EP1290531A2 - Netzagent-passwortspeicherungs- und abrufverfahren - Google Patents
Netzagent-passwortspeicherungs- und abrufverfahrenInfo
- Publication number
- EP1290531A2 EP1290531A2 EP01941359A EP01941359A EP1290531A2 EP 1290531 A2 EP1290531 A2 EP 1290531A2 EP 01941359 A EP01941359 A EP 01941359A EP 01941359 A EP01941359 A EP 01941359A EP 1290531 A2 EP1290531 A2 EP 1290531A2
- Authority
- EP
- European Patent Office
- Prior art keywords
- password
- encryption key
- network agent
- recited
- decryptor
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/34—User authentication involving the use of external additional devices, e.g. dongles or smart cards
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/73—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/82—Protecting input, output or interconnection devices
- G06F21/85—Protecting input, output or interconnection devices interconnection devices, e.g. bus-connected or in-line devices
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2211/00—Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00
- G06F2211/007—Encryption, En-/decode, En-/decipher, En-/decypher, Scramble, (De-)compress
Definitions
- the present invention relates to a network agent password storage and retrieval scheme. More specifically, the present invention is concerned with a password storage and retrieval system and method, for network agents.
- ⁇ assword(s) Such as with human users, network agents need to use ⁇ assword(s) to be authorised to perform certain routines with other devices or components.
- a standard procedure is to use a password that is memorised and stored in a password database in the network.
- a system or device for which the user requires to use his/her password also uses the password database. The procedure begins with a user giving his password to the system or device, which will then compare the password with the corresponding password stored in the password database. If a match occurs, then the user is authorised.
- network agents requiring performing of routines with other network components are requested to provide their identification and password to the authenticating device.
- the network agent therefore needs to store its password (also referred to herewith as an agent-authenticating password) in a memory location of some sort.
- One possible memory location implementation is to use a central database that is accessible to all agents, components or devices in the network. This solution is not very practical since any agent, component, or device, whether it is hostile or not, has access to all the network agent passwords. Indeed, a component needing access to the database to obtain a password must be able to obtain it without having to provide its own password. Additionally, the passwords cannot be encrypted since this involves the use of a password for decryption and the network agent does not have one prior to accessing the central database.
- Another solution consists in hard-coding the password within the network agent's code. Unfortunately, this solution renders the network agent very inflexible because its password cannot be changed easily. In addition, if the agent's code is stolen, it can be decompiled and the password extrapolated from the decompiled code.
- Yet another proposition consists of storing the password in a file located "close" to the network agent to which it belongs.
- the file can be placed in a special directory such that it is only accessible to the network agent.
- this prior art proposition stores the password as clear text in the file. Hence, the file can easily be stolen and clear password obtained from it.
- An object of the present invention is therefore to overcome the problems of the prior art and, more specifically, to securely provide password storage and retrieval for a network agent.
- a password storage and retrieval system for a network agent.
- the password storage and retrieval system has a memory unit in which an encrypted password related to the network agent is stored, an encryption key related to the network agent and a decryptor for decrypting the encrypted password into a decrypted password for the network agent.
- the decryptor has access to the encryption key and the memory unit, and includes a password-decrypting algorithm compatible with the encryption key. The decryptor decrypts, in relation to the encryption key, the encrypted password using the password- decrypting algorithm.
- the password storage and retrieval system further comprises an encryptor for encrypting an agent password into the encrypted password.
- the encryptor has access to the encryption key and includes a password-encrypting algorithm compatible with the encryption key.
- the encryptor encrypts, in relation to the encryption key, the agent password into the encrypted password stored in the memory unit using the password-encrypting algorithm.
- a network agent capable of being authenticated by an authenticating device, and to which is associated an encrypted password stored in a memory unit.
- the network agent comprises an encryption key related to the network agent, and a decryptor of the encrypted password into a decrypted password authenticating the network agent.
- the decryptor is connected to the encryption key and the memory unit, and includes a password-decrypting algorithm compatible with the encryption key. The decryptor decrypts, in relation to the encryption key, the encrypted password using the password- decrypting algorithm.
