WO2017093917A1 - Method and system for generating a password - Google Patents

Method and system for generating a password Download PDF

Info

Publication number
WO2017093917A1
WO2017093917A1 PCT/IB2016/057233 IB2016057233W WO2017093917A1 WO 2017093917 A1 WO2017093917 A1 WO 2017093917A1 IB 2016057233 W IB2016057233 W IB 2016057233W WO 2017093917 A1 WO2017093917 A1 WO 2017093917A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
resource
folio
vault
password
Prior art date
Application number
PCT/IB2016/057233
Other languages
French (fr)
Inventor
Frédéric MAILHOT
Sébastien ROY
Original Assignee
Groupe Mw Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Groupe Mw Inc. filed Critical Groupe Mw Inc.
Publication of WO2017093917A1 publication Critical patent/WO2017093917A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107File encryption
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2117User registration
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords

Definitions

  • the present technology relates to password generation and more specifically to methods and systems for multi-platform user authentication with on-the-fly key generation.
  • U.S. Patent No. 7,171,679 B2 issued Jan. 30 2007 to Best et al. teaches a system, method and program providing an application program tool that generates a password for a user to access a resource.
  • the tool receives as input from a user a global user password and at least one hash key.
  • the tool applies a consistent algorithm to the name of the resource being accessed, such as a domain name for an Internet site, and the hash key, and the global user password to generate the password.
  • the same password is regenerated the next time the user accesses the same resource.
  • the tool automatically populates the resource with the password.
  • U.S. Patent Publication No. 2016/01101499 Al by Momchilov et al. teaches providing single sign on features in mobile applications in a secure environment using a shared vault.
  • An application may prompt a user to provide user entropy such as a passcode (e.g. a password and/or PIN).
  • the application may use the user entropy to decrypt a user-entropy-encrypted vault key.
  • the application may decrypt a vault database of the shared vault.
  • the shared vault may store shared secrets, such as server credentials, and an unlock key.
  • the application may store the unlock key, generate an unlock-key-encrypted vault key, and cause the shared vault to store the unlock-key-encrypted vault key, thereby "unlocking" the vault.
  • the application may then use the unlock key to decrypt the vault database without prompting the user to provide user entropy again.
  • Embodiments of the present technology have been developed based on inventors' appreciation that while different methods have been developed for ensuring security of passwords in insecure environments, these methods rely heavily on the user for providing information. Improvements are therefore desirable, in particular improvements aimed at generating a plurality of secure passwords for accessing resources without storing said passwords on the device of the user or intermediate servers, and without relying on the user to handle a large amount of secure information.
  • the present technology arises from an observation made by the inventor(s) that while methods have been developed using client-side and server-side authentication, where passwords are encrypted in a repository on the server, if third parties succeed in accessing the repository, all the protected passwords become available. Improvements are therefore desirable, in particular improvements aimed at generating secure passwords without storing said passwords on the user device or intermediate servers.
  • a method for generating a password required to access a resource by a user comprising authenticating, by a server connected to the electronic device, the user, causing a folio management system to retrieve, based on the authenticated user, a user folio associated with the user, the user folio being associated with an encrypted user vault, the encrypted user vault comprising at least one entropic sequence of characters and resource-specific data, the resource-specific data comprising at least one set of resource-specific parameters, the at least one set of resource-specific parameters being associated with the resource, decrypting, based on a first key provided by the user, the encrypted user vault, and generating the password required to access the resource based on a second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters.
  • the method further comprises transmitting the password to the resource.
  • the method further comprises encrypting the user vault based on the first key, and transmitting the encrypted user vault to the server.
  • the at least one set of resource-specific parameters is a first set of resource-specific parameters and the resource-specific data further comprises a second set of resource-specific parameters.
  • each set of resource-specific parameters further comprises a rule to generate the password, a resource identifier and a version number, and wherein the generating is further based on the rule to generate the password, the resource identifier and the version number.
  • the resource identifier of is one of: a Uniform Resource Locator (URL), an Internet Protocol Address (IP address), or any unique representation identifying the resource specific data.
  • URL Uniform Resource Locator
  • IP address Internet Protocol Address
  • the rule to generate the password comprises at least one of: a required number of alphabetical characters, a required number of numerical characters, a required number of special characters, a required number of upper-case letters and a required number of lower-case letters.
  • the generating the password is performed based on one of a PBKDF2 algorithm, a bcrypt algorithm, a crypt(3) algorithm, a scrypt algorithm, or an Argon2 algorithm.
  • the retrieving, based on the authenticated user the user folio associated with the user is executed by the server, and wherein the method further comprises receiving, by the server, the encrypted user vault associated with the user folio.
  • the at least one resource specific data is associated with a period of time
  • the method further comprises, responsive to the period of time being over a predetermined threshold: incrementing the version number; and wherein generating the password required to access the resource based on the second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters is further based on the incremented version number;
  • the retrieving, based on the authenticated user the user folio associated with the user is executed by the server, and the method further comprises receiving, by the server, the encrypted user vault associated with the user folio.
  • the decrypting based on the first key provided by the user the encrypted user vault, the generating the password required to access the resource based on the second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters, the transmitting the password to the resource, the encrypting the user vault based on the first key, and the transmitting the encrypted user vault to the server are executed on the electronic device.
  • the incrementing the version number and the generating the password required to access the resource based on the second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource- specific parameters further based on the incremented version number are executed by the electronic device.
  • the user folio further comprises a public user token
  • the user vault comprises a private user token
  • the folio management system may authenticate the user based on the public user token and the private user token.
  • the folio management system further comprises a private server token
  • the user folio comprises a public server token and wherein the user may authenticate the folio management system based on the private server token and the public server token.
  • a method of generating a password required to access a resource by a user based on a first key and a second key comprising: receiving a request to initialize a user folio in a folio management system, initializing the user folio associated with the user in the folio management system, generating an entropic sequence of characters, associating the entropic sequence of characters with a user vault, the user vault associated with the user folio, acquiring resource-specific data, the resource-specific data comprising at least one set of resource-specific parameters, the at least one set of resource-specific parameters being associated with the resource, associating the resource- specific data with the user vault, generating the password required to access the resource based on a second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters, and encrypting the user-vault based on the first key.
  • the method further comprises transmitting the password to the resource and transmitting the encrypted user-vault to the server.
  • the receiving and the initializing are executed by a server.
  • a system for generating a password required to access a resource by a user comprising: a processor, a non-transitory computer-readable medium comprising instructions, the processor, upon executing the instructions, being configured to cause: authenticating, by a server connected to the electronic device, the user, causing a folio management system to retrieve, based on the authenticated user, a user folio associated with the user, the user folio being associated with an encrypted user vault, the encrypted user vault comprising at least one entropic sequence of characters and resource-specific data, the resource-specific data comprising at least one set of resource-specific parameters, the at least one set of resource-specific parameters being associated with the resource, decrypting, based on a first key provided by the user, the encrypted user vault, and generating the password required to access the resource based on a second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-
  • the processor is further configured to cause transmitting the password to the resource.
  • the processor is further configured to cause: encrypting the user vault based on the first key, and transmitting the encrypted user vault to the server.
  • the at least one set of resource-specific parameters is a first set of resource-specific parameters and the resource-specific data further comprises a second set of resource-specific parameters.
  • each set of resource-specific parameters further comprises a rule to generate the password, a resource identifier and a version number, and wherein the generating is further based on the rule to generate the password, the resource identifier and the version number.
  • the resource identifier of is one of: a Uniform Resource Locator (URL), an Internet Protocol Address (IP address), or any unique representation identifying the resource specific data.
  • the rule to generate the password comprises at least one of: a required number of alphabetical characters, a required number of numerical characters, a required number of special characters, a required number of upper-case letters and a required number of lower-case letters.
  • the generating the password is performed based on one of a PBKDF2 algorithm, a bcrypt algorithm, a crypt(3) algorithm, a scrypt algorithm, or an Argon2 algorithm.
  • the retrieving, based on the authenticated user the user folio associated with the user is executed by the server, and wherein the system further comprises receiving, by the server, the encrypted user vault associated with the user folio.
  • the at least one resource specific data is associated with a period of time
  • the system further comprises, responsive to the period of time being over a predetermined threshold: incrementing the version number; and wherein generating the password required to access the resource based on the second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters is further based on the incremented version number.
  • the retrieving, based on the authenticated user the user folio associated with the user is executed by the server, and the processor is further configured to cause receiving, by the server, the encrypted user vault associated with the user folio.
  • the decrypting based on the first key provided by the user the encrypted user vault, the generating the password required to access the resource based on the second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters, the transmitting the password to the resource, the encrypting the user vault based on the first key, and the transmitting the encrypted user vault to the server are executed on the electronic device.
  • the incrementing the version number and the generating the password required to access the resource based on the second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource- specific parameters further based on the incremented version number are executed by the electronic device.
  • the user folio further comprises a public user token
  • the user vault comprises a private user token
  • the folio management system may authenticate the user based on the public user token and the private user token.
  • the folio management system further comprises a private server token
  • the user folio comprises a public server token and wherein the user may authenticate the folio management system based on the private server token and the public server token.
  • a system for generating a password required to access a resource by a user based on a first key and a second key comprising: a processor, a non-transitory computer-readable medium comprising instructions, the processor, upon executing the instructions, being configured to cause: receiving a request to initialize a user folio in a folio management system, initializing the user folio associated with the user in the folio management system, generating an entropic sequence of characters, associating the entropic sequence of characters with a user vault, the user vault associated with the user folio, acquiring resource-specific data, the resource-specific data comprising at least one set of resource-specific parameters, the at least one set of resource-specific parameters being associated with the resource, associating the resource-specific data with the user vault, generating the password required to access the resource based on a second key provided by the user, the at least one entropic sequence of characters and the
  • the receiving and the initializing are executed by a server.
  • a "server” is a computer program that is running on appropriate hardware and is capable of receiving requests (e.g. from client devices) over a network, and carrying out those requests, or causing those requests to be carried out.
  • the hardware may be implemented as one physical computer or one physical computer system, but neither is required to be the case with respect to the present technology.
  • the use of the expression a "server” is not intended to mean that every task (e.g. received instructions or requests) or any particular task will have been received, carried out, or caused to be carried out, by the same server (i.e.
  • “electronic device” is any computer hardware that is capable of running software appropriate to the relevant task at hand.
  • the term “electronic device” implies that a device can function as a server for other electronic devices and client devices, however it is not required to be the case with respect to the present technology.
  • some (non- limiting) examples of electronic devices include personal computers (desktops, laptops, netbooks, etc.), smartphones, and tablets, as well as network equipment such as routers, switches, and gateways. It should be understood, that in the present context the fact that the device functions as an electronic device does not mean that it cannot function as a server for other electronic devices. The use of the expression "an electronic device” does not preclude multiple client devices being used in receiving/sending, carrying out or causing to be carried out any task or request, or the consequences of any task or request, or steps of any method described herein.
  • client device is any computer hardware that is capable of running software appropriate to the relevant task at hand.
  • client device in general the term “client device” is associated with a user of the client device.
  • client devices include personal computers (desktops, laptops, netbooks, etc.), smartphones, and tablets, as well as network equipment such as routers, switches, and gateways
  • network equipment such as routers, switches, and gateways
  • the expression "information” includes information of any nature or kind whatsoever capable of being stored in a database.
  • information includes, but is not limited to audiovisual works (images, movies, sound records, presentations etc.), data (location data, numerical data, etc.), text (opinions, comments, questions, messages, etc.), documents, spreadsheets, etc.
  • software component is meant to include software (appropriate to a particular hardware context) that is both necessary and sufficient to achieve the specific function(s) being referenced.
  • computer information storage media (also referred to as “storage media”) is intended to include media of any nature and kind whatsoever, including without limitation RAM, ROM, disks (CD-ROMs, DVDs, floppy disks, hard drivers, etc.), USB keys, solid state-drives, tape drives, etc.
  • a plurality of components may be combined to form the computer information storage media, including two or more media components of a same type and/or two or more media components of different types.
  • a “database” is any structured collection of data, irrespective of its particular structure, the database management software, or the computer hardware on which the data is stored, implemented or otherwise rendered available for use.
  • a database may reside on the same hardware as the process that stores or makes use of the information stored in the database or it may reside on separate hardware, such as a dedicated server or plurality of servers.
  • first, second, third, etc. have been used as adjectives only for the purpose of allowing for distinction between the nouns that they modify from one another, and not for the purpose of describing any particular relationship between those nouns.
