
Figure 2 illustrates the manner of generating the special password. A device-specific unique identifier, shown as site-specific data 20, which may be for example a media access control address of the device or its serial number, is combined by way of an appropriate operation or algorithm with device-specific temporal identifier data 21, which may be for example directly related to or constituted by the system's up-time from the start of a particular log-in session.
The result is to produce a unique identifier that is only recognised for the duration of that log-in session. In particular, a temporal key (the hexadecimal value) may be generated by taking temporal identifier data and device-specific identifier data and 'hashing' them (stage 22), for example by means of an exclusive-or operation. In particular, an n-digit hexadecimal temporal key may be generated from n/4 bytes of temporal identifier data (the numerical value of the system's up-time since the log-on to the CLI interface) and n/4 bytes of the device-specific identifier data (the MAC address). Thus, for example, if M4 to M1 are four selected bytes from the device-specific identifier and T4 to T1 are four selected bytes from the temporal identifier, the following operations may be performed:
(a) an exclusive-or operation: [M4, M3, M2, M1] XOR [T4, T3, T2, T1] = [X4, X3, X2, X1]
(b) an ordering: [X4, X3, X2, X1], [T4, T3, T2, T1] -> [X3, T2, T4, X2, T1, X4, X1, T3]
so that the bytes from one of the input identifiers are ordered with the bytes resulting from the exclusive-or operation to provide a sixteen-digit hexadecimal value (the temporal key).
The hexadecimal value may then be encrypted (stage 23) using a standard encryption algorithm to provide an encrypted value which is transformed (stage 24) to a printable ASCII password.
The number of characters in the password may be given by the following formula (an n-digit hexadecimal key has 4n bits):
MOD[(4n)/7] = the number of ASCII characters in the password
Seven bits are needed to encode each ASCII character in the password. The following rules may be applied to each seven-bit chunk which makes up the password. If the seven bits have a value between thirty-three and one hundred and twenty-six, the value may be accepted; if the seven bits have a value less than thirty-three, a transformation should be applied, namely (7 bits * 2 + 33 = y, where y is the new value). Finally, if the seven bits have a value of one hundred and twenty-seven, it may be mapped to the ASCII value of one hundred.
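The three stages of Figure 2 (XOR-and-order to form the temporal key, keyed transformation, and the seven-bit printable-ASCII mapping) together with the device-side comparison, worked through end to end as an added example. This is not code from the patent or from 3Com; it assumes the last four bytes of the MAC address are the "four selected bytes", uses a constructed MAC address, up-time counter and placeholder private key, and, because the page names no particular "standard encryption algorithm", substitutes HMAC-SHA256 truncated to 64 bits as the keyed step (the device only ever compares its own result with the entered password, so any deterministic keyed function fills that role; the truncation keeps the page's 16-hex-digit, nine-character arithmetic).

```python
import hashlib
import hmac

# Constructed sample inputs (not taken from the patent): a 48-bit MAC address
# and a session up-time counter. The last four MAC bytes play the role of the
# page's M4..M1, the four up-time bytes the role of T4..T1 (assumption).
SAMPLE_MAC = bytes.fromhex("00A0241B5C7E")
SAMPLE_UPTIME_TICKS = 0x00012F8C

# Hypothetical per-software-version private key. The patent stores this key
# both in the device's executable code and on the vendor's web application;
# the value here is a placeholder, not a real key.
PRIVATE_KEY = b"placeholder-private-key-for-software-version-1"


def temporal_key(mac: bytes, uptime_ticks: int) -> str:
    """Stage 22 of Figure 2: XOR four selected MAC bytes with four up-time
    bytes, then order the results with the up-time bytes as the page shows,
    [X3, T2, T4, X2, T1, X4, X1, T3]. Returns the 16-digit hexadecimal value
    the device displays at the CLI."""
    m4, m3, m2, m1 = mac[-4:]
    t4, t3, t2, t1 = uptime_ticks.to_bytes(4, "big")
    x4, x3, x2, x1 = m4 ^ t4, m3 ^ t3, m2 ^ t2, m1 ^ t1
    ordered = bytes([x3, t2, t4, x2, t1, x4, x1, t3])
    return ordered.hex().upper()


def encrypt_key(hex_value: str, private_key: bytes) -> bytes:
    """Stage 23: the page only says 'a standard encryption algorithm' keyed by a
    private key, without naming one. As an assumption this stand-in uses
    HMAC-SHA256 from the standard library and keeps 64 bits of output, so the
    result has the same length as the 16-hex-digit (64-bit) key the page works
    through."""
    return hmac.new(private_key, hex_value.encode("ascii"), hashlib.sha256).digest()[:8]


def to_printable(encrypted: bytes) -> str:
    """Stage 24: cut the encrypted value into floor(4n/7) seven-bit chunks and
    map each chunk to printable ASCII with the page's three rules."""
    total_bits = len(encrypted) * 8
    value = int.from_bytes(encrypted, "big")
    n_chars = total_bits // 7          # the page's MOD[(4n)/7] for n hex digits
    out = []
    for i in range(n_chars):
        shift = total_bits - 7 * (i + 1)
        chunk = (value >> shift) & 0x7F
        if chunk == 127:               # rule 3: 127 maps to ASCII 100 ('d')
            chunk = 100
        elif chunk < 33:               # rule 2: y = 7 bits * 2 + 33 (33..97)
            chunk = chunk * 2 + 33
        # rule 1: 33..126 is accepted unchanged
        out.append(chr(chunk))
    return "".join(out)


def support_site_password(hex_value: str, private_key: bytes = PRIVATE_KEY) -> str:
    """What the vendor's web application computes from the value the user reads
    out over the phone (software version and device type select the key)."""
    return to_printable(encrypt_key(hex_value, private_key))


def device_check(mac: bytes, uptime_ticks: int, entered: str) -> bool:
    """What the device does at the password prompt: recompute the password from
    its own MAC and the session up-time and compare in constant time."""
    expected = support_site_password(temporal_key(mac, uptime_ticks), PRIVATE_KEY)
    return hmac.compare_digest(expected.encode("ascii"), entered.encode("ascii"))


if __name__ == "__main__":
    shown = temporal_key(SAMPLE_MAC, SAMPLE_UPTIME_TICKS)
    pw = support_site_password(shown)
    print("hex value shown at CLI :", shown)
    print("special password       :", pw, f"({len(pw)} chars)")
    print("accepted this session  :", device_check(SAMPLE_MAC, SAMPLE_UPTIME_TICKS, pw))
    print("accepted next session  :", device_check(SAMPLE_MAC, SAMPLE_UPTIME_TICKS + 1, pw))
```

Two properties of the scheme show up directly in the code. The password is bound to the up-time value captured at log-in, so the same password is rejected once the session counter has moved on, which is what limits the window in which a password read out over the phone is useful. Conversely, every device running a given software version shares the private key, held both in the device's executable code and in the vendor's web application, so the strength of the whole mechanism rests on keeping that key material (firmware images and the hosted application) confidential; the cryptographic steps add nothing once the key is known.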

Claims (1)

  1. A method of automatically generating a password for a network device: (i) providing device-specific identifier data; (ii) providing device-specific temporal data; (iii) hashing selected parts of said site-specific identifier data and said site-specific temporal data to provide a key; and (iv) encrypting said key.
  2. A method according to claim 1 and further comprising generating an ASCII representation of a password from the encrypted key.
  3. A method according to claims 1 and 2 wherein said device-specific identifier data comprises a media access control address.
  4. A method according to any foregoing claim wherein said device-specific temporal data is constituted by or directly related to a time elapsed from the beginning of a log-in session on the device.
  5. A method according to any foregoing claim wherein the said key is or represents a hexadecimal value.
  6. A method according to any foregoing claim, wherein the said key is encrypted using a private key and an encryption algorithm remotely from said device to provide an externally generated password, and said key is encrypted within the device using said private key and said encryption algorithm to provide an internally generated password, the externally generated password and the internally generated password being compared for identity within the device.

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB9827746A GB2344977A (en) 1998-12-17 1998-12-17 Password generation by hashing site and time data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB9827746A GB2344977A (en) 1998-12-17 1998-12-17 Password generation by hashing site and time data

Publications (2)

Publication Number Publication Date
GB9827746D0 GB9827746D0 (en) 1999-02-10
GB2344977A true GB2344977A (en) 2000-06-21

Family

ID=10844368

Family Applications (1)

Application Number Title Priority Date Filing Date
GB9827746A Withdrawn GB2344977A (en) 1998-12-17 1998-12-17 Password generation by hashing site and time data

Country Status (1)

Country Link
GB (1) GB2344977A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4720860A (en) * 1984-11-30 1988-01-19 Security Dynamics Technologies, Inc. Method and apparatus for positively identifying an individual
US5737421A (en) * 1996-03-22 1998-04-07 Activcard System for controlling access to a function having clock synchronization
US5802176A (en) * 1996-03-22 1998-09-01 Activcard System for controlling access to a function, using a plurality of dynamic encryption variables

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research Disclosure, Jan 1999, UK, Vol 42, No 417 *

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2359969B (en) * 1999-11-08 2004-03-31 Ibm Automated authentication of communicating devices
US6826690B1 (en) 1999-11-08 2004-11-30 International Business Machines Corporation Using device certificates for automated authentication of communicating devices
GB2359969A (en) * 1999-11-08 2001-09-05 Ibm Automated authentication of communication devices with certificates bound to the device identifier
WO2003038569A2 (en) * 2001-10-30 2003-05-08 F-Secure Oyj Method and apparatus for selecting a password generated based on discrete password elements
WO2003038569A3 (en) * 2001-10-30 2003-09-18 F Secure Oyj Method and apparatus for selecting a password generated based on discrete password elements
CN1314237C (en) * 2003-06-08 2007-05-02 华为技术有限公司 Dynamic supercode generating method and exchange board safety managing method
WO2005114945A1 (en) * 2004-05-18 2005-12-01 Siemens Aktiengesellschaft Method for authenticating a communications unit while using a lasting programmed secret code word
US10284367B1 (en) 2012-09-26 2019-05-07 Pure Storage, Inc. Encrypting data in a storage system using a plurality of encryption keys
US11924183B2 (en) 2012-09-26 2024-03-05 Pure Storage, Inc. Encrypting data in a non-volatile memory express (‘NVMe’) storage device
US11032259B1 (en) 2012-09-26 2021-06-08 Pure Storage, Inc. Data protection in a storage system
US9548972B2 (en) 2012-09-26 2017-01-17 Pure Storage, Inc. Multi-drive cooperation to generate an encryption key
US10623386B1 (en) 2012-09-26 2020-04-14 Pure Storage, Inc. Secret sharing data protection in a storage system
US10887086B1 (en) 2013-11-06 2021-01-05 Pure Storage, Inc. Protecting data in a storage system
US10263770B2 (en) 2013-11-06 2019-04-16 Pure Storage, Inc. Data protection in a storage system using external secrets
US11128448B1 (en) 2013-11-06 2021-09-21 Pure Storage, Inc. Quorum-aware secret sharing
US11706024B2 (en) 2013-11-06 2023-07-18 Pure Storage, Inc. Secret distribution among storage devices
US9516016B2 (en) 2013-11-11 2016-12-06 Pure Storage, Inc. Storage array password management
WO2015069921A1 (en) * 2013-11-11 2015-05-14 Pure Storage, Inc. Storage array password management
WO2018073355A1 (en) * 2016-10-21 2018-04-26 Otto Ersek Method for the reproducible generation of a password
EP3312754A1 (en) * 2016-10-21 2018-04-25 Otto Ersek Method for password generation

Also Published As

Publication number Publication date
GB9827746D0 (en) 1999-02-10

Similar Documents

Publication Publication Date Title
US6292790B1 (en) Apparatus for importing and exporting partially encrypted configuration data
Mitchell et al. Comments on the S/KEY user authentication scheme
US5944824A (en) System and method for single sign-on to a plurality of network elements
US8966276B2 (en) System and method providing disconnected authentication
US5548721A (en) Method of conducting secure operations on an uncontrolled network
US5841871A (en) Method for authenticating a user working in a distributed environment in the client/server mode
Neuman et al. Kerberos: An authentication service for computer networks
US5349643A (en) System and method for secure initial program load for diskless workstations
US8762726B2 (en) System and method for secure access
CN105103488B (en) By the policy Enforcement of associated data
Garman Kerberos: The Definitive Guide: The Definitive Guide
US5719941A (en) Method for changing passwords on a remote computer
Künnemann et al. YubiSecure? Formal security analysis results for the Yubikey and YubiHSM
CN101102194B (en) A method for OTP device and identity authentication with this device
EP0781427B1 (en) Secure computer network
GB2344977A (en) Password generation by hashing site and time data
WO1996008756A9 (en) Secure computer network
CN110740116B (en) System and method for multi-application identity authentication
US7412603B2 (en) Methods and systems for enabling secure storage of sensitive data
KR100286904B1 (en) System and method for security management on distributed PC
CN109218026A (en) The method and system of licensing scheme is executed between service terminal system and Help Desk system
JP2003530739A (en) Network system
Snow et al. Simple authentication
Cisco Terminal Access Security Commands
Cisco Controlling Access to the Switch Using Authentication, Authorization, and Accounting

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)