- the present invention is concerned with a method for password storage and retrieval for a network agent, the method comprising steps for storing an encryption key related to the network agent, storing an encrypted password related to the network agent in a memory unit, retrieving, from the memory unit, the encrypted password, reading the encryption key, and decrypting, in relation to the encryption key, the encrypted password into a decrypted password for the network agent.
- the password storage and retrieval method further comprises encrypting an agent-authenticating password into the encrypted password in relation to the encryption key, and storing the encrypted password in the memory unit.
- An obvious advantage of this invention is that in order to break through the system, a person would need to obtain at least two pieces of information; that is, the encryption key and the encrypted password.
- Figure 1 is a schematic block diagram of a partial view of a multi-component network including a network agent password storage and retrieval system according to an embodiment of the present invention
- Figure 2 is a flow chart illustrating operation of the password storage and retrieval system of Figure 1;
- Figure 3 is a flow chart illustrating a method for changing the password in the password storage and retrieval system of Figure 1.
- FIG. 1 of the appended drawings illustrates a preferred embodiment of the network agent password storage and retrieval system 8 according to the present invention.
- a password storage and retrieval system 8 is shown in interaction with a network agent 10.
- the network agent may consist, without being limited thereto, of a node of a network, of a module of a node of the network, of a procedure or function of one of the modules of the node of the network.
- the network agent 10 is a network agent performing a predetermined function in the network.
- the predetermined function may include, in particular but not exclusively, at least one of the following functions: a management function, a control function, a verification function, a signalling function, a monitoring function, etc. Therefore, the network agent 10 includes additional circuitry, or network agent logic 6 for carrying out its function(s) in the network.
- the network agent 10 is shown to be in interaction with an authenticating device 34, which typically requires a password from the network agent 10 to authenticate the network agent.
- the network agent 10 could alternatively be in interaction in any node requiring a password from the network agent 10, other then the authenticating device 34.
- the block diagram of Figure 1 may form part of a more elaborate network comprising many other network agents or devices (not shown).
- the password storage and retrieval system 8 includes within the network agent 10 itself, a decryptor 12, an encryptor 14 and an encryption key 16.
- the password storage and retrieval system 8 also includes a memory unit 18 in which is stored an encrypted password 7 associated with the network agent 10.
- the decryptor 12 and encryptor 14 use a symmetrical encrypting mechanism, as well known to those skilled in the art.
- the decryptor 12 and the encryptor 14 have access to the encryption key 16 through a link 20, so that the encryption key 16 related to the network agent 10 is accessible to both the decryptor 12 and the encryptor 14.
- the encryption key 16 is accessible only by the network agent 10 or by its intricate components.
- the encryption key 16 is preferably hard-coded, or intertwined within the code of the network agent 10. h an alternate manner, it is also within the scope of the present invention to use any type of memory circuit and/or data memory support suitable for storing the encryption key 16, which will ensure that the encryption key 16 is accessible only by the network agent 10. For example, in another preferred embodiment, the encryption key 16 is stored in a read-only memory (ROM) (not shown).
- ROM read-only memory
- the memory unit 18 may store the encrypted password for only one network agent, or alternatively, encrypted passwords associated with two or more network agents (not shown) similar to network agent 10 could be stored in memory unit 18. Although being shown on Figure 1 as being independent from the network agent 10, the memory unit 18 could alternatively form part of the network agent 10, be hosted by one or several other network components or nodes (not shown) with which the network agent 10 communicates. Alternatively, a dedicated directory or software file accessible only by the network agent 10 may constitute memory unit 18. Again, it is within the scope of the present invention to use any other type of memory circuit and/or persistent data memory support suitable for storing the encrypted password. However, in a preferred embodiment of the invention, the memory unit 18 is a software file that stores the encrypted password, along with a network agent- identifying portion (e.g., identification numbers, letters, code, etc.) for the network agent 10.
- a network agent- identifying portion e.g., identification numbers, letters, code, etc.
- an authentication device 34 is shown.
- the authentication device 34 is connected to the network agent 10 through bi-directional link 28.