  • first database and “third server” is not intended to imply any particular order, type, chronology, hierarchy or ranking (for example) of/between the server, nor is their use (by itself) intended imply that any “second server” must necessarily exist in any given situation.
  • reference to a "first” element and a “second” element does not preclude the two elements from being the same actual real-world element.
  • a "first” server and a “second” server may be the same software and/or hardware components, in other cases they may be different software and/or hardware components.
  • Implementations of the present technology each have at least one of the above - mentioned object and/or aspects, but do not necessarily have all of them. It should be understood that some aspects of the present technology that have resulted from attempting to attain the above- mentioned object may not satisfy this object and/or may satisfy other objects not specifically recited herein.
  • FIG. 1 is an illustration of components and features of an electronic device in accordance with an embodiment of the present technology
  • FIG. 2 is an illustration of a communication networks in accordance with an embodiment of the present technology
  • FIG. 3 is an illustration of a simplified schematic overview of two high-level parts in accordance with an embodiment of the present technology
  • FIG. 4 is an illustration of a detailed view of a secure user-data management system in accordance with an embodiment of the present technology
  • FIG. 5 is an illustration of a detailed view of a password-generation system in accordance with non-limiting embodiments of the present technology
  • FIG. 6 is an illustration of a detailed view of the password generator of the password-generation system in accordance with non-limiting embodiments of the present technology
  • FIG. 7 is an illustration of a detailed view of the secure user-data management system and the password-generation system in accordance with non-limiting embodiments of the present technology
  • FIG. 8 is an illustration of a communication flow of a initialization of the user folio and password in accordance with non-limiting embodiments of the present technology
  • FIG. 9 is an illustration of a communication flow for generating a password in accordance with non-limiting embodiments of the present technology.
  • FIG. 10 is a flow-chart illustration of a method carried out by an electronic device and a server for initializing a user folio and a password in accordance with non-limiting embodiments of the present technology.
  • FIG. 11 is flow-chart illustration of a method carried out by an electronic device and a first server for retrieving information from a user folio and generating a password in accordance with non-limiting embodiments of the present technology.
  • any functional block labeled as a "processor” or a "graphics processing unit” may be provided through the use of dedicated hardware as well as hardware capable of executing software in association with appropriate software.
  • the functions may be provided by a single dedicated processor, by a single shared processor, or by a plurality of individual processors, some of which may be shared.
  • the processor may be a general purpose processor, such as a central processing unit (CPU) or a processor dedicated to a specific purpose, such as a graphics processing unit (GPU).
  • CPU central processing unit
  • GPU graphics processing unit
  • processor or “controller” should not be construed to refer exclusively to hardware capable of executing software, and may implicitly include, without limitation, digital signal processor (DSP) hardware, network processor, application specific integrated circuit (ASIC), field programmable gate array (FPGA), read-only memory (ROM) for storing software, random access memory (RAM), and non-volatile storage.
  • DSP digital signal processor
  • ASIC application specific integrated circuit
  • FPGA field programmable gate array
  • ROM read-only memory
  • RAM random access memory
  • non-volatile storage Other hardware, conventional and/or custom, may also be included.
  • an electronic device 100 suitable for use with some implementations of the present technology, the electronic device 100 comprising various hardware components including one or more single or multi-core processors collectively represented by processor 110, a graphics processing unit (GPU) 111, a solid- state drive 120, a random access memory 130, a display interface 140, and an input/output interface 150.
  • processor 110 a graphics processing unit (GPU) 111
  • solid- state drive 120 a solid- state drive 120
  • random access memory 130 random access memory
  • display interface 140 a display interface 140
  • input/output interface 150 input/output interface
  • Communication between the various components of the electronic device 100 may be enabled by one or more internal and/or external buses 160 (e.g. a PCI bus, universal serial bus, IEEE 1394 "Firewire” bus, SCSI bus, Serial-ATA bus, etc.), to which the various hardware components are electronically coupled.
  • the display interface 140 may be coupled to a monitor 142 (e.g. via an HDMI cable 144) visible to a user 170, and the input/output interface 150 may be coupled to a touchscreen (not shown), a keyboard 151 (e.g. via a USB cable 153) and a mouse 152 (e.g. via a USB cable 154), each of the keyboard 151 and the mouse 152 being operable by the user 170.
  • the solid-state drive 120 stores program instructions suitable for being loaded into the random access memory 130 and executed by the processor 110 and/or the GPU 111 for selecting a selected- sub-set of features from a plurality of features.
  • the program instructions may be part of a library or an application.
  • the electronic device 100 may be a server, a desktop computer, a laptop computer, a tablet, a smartphone, a personal digital assistant or any device that may be configured to implement the present technology, as it may be understood by a person skilled in the art.
  • the electronic device 100 is coupled to a communications network 210 via a communication link 190.
  • the communications network 210 can be implemented as the Internet.
  • the communications network 210 can be implemented differently, such as any wide-area communications network, local-area communications network, a private communications network and the like.
  • the communication link 190 is implemented is not particularly limited and will depend on how the electronic device 100 is implemented.
  • the communication link 190 can be implemented as a wireless communication link (such as but not limited to, a 3G communications network link, a 4G communications network link, a Wireless Fidelity, or WiFi® for short, Bluetooth® and the like).
  • the communication link 190 can be either wireless (such as the Wireless Fidelity, or WiFi® for short, Bluetooth® or the like) or wired (such as an Ethernet based connection).
  • the first server 220 can be implemented as a conventional computer server.
  • the first server 220 can be implemented as a DellTM PowerEdgeTM Server running the MicrosoftTM Windows ServerTM operating system.
  • the first server 220 can be implemented in any other suitable hardware and/or software and/or firmware or a combination thereof.
  • the first server 220 is a single server.
  • the functionality of the first server 220 may be distributed and may be implemented via multiple servers.
  • the first server 220 may implement in part the methods and system described herein.
  • the first server 220 is under control and/or management of a folio management operator.
  • the first server 220 can be under control and/or management of a service provider.
  • the second server 230 can be implemented as a conventional computer server.
  • the second server 230 can be implemented as a DellTM PowerEdgeTM Server running the MicrosoftTM Windows ServerTM operating system.
  • second server 230 can be implemented in any other suitable hardware and/or software and/or firmware or a combination thereof.
  • second server 230 is a single server.
  • the functionality of the second server 230 may be distributed and may be implemented via multiple servers.
  • second server 230 may implement in part the methods and system described herein.
  • second server 230 is under control and/or management of a folio management operator.
  • second server 230 can be under control and/or management of a service provider.
  • the present technology may comprise a secure user-data management system 300 and a password-generation system 400 used for implementing the present technology.
  • the user 170 may be associated with a user identifier 172, and may have chosen two keys or personal passwords to remember, a first key 174, also known as the user vault key, and a second key 178, also known as a user key.
  • the first key 174 may be used with a secure user-data management system 300 and the second key 187 may be used with a password-generation system 400 to generate a secure password 510.
  • each one of the first key 174 and the second key 178 may be implemented as conventional passwords of fixed length, containing strings of alphabetical characters and/or numerical characters and/or special characters, and may be complex enough to be hard to guess by brute-force attacks while being easy to remember for the user 170.
  • one of the first key 174 or the second key 178 may be implemented as biometric data, such as a fingerprint recognition, facial recognition, keystroke dynamics, voice recognition, etc., depending on how the electronic device 100 is implemented, as it would be recognized by a person skilled in the art of the present technology. While the technology herein relies on both high-level parts, but can also be defined and used with only one of those parts, independently from the other one.
  • the secure user-data management system 300 may comprise a folio management system 320 and private server token 390.
  • the folio management system 320 may generally be configured to receive requests from users having registered with the folio management system 320.
  • the folio management system 320 may therefore maintain a plurality of folios associated with respective users, the folios containing a part of the required information for generating passwords.
  • the folio management system 320 may comprise a userl folio 340, a user2 folio 360 and a userN folio 380.
  • userl folio 340, user2 folio 360 and userN folio 380 are merely provided as illustrative examples, and the number of user folios in the folio management system 320 is not limited.
  • each one of the userl folio 340, user2 folio 360 and the userN folio 380 of the folio management system 320 may be associated with a respective user having previously registered with the secure user-data management system 300 or a resource or service (not depicted) associated with the secure user-data management system 300.
  • a user folio may be initialized.
  • the user 170 may register with his user identifier 172 on the folio management system 320 for managing user profiles and passwords used on different resources.
  • the user 170 may access his user folio, such as userl folio 340, by logging onto a resource 550 previously associated with the secure user-data management system 300.
  • Each one of the userl folio 340, user2 folio 360 and the userN folio 380 of the folio management system 320 may comprise a respective encrypted user vault 350, also known as hidden user vault, and a respective public user token 355.
  • the encrypted user vault 350 may be associated with the userl folio 340 and may be decrypted by using the first key 174 provided by the user 170 to obtain a user vault 410.
  • the respective public user tokens 355 may be used by the folio management system 320 to authenticate the user 170.
  • a private server token 390 can be used to prove to the user 170 that each of the userl folio 340, user2 folio 360 and the userN folio 380 of the folio management system 320 are legitimate and that the user 170 may trust the information received from the folio management system 320.
  • the respective public user token 355 and the private server token 390 may be implemented respectively as a public cryptographic key and a private cryptographic key as it may become apparent to a person skilled in the art of the present technology.
  • some predefined subsets of the complete team of users need to be present in order for the authentication (and the access to the system or services protected by that authentication) to be granted.
  • the multiple users (not depicted) may be associated with one or more user folios.
  • FIG. 5 a detailed view of the password-generation system 400 is illustrated in accordance with a non-limiting embodiment of the present technology.
  • the user 170 may access the user vault 410 part of his/her userl folio 340.
  • the user vault 410 may comprise an entropic sequence of characters 420, and resource-specific data 430.
  • the entropic sequence of characters 420 also known as entropy, salt, or nonce, may be any sequence of random binary digits (bits) that may be acquired by the electronic device 100 in a variety of ways that will be apparent to persons skilled in the art.
  • the entropic sequence of characters 420 can be obtained from specific computer instructions, random user input through some input device like a mouse, a tactile surface or other means, usage of random physical phenomena like network traffic, power consumption, clock drift, or other physical means.
  • the entropic sequence of characters 420 may be generated by a true random number generator (TRNG) (not depicted) on the electronic device 100.
  • TRNG true random number generator
  • the entropic sequence of characters 420 may be a combination of multiple random entropic sequences of characters collected from multiple components of the electronic device 100.
  • the entropic sequence of characters 420 may be generated by or with the help of another device or a server (not depicted).
  • the entropic sequence of characters 420 may be used to generate a different password (not depicted) for each resource of the userl folio 340. In some embodiments, a different entropic sequence of characters may be used for each resource.
  • the resource-specific data 430 comprises at least one set of resource-specific parameters 440, resource-specific parameters2 450, and resource-specific parametersN 460, each one associated with a respective resource or service. Each one of the resource-specific parameters 440, the resource-specific parameters2 450, and the resource-specific parametersN 460 may comprise a respective resource identifier 442, a respective set of rules 444 and a respective version number 446.
  • the resource-specific parameters 440 may be associated with a banking website, the resource-specific parameters2 450 with a work website and the resource-specific parametersN 460 with an entertainment website, each one of the resource-specific parameters 440, the resource-specific parameters2 450, and the resource-specific parametersN 460 being associated with the user 170.
  • each one of the resource-specific parameters 440, the resource-specific parameters2 450, and the resource-specific parametersN 460 may be initialized in response to a request from the user 170 or in response to a request from the associated resource, or may be pre- initialized by default and only activated when the user 170 requests a connection to an associated resource.
  • the resource identifier 442 may be acquired from the associated service, may be received from the user 170 or from another source on the internet.
  • the resource identifier 442 may be: a Uniform Resource Locator (URL), an Internet Protocol Address (IP address), or any unique representation identifying the resource specific data.
  • the userl folio may further comprise a public server token 470, and private userl token 480, paired with the private server token 390 and the public user token 355 respectively.
  • the public server token 470, and private userl token 480, paired with the private server token 390 and the public user token 355 respectively may be used as asymmetric cryptographic keys to encrypt and decrypt information, therefore authenticating the user 170 and the folio management system 320.
  • the password-generation system 500 may further comprise the password generator 500, the password generator 500 for generating a password 510 associated with the resource 550 based on the second key 178 provided by the user 170, the entropic sequence of characters 420, the resource identifier 442, the set of rules 444 and the version number 446.
  • the password generator 500 may be implemented with different algorithms, as it would be recognized by the person skilled in the art of the present technology.
  • One such algorithm may be the PBKDF2 algorithm, part of the Public-Key Cryptography Standards (PCKS) 5 v2.0.
  • the PBKDF2 algorithm may be used with a HMAC-SHA-256 hashing algorithm in the following manner: the user identifier 172, the resource identifier 442 and the second key 178 may be concatenated, resulting in a passphrase 495.
  • the passphrase 495 may be input with the entropic sequence of characters 420, a number of iterations 496, a chosen key length 497 in the PBKDF2 algorithm using the SHA-256 algorithm, resulting in a derived key (not depicted).
  • the derived key may go through a function (not depicted) repetitively with the set of rules 444, which contains rules (number of upper case letters, number of special characters, etc.) until a password 510 respecting the rules of the set of rules 444 is generated.
  • Other alternatives such as, but not limited to, bcrypt, Argon2, Catena, Luyra2, yesscrypt and Makwa algorithms may be used, as it may be recognized by the person skilled in the art of the present technology.
  • the password generator 500 may be associated with a timer (not depicted) and a predetermined expiration time (not depicted), and each time the timer is over the predetermined expiration time, the password 510 may be automatically regenerated by the password-generation system 400 incrementing the version number 446 and going through the generating function 490.
  • the pre-determined expiration time may be acquired from the associated resource.
  • the secure user-data management system 300 may be implemented on the first server 220.
  • the secure user-data management system comprising the folio management system 320, may be implemented as part of a cloud computing service where the user 170 may register via a computing device, such as his/her electronic device 100.
  • the password-generation system 500 may be executed on the electronic device 100.
  • the password-generation system 500 may be implemented as the client-side software of the computing service.
  • the password-generation system 500 may be implemented at least in part by a secure processor (not depicted), a hardware security module (not depicted) or any other secure and/or tamper-resistant module, as it may be recognized by the person skilled in the art of the present technology.
  • the resource 550 or website may run on the second server 230.
  • at least a part of the secure user-data management system 300 and at least part of the password-generation system 500 may be implemented on the electronic device 100, and at least a part of the first server 220 and at least a part of the second server 230 may also be implemented on the electronic device 100.
  • the password-generation system 500 may be implemented on a server, such as but not limited to second server 230.
  • the secure user-data management system 300 may be implemented on the same server as the resource 550, the second server 230.
  • FIG. 8 a communication flow 800 for initialization of the userl folio 340 and the password 510 in accordance with an embodiment of the present technology is illustrated.
  • the user 170 may transmit a request which may comprise his/her user identifier 172 to the folio management system 320 part of the secure user- data management system 300 via his electronic device 100 to initialize a userl folio 340.
  • the folio management system 320 may then initialize the userl folio 340.
  • the electronic device 100 may then initialize a user vault 410 and generate an entropic sequence of characters 420 associated with the user vault 410.
  • the electronic device 100 may then acquire the resource-specific data 430, the resource-specific data 430 comprising at least one set of resource-specific parameters 440, the at least one set of resource-specific parameters 440 being associated with the resource 550 to access.
  • the resource-specific data 430 may be provided by the user 170, by the resource 550 or by another resource on the Internet (not depicted).
  • the electronic device 500 may then associate the resource- specific data 430 with the user vault 410.
  • the electronic device 100 may then generate the password 510 based on the one set of resource-specific parameters 440 and the second key 178 in the password- generation system 400 and transmit the password 510 to the resource 550.
  • the electronic device 100 may then encrypt the user vault 410 based on the first key 174 and transmit the encrypted user vault 350 to the resource 550.
  • the user 170 may transmit a request to retrieve the encrypted user vault 350 from the userl folio 340 of the folio management system 320 part of the secure user-data management system 300 via his electronic device 100.
  • the request may comprise his/her user identifier 172.
  • the user 170 may decrypt the encrypted user vault 350 based on the first key 174 to access the user vault 410.
  • the electronic device 100 may then access the resource-specific data 430 and use the second key 178 provided by the user 170 and generate the password 510.
  • the user 170 may or may not modify the content of the user vault 410.
  • the electronic device 100 may then encrypt the user vault 410 based on the first key 174 to obtain the encrypted user vault.
  • the electronic device 100 may then transmit the encrypted user vault 350 to the secure user-data management system 300.
  • the secure user-data management system 300 may then transmit the password 510 to the resource 550.
  • FIG. 10 a method 1000 carried out by an electronic device 100 and a first server 220 for initializing a userl folio 340 and a password 510 is illustrated in accordance with non-limiting embodiments of the present technology.
  • the method 1000 may begin at a step 1002.
  • STEP 1002 receiving a request to initialize a user folio in a folio management system, the request comprising a user identifier and a resource identifier
  • the first server 220 may receive a request to initialize a userl folio 440 in the folio management system 320, the request comprising a user identifier 172 and a resource identifier 442.
  • the user 170 may have sent the request via the electronic device 100 to initialize a user folio in a folio management system 320 which may be part of a secure user-data management system 300, the request comprising a user identifier 172 and a resource identifier 442.
  • the user 170 may have downloaded an application associated with the folio management system 320 part of a secure user-data management system 300 on her/his electronic device 100, and may execute the application, which may be implemented as a browser extension or a standalone software application.
  • the user 170 may then be prompted to specify a user identifier 172, such as, but not limited to, a user name, an e-mail address, etc.
  • the user 170 may then, at the same time or at a different time, be prompted by the application to specify a resource identifier 442 for a resource for which she/he wants to generate a password 510.
  • the user 170 may then enter the required information and confirm.
  • the folio management system 320 may be executed in part or entirely by the electronic device 100 instead of the first server 220.
  • the request may originate from the second server 230 via the communications network 210, the second server 230 executing a resource previously associated with the user 170, such as a banking website.
  • the user 170 may have recently opened a new account with the bank, and may wish to access his accounts via the banking website, which may ask him to give a password 510.
  • the user 170 may open an account without sending the resource identifier 442, and may simply initialize a user folio for later use.
  • the resource 550 may be associated with the folio management system 320 running on the first server 220, and may send the user identifier 172 and the resource identifier 442 to the folio management system 320 part of the secure user-data management system 300 on the first server 220.
  • the folio management system 320 may receive the request, and the method 1000 may then advance to a step 1004.
  • STEP 1004 initializing the user folio associated with the user in the folio management system
  • the folio management system 320 which may be part of the secure user-data management system 300, may initialize the userl folio based on the user identifier 172 and the resource identifier 442.
  • the folio management system 320 may manage a plurality of user folios, such as user folio2 360 and userN folio 380 each associated with a different user identifier, and may create an entry for the user 170 associated with the user identifier 172 and the resource identifier 442 by associating an empty userl folio 340 with the user 170.
  • STEP 1006 generating an entropic sequence of characters
  • step 1006 after having sent the request to the folio management system 320, the user 170 may be prompted to generate an entropic sequence of characters 420 in ways described above. The method 1000 may then advance to step 1008.
  • STEP 1008 associating the entropic sequence of characters with a user vault, the user vault associated with the user
  • the electronic device 100 may associate the entropic sequence of characters 420 with a user vault 410, the user vault 410 associated with the user 170.
  • the user vault 410 may be initialized by the electronic device 100 as a variable or a file that will contain the necessary information to generate the password 510, such as the entropic sequence of characters 420.
  • the entropic sequence of characters 420 may be stored in the user vault 410. The method 1000 may then advance to step 1010.
  • STEP 1010 acquiring resource-specific data, the resource-specific data comprising at least one set of resource-specific parameters, the at least one set of resource-specific parameters being associated with the resource
  • the electronic device 100 may acquire resource-specific data 430, the resource-specific data 430 comprising at least one set of resource-specific parameters 440, the at least one set of resource-specific parameters 440 being associated with the resource to access.
  • the resource-specific parameters 440 may comprise a resource identifier 442, a rule to generate the password 446, and a version number 446.
  • the user 170 may enter manually at least a part of the resource-specific parameters.
  • the electronic device 100 may acquire such information from a database, from the folio management system 320 part of the secure user-data management system 300, from the resource itself, or from any other source on the internet.
  • the version number 446 may be automatically initialized. The method 1000 may then advance to step 1012.
  • STEP 1012 associating the resource-specific data with the user vault
  • the electronic device 100 may associate the resource- specific data 430 with the user vault 410, the user vault 410 associated with the user 170.
  • the electronic device 100 may associate resource- specific data 430 in the same way that it associated the entropic sequence of characters.
  • associating the the resource-specific data 430 and the entropic sequence of characters to the user vault 410 may be performed at the same time.
  • the method 1000 may then advance to step 1014.
  • STEP 1014 generating the password required to access the resource based on a second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters
  • the password generator 500 of the electronic device 100 may generate the password 510 required to access the resource 550 based on a second key 178 provided by the user 170, the at least one entropic sequence of characters 420 and the at least one set of resource-specific parameters 440, the at least one set of resource-specific parameters 440 comprising the resource identifier 442, the rule to generate the password 446, and the version number 448.
  • the password 510 may be generated by using the PBKDF2 algorithm or any other algorithm as it would be recognized by the person skilled in the art.
  • the password 510 may respect the rules to generate the password 446, and be of a length compliant with security standards of the resource 550.
  • the method 1000 may then advance to step 1016.
  • STEP 1016 encrypting the user-vault based on the first key
  • the electronic device 100 may encrypt the user vault 410 based on the first key 174 provided by the user 170, resulting in the encrypted user vault 350.
  • the user 170, having the first key 174 in his possession, may therefore be the only one able to decrypt the encrypted user vault 350.
  • the method 1000 may then advance to step 1018.
  • STEP 1018 transmitting the encrypted user vault.
  • the electronic device 100 may transmit the encrypted user vault 350 to the folio management system 320 part of the secure user-data management system 300 on the first server 220 via the communications network 210. Therefore, the first server 220 may only have access to an encrypted version of the user vault 410.
  • the encrypted user vault 350 may be transmitted to the resource located on the second server 230. In other embodiments, the encrypted user vault 350 may not be transmitted and may be stored on the electronic device 100. The encrypted user vault 350 may be later retrieved by the electronic device 100 to generate a password for the same resource in accordance with the method 1100. The method 1000 may then end.
  • FIG. 11 a method 1100 carried out by an electronic device 100 and a first server 220 for retrieving information from a userl folio 340 to generate a password 510 is illustrated in accordance with non-limiting embodiments of the present technology.
  • the method 1100 may be executed after the method 1000 has been executed once for the same resource.
  • the method 1000 may begin at a step 1102.
  • STEP 1102 authenticating, by a server connected to the electronic device, the user
  • the first server 220 may authenticate the user 170 connected to the first server 220 with her/his electronic device 100 via the communications network 210.
  • the user 170 may want to connect to a resource from her/his electronic device 100.
  • the user 170 may want to access the website of a bank. Since she/he has previously opened an account with the folio management system 320 part of the secure user-data management system 300 on the first server 220, the user 170 may want to generate the password 510 to access the resource or banking website.
  • the user 170 may send a request comprising his user identifier 172.
  • the user 170 may login to the website or application of the folio management system 320 to enter her/his user identifier and a user password.
  • the folio management system 320, part of the secure user-data management system 300 on the first server 220 may receive the request from the user, and verify that the user 170 is associated with a folio in the folio management system 320, therefore authenticating the user 170.
  • the method 1100 may then advance to step 1104.
  • STEP 1104 causing a folio management system to retrieve, based on the authenticated user, a user folio associated with the user, the user folio being associated with an encrypted user vault, the encrypted user vault comprising at least one entropic sequence of characters and resource-specific data, the resource- specific data comprising at least one set of resource- specific parameters, the at least one set of resource-specific parameters being associated with the resource
  • the folio management system 320 may be caused to retrieve, based on the authenticated user 170, a userl folio 340 associated with the user 170, the userl folio 340 being associated with an encrypted user vault 350, the encrypted user vault 350 comprising at least one entropic sequence of characters 420 and resource- specific data 430, the resource- specific data 430 comprising at least one set of resource- specific parameters 440, the at least one set of resource-specific parameters 440 being associated with the resource.
  • the folio management system 320 may then transmit the encrypted user vault 350 to the electronic device 100 of the user 170, as the folio management system 320 may not have enough information for decrypting the encrypted user vault 350.
  • the method 1100 may then advance to step 1106.
  • STEP 1106 decrypting, based on a first key provided by the user, the encrypted user vault
  • the electronic device 100 of the user 170 may receive the encrypted user vault 350 and decrypt, based on the first key 174 provided by the user 170, the encrypted user vault 350 to reveal the user vault 410. A part of the information required to generate the password 510 to access the resource may therefore be accessible to the user 170 on the electronic device 100. The method may then advance to step 1108.
  • STEP 1108 generating the password required to access the resource based on a second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters
  • the electronic device 100 may generate the password 510 required to access the resource based on a second key 178 provided by the user 170, the at least one entropic sequence of characters 420 and the at least one set of resource-specific parameters 440 comprising the resource identifier 442, the rule to generate the password 446, and the version number 448.
  • the password 510 may be generated by using the PBKDF2 algorithm or any other algorithm as it would be recognized by the person skilled in the art.
  • the password 510 may respect the rules to generate the password 446, and be equivalent to the password 510 previously generated when initializing the userl folio 440 for the resource.
  • the method 1100 may then advance to step 1110.
  • the user 170 of the electronic device 100 may transmit the password 510 to access the resource. The method may then advance to step 1112.
  • STEP 1112 encrypting the user-vault based on the first key
  • the user 170 may encrypt the user vault 410 with the first key 174, resulting in the encrypted user vault 350.
  • the user 170 may modify the content of the user vault 410 before encrypting the user vault 410.
  • the electronic device 100 may then transmit the encrypted user vault 350 to the first server 220.
  • the encrypted user vault 350 may be stored on the electronic device 100.
  • the method 1100 may then end.
  • the password 510 is not stored anywhere. Instead, it is generated on-the-fly as required by the user 170, upon his providing of the second key 178. Therefore, the invention protects the user 170 from third parties who would want to get access to the services reserved through authentication to user 170. In order to fraudulently pass as the user 170, a third party would have to first obtain the user vault 410 through brute force (or other) decryption attacks on the encrypted user vault 350. If the first key 174 is long and complex enough, and if hiding or encryption mechanism is respecting security standards, this brute force attack will be extremely difficult.
  • the third party would need the first key 174 in order to obtain the password 510.
  • the fraudulent third party would not be able to mount a brute force attack on the password 510.
  • the fraudulent third party would be able to try accessing secure services whose access is reserved to user 170. This would amount to something no simpler than trying to guess some password on some system, without any additional information.
  • the system may generate an unlimited number of distinct passwords based on the first key 174 and the second key 178 provided by the user 170, therefore not relying on the user to provide a large number of keys to generate distinct passwords, and not being predictable because of a cyclic reuse of keys for generating the passwords.
  • retrieving an electronic or other signal from corresponding client device can be used, and displaying on a screen of the device can be implemented as transmitting a signal to the screen, the signal includes specific information which further can be interpreted with specific images and at least partially displayed on the screen of the client device.
  • Sending and receiving the signal is not mentioned in some cases within the present description to simplify the description and as an aid to understanding.
  • Signals can be transmitted using optical methods (for example, using fiber-optic communication), electronic methods (wired or wireless communication), mechanic methods (transmitting pressure, temperature and/or other physical parameters by the means of which transmitting a signal is possible.