- the principal functions of the authentication device 34 are to receive authenticating password from the network agent 10 and to compare the obtained response to data with an expected result.
- a password is encrypted and stored in the memory unit 18.
- the password storage and retrieval system 8 is used. Its decryptor 12 accesses the memory unit 18 to obtain the encrypted password 7, obtains the encryption key 16 through the link 20, and applies the encryption key 16 to its encryption software (not shown), to decrypt the encrypted password 7 into an unencrypted password that can be used by the network agent.
- the first operation consists of choosing a password 36 and supplying it to the network agent 10, or alternatively to the password storage and retrieval system 8 of the network agent 10.
- the network agent 10 includes circuits (not shown) to transmit the new password to the encryptor 14.
- the encryptor 14 includes an algorithm compatible with the encryption key 16. As previously indicated, the algorithm is a symmetrical algorithm. Symmetrical algorithms are well known to those of ordinary skill in the art and, accordingly, will not be further described in the present specification.
- the encryptor 14 accesses the encryption key 16 through link 20 to encrypt the chosen password 36 in relation to the encryption key 16.
- this encrypted password is transmitted from the encryptor 14 to the memory unit 18 through circuits (not shown) of the network agent 10 , where it is stored in memory unit 18 for later use.
- the network agent 10 proceeds to retrieve its password (step 204).
- the decryptor 12 obtains the encrypted password 7 related to the network agent 10 from the memory unit 18 through a link 24 (step 204).
- the decryptor 12 then decrypts the encrypted password in relation to the encryption key 16 using the algorithm (a symmetrical algorithm in the preferred embodiment) previously used by the encryptor 14 to encrypt the password (step 206).
- the decryptor 12 forwards the decrypted password to the authenticating device 34 through the circuits (not shown) of the network agent 10 and the link 28 and continues its regular operation.
- the authenticating device 34 compares the password received from the decryptor 12 with an expected result stored therein. When a match exists between the password and the expected result, the network agent 10 is authenticated and permission(s) granted. If no match exists, the network agent is not authenticated.
- step 302 the network agent 10 receives the new password 36.
- the new password 36 is transmitted to the network agent using a secure mechanism like Kerberos so that the password storage and retrieval system 8 may verify that the new password 36 being submitted is from an authorized party. If the party requesting a password change is authorized (step 306) then new password 36 is encrypted with encryptor 14 using the encryption key 16 (step 307). This new encrypted password then replaces the currently encrypted password stored in memory unit 18 (step 310).
- Step 312 may be performed by the user, the agent 10 or a tool of the agent (not shown).
- a particular advantage of the present invention is that, in order to break through the system, one needs to obtain at least two pieces of information: the encryption key 16, and the encrypted password 7 from memory unit 18.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Software Systems (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Mathematical Physics (AREA)
- Storage Device Security (AREA)
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US58828500A | 2000-06-07 | 2000-06-07 | |
US588285 | 2000-06-07 | ||
PCT/SE2001/001285 WO2001095072A2 (en) | 2000-06-07 | 2001-06-07 | Network agent password storage and retrieval scheme |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1290531A2 true EP1290531A2 (de) | 2003-03-12 |
Family
ID=24353242
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP01941359A Withdrawn EP1290531A2 (de) | 2000-06-07 | 2001-06-07 | Netzagent-passwortspeicherungs- und abrufverfahren |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP1290531A2 (de) |
AU (1) | AU2001274719A1 (de) |
WO (1) | WO2001095072A2 (de) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