Abstract

A system and method for generating a password required to access a resource by a user is provided, the method comprising: authenticating, by a server connected to the electronic device, the user; causing a folio management system to retrieve, based on the authenticated user, a user folio associated with the user, the user folio being associated with an encrypted user vault, the encrypted user vault comprising at least one entropic sequence of characters and resource-specific data, the resource-specific data comprising at least one set of resource-specific parameters, the at least one set of resource-specific parameters being associated with the resource; decrypting, based on a first key provided by the user, the encrypted user vault; and generating the password required to access the resource based on a second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters.

Description

METHOD AND SYSTEM FOR GENERATING A PASSWORD
CROSS-REFERENCE
[0001] The present application claims priority to Canadian Patent Application No. 2,913,571 filed December 1, 2015, entitled "MULTI-PLATFORM USER AUTHENTICATION DEVICE WITH DOUBLE AND MULTILATERALLY BLIND ON-THE-FLY KEY GENERATION", the entirety of which is incorporated herein.
FIELD
[0001] The present technology relates to password generation and more specifically to methods and systems for multi-platform user authentication with on-the-fly key generation.
BACKGROUND
[0002] This section is intended to introduce the reader to various aspects of art that may be related to various aspects of the present disclosure, which are described and/or claimed below. This discussion is believed to be helpful in providing the reader with background information to facilitate a better understanding of the various aspects of the present technology. Accordingly, it should be understood that these statements are to be read in this light, and not as admissions of prior art.
[0003] The expansion of the Internet coupled with the multiplication of connected mobile electronic devices allows billions of people to use their mobile devices daily for learning, communicating, exchanging information and conducting financial transactions. While performing such activities, passwords are typically relied upon to ensure proper identification to web resources which may include secure personal information and sensitive data. This has resulted in a proliferation of passwords that have to be handled, remembered and/or stored by every user. This proliferation of passwords, for a large number of systems and services, can lead users to being overwhelmed by the sheer number of character sequences and phrases they have to remember. Users can then adopt some strategies to cope with this proliferation of passwords, either by reusing the same passwords multiple times, using a limited number of variations, keeping a list of said passwords in an electronic file or device, or simply written down on paper or other physical substrate. All those strategies have shortcomings, as the theoretical number of different passwords is significantly reduced when reusing passwords or their variations and that storing passwords on physical substrate may give the opportunity to a third party to physically gain access to the list of all the user's authentication codes.
[0004] As the value and volume of sensitive information processed by mobile devices and online service providers has increased, so too have the efforts of malevolent third parties to obtain sensitive information and exploit it for financial gain or other illicit purposes. Various methods and systems have been proposed in order to reduce the risks of passwords being discovered by third parties. These methods and systems can be based on the keeping of a list of cryptographically hidden target passwords, which only the rightful user can access. Additionally, these methods and systems may generate secure passwords for the users and then add them to the cryptographically hidden password list. The main drawback of these methods is that upon access to the cryptographically hidden password list, a third party can mount a brute force attack on that list and eventually discover all the user's passwords stored in it. Other methods and systems have been proposed to allay the risks described above by generating dynamically the target passwords, using an array of user inputs as a source of entropy in order to generate good quality target passwords. Still other methods and systems have been proposed, where a physical device is made necessary in order for the authentication to succeed, for example by providing an information (such as a sequence of characters) which only the physical device is able to provide and which can be verified by the authenticating mechanism. Those methods and systems are suited for enterprise and institution environments, where employees or members are directly provided with the necessary physical devices, which are in some way known to the authentication mechanism, but require acquiring and maintaining a fleet of said physical devices. However, for general authentication on arbitrary systems, physical devices cannot be easily deployed as users are generally not in the employ or directly involved with the organizations offering those systems and services. Still other methods have been proposed which use server/client challenges, onetime passwords, shared images, etc. [0005] One such system is described in U.S. Patent No. 8,438,382 B2 issued May 7, 2013 to Ferg et al. which teaches a centralized credential management system including website credentials that are stored at a vault. The website credentials are encrypted based upon a key not available to the vault and are for authenticating a user to a third party website. Through a client, a user authenticates to the vault and retrieves the encrypted website credentials and parameters and code for properly injecting the credentials into a website authentication form. The website credentials are decrypted at the client and injected into the authentication form using the parameters and code.
[0006] U.S. Patent No. 7,171,679 B2 issued Jan. 30 2007 to Best et al. teaches a system, method and program providing an application program tool that generates a password for a user to access a resource. The tool receives as input from a user a global user password and at least one hash key. The tool applies a consistent algorithm to the name of the resource being accessed, such as a domain name for an Internet site, and the hash key, and the global user password to generate the password. The same password is regenerated the next time the user accesses the same resource. The tool automatically populates the resource with the password.
[0007] U.S. Patent Publication No. 2016/01101499 Al by Momchilov et al. teaches providing single sign on features in mobile applications in a secure environment using a shared vault. An application may prompt a user to provide user entropy such as a passcode (e.g. a password and/or PIN). The application may use the user entropy to decrypt a user-entropy-encrypted vault key. Once the vault key is decrypted, the application may decrypt a vault database of the shared vault. The shared vault may store shared secrets, such as server credentials, and an unlock key. The application may store the unlock key, generate an unlock-key-encrypted vault key, and cause the shared vault to store the unlock-key-encrypted vault key, thereby "unlocking" the vault. The application may then use the unlock key to decrypt the vault database without prompting the user to provide user entropy again. [0008] However, all these methods, although very interesting, require a paradigm shift insofar as the existing authentication infrastructure is concerned and cannot be directly used with existing systems based on regular password-based user authentication.
[0009] For the foregoing reasons, there is a need for methods and systems for generating a password.
SUMMARY
[0010] Embodiments of the present technology have been developed based on inventors' appreciation that while different methods have been developed for ensuring security of passwords in insecure environments, these methods rely heavily on the user for providing information. Improvements are therefore desirable, in particular improvements aimed at generating a plurality of secure passwords for accessing resources without storing said passwords on the device of the user or intermediate servers, and without relying on the user to handle a large amount of secure information.
[0011] The present technology arises from an observation made by the inventor(s) that while methods have been developed using client-side and server-side authentication, where passwords are encrypted in a repository on the server, if third parties succeed in accessing the repository, all the protected passwords become available. Improvements are therefore desirable, in particular improvements aimed at generating secure passwords without storing said passwords on the user device or intermediate servers.
[0012] Therefore, inventor(s) have devised method and systems for generating a password.
[0013] In accordance with a first broad aspect of the present technology, there is provided a method for generating a password required to access a resource by a user, the method comprising authenticating, by a server connected to the electronic device, the user, causing a folio management system to retrieve, based on the authenticated user, a user folio associated with the user, the user folio being associated with an encrypted user vault, the encrypted user vault comprising at least one entropic sequence of characters and resource-specific data, the resource-specific data comprising at least one set of resource-specific parameters, the at least one set of resource-specific parameters being associated with the resource, decrypting, based on a first key provided by the user, the encrypted user vault, and generating the password required to access the resource based on a second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters.
[0014] In some implementations, the method further comprises transmitting the password to the resource.
[0015] In some implementations, the method further comprises encrypting the user vault based on the first key, and transmitting the encrypted user vault to the server.
[0016] In some implementations, the at least one set of resource-specific parameters is a first set of resource-specific parameters and the resource-specific data further comprises a second set of resource-specific parameters.
[0017] In some implementations, each set of resource-specific parameters further comprises a rule to generate the password, a resource identifier and a version number, and wherein the generating is further based on the rule to generate the password, the resource identifier and the version number.
[0018] In some implementations, the resource identifier of is one of: a Uniform Resource Locator (URL), an Internet Protocol Address (IP address), or any unique representation identifying the resource specific data.
[0019] In some implementations, the rule to generate the password comprises at least one of: a required number of alphabetical characters, a required number of numerical characters, a required number of special characters, a required number of upper-case letters and a required number of lower-case letters.
[0020] In some implementations, the generating the password is performed based on one of a PBKDF2 algorithm, a bcrypt algorithm, a crypt(3) algorithm, a scrypt algorithm, or an Argon2 algorithm. [0021] In some implementations, the retrieving, based on the authenticated user the user folio associated with the user, is executed by the server, and wherein the method further comprises receiving, by the server, the encrypted user vault associated with the user folio.
[0022] In some implementations, the at least one resource specific data is associated with a period of time, and the method further comprises, responsive to the period of time being over a predetermined threshold: incrementing the version number; and wherein generating the password required to access the resource based on the second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters is further based on the incremented version number;
[0023] In some implementations, the retrieving, based on the authenticated user the user folio associated with the user is executed by the server, and the method further comprises receiving, by the server, the encrypted user vault associated with the user folio.
[0024] In some implementations, the decrypting based on the first key provided by the user the encrypted user vault, the generating the password required to access the resource based on the second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters, the transmitting the password to the resource, the encrypting the user vault based on the first key, and the transmitting the encrypted user vault to the server are executed on the electronic device.
[0025] In some implementations, the incrementing the version number and the generating the password required to access the resource based on the second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource- specific parameters further based on the incremented version number are executed by the electronic device.
[0026] In some implementations, the user folio further comprises a public user token, the user vault comprises a private user token, and wherein the folio management system may authenticate the user based on the public user token and the private user token.
[0027] In some implementations, the folio management system further comprises a private server token, the user folio comprises a public server token and wherein the user may authenticate the folio management system based on the private server token and the public server token.
[0028] In accordance with a second broad aspect of the present technology, there is provided a method of generating a password required to access a resource by a user based on a first key and a second key, the method comprising: receiving a request to initialize a user folio in a folio management system, initializing the user folio associated with the user in the folio management system, generating an entropic sequence of characters, associating the entropic sequence of characters with a user vault, the user vault associated with the user folio, acquiring resource-specific data, the resource-specific data comprising at least one set of resource-specific parameters, the at least one set of resource-specific parameters being associated with the resource, associating the resource- specific data with the user vault, generating the password required to access the resource based on a second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters, and encrypting the user-vault based on the first key.
[0029] In some implementations, the method further comprises transmitting the password to the resource and transmitting the encrypted user-vault to the server.
[0030] In some implementations, the receiving and the initializing are executed by a server.
[0031] In some implementations, the generating the entropic sequence of characters, the associating the entropic sequence of characters with a user vault, the user vault associated with the user folio, the acquiring the resource-specific data, the resource-specific data comprising at least one set of resource-specific parameters, the at least one set of resource-specific parameters being associated with the resource, the associating the resource-specific data with the user vault, the generating the password required to access the resource based on a second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters, the encrypting the user-vault based on the first key, and the transmitting the password to the resource and transmitting the encrypted user-vault to the server are executed by the electronic device.
[0032] In accordance with a third broad aspect of the present technology, there is provided a system for generating a password required to access a resource by a user, the system comprising: a processor, a non-transitory computer-readable medium comprising instructions, the processor, upon executing the instructions, being configured to cause: authenticating, by a server connected to the electronic device, the user, causing a folio management system to retrieve, based on the authenticated user, a user folio associated with the user, the user folio being associated with an encrypted user vault, the encrypted user vault comprising at least one entropic sequence of characters and resource-specific data, the resource-specific data comprising at least one set of resource-specific parameters, the at least one set of resource-specific parameters being associated with the resource, decrypting, based on a first key provided by the user, the encrypted user vault, and generating the password required to access the resource based on a second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters.
[0033] In some implementations, the processor is further configured to cause transmitting the password to the resource.
[0034] In some implementations, the processor is further configured to cause: encrypting the user vault based on the first key, and transmitting the encrypted user vault to the server.
[0035] In some implementations, the at least one set of resource-specific parameters is a first set of resource-specific parameters and the resource-specific data further comprises a second set of resource-specific parameters.
[0036] In some implementations, each set of resource-specific parameters further comprises a rule to generate the password, a resource identifier and a version number, and wherein the generating is further based on the rule to generate the password, the resource identifier and the version number. [0037] In some implementations, the resource identifier of is one of: a Uniform Resource Locator (URL), an Internet Protocol Address (IP address), or any unique representation identifying the resource specific data.
[0038] In some implementations, the rule to generate the password comprises at least one of: a required number of alphabetical characters, a required number of numerical characters, a required number of special characters, a required number of upper-case letters and a required number of lower-case letters.
[0039] In some implementations, the generating the password is performed based on one of a PBKDF2 algorithm, a bcrypt algorithm, a crypt(3) algorithm, a scrypt algorithm, or an Argon2 algorithm.
[0040] In some implementations, the retrieving, based on the authenticated user the user folio associated with the user, is executed by the server, and wherein the system further comprises receiving, by the server, the encrypted user vault associated with the user folio.
[0041] In some implementations, the at least one resource specific data is associated with a period of time, and the system further comprises, responsive to the period of time being over a predetermined threshold: incrementing the version number; and wherein generating the password required to access the resource based on the second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters is further based on the incremented version number.
[0042] In some implementations, the retrieving, based on the authenticated user the user folio associated with the user is executed by the server, and the processor is further configured to cause receiving, by the server, the encrypted user vault associated with the user folio.
[0043] In some implementations, the decrypting based on the first key provided by the user the encrypted user vault, the generating the password required to access the resource based on the second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters, the transmitting the password to the resource, the encrypting the user vault based on the first key, and the transmitting the encrypted user vault to the server are executed on the electronic device.
[0044] In some implementations, the incrementing the version number and the generating the password required to access the resource based on the second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource- specific parameters further based on the incremented version number are executed by the electronic device.
[0045] In some implementations, the user folio further comprises a public user token, the user vault comprises a private user token, and wherein the folio management system may authenticate the user based on the public user token and the private user token.
[0046] In some implementations, the folio management system further comprises a private server token, the user folio comprises a public server token and wherein the user may authenticate the folio management system based on the private server token and the public server token.
[0047] In accordance with a fourth broad aspect of the present technology, there is provided a system for generating a password required to access a resource by a user based on a first key and a second key, the system comprising: a processor, a non-transitory computer-readable medium comprising instructions, the processor, upon executing the instructions, being configured to cause: receiving a request to initialize a user folio in a folio management system, initializing the user folio associated with the user in the folio management system, generating an entropic sequence of characters, associating the entropic sequence of characters with a user vault, the user vault associated with the user folio, acquiring resource-specific data, the resource-specific data comprising at least one set of resource-specific parameters, the at least one set of resource-specific parameters being associated with the resource, associating the resource-specific data with the user vault, generating the password required to access the resource based on a second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters, and encrypting the user-vault based on the first key. [0048] In some implementations, the processor is further configured to cause transmitting the password to the resource and transmitting the encrypted user-vault to the server.
[0049] In some implementations, the receiving and the initializing are executed by a server.
[0050] In some implementations, the generating the entropic sequence of characters, the associating the entropic sequence of characters with a user vault, the user vault associated with the user folio, the acquiring the resource-specific data, the resource-specific data comprising at least one set of resource-specific parameters, the at least one set of resource-specific parameters being associated with the resource, the associating the resource-specific data with the user vault, the generating the password required to access the resource based on a second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters, the encrypting the user-vault based on the first key, and the transmitting the password to the resource and transmitting the encrypted user-vault to the server are executed by the electronic device.
[0051] In the context of the present specification, a "server" is a computer program that is running on appropriate hardware and is capable of receiving requests (e.g. from client devices) over a network, and carrying out those requests, or causing those requests to be carried out. The hardware may be implemented as one physical computer or one physical computer system, but neither is required to be the case with respect to the present technology. In the present context, the use of the expression a "server" is not intended to mean that every task (e.g. received instructions or requests) or any particular task will have been received, carried out, or caused to be carried out, by the same server (i.e. the same software and/or hardware); it is intended to mean that any number of software elements or hardware devices may be involved in receiving/sending, carrying out or causing to be carried out any task or request, or the consequences of any task or request; and all of this software and hardware may be one server or multiple servers, both of which are included within the expression "at least one server". [0052] In the context of the present specification, "electronic device" is any computer hardware that is capable of running software appropriate to the relevant task at hand. In the context of the present specification, the term "electronic device" implies that a device can function as a server for other electronic devices and client devices, however it is not required to be the case with respect to the present technology. Thus, some (non- limiting) examples of electronic devices include personal computers (desktops, laptops, netbooks, etc.), smartphones, and tablets, as well as network equipment such as routers, switches, and gateways. It should be understood, that in the present context the fact that the device functions as an electronic device does not mean that it cannot function as a server for other electronic devices. The use of the expression "an electronic device" does not preclude multiple client devices being used in receiving/sending, carrying out or causing to be carried out any task or request, or the consequences of any task or request, or steps of any method described herein.
[0053] In the context of the present specification, "client device" is any computer hardware that is capable of running software appropriate to the relevant task at hand. In the context of the present specification, in general the term "client device" is associated with a user of the client device. Thus, some (non- limiting) examples of client devices include personal computers (desktops, laptops, netbooks, etc.), smartphones, and tablets, as well as network equipment such as routers, switches, and gateways It should be noted that a device acting as a client device in the present context is not precluded from acting as a server to other client devices. The use of the expression "a client device" does not preclude multiple client devices being used in receiving/sending, carrying out or causing to be carried out any task or request, or the consequences of any task or request, or steps of any method described herein.
[0054] In the context of the present specification, the expression "information" includes information of any nature or kind whatsoever capable of being stored in a database. Thus information includes, but is not limited to audiovisual works (images, movies, sound records, presentations etc.), data (location data, numerical data, etc.), text (opinions, comments, questions, messages, etc.), documents, spreadsheets, etc. [0055] In the context of the present specification, the expression "software component" is meant to include software (appropriate to a particular hardware context) that is both necessary and sufficient to achieve the specific function(s) being referenced.
[0056] In the context of the present specification, the expression "computer information storage media" (also referred to as "storage media") is intended to include media of any nature and kind whatsoever, including without limitation RAM, ROM, disks (CD-ROMs, DVDs, floppy disks, hard drivers, etc.), USB keys, solid state-drives, tape drives, etc. A plurality of components may be combined to form the computer information storage media, including two or more media components of a same type and/or two or more media components of different types.
[0057] In the context of the present specification, a "database" is any structured collection of data, irrespective of its particular structure, the database management software, or the computer hardware on which the data is stored, implemented or otherwise rendered available for use. A database may reside on the same hardware as the process that stores or makes use of the information stored in the database or it may reside on separate hardware, such as a dedicated server or plurality of servers.
[0058] In the context of the present specification, the words "first", "second", "third", etc. have been used as adjectives only for the purpose of allowing for distinction between the nouns that they modify from one another, and not for the purpose of describing any particular relationship between those nouns. Thus, for example, it should be understood that, the use of the terms "first database" and "third server" is not intended to imply any particular order, type, chronology, hierarchy or ranking (for example) of/between the server, nor is their use (by itself) intended imply that any "second server" must necessarily exist in any given situation. Further, as is discussed herein in other contexts, reference to a "first" element and a "second" element does not preclude the two elements from being the same actual real-world element. Thus, for example, in some instances, a "first" server and a "second" server may be the same software and/or hardware components, in other cases they may be different software and/or hardware components.
[54] Implementations of the present technology each have at least one of the above - mentioned object and/or aspects, but do not necessarily have all of them. It should be understood that some aspects of the present technology that have resulted from attempting to attain the above- mentioned object may not satisfy this object and/or may satisfy other objects not specifically recited herein.
[0059] Additional and/or alternative features, aspects and advantages of implementations of the present technology will become apparent from the following description, the accompanying drawings and the appended claims.
BRIEF DESCRIPTION OF THE DRAWINGS
[0060] These and other features, aspects and advantages of the present technology will become better understood with regard to the following description, appended claims and accompanying drawings where:
[0061] FIG. 1 is an illustration of components and features of an electronic device in accordance with an embodiment of the present technology;
[0062] FIG. 2 is an illustration of a communication networks in accordance with an embodiment of the present technology;
[0063] FIG. 3 is an illustration of a simplified schematic overview of two high-level parts in accordance with an embodiment of the present technology;
[0064] FIG. 4 is an illustration of a detailed view of a secure user-data management system in accordance with an embodiment of the present technology;
[0065] FIG. 5 is an illustration of a detailed view of a password-generation system in accordance with non-limiting embodiments of the present technology;
[0066] FIG. 6 is an illustration of a detailed view of the password generator of the password-generation system in accordance with non-limiting embodiments of the present technology; [0067] FIG. 7 is an illustration of a detailed view of the secure user-data management system and the password-generation system in accordance with non-limiting embodiments of the present technology;
[0068] FIG. 8 is an illustration of a communication flow of a initialization of the user folio and password in accordance with non-limiting embodiments of the present technology;
[0069] FIG. 9 is an illustration of a communication flow for generating a password in accordance with non-limiting embodiments of the present technology;
[0070] FIG. 10 is a flow-chart illustration of a method carried out by an electronic device and a server for initializing a user folio and a password in accordance with non-limiting embodiments of the present technology; and
[0071] FIG. 11 is flow-chart illustration of a method carried out by an electronic device and a first server for retrieving information from a user folio and generating a password in accordance with non-limiting embodiments of the present technology.
DETAILED DESCRIPTION
[0072] The examples and conditional language recited herein are principally intended to aid the reader in understanding the principles of the present technology and not to limit its scope to such specifically recited examples and conditions. It will be appreciated that those skilled in the art may devise various arrangements which, although not explicitly described or shown herein, nonetheless embody the principles of the present technology and are included within its spirit and scope.
[0073] Furthermore, as an aid to understanding, the following description may describe relatively simplified implementations of the present technology. As persons skilled in the art would understand, various implementations of the present technology may be of a greater complexity.
[0074] In some cases, what are believed to be helpful examples of modifications to the present technology may also be set forth. This is done merely as an aid to understanding, and, again, not to define the scope or set forth the bounds of the present technology. These modifications are not an exhaustive list, and a person skilled in the art may make other modifications while nonetheless remaining within the scope of the present technology. Further, where no examples of modifications have been set forth, it should not be interpreted that no modifications are possible and/or that what is described is the sole manner of implementing that element of the present technology.
[0075] Moreover, all statements herein reciting principles, aspects, and implementations of the present technology, as well as specific examples thereof, are intended to encompass both structural and functional equivalents thereof, whether they are currently known or developed in the future. Thus, for example, it will be appreciated by those skilled in the art that any block diagrams herein represent conceptual views of illustrative circuitry embodying the principles of the present technology. Similarly, it will be appreciated that any flowcharts, flow diagrams, state transition diagrams, pseudo-code, and the like represent various processes which may be substantially represented in computer-readable media and so executed by a computer or processor, whether or not such computer or processor is explicitly shown. [0076] The functions of the various elements shown in the figures, including any functional block labeled as a "processor" or a "graphics processing unit", may be provided through the use of dedicated hardware as well as hardware capable of executing software in association with appropriate software. When provided by a processor, the functions may be provided by a single dedicated processor, by a single shared processor, or by a plurality of individual processors, some of which may be shared. In some embodiments of the present technology, the processor may be a general purpose processor, such as a central processing unit (CPU) or a processor dedicated to a specific purpose, such as a graphics processing unit (GPU). Moreover, explicit use of the term "processor" or "controller" should not be construed to refer exclusively to hardware capable of executing software, and may implicitly include, without limitation, digital signal processor (DSP) hardware, network processor, application specific integrated circuit (ASIC), field programmable gate array (FPGA), read-only memory (ROM) for storing software, random access memory (RAM), and non-volatile storage. Other hardware, conventional and/or custom, may also be included.
[0077] Software modules, or simply modules which are implied to be software, may be represented herein as any combination of flowchart elements or other elements indicating performance of process steps and/or textual description. Such modules may be executed by hardware that is expressly or implicitly shown.
[0078] With these fundamentals in place, we will now consider some non-limiting examples to illustrate various implementations of aspects of the present technology.
[0079] Referring to FIG. 1, there is shown an electronic device 100 suitable for use with some implementations of the present technology, the electronic device 100 comprising various hardware components including one or more single or multi-core processors collectively represented by processor 110, a graphics processing unit (GPU) 111, a solid- state drive 120, a random access memory 130, a display interface 140, and an input/output interface 150.
[0080] Communication between the various components of the electronic device 100 may be enabled by one or more internal and/or external buses 160 (e.g. a PCI bus, universal serial bus, IEEE 1394 "Firewire" bus, SCSI bus, Serial-ATA bus, etc.), to which the various hardware components are electronically coupled. The display interface 140 may be coupled to a monitor 142 (e.g. via an HDMI cable 144) visible to a user 170, and the input/output interface 150 may be coupled to a touchscreen (not shown), a keyboard 151 (e.g. via a USB cable 153) and a mouse 152 (e.g. via a USB cable 154), each of the keyboard 151 and the mouse 152 being operable by the user 170.