AU742639B3 (en) * | 2001-02-15 | 2002-01-10 | Ewise Systems Pty Limited | Secure network access |
US7571239B2 (en) * | 2002-01-08 | 2009-08-04 | Avaya Inc. | Credential management and network querying |
FR2862827B1 (fr) * | 2003-11-21 | 2006-03-03 | Enatel | Procede de gestion de donnees de securite |
JP2005173197A (ja) * | 2003-12-11 | 2005-06-30 | Buffalo Inc | 暗号復号処理システム及び暗号復号処理装置 |
EP1770584B1 (de) * | 2005-09-27 | 2019-03-06 | Omron Corporation | Programmierbares Steuersystem und entsprechende Vorrichtung zur Entwicklungsunterstützung eines Steuerprogrammes |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6108420A (en) * | 1997-04-10 | 2000-08-22 | Channelware Inc. | Method and system for networked installation of uniquely customized, authenticable, and traceable software application |
US6240184B1 (en) * | 1997-09-05 | 2001-05-29 | Rsa Security Inc. | Password synchronization |
US7085931B1 (en) * | 1999-09-03 | 2006-08-01 | Secure Computing Corporation | Virtual smart card system and method |
-
2001
- 2001-06-07 WO PCT/SE2001/001285 patent/WO2001095072A2/en not_active Application Discontinuation
- 2001-06-07 EP EP01941359A patent/EP1290531A2/de not_active Withdrawn
- 2001-06-07 AU AU2001274719A patent/AU2001274719A1/en not_active Abandoned
Non-Patent Citations (1)
Title |
---|
See references of WO0195072A3 * |
Also Published As
Publication number | Publication date |
---|---|
AU2001274719A1 (en) | 2001-12-17 |
WO2001095072A2 (en) | 2001-12-13 |
WO2001095072A3 (en) | 2002-04-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8972743B2 (en) | Computer security system and method | |
RU2284569C2 (ru) | Разблокирование и блокирование признаков программного обеспечения | |
US5548721A (en) | Method of conducting secure operations on an uncontrolled network | |
JP4866863B2 (ja) | セキュリティコード生成方法及びユーザ装置 | |
US7155616B1 (en) | Computer network comprising network authentication facilities implemented in a disk drive | |
US6075860A (en) | Apparatus and method for authentication and encryption of a remote terminal over a wireless link | |
US6230272B1 (en) | System and method for protecting a multipurpose data string used for both decrypting data and for authenticating a user | |
US8543764B2 (en) | Storage device with accessible partitions | |
US20070240226A1 (en) | Method and apparatus for user centric private data management | |
US20040157584A1 (en) | Method for establishing and managing a trust model between a chip card and a radio terminal | |
US20180324158A1 (en) | Assuring external accessibility for devices on a network | |
JP4876169B2 (ja) | データを安全に記憶するための方法、システム、およびコンピュータ・プログラム | |
EP3694142A1 (de) | Verwaltung und verteilung von schlüsseln in verteilten umgebungen | |
US6018583A (en) | Secure computer network | |
JPS63205687A (ja) | 開放キーの取扱いによって暗号装置のネットワークにおける秘密素子を保護する方法および装置 | |
KR101701304B1 (ko) | 클라우드 환경에서 속성기반 암호를 이용한 의료 데이터 관리 방법 및 시스템 | |
JPH05333775A (ja) | ユーザ認証システム | |
EP1501238A1 (de) | Verfahren und System zur Schlüsseldistribution mit einem Authentifizierungschritt und einem Schlüsseldistributionsschritt unter Verwendung von KEK (key encryption key) | |
CN112257121A (zh) | 加密方法、解密方法、电子设备和存储介质 | |
CA2251193A1 (en) | Method and apparatus for encoding and recovering keys | |
US8750522B2 (en) | Method and security system for the secure and unequivocal encoding of a security module | |
CN106845264A (zh) | 应用加密方法、装置和应用访问方法、装置 | |
WO2001095072A2 (en) | Network agent password storage and retrieval scheme | |
JP2004013560A (ja) | 認証システム、通信端末及びサーバ | |
JPH063905B2 (ja) | センタと利用者間の相手認証方法 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20021102 |
|
AK | Designated contracting states |
Kind code of ref document: A2 Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR |
|
AX | Request for extension of the european patent |
Extension state: AL LT LV MK RO SI |
|
17Q | First examination report despatched |
Effective date: 20040323 |
|
RAP1 | Party data changed (applicant data changed or rights of an application transferred) |
Owner name: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL) |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
|
18D | Application deemed to be withdrawn |
Effective date: 20040803 |