[0081] According to implementations of the present technology, the solid-state drive 120 stores program instructions suitable for being loaded into the random access memory 130 and executed by the processor 110 and/or the GPU 111 for selecting a selected- sub-set of features from a plurality of features. For example, the program instructions may be part of a library or an application.
[0082] The electronic device 100 may be a server, a desktop computer, a laptop computer, a tablet, a smartphone, a personal digital assistant or any device that may be configured to implement the present technology, as it may be understood by a person skilled in the art.
[0083] Now turning to FIG. 2, the electronic device 100 is coupled to a communications network 210 via a communication link 190. In some non-limiting embodiments of the present technology, the communications network 210 can be implemented as the Internet. In other embodiments of the present technology, the communications network 210 can be implemented differently, such as any wide-area communications network, local-area communications network, a private communications network and the like.
[0084] How the communication link 190 is implemented is not particularly limited and will depend on how the electronic device 100 is implemented. Merely as an example and not as a limitation, in those embodiments of the present technology where the electronic device 100 is implemented as a wireless communication device (such as a smart-phone), the communication link 190 can be implemented as a wireless communication link (such as but not limited to, a 3G communications network link, a 4G communications network link, a Wireless Fidelity, or WiFi® for short, Bluetooth® and the like). In those examples, where the electronic device 100 is implemented as a notebook computer, the communication link 190 can be either wireless (such as the Wireless Fidelity, or WiFi® for short, Bluetooth® or the like) or wired (such as an Ethernet based connection).
[0085] It should be expressly understood that implementations for the electronic device 100, the communication link 190 and the communications network 210 are provided for illustration purposes only. As such, those skilled in the art will easily appreciate other specific implementational details for the electronic device 100, the communication link 190 and the communications network 210. As such, by no means, examples provided herein above are meant to limit the scope of the present technology.
[0086] Also coupled to the communications network is a first server 220. The first server 220 can be implemented as a conventional computer server. In an example of an embodiment of the present technology, the first server 220 can be implemented as a Dell™ PowerEdge™ Server running the Microsoft™ Windows Server™ operating system. Needless to say, the first server 220 can be implemented in any other suitable hardware and/or software and/or firmware or a combination thereof. In the depicted non- limiting embodiment of present technology, the first server 220 is a single server. In alternative non-limiting embodiments of the present technology, the functionality of the first server 220 may be distributed and may be implemented via multiple servers. In the context of the present technology, the first server 220 may implement in part the methods and system described herein. In some embodiments of the present technology, the first server 220 is under control and/or management of a folio management operator. Alternatively, the first server 220 can be under control and/or management of a service provider.
[0087] Also coupled to the communications network is a second server 230. The second server 230 can be implemented as a conventional computer server. In an example of an embodiment of the present technology, the second server 230 can be implemented as a Dell™ PowerEdge™ Server running the Microsoft™ Windows Server™ operating system. Needless to say, second server 230 can be implemented in any other suitable hardware and/or software and/or firmware or a combination thereof. In the depicted non- limiting embodiment of present technology, second server 230 is a single server. In alternative non-limiting embodiments of the present technology, the functionality of the second server 230 may be distributed and may be implemented via multiple servers. In the context of the present technology, second server 230 may implement in part the methods and system described herein. In some embodiments of the present technology, second server 230 is under control and/or management of a folio management operator. Alternatively, second server 230 can be under control and/or management of a service provider.
[0088] Now turning to FIG. 3, a simplified schematic overview of two high-level parts of the present technology is illustrated in accordance with a non-limiting embodiment of the present technology. The present technology may comprise a secure user-data management system 300 and a password-generation system 400 used for implementing the present technology. The user 170 may be associated with a user identifier 172, and may have chosen two keys or personal passwords to remember, a first key 174, also known as the user vault key, and a second key 178, also known as a user key. The first key 174 may be used with a secure user-data management system 300 and the second key 187 may be used with a password-generation system 400 to generate a secure password 510. How the first key 174 and the second key 178 are implemented is not limited. In some embodiments, each one of the first key 174 and the second key 178 may be implemented as conventional passwords of fixed length, containing strings of alphabetical characters and/or numerical characters and/or special characters, and may be complex enough to be hard to guess by brute-force attacks while being easy to remember for the user 170. In other embodiments, one of the first key 174 or the second key 178 may be implemented as biometric data, such as a fingerprint recognition, facial recognition, keystroke dynamics, voice recognition, etc., depending on how the electronic device 100 is implemented, as it would be recognized by a person skilled in the art of the present technology. While the technology herein relies on both high-level parts, but can also be defined and used with only one of those parts, independently from the other one.
[0089] Now turning to FIG. 4, a detailed view of the secure user-data management system 300 is illustrated in accordance with a non-limiting embodiment of the present technology. The secure user-data management system 300 may comprise a folio management system 320 and private server token 390. The folio management system 320 may generally be configured to receive requests from users having registered with the folio management system 320. The folio management system 320 may therefore maintain a plurality of folios associated with respective users, the folios containing a part of the required information for generating passwords. The folio management system 320 may comprise a userl folio 340, a user2 folio 360 and a userN folio 380. As it may be understood, userl folio 340, user2 folio 360 and userN folio 380 are merely provided as illustrative examples, and the number of user folios in the folio management system 320 is not limited. Generally, each one of the userl folio 340, user2 folio 360 and the userN folio 380 of the folio management system 320 may be associated with a respective user having previously registered with the secure user-data management system 300 or a resource or service (not depicted) associated with the secure user-data management system 300. Each time a new user registers with the secure user-data management system 300 or a resource associated with the secure user-data management system 300, a user folio may be initialized. As a non-limiting example, the user 170 may register with his user identifier 172 on the folio management system 320 for managing user profiles and passwords used on different resources. As another non-limiting example, the user 170 may access his user folio, such as userl folio 340, by logging onto a resource 550 previously associated with the secure user-data management system 300. Each one of the userl folio 340, user2 folio 360 and the userN folio 380 of the folio management system 320 may comprise a respective encrypted user vault 350, also known as hidden user vault, and a respective public user token 355. The encrypted user vault 350 may be associated with the userl folio 340 and may be decrypted by using the first key 174 provided by the user 170 to obtain a user vault 410. The respective public user tokens 355 may be used by the folio management system 320 to authenticate the user 170. In some embodiments, a private server token 390 can be used to prove to the user 170 that each of the userl folio 340, user2 folio 360 and the userN folio 380 of the folio management system 320 are legitimate and that the user 170 may trust the information received from the folio management system 320. In some embodiments, the respective public user token 355 and the private server token 390 may be implemented respectively as a public cryptographic key and a private cryptographic key as it may become apparent to a person skilled in the art of the present technology. In some embodiments, it is possible for multiple users (not depicted) to collaborate in providing multiple keys (not depicted), therefore producing a password 20 only when all users (or some subset of predefined size therein) have provided their personal keys. In those embodiments, some predefined subsets of the complete team of users need to be present in order for the authentication (and the access to the system or services protected by that authentication) to be granted. The multiple users (not depicted) may be associated with one or more user folios.
[0090] Now turning to FIG. 5, a detailed view of the password-generation system 400 is illustrated in accordance with a non-limiting embodiment of the present technology. After having acquired the encrypted user vault 350 and providing the first key 174 to decrypt the encrypted user vault 350, resulting in the user vault 410, the user 170 may access the user vault 410 part of his/her userl folio 340. Generally, the user vault 410 may comprise an entropic sequence of characters 420, and resource-specific data 430. The entropic sequence of characters 420, also known as entropy, salt, or nonce, may be any sequence of random binary digits (bits) that may be acquired by the electronic device 100 in a variety of ways that will be apparent to persons skilled in the art. For example, the entropic sequence of characters 420 can be obtained from specific computer instructions, random user input through some input device like a mouse, a tactile surface or other means, usage of random physical phenomena like network traffic, power consumption, clock drift, or other physical means. In other embodiments, the entropic sequence of characters 420 may be generated by a true random number generator (TRNG) (not depicted) on the electronic device 100. In some embodiments, the entropic sequence of characters 420 may be a combination of multiple random entropic sequences of characters collected from multiple components of the electronic device 100. In some embodiments, the entropic sequence of characters 420 may be generated by or with the help of another device or a server (not depicted). Generally, the entropic sequence of characters 420 may be used to generate a different password (not depicted) for each resource of the userl folio 340. In some embodiments, a different entropic sequence of characters may be used for each resource. The resource-specific data 430 comprises at least one set of resource-specific parameters 440, resource-specific parameters2 450, and resource-specific parametersN 460, each one associated with a respective resource or service. Each one of the resource-specific parameters 440, the resource-specific parameters2 450, and the resource-specific parametersN 460 may comprise a respective resource identifier 442, a respective set of rules 444 and a respective version number 446. As a non-limiting example, the resource-specific parameters 440 may be associated with a banking website, the resource-specific parameters2 450 with a work website and the resource-specific parametersN 460 with an entertainment website, each one of the resource-specific parameters 440, the resource-specific parameters2 450, and the resource-specific parametersN 460 being associated with the user 170. Generally, each one of the resource- specific parameters 440, the resource-specific parameters2 450, and the resource-specific parametersN 460 may be initialized in response to a request from the user 170 or in response to a request from the associated resource, or may be pre- initialized by default and only activated when the user 170 requests a connection to an associated resource. Similarly, the resource identifier 442, the set of rules 444 and the version number 446 may be acquired from the associated service, may be received from the user 170 or from another source on the internet. As a non-limiting example, the resource identifier 442 may be: a Uniform Resource Locator (URL), an Internet Protocol Address (IP address), or any unique representation identifying the resource specific data. The userl folio may further comprise a public server token 470, and private userl token 480, paired with the private server token 390 and the public user token 355 respectively. The public server token 470, and private userl token 480, paired with the private server token 390 and the public user token 355 respectively may be used as asymmetric cryptographic keys to encrypt and decrypt information, therefore authenticating the user 170 and the folio management system 320. The password-generation system 500 may further comprise the password generator 500, the password generator 500 for generating a password 510 associated with the resource 550 based on the second key 178 provided by the user 170, the entropic sequence of characters 420, the resource identifier 442, the set of rules 444 and the version number 446.
[0091] Now turning to FIG. 6, a detailed view of the password generator 500 is illustrated in accordance with a non-limiting embodiment of the present technology. The password generator 500 may be implemented with different algorithms, as it would be recognized by the person skilled in the art of the present technology. One such algorithm may be the PBKDF2 algorithm, part of the Public-Key Cryptography Standards (PCKS) 5 v2.0. More specifically, the PBKDF2 algorithm may be used with a HMAC-SHA-256 hashing algorithm in the following manner: the user identifier 172, the resource identifier 442 and the second key 178 may be concatenated, resulting in a passphrase 495. Then, the passphrase 495 may be input with the entropic sequence of characters 420, a number of iterations 496, a chosen key length 497 in the PBKDF2 algorithm using the SHA-256 algorithm, resulting in a derived key (not depicted). Next, the derived key may go through a function (not depicted) repetitively with the set of rules 444, which contains rules (number of upper case letters, number of special characters, etc.) until a password 510 respecting the rules of the set of rules 444 is generated. Other alternatives, such as, but not limited to, bcrypt, Argon2, Catena, Luyra2, yesscrypt and Makwa algorithms may be used, as it may be recognized by the person skilled in the art of the present technology. The password generator 500 may be associated with a timer (not depicted) and a predetermined expiration time (not depicted), and each time the timer is over the predetermined expiration time, the password 510 may be automatically regenerated by the password-generation system 400 incrementing the version number 446 and going through the generating function 490. In some embodiments, the pre-determined expiration time may be acquired from the associated resource.
[0092] Now turning to FIG. 7, a detailed view of the secure user-data management system 300 and the password-generation system 500 implemented on the electronic device 100, the first server 220 and the second server 230 is illustrated in accordance with non-limiting embodiments of the present technology. The secure user-data management system 300 may be implemented on the first server 220. The secure user-data management system, comprising the folio management system 320, may be implemented as part of a cloud computing service where the user 170 may register via a computing device, such as his/her electronic device 100. The password-generation system 500 may be executed on the electronic device 100. The password-generation system 500 may be implemented as the client-side software of the computing service. In some embodiments, the password-generation system 500 may be implemented at least in part by a secure processor (not depicted), a hardware security module (not depicted) or any other secure and/or tamper-resistant module, as it may be recognized by the person skilled in the art of the present technology. The resource 550 or website may run on the second server 230. In some embodiments, at least a part of the secure user-data management system 300 and at least part of the password-generation system 500 may be implemented on the electronic device 100, and at least a part of the first server 220 and at least a part of the second server 230 may also be implemented on the electronic device 100. In other embodiments, at least a part of the password-generation system 500 may be implemented on a server, such as but not limited to second server 230. In some embodiments, the secure user-data management system 300 may be implemented on the same server as the resource 550, the second server 230.
[0093] Now turning to FIG. 8, a communication flow 800 for initialization of the userl folio 340 and the password 510 in accordance with an embodiment of the present technology is illustrated. The user 170 may transmit a request which may comprise his/her user identifier 172 to the folio management system 320 part of the secure user- data management system 300 via his electronic device 100 to initialize a userl folio 340. The folio management system 320 may then initialize the userl folio 340. The electronic device 100 may then initialize a user vault 410 and generate an entropic sequence of characters 420 associated with the user vault 410. The electronic device 100 may then acquire the resource-specific data 430, the resource-specific data 430 comprising at least one set of resource-specific parameters 440, the at least one set of resource-specific parameters 440 being associated with the resource 550 to access. The resource-specific data 430 may be provided by the user 170, by the resource 550 or by another resource on the Internet (not depicted). The electronic device 500 may then associate the resource- specific data 430 with the user vault 410. The electronic device 100 may then generate the password 510 based on the one set of resource-specific parameters 440 and the second key 178 in the password- generation system 400 and transmit the password 510 to the resource 550. The electronic device 100 may then encrypt the user vault 410 based on the first key 174 and transmit the encrypted user vault 350 to the resource 550.
[0094] Now turning to FIG. 9, a communication flow 900 for generating the password 510 in accordance with an embodiment of the present technology is illustrated. The user 170 may transmit a request to retrieve the encrypted user vault 350 from the userl folio 340 of the folio management system 320 part of the secure user-data management system 300 via his electronic device 100. The request may comprise his/her user identifier 172. After having retrieved the encrypted user vault 350, the user 170 may decrypt the encrypted user vault 350 based on the first key 174 to access the user vault 410. The electronic device 100 may then access the resource-specific data 430 and use the second key 178 provided by the user 170 and generate the password 510. The user 170 may or may not modify the content of the user vault 410. The electronic device 100 may then encrypt the user vault 410 based on the first key 174 to obtain the encrypted user vault. The electronic device 100 may then transmit the encrypted user vault 350 to the secure user-data management system 300. The secure user-data management system 300 may then transmit the password 510 to the resource 550.
[0095] Now turning to FIG. 10, a method 1000 carried out by an electronic device 100 and a first server 220 for initializing a userl folio 340 and a password 510 is illustrated in accordance with non-limiting embodiments of the present technology. The method 1000 may begin at a step 1002.
[0096] STEP 1002: receiving a request to initialize a user folio in a folio management system, the request comprising a user identifier and a resource identifier
[0097] At a step 1002, the first server 220 may receive a request to initialize a userl folio 440 in the folio management system 320, the request comprising a user identifier 172 and a resource identifier 442. The user 170 may have sent the request via the electronic device 100 to initialize a user folio in a folio management system 320 which may be part of a secure user-data management system 300, the request comprising a user identifier 172 and a resource identifier 442. As a non-limiting example, the user 170 may have downloaded an application associated with the folio management system 320 part of a secure user-data management system 300 on her/his electronic device 100, and may execute the application, which may be implemented as a browser extension or a standalone software application. The user 170 may then be prompted to specify a user identifier 172, such as, but not limited to, a user name, an e-mail address, etc. The user 170, may then, at the same time or at a different time, be prompted by the application to specify a resource identifier 442 for a resource for which she/he wants to generate a password 510. The user 170 may then enter the required information and confirm. In some embodiments, the folio management system 320 may be executed in part or entirely by the electronic device 100 instead of the first server 220. As another non-limiting example, the request may originate from the second server 230 via the communications network 210, the second server 230 executing a resource previously associated with the user 170, such as a banking website. The user 170 may have recently opened a new account with the bank, and may wish to access his accounts via the banking website, which may ask him to give a password 510. In some embodiments, the user 170 may open an account without sending the resource identifier 442, and may simply initialize a user folio for later use. The resource 550 may be associated with the folio management system 320 running on the first server 220, and may send the user identifier 172 and the resource identifier 442 to the folio management system 320 part of the secure user-data management system 300 on the first server 220. The folio management system 320 may receive the request, and the method 1000 may then advance to a step 1004.
[0098] STEP 1004: initializing the user folio associated with the user in the folio management system
[0099] At a step 1004, after receiving the request to initialize the userl folio 440 in the folio management system 320 by the electronic device 100, the folio management system 320 which may be part of the secure user-data management system 300, may initialize the userl folio based on the user identifier 172 and the resource identifier 442. As it may be understood, the folio management system 320 may manage a plurality of user folios, such as user folio2 360 and userN folio 380 each associated with a different user identifier, and may create an entry for the user 170 associated with the user identifier 172 and the resource identifier 442 by associating an empty userl folio 340 with the user 170.
[0100] STEP 1006: generating an entropic sequence of characters
[0101] At a step 1006, after having sent the request to the folio management system 320, the user 170 may be prompted to generate an entropic sequence of characters 420 in ways described above. The method 1000 may then advance to step 1008. [0102] STEP 1008: associating the entropic sequence of characters with a user vault, the user vault associated with the user
[0103] At a step 1008, after having generated the entropic sequence of characters, the electronic device 100 may associate the entropic sequence of characters 420 with a user vault 410, the user vault 410 associated with the user 170. As explained previously, the user vault 410 may be initialized by the electronic device 100 as a variable or a file that will contain the necessary information to generate the password 510, such as the entropic sequence of characters 420. As a non-limiting example, the entropic sequence of characters 420 may be stored in the user vault 410. The method 1000 may then advance to step 1010.
[0104] STEP 1010: acquiring resource-specific data, the resource-specific data comprising at least one set of resource-specific parameters, the at least one set of resource-specific parameters being associated with the resource
[0105] At a step 1010, at the same time or at a different time, the electronic device 100 may acquire resource-specific data 430, the resource-specific data 430 comprising at least one set of resource-specific parameters 440, the at least one set of resource-specific parameters 440 being associated with the resource to access. The resource-specific parameters 440 may comprise a resource identifier 442, a rule to generate the password 446, and a version number 446. In some embodiments, the user 170 may enter manually at least a part of the resource-specific parameters. In other embodiments, the electronic device 100 may acquire such information from a database, from the folio management system 320 part of the secure user-data management system 300, from the resource itself, or from any other source on the internet. The version number 446 may be automatically initialized. The method 1000 may then advance to step 1012.
[0106] STEP 1012: associating the resource-specific data with the user vault
[0107] At a step 1012, the electronic device 100 may associate the resource- specific data 430 with the user vault 410, the user vault 410 associated with the user 170. The electronic device 100 may associate resource- specific data 430 in the same way that it associated the entropic sequence of characters. In some embodiments, associating the the resource-specific data 430 and the entropic sequence of characters to the user vault 410 may be performed at the same time. The method 1000 may then advance to step 1014.
[0108] STEP 1014: generating the password required to access the resource based on a second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters
[0109] At a step 1014, the password generator 500 of the electronic device 100 may generate the password 510 required to access the resource 550 based on a second key 178 provided by the user 170, the at least one entropic sequence of characters 420 and the at least one set of resource-specific parameters 440, the at least one set of resource-specific parameters 440 comprising the resource identifier 442, the rule to generate the password 446, and the version number 448. As stated previously, the password 510 may be generated by using the PBKDF2 algorithm or any other algorithm as it would be recognized by the person skilled in the art. The password 510 may respect the rules to generate the password 446, and be of a length compliant with security standards of the resource 550. The method 1000 may then advance to step 1016.
[0110] STEP 1016: encrypting the user-vault based on the first key
[0111] At a step 1016, at the same time or at a different time, the electronic device 100 may encrypt the user vault 410 based on the first key 174 provided by the user 170, resulting in the encrypted user vault 350. The user 170, having the first key 174 in his possession, may therefore be the only one able to decrypt the encrypted user vault 350. The method 1000 may then advance to step 1018.
[0112] STEP 1018: transmitting the encrypted user vault.
[0113] At a step 1016, after having encrypted the user vault 410 based on the first key 174 provided by the user 170, the electronic device 100 may transmit the encrypted user vault 350 to the folio management system 320 part of the secure user-data management system 300 on the first server 220 via the communications network 210. Therefore, the first server 220 may only have access to an encrypted version of the user vault 410. In some embodiments, the encrypted user vault 350 may be transmitted to the resource located on the second server 230. In other embodiments, the encrypted user vault 350 may not be transmitted and may be stored on the electronic device 100. The encrypted user vault 350 may be later retrieved by the electronic device 100 to generate a password for the same resource in accordance with the method 1100. The method 1000 may then end.
[0114] Now turning to FIG. 11, a method 1100 carried out by an electronic device 100 and a first server 220 for retrieving information from a userl folio 340 to generate a password 510 is illustrated in accordance with non-limiting embodiments of the present technology. The method 1100 may be executed after the method 1000 has been executed once for the same resource. The method 1000 may begin at a step 1102.
[0115] STEP 1102: authenticating, by a server connected to the electronic device, the user
[0116] At a step 1102, the first server 220 may authenticate the user 170 connected to the first server 220 with her/his electronic device 100 via the communications network 210. The user 170 may want to connect to a resource from her/his electronic device 100. As an example, the user 170 may want to access the website of a bank. Since she/he has previously opened an account with the folio management system 320 part of the secure user-data management system 300 on the first server 220, the user 170 may want to generate the password 510 to access the resource or banking website. The user 170 may send a request comprising his user identifier 172. In some embodiments, the user 170 may login to the website or application of the folio management system 320 to enter her/his user identifier and a user password. The folio management system 320, part of the secure user-data management system 300 on the first server 220 may receive the request from the user, and verify that the user 170 is associated with a folio in the folio management system 320, therefore authenticating the user 170. The method 1100 may then advance to step 1104.
[0117] STEP 1104: causing a folio management system to retrieve, based on the authenticated user, a user folio associated with the user, the user folio being associated with an encrypted user vault, the encrypted user vault comprising at least one entropic sequence of characters and resource-specific data, the resource- specific data comprising at least one set of resource- specific parameters, the at least one set of resource-specific parameters being associated with the resource
[0118] At a step 1104, the folio management system 320 may be caused to retrieve, based on the authenticated user 170, a userl folio 340 associated with the user 170, the userl folio 340 being associated with an encrypted user vault 350, the encrypted user vault 350 comprising at least one entropic sequence of characters 420 and resource- specific data 430, the resource- specific data 430 comprising at least one set of resource- specific parameters 440, the at least one set of resource-specific parameters 440 being associated with the resource. The folio management system 320 may then transmit the encrypted user vault 350 to the electronic device 100 of the user 170, as the folio management system 320 may not have enough information for decrypting the encrypted user vault 350. The method 1100 may then advance to step 1106.
[0119] STEP 1106: decrypting, based on a first key provided by the user, the encrypted user vault
[0120] At a step 1106, the electronic device 100 of the user 170 may receive the encrypted user vault 350 and decrypt, based on the first key 174 provided by the user 170, the encrypted user vault 350 to reveal the user vault 410. A part of the information required to generate the password 510 to access the resource may therefore be accessible to the user 170 on the electronic device 100. The method may then advance to step 1108.
[0121] STEP 1108: generating the password required to access the resource based on a second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters
[0122] At a step 1108, the electronic device 100 may generate the password 510 required to access the resource based on a second key 178 provided by the user 170, the at least one entropic sequence of characters 420 and the at least one set of resource-specific parameters 440 comprising the resource identifier 442, the rule to generate the password 446, and the version number 448. As stated previously, the password 510 may be generated by using the PBKDF2 algorithm or any other algorithm as it would be recognized by the person skilled in the art. The password 510 may respect the rules to generate the password 446, and be equivalent to the password 510 previously generated when initializing the userl folio 440 for the resource. The method 1100 may then advance to step 1110.
[0123] STEP 1110: transmitting the password
[0124] At a step 1110, the user 170 of the electronic device 100 may transmit the password 510 to access the resource. The method may then advance to step 1112.
[0125] STEP 1112: encrypting the user-vault based on the first key
[0126] At a step 1112, at the same time or at different time, the user 170 may encrypt the user vault 410 with the first key 174, resulting in the encrypted user vault 350. In some embodiments, the user 170 may modify the content of the user vault 410 before encrypting the user vault 410. The electronic device 100 may then transmit the encrypted user vault 350 to the first server 220. In some embodiments, the encrypted user vault 350 may be stored on the electronic device 100.
[0127] The method 1100 may then end.
[0128] As it may be understood, the password 510 is not stored anywhere. Instead, it is generated on-the-fly as required by the user 170, upon his providing of the second key 178. Therefore, the invention protects the user 170 from third parties who would want to get access to the services reserved through authentication to user 170. In order to fraudulently pass as the user 170, a third party would have to first obtain the user vault 410 through brute force (or other) decryption attacks on the encrypted user vault 350. If the first key 174 is long and complex enough, and if hiding or encryption mechanism is respecting security standards, this brute force attack will be extremely difficult. Then, if the fraudulent third party did obtain a user vault 410 through such an attack, the third party would need the first key 174 in order to obtain the password 510. However, as the password 510 isn't stored anywhere, the fraudulent third party would not be able to mount a brute force attack on the password 510. At most, the fraudulent third party would be able to try accessing secure services whose access is reserved to user 170. This would amount to something no simpler than trying to guess some password on some system, without any additional information. Furthermore, the system may generate an unlimited number of distinct passwords based on the first key 174 and the second key 178 provided by the user 170, therefore not relying on the user to provide a large number of keys to generate distinct passwords, and not being predictable because of a cyclic reuse of keys for generating the passwords.
[0129] Within the present description it should be understood that in any case where retrieving data from any client device and/or from any mail server is mentioned, retrieving an electronic or other signal from corresponding client device (a server, a mail server) can be used, and displaying on a screen of the device can be implemented as transmitting a signal to the screen, the signal includes specific information which further can be interpreted with specific images and at least partially displayed on the screen of the client device. Sending and receiving the signal is not mentioned in some cases within the present description to simplify the description and as an aid to understanding. Signals can be transmitted using optical methods (for example, using fiber-optic communication), electronic methods (wired or wireless communication), mechanic methods (transmitting pressure, temperature and/or other physical parameters by the means of which transmitting a signal is possible.

Claims

1. A method of generating a password required to access a resource by a user, the
method comprising:
-authenticating, by a server connected to the electronic device, the user;
-causing a folio management system to retrieve, based on the authenticated user, a user folio associated with the user, the user folio being associated with an encrypted user vault, the encrypted user vault comprising at least one entropic sequence of characters and resource-specific data, the resource-specific data comprising at least one set of resource-specific parameters, the at least one set of resource-specific parameters being associated with the resource;
-decrypting, based on a first key provided by the user, the encrypted user vault; and -generating the password required to access the resource based on a second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters.
2. The method of claim 1, further comprising transmitting the password to the resource.
3. The method of any of claims 1 to 2, further comprising:
encrypting the user vault based on the first key; and
transmitting the encrypted user vault to the server.
4. The method of any of claims 1 to 3, wherein the at least one set of resource-specific parameters is a first set of resource-specific parameters and the resource-specific data further comprises a second set of resource- specific parameters.
5. The method of any of claims 1 to 4, wherein each set of resource-specific parameters further comprises a rule to generate the password, a resource identifier and a version number, and wherein the generating is further based on the rule to generate the password, the resource identifier and the version number.
6. The method of any of claims 1 to 5, wherein the resource identifier of is one of: a Uniform Resource Locator (URL), an Internet Protocol Address (IP address), or any unique representation identifying the resource specific data.
7. The method of any of claims 1 to 6, wherein the rule to generate the password comprises at least one of: a required number of alphabetical characters, a required number of numerical characters, a required number of special characters, a required number of upper-case letters and a required number of lower-case letters.
8. The method of any of claims 1 to 7, wherein the generating the password is performed based on one of a PBKDF2 algorithm, a bcrypt algorithm, a crypt(3) algorithm, a scrypt algorithm, or an Argon2 algorithm.
9. The method of any of claims 1 to 8, wherein the retrieving, based on the authenticated user the user folio associated with the user is executed by the server, and wherein the method further comprises receiving, by the server, the encrypted user vault associated with the user folio.
10. The method of any of claims 1 to 9, wherein the at least one resource specific data is associated with a period of time, and the method further comprises, responsive to the period of time being over a predetermined threshold:
-incrementing the version number; and wherein generating the password required to access the resource based on the second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource- specific parameters is further based on the incremented version number;
11. The method of any of claims 1 to 10, wherein the retrieving, based on the authenticated user the user folio associated with the user is executed by the server, and wherein the method further comprises receiving, by the server, the encrypted user vault associated with the user folio.
12. The method of any of claims 1 to 11, wherein the decrypting based on the first key provided by the user the encrypted user vault, the generating the password required to access the resource based on the second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource- specific parameters, the transmitting the password to the resource, the encrypting the user vault based on the first key, and the transmitting the encrypted user vault to the server are executed by the electronic device.
13. The method of any of claims 1 to 12, wherein the incrementing the version number and the generating the password required to access the resource based on the second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters further based on the incremented version number are executed by the electronic device.
14. The method of any of claims 1 to 13, wherein the user folio further comprises a public user token, the user vault comprises a private user token, and wherein the folio management system may authenticate the user based on the public user token and the private user token.
15. The method of any of claims 1 to 14, wherein the folio management system further comprises a private server token, the user folio comprises a public server token and wherein the user may authenticate the folio management system based on the private server token and the public server token.
16. A method of generating a password required to access a resource by a user based on a first key and a second key, the method comprising:
-receiving a request to initialize a user folio in a folio management system;
-initializing the user folio associated with the user in the folio management system; -generating an entropic sequence of characters;
-associating the entropic sequence of characters with a user vault, the user vault associated with the user folio; -acquiring resource-specific data, the resource-specific data comprising at least one set of resource-specific parameters, the at least one set of resource-specific parameters being associated with the resource;
-associating the resource-specific data with the user vault;
-generating the password required to access the resource based on a second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters; and
-encrypting the user-vault based on the first key.
17. The method of claim 16, further comprising transmitting the password to the resource and transmitting the encrypted user-vault to the server.
18. The method of any of claims 16 to 17, wherein the receiving and the initializing are executed by a server.
19. The method of any of claims 16 to 18, wherein the generating the entropic sequence of characters, the associating the entropic sequence of characters with a user vault, the user vault associated with the user folio, the acquiring the resource-specific data, the resource-specific data comprising at least one set of resource-specific parameters, the at least one set of resource- specific parameters being associated with the resource, the associating the resource-specific data with the user vault, the generating the password required to access the resource based on a second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters, the encrypting the user- vault based on the first key, and the transmitting the password to the resource and transmitting the encrypted user-vault to the server are executed by the electronic device.
20. A system for generating a password required to access a resource by a user, the system comprising:
a processor;
a non-transitory computer-readable medium comprising instructions; the processor, upon executing the instructions, being configured to cause:
-authenticating, by a server connected to the electronic device, the user;
-causing a folio management system to retrieve, based on the authenticated user, a user folio associated with the user, the user folio being associated with an encrypted user vault, the encrypted user vault comprising at least one entropic sequence of characters and resource-specific data, the resource-specific data comprising at least one set of resource-specific parameters, the at least one set of resource-specific parameters being associated with the resource;
-decrypting, based on a first key provided by the user, the encrypted user vault; and -generating the password required to access the resource based on a second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters.
21. The system of claim 20, wherein the processor is further configured to cause transmitting the password to the resource.
22. The system of any of claims 20 to 21, wherein the processor is further configured to cause:
encrypting the user vault based on the first key; and
transmitting the encrypted user vault to the server.
23. The system of any of claims 20 to 22, wherein the at least one set of resource-specific parameters is a first set of resource-specific parameters and the resource-specific data further comprises a second set of resource- specific parameters.
24. The system of any of claims 20 to 23, wherein each set of resource-specific parameters further comprises a rule to generate the password, a resource identifier and a version number, and wherein the generating is further based on the rule to generate the password, the resource identifier and the version number.
25. The system of any of claims 20 to 24, wherein the resource identifier of is one of: a Uniform Resource Locator (URL), an Internet Protocol Address (IP address), or any unique representation identifying the resource specific data.
26. The system of any of claims 20 to 25, wherein the rule to generate the password comprises at least one of: a required number of alphabetical characters, a required number of numerical characters, a required number of special characters, a required number of upper-case letters and a required number of lower-case letters.
27. The system of any of claims 20 to 26, wherein the generating the password is performed based on one of a PBKDF2 algorithm, a bcrypt algorithm, a crypt(3) algorithm, a scrypt algorithm, or an Argon2 algorithm.
28. The system of any of claims 20 to 27, wherein the retrieving, based on the authenticated user the user folio associated with the user, is executed by the server, and wherein the processor is further configured to cause receiving, by the server, the encrypted user vault associated with the user folio.
29. The system of any of claims 20 to 28, wherein the at least one resource specific data is associated with a period of time, and wherein the processor is further configured to cause, responsive to the period of time being over a predetermined threshold:
-incrementing the version number; and wherein generating the password required to access the resource based on the second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource- specific parameters is further based on the incremented version number;
30. The system of any of claims 20 to 29, wherein the retrieving, based on the authenticated user the user folio associated with the user is executed by the server, and wherein the processor is further configured to cause receiving, by the server, the encrypted user vault associated with the user folio.
31. The system of any of claims 20 to 30, wherein the decrypting based on the first key provided by the user the encrypted user vault, the generating the password required to access the resource based on the second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource- specific parameters, the transmitting the password to the resource, the encrypting the user vault based on the first key, and the transmitting the encrypted user vault to the server are executed on the electronic device.
32. The system of any of claims 20 to 31, wherein the incrementing the version number and the generating the password required to access the resource based on the second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters further based on the incremented version number are executed by the electronic device.
33. The system of any of claims 20 to 32, wherein the user folio further comprises a public user token, the user vault comprises a private user token, and wherein the folio management system may authenticate the user based on the public user token and the private user token.
34. The system of any of claims 20 to 33, wherein the folio management system further comprises a private server token, the user folio comprises a public server token and wherein the user may authenticate the folio management system based on the private server token and the public server token.
35. A system for generating a password required to access a resource by a user based on a first key and a second key, the system comprising:
a processor;
a non-transitory computer-readable medium comprising instructions;
the processor, upon executing the instructions, being configured to cause:
-receiving a request to initialize a user folio in a folio management system;
-initializing the user folio associated with the user in the folio management system; -generating an entropic sequence of characters;
-associating the entropic sequence of characters with a user vault, the user vault associated with the user folio;
-acquiring resource-specific data, the resource-specific data comprising at least one set of resource-specific parameters, the at least one set of resource-specific parameters being associated with the resource;
-associating the resource-specific data with the user vault;
-generating the password required to access the resource based on a second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters; and
-encrypting the user-vault based on the first key.
36. The system of claim 35, wherein the processor is further configured to cause transmitting the password to the resource and transmitting the encrypted user-vault to the server.
37. The system of claim 36, wherein the receiving and the initializing are executed by a server.
38. The system of claim 37, wherein the generating the entropic sequence of characters, the associating the entropic sequence of characters with a user vault, the user vault associated with the user folio, the acquiring the resource-specific data, the resource- specific data comprising at least one set of resource-specific parameters, the at least one set of resource-specific parameters being associated with the resource, the associating the resource-specific data with the user vault, the generating the password required to access the resource based on a second key provided by the user, the at least one entropic sequence of characters and the at least one set of resource-specific parameters, the encrypting the user- vault based on the first key, and the transmitting the password to the resource and transmitting the encrypted user-vault to the server are executed by the electronic device.
PCT/IB2016/057233 2015-12-01 2016-11-30 Method and system for generating a password WO2017093917A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CA2913571A CA2913571A1 (en) 2015-12-01 2015-12-01 Multi-platform user authentication device with double and multilaterally blind on-the-fly key generation
CA2,913,571 2015-12-01

Publications (1)

Publication Number Publication Date
WO2017093917A1 true WO2017093917A1 (en) 2017-06-08

Family

ID=58794282

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2016/057233 WO2017093917A1 (en) 2015-12-01 2016-11-30 Method and system for generating a password

Country Status (2)

Country Link
CA (1) CA2913571A1 (en)
WO (1) WO2017093917A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111597547A (en) * 2020-05-26 2020-08-28 中国联合网络通信集团有限公司 Password management method and system
CN112486500A (en) * 2020-11-03 2021-03-12 杭州云嘉云计算有限公司 System authorization deployment method
CN112910654A (en) * 2021-01-19 2021-06-04 深圳市星际大陆科技有限公司 Private key management method, system, device and storage medium

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115001832B (en) * 2022-06-10 2024-02-20 阿里云计算有限公司 Method and device for preventing password attack and electronic equipment

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003065169A2 (en) * 2002-01-30 2003-08-07 Tecsec, Inc. Access system utilizing multiple factor identification and authentication
US7171679B2 (en) * 2002-01-07 2007-01-30 International Business Machines Corporation Generating and maintaining encrypted passwords
US8140855B2 (en) * 2008-04-11 2012-03-20 Microsoft Corp. Security-enhanced log in
US8438382B2 (en) * 2008-08-06 2013-05-07 Symantec Corporation Credential management system and method
US20130166920A1 (en) * 2011-06-03 2013-06-27 Commandhub, Inc. Mobile data vault
US20130227661A1 (en) * 2012-02-29 2013-08-29 Infosys Limited Systems and methods for generating and authenticating one time dynamic password based on context information
EP2953312A1 (en) * 2014-06-02 2015-12-09 Alcatel Lucent System to handle passwords for service authentication
US20160191499A1 (en) * 2014-12-31 2016-06-30 Citrix Systems, Inc. Shared Secret Vault for Applications with Single Sign On

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7171679B2 (en) * 2002-01-07 2007-01-30 International Business Machines Corporation Generating and maintaining encrypted passwords
WO2003065169A2 (en) * 2002-01-30 2003-08-07 Tecsec, Inc. Access system utilizing multiple factor identification and authentication
US8140855B2 (en) * 2008-04-11 2012-03-20 Microsoft Corp. Security-enhanced log in
US8438382B2 (en) * 2008-08-06 2013-05-07 Symantec Corporation Credential management system and method
US20130166920A1 (en) * 2011-06-03 2013-06-27 Commandhub, Inc. Mobile data vault
US20130227661A1 (en) * 2012-02-29 2013-08-29 Infosys Limited Systems and methods for generating and authenticating one time dynamic password based on context information
EP2953312A1 (en) * 2014-06-02 2015-12-09 Alcatel Lucent System to handle passwords for service authentication
US20160191499A1 (en) * 2014-12-31 2016-06-30 Citrix Systems, Inc. Shared Secret Vault for Applications with Single Sign On

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
CHATTERJEE ET AL.: "Cracking-Resistant Password Vaults Using Natural Language Encoders''.", 2015 IEEE SYMPOSIUM ON SECURITY AND PRIVACY, 17 May 2015 (2015-05-17), pages 1 - 21, XP061019011, Retrieved from the Internet <URL:http://ieeexplore.ieee.org/xpls/icp.jsp?arnumber=7163043> *
HORSCH ET AL.: "PALPAS -- PAssword Less PAssword Synchronization''.", RELIABILITY AND SECURITY (ARES), 2015 10TH INTERNATIONAL CONFERENCE, 24 August 2015 (2015-08-24), XP032795226, Retrieved from the Internet <URL:httD://ieeexplore.ieee.ora/xpls/icp.iso?arnumber=7299896> *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111597547A (en) * 2020-05-26 2020-08-28 中国联合网络通信集团有限公司 Password management method and system
CN111597547B (en) * 2020-05-26 2023-04-28 中国联合网络通信集团有限公司 Password management method and system
CN112486500A (en) * 2020-11-03 2021-03-12 杭州云嘉云计算有限公司 System authorization deployment method
CN112910654A (en) * 2021-01-19 2021-06-04 深圳市星际大陆科技有限公司 Private key management method, system, device and storage medium
CN112910654B (en) * 2021-01-19 2023-04-28 深圳市星际大陆科技有限公司 Private key management method, system, equipment and storage medium

Also Published As

Publication number Publication date
CA2913571A1 (en) 2017-06-01

Similar Documents

Publication Publication Date Title
US11683187B2 (en) User authentication with self-signed certificate and identity verification and migration
US10574648B2 (en) Methods and systems for user authentication
KR101641809B1 (en) Method and system for distributed off-line logon using one-time passwords
US10848304B2 (en) Public-private key pair protected password manager
US9887993B2 (en) Methods and systems for securing proofs of knowledge for privacy
US20130318576A1 (en) Method, device, and system for managing user authentication
US10423796B2 (en) User authentication
CA2877082C (en) Secure password management systems, methods and apparatuses
US20180255053A1 (en) Partial one-time password
WO2017093917A1 (en) Method and system for generating a password
US9021248B2 (en) Secure access of mobile devices using passwords
US10341110B2 (en) Securing user credentials
GB2585010A (en) Cryptocurrency key management
US11502840B2 (en) Password management system and method
EP3757920A1 (en) Cryptocurrency key management
JP7174730B2 (en) Terminal device, information processing method and information processing program
Kumar Protocol based verification and authentication for multi-tasking server in DUOS system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16870092

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16870092

Country of ref document: EP

Kind code of ref document: